Date: Fri, 11 Jul 2003 11:56:09 -0500
From: msg
Subject: cygwin_logon_user() not working
To: cygwin AT cygwin DOT com
Message-id: <3F0EEC29.447921AB@cybertheque.org>
Organization: Cybertheque Museum

Greetings:

Please help us to get NT authentication working. This is the platform:

Windows 2000 server sp3
Cygwin 1.3.22-1
CYGWIN=ntsea ntsec

Users 'root' and 'Administrator' have these additional permissions:

Act as part of the operating system
    specifically set to these two users
Replace process level token
    specifically set to these two users
Increase quotas
    set for 'Administrators' group to which these two users belong

/etc/passwd contains a real encrypted password for user 'root' and none for user 'Administrator'; user root is uid=0 gid=0. /etc/passwd also contains an entry for a non-privileged user 'infra' with a real encrypted password.

The C code at the end of this message is a test of authentication; it will take a username as its single argument and get its entry from /etc/passwd, verify the typed-in passwd (using crypt()) and attempt to get the NT access token and, if successful, call setuid() to the new uid and create an empty file in /var/tmp which should be owned by the new uid.

The code fails on the call to cygwin_logon_user() which returns -1 (invalid HANDLE). The output of 'strace' on this program shows cygwin_logon_user() extracting the /etc/passwd information followed by a 'windows error 1314' which is 'unknown' and converted to error 13.

Someone else posted this problem some years ago to the list but received no responses.
We've tried running the program from a bash shell logged-in as user 'root' and again logged-in as user 'Administrator' with no difference (Windows logins, not cygwin 'login' logins).

Here is an example of running the program (user root's prompt is '# '):

# cd /var/tmp/deleteme
# ./tryit infra
Password:
Fields from /etc/passwd for user: infra
        'UID' is:1005
Password verified
Bad NT access token
#

Extracted from 'strace':

19870 3594869 [main] tryit 1844 extract_nt_dom_user: pw_gecos = A041577 (In House Account,U-WTS01\infra,
S-1-5-21-746137067-839522115-1343024091-1005)
 1844 cygwin_logon_user: LogonUserA (infra, WTS01, , ...)
 1844 seterrno_from_win_error: /netrel/src/cygwin-1.3.22-1
/winsup/cygwin/security.cc:140 windows error 1314
 1844 geterrno_from_win_error: unknown windows error 1314, setting errno to 13

Here is the test program's source:

/* --- tryit.c --- to build: gcc -o tryit tryit.c -lcrypt */

/* #include */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <crypt.h>
#include <windows.h>     /* HANDLE, INVALID_HANDLE_VALUE */
#include <sys/cygwin.h>  /* cygwin_logon_user(), cygwin_set_impersonation_token() */

int
main(int argc, char *argv[])
{
    FILE *fp;
    HANDLE token;
    struct passwd *passwd_entry;
    char *password;
    char *hashed;

    /* Exactly one argument: the user name to look up in /etc/passwd. */
    switch (argc) {
    case 2:
        if ((passwd_entry = getpwnam(argv[1])) == NULL) {
            printf("Bad user name %s\n", argv[1]);
            return(1);
        }
        break;
    default:
        printf("Usage: %s \n", argv[0]);
        return(0);
    }

    password = getpass("Password:");

    printf("Fields from /etc/passwd for user: %s\n", argv[1]);
    printf("\t'UID' is:%d\n", passwd_entry->pw_uid);

    /* Check the typed password against the hash stored in /etc/passwd. */
    hashed = crypt(password, passwd_entry->pw_passwd);
    if (hashed != NULL && strcmp(passwd_entry->pw_passwd, hashed) == 0) {
        printf("Password verified\n");
    } else {
        printf("Bad Password\n");
        return(1);
    }

    /* Ask Windows for an access token for this user (calls LogonUserA). */
    token = cygwin_logon_user(passwd_entry, password);
    if (token == INVALID_HANDLE_VALUE) {
        printf("Bad NT access token\n");
        return(1);
    }

    /* Register the token so that the setuid() below switches to the new user. */
    cygwin_set_impersonation_token(token);

    if (setuid((uid_t)passwd_entry->pw_uid) != 0) {
        printf("Unable to set uid to %d\n", passwd_entry->pw_uid);
        return(1);
    }

    /* This file should end up owned by the new uid. */
    if ((fp = fopen("/var/tmp/crapola", "w")) == NULL) {
        printf("Unable to create /var/tmp/crapola\n");
        return(1);
    }
    fclose(fp);
    return(0);
}
----------------------------------------------------------------------

All help is very much appreciated.

Michael Grigoni
Cybertheque Museum
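
An added example, not part of the original post and not Cygwin code: a small Python triage script that runs over the strace lines quoted in the message, pairs the LogonUserA call with the Win32 error recorded after it, and names the code using the values from winerror.h. The function name triage and the table of codes are this example's own choices; the sample lines are copied from the post, one record per line.

```python
import re

# Win32 codes a failed LogonUser call commonly returns (values from winerror.h).
WIN32_LOGON_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1314: "ERROR_PRIVILEGE_NOT_HELD",
    1326: "ERROR_LOGON_FAILURE",
    1327: "ERROR_ACCOUNT_RESTRICTION",
    1331: "ERROR_ACCOUNT_DISABLED",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED",
}

# strace lines from the post, one record per line.
SAMPLE = r"""
19870 3594869 [main] tryit 1844 extract_nt_dom_user: pw_gecos = A041577 (In House Account,U-WTS01\infra, S-1-5-21-746137067-839522115-1343024091-1005)
1844 cygwin_logon_user: LogonUserA (infra, WTS01, , ...)
1844 seterrno_from_win_error: /netrel/src/cygwin-1.3.22-1 /winsup/cygwin/security.cc:140 windows error 1314
1844 geterrno_from_win_error: unknown windows error 1314, setting errno to 13
"""

# "<pid> <cygwin function>: <message>", with or without the timing prefix.
RECORD = re.compile(r"\b(?P<pid>\d+) (?P<func>[A-Za-z_]\w*): (?P<msg>.*)$")

def triage(strace_text):
    """Pair each Win32 API call seen in the trace with the error that follows it."""
    findings, last_call = [], None
    for line in strace_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        call = re.match(r"(\w+) \((.*)\)$", msg)
        if call:  # e.g. "LogonUserA (infra, WTS01, , ...)"
            last_call = {"pid": int(m["pid"]), "caller": func, "api": call[1],
                         "args": [a.strip() for a in call[2].split(",")]}
            continue
        err = re.search(r"windows error (\d+)", msg)
        if err and func == "seterrno_from_win_error" and last_call:
            code = int(err[1])
            findings.append({**last_call, "win32_error": code,
                             "name": WIN32_LOGON_ERRORS.get(code, "UNKNOWN")})
        mapped = re.search(r"windows error (\d+), setting errno to (\d+)", msg)
        if mapped and findings and findings[-1]["win32_error"] == int(mapped[1]):
            findings[-1]["errno"] = int(mapped[2])  # errno Cygwin reports to the caller
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

On the lines above it reports ERROR_PRIVILEGE_NOT_HELD (1314, "A required privilege is not held by the client") for the LogonUserA call made from cygwin_logon_user, which Cygwin then maps to errno 13 (EACCES).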