X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Mon, 17 Dec 2012 11:21:29 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Cygrunsrv and special Windows virtual accounts "NT SERVICE"
Message-ID: <20121217102129.GB1183@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <5F8AAC04F9616747BC4CC0E803D5907D053F8671 AT MLBXv04 DOT nih DOT gov> <20121214160616 DOT GI6237 AT calimero DOT vinschen DOT de> <5F8AAC04F9616747BC4CC0E803D5907D053F86BD AT MLBXv04 DOT nih DOT gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5F8AAC04F9616747BC4CC0E803D5907D053F86BD@MLBXv04.nih.gov>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Dec 14 16:23, Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote:
> > http://cygwin.com/ml/cygwin/2012-12/msg00154.html
> 
> Thanks.
> 
> > I'm wondering if it's such a bright idea to use a NULL password based on
> > a check for a certain domain.  That's practically guaranteed to break
> > at one point again.
> 
> I don’t think Microsoft is going to drop "NT SERVICE\" in any near future
> (they've just had the feature introduced!).  This is the only domain that
> needs to be treated specially (for now).

That's not how I understand the documentation:
http://technet.microsoft.com/en-us/library/dd548356.aspx

Virtual accounts use the NT SERVICE domain, but managed accounts 
seem to be subsumed under your normal AD domain name.

> > !pass || pass[0] == '\0'
> 
> MSDN says that password-less accounts must provide an empty string
> (and it does not mention NULL).  More cumbersome logic can involve
> checking for both the special domain and empty/NULL password (as above),
> resulting in NULL lpPassword only when both checks have been met.
> 
> > what about something like `-w NULL'?
> 
> I would not vote for this.  This precludes that the string "NULL" cannot
> be used as an otherwise regular password.

Apart from the fact that NULL is a terrible password, I'd still be more
comfortable to allow a NULL password as a user defined option on the
command line.  If not -W NULL, what about '-w -' or a long-only option
like --null-pwd?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple