Date: Fri, 13 Dec 2002 10:38:54 -0500
From: "Pierre A. Humblet"
To: cygwin-developers AT cygwin DOT com
Subject: Re: Subauthentication

Corinna Vinschen wrote:
>
> ...that sounds like the best approach to begin with. For god's sake
> we have create_token which works on NT4. The additional advantage
> of getting a fine logon session id would then require 2K or XP...
> which isn't too bad.
>
> If we require that stuff to work on NT4 from the beginning I fear we
> will get stuck in all the workaround and licensing hogwash.
>
> Other opinion anyone?
>

Nice work, Hartmut.

I fully agree with Corinna's approach. Let's keep it simple.

I have one concern: does subauthentication require access to the PDC
for domain users? Using NtCreateToken doesn't *when* setgroups has
been called. I would prefer keeping it that way, thus possibly
skipping the call to subauth when setgroups has been called
(ftpd, telnetd, sshd do not call setgroups, AFAIK).
It is also unlikely that the token created by subauth would match
the groups specified by setgroups.

Pierre