Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe:
List-Archive:
List-Post:
List-Help:
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
From: "Hartmut Honisch"
To:
Subject: RE: Subauthentication
Date: Sat, 14 Dec 2002 00:12:01 +0100
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
In-Reply-To: <3DF9FF0E.6C0400DC@ieee.org>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

> I have one concern: does subauthentication require access
> to the PDC for domain users?

Yes. The subauthentication dll would have to be installed on a domain
controller. I suppose that's almost never going to be the case. So it's only
going to work for local users.

> I would prefer keeping it that way, thus possibly skipping the
> call to subauth when setgroups has been called (ftpd, telnetd,
> sshd do not call setgroups, AFAIK). It is also unlikely that
> the token created by subauth would match the groups specified
> by setgroups.

Couldn't we just always call subauth and just check if it was successful?
That way, a user could install the cygwin subauthentication module on
whatever machine he needs to. If subauth is successful, we let verify_token
decide whether to use the subauth token or to call create_token, but at least
have create_token use the subauth token's logon session id. Like in the
following algorithm:

    // Always call subauthentication. If a subauth dll is installed (either
    // locally or on the PDC), it will succeed. Otherwise, it will fail.
    SubauthToken = CallSubauthentication(...);

    // Check if subauthentication was successful
    if (IsValidToken(SubauthToken))
    {
        if (verify_token(SubauthToken))
            // Use subauthentication token
            NewToken = SubauthToken;
        else
            // Call NtCreateToken, but use SubauthToken's logon session id
            NewToken = create_token(SubauthToken.LogonSessionId, ...);
    }
    else
    {
        // Call NtCreateToken and use current logon session id
        NewToken = create_token(CurrentLogonSessionId, ...);
    }

Hartmut
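The fallback chain proposed above, as an added example that is not part of the original post and not Cygwin's own code: Windows access tokens, SIDs and the LSA subauthentication call are replaced by plain structs and a constructed result, so the decision logic (try subauth first, use its token only when the group set matches what setgroups asked for, otherwise build a token but keep the subauth logon session, and fall back to the current session when subauth failed) can be exercised offline. Every name here (SimToken, choose_token, scenario, the group numbers and session ids) is an assumption made for this example.

```c
/* Added example, not from the cygwin-developers thread or from Cygwin itself.
 * Models the token-selection algorithm in the post with plain C structs;
 * all names and sample values below are constructed for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 8

/* Stand-in for an access token: validity, logon session id and group ids. */
typedef struct {
    bool valid;
    unsigned long logon_session_id;
    unsigned long groups[MAX_GROUPS];
    int ngroups;
} SimToken;

/* Which branch of the algorithm produced the final token. */
typedef enum {
    USED_SUBAUTH,
    CREATED_FROM_SUBAUTH_SESSION,
    CREATED_FROM_CURRENT_SESSION
} TokenSource;

/* verify_token stand-in: the subauth token is usable only if its group set
 * exactly matches the groups requested via setgroups (order-insensitive). */
static bool verify_token(const SimToken *tok, const unsigned long *want, int nwant)
{
    if (!tok->valid || tok->ngroups != nwant)
        return false;
    for (int i = 0; i < nwant; i++) {
        bool found = false;
        for (int j = 0; j < tok->ngroups; j++)
            if (tok->groups[j] == want[i]) { found = true; break; }
        if (!found)
            return false;
    }
    return true;
}

/* create_token stand-in for NtCreateToken: a token with exactly the
 * requested groups, bound to the given logon session id. */
static SimToken create_token(unsigned long logon_session_id,
                             const unsigned long *groups, int ngroups)
{
    SimToken t = { .valid = true, .logon_session_id = logon_session_id, .ngroups = ngroups };
    memcpy(t.groups, groups, (size_t)ngroups * sizeof groups[0]);
    return t;
}

/* The algorithm from the post. `subauth` is what the (simulated)
 * subauthentication call returned; `current_session` is the caller's own
 * logon session id; `want` is the group list from setgroups. */
static SimToken choose_token(const SimToken *subauth, unsigned long current_session,
                             const unsigned long *want, int nwant, TokenSource *src)
{
    if (subauth->valid) {                       /* subauth dll present and it worked */
        if (verify_token(subauth, want, nwant)) {
            *src = USED_SUBAUTH;                /* groups match: take the token as is */
            return *subauth;
        }
        *src = CREATED_FROM_SUBAUTH_SESSION;    /* groups differ: build our own, keep session */
        return create_token(subauth->logon_session_id, want, nwant);
    }
    *src = CREATED_FROM_CURRENT_SESSION;        /* no subauth: build from current session */
    return create_token(current_session, want, nwant);
}

/* Three constructed scenarios: 0 = subauth ok and groups match,
 * 1 = subauth ok but groups differ, 2 = subauth failed (no dll installed). */
static SimToken scenario(int which, TokenSource *src)
{
    const unsigned long want[] = { 513, 1001 };   /* constructed setgroups list */
    SimToken sub;
    memset(&sub, 0, sizeof sub);
    sub.logon_session_id = 0x4242;                /* constructed subauth session id */
    if (which == 0) { sub.valid = true; sub.groups[0] = 1001; sub.groups[1] = 513; sub.ngroups = 2; }
    else if (which == 1) { sub.valid = true; sub.groups[0] = 513; sub.ngroups = 1; }
    return choose_token(&sub, 0x1111, want, 2, src); /* 0x1111 = constructed current session */
}

static int scenario_source(int which) { TokenSource s; scenario(which, &s); return (int)s; }
static unsigned long scenario_session(int which) { TokenSource s; return scenario(which, &s).logon_session_id; }

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("scenario %d: source=%d session=%#lx\n", i, scenario_source(i), scenario_session(i));
    return 0;
}
```

The point the model makes visible is the middle branch: even when the subauth token's groups do not match what setgroups requested, the logon session id it carries is still reused for the created token, so only a completely failed subauthentication falls back to the caller's current session.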