Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
From: "Hartmut Honisch"
Subject: RE: Subauthentication
Date: Sat, 14 Dec 2002 14:18:48 +0100
In-Reply-To: <20021214094332.M19104@cygbert.vinschen.de>

> On Sat, Dec 14, 2002 at 12:12:01AM +0100, Hartmut Honisch wrote:
> > > I have one concern: does subauthentication require access
> > > to the PDC for domain users?
> >
> > Yes. The subauthentication dll would have to be installed on a domain
> > controller. I suppose that's almost never
> > going to be the case. So it's only going to work for local users.
>
> ?!? Wait, I thought the subauth module is on the local box and
> the LSA itself will connect the PDC if necessary ?!?

I'm not 100% sure about that. But if I interpret the MSDN correctly, it works like this:

- The logon application (cygwin1.dll in our case) calls LsaLogonUser and requests subauthentication.
- LSA will contact the MSV1_0 authentication package (AP) on the domain controller specified in "LsaLogonUser". For local accounts, that will be the local AP, and for domain accounts the AP on the domain controller. After all, only the authenticating authority can validate user credentials, and that is the PDC for domain accounts.
- The AP will look for the requested cygwin subauthentication package, which will have to be installed on the same machine, i.e. the PDC for domain accounts.

> However, I see two problems:
>
> - What happens to the handle returned by subauth? Can we close it
> after we constructed another token? Or would that invalidate the
> logon session id?
From MSDN: "A logon session terminates when the last token referencing the logon session is deleted." So hopefully NtCreateToken will increment the reference count for the logon session. I'll check if that's the case.

> > SubauthToken = CallSubauthentication(...);
> ^^^^^^^^^^^^^^^^^^^^^
> you mean
>
> SubauthToken = subauth(...);
>
> right?

Yes.

> > // Check if subauthentication was successful
> > if(IsValidToken(SubauthToken))
>
> Is that necessary? subauth() returns INVALID_HANDLE_VALUE if it can't
> create a token.

Sorry. I guess my pseudo code was too abstract. Yes, INVALID_HANDLE_VALUE means invalid token.

I guess I have to look at the authentication code more closely and talk to Pierre about how to avoid calling the PDC to speed things up.

Hartmut
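The thread turns on where the subauthentication DLL has to live: on the machine whose MSV1_0 package validates the credentials, which for domain accounts is the domain controller. The following PowerShell script is an added audit example, not code from the Cygwin project or from the thread. It lists the subauthentication packages registered on the machine it runs on and reports whether that machine is a domain controller. It relies on the documented registration scheme, in which a subauth DLL is recorded as a REG_SZ value named Auth<Id> under the MSV1_0 Lsa key; the assumption that a bare file name resolves from System32 is mine and is marked in the code.

```powershell
# Added audit example (not from the cygwin-developers thread).
# Lists the MSV1_0 subauthentication packages registered on this machine.
# Documented scheme: each package is a REG_SZ value "Auth<Id>" (e.g. Auth255)
# under the MSV1_0 key, holding the DLL name that LSA loads into lsass.exe.
# Run elevated on the machine you want to audit.

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-SubauthPackage {
    param([string]$KeyPath = $Msv1Key)

    $item = Get-Item -Path $KeyPath -ErrorAction Stop
    foreach ($name in $item.GetValueNames()) {
        # Only values named Auth<digits> denote subauthentication packages.
        if ($name -match '^Auth(\d+)$') {
            $dll = [string]$item.GetValue($name)
            # Assumption (not verified against LSA's loader): a bare file name
            # is looked up in System32, the directory lsass.exe loads from.
            $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                    else { Join-Path $env:SystemRoot "System32\$dll" }
            $exists = Test-Path -LiteralPath $path
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
            [pscustomobject]@{
                Id        = [int]$Matches[1]
                ValueName = $name
                Dll       = $dll
                Path      = $path
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

function Get-DomainRoleLabel {
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 member/standalone
    # server, 4 backup domain controller, 5 primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    switch ($role) {
        0 { 'Standalone workstation' }
        1 { 'Member workstation' }
        2 { 'Standalone server' }
        3 { 'Member server' }
        4 { 'Backup domain controller' }
        5 { 'Primary domain controller' }
        default { "Unknown role $role" }
    }
}

Write-Output ("{0}: {1}" -f $env:COMPUTERNAME, (Get-DomainRoleLabel))

$packages = @(Get-SubauthPackage)
if ($packages.Count -eq 0) {
    Write-Output 'No MSV1_0 subauthentication packages are registered here.'
} else {
    # A package present on a workstation but absent from the DCs will not be
    # consulted for domain accounts, which is the concern raised in the thread.
    $packages | Format-Table -AutoSize
}
```

Run it on a workstation and on a domain controller and compare the two listings: a package that appears only on the workstation is exactly the situation the thread describes, where domain logons bypass it because MSV1_0 on the DC validates the credentials. The signature status column is there because anything registered here is loaded into lsass.exe, so an unsigned or missing DLL in this list deserves attention.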