Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
From: "Hartmut Honisch"
To: "Pierre A. Humblet"
Subject: RE: Subauthentication
Date: Fri, 13 Dec 2002 11:55:46 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <3DF50D30.AE8FA801@ieee.org>

Hi Pierre,

I think I found a way to make GetUserName return the correct user after impersonating a token created by NtCreateToken: the token needs a valid logon session id, one that is associated with the correct user.

As I mentioned, when logging on, Windows creates a new logon session, and LSA associates the username with that session. And even though NtCreateToken allows specifying a TokenUser, it seems that when impersonating a token, Windows replaces the TokenUser by the user associated with the token's logon session id. And since create_token uses the active logon session associated with the _impersonating_ user, not the user to _be_ impersonated, TokenUser will contain the wrong user name after impersonating it.

So I successfully tried the following approach:

- use subauthentication to create a new logon session for the new user
- if the token is suitable (i.e. verify_token returns TRUE), use it for impersonation
- if the token is not suitable (because of the setgid issues you explained to me), call create_token, but reuse the subauthentication token's logon session id in the new token.

I verified that with a token created by NtCreateToken (with the right logon session id of course), I'm able to impersonate and GetUserName / GetTokenInformation(...TokenUser...) will give me the correct user.

Hartmut
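The observation above (a token carries a logon session id, and LSA maps that session to a user independently of the token's own TokenUser) can be checked on any Windows box without building Cygwin. The script below is an added example, not code from this message or from the Cygwin sources; it is written in PowerShell rather than Cygwin's C++ so it can be run directly. It reads the current token's TokenStatistics.AuthenticationId (the logon session id), asks LSA via LsaGetLogonSessionData which user that session belongs to, and prints it next to the name the token itself reports. The TokenProbe class name and the helper names AuthenticationId and SessionUser are my own; the Win32 structures and functions are the documented ones. Run it in a shell that is impersonating a token with a mismatched logon session (the situation Hartmut describes) and the two lines disagree; on an ordinary logon they agree.

```powershell
# Added example, not from the original message or the Cygwin project.
# Compares the user LSA associates with the current token's logon session
# against the user recorded in the token itself (TokenUser).
$src = @"
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {   // hypothetical helper class name
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_STATISTICS {
        public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
        public int TokenType; public int ImpersonationLevel; public uint DynamicCharged;
        public uint DynamicAvailable; public uint GroupCount; public uint PrivilegeCount;
        public LUID ModifiedId;
    }
    [StructLayout(LayoutKind.Sequential)] public struct LSA_UNICODE_STRING {
        public ushort Length; public ushort MaximumLength; public IntPtr Buffer;
    }
    // Only the leading fields are declared; the buffer is allocated by LSA,
    // so reading a prefix of the documented layout is safe.
    [StructLayout(LayoutKind.Sequential)] public struct SECURITY_LOGON_SESSION_DATA {
        public uint Size; public LUID LogonId; public LSA_UNICODE_STRING UserName;
        public LSA_UNICODE_STRING LogonDomain; public LSA_UNICODE_STRING AuthenticationPackage;
        public uint LogonType; public uint Session; public IntPtr Sid; public long LogonTime;
        public LSA_UNICODE_STRING LogonServer; public LSA_UNICODE_STRING DnsDomainName;
        public LSA_UNICODE_STRING Upn;
    }
    const int TokenStatistics = 10;   // TOKEN_INFORMATION_CLASS value
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool GetTokenInformation(IntPtr h, int cls, IntPtr info, int len, out int ret);
    [DllImport("secur32.dll")] static extern uint LsaGetLogonSessionData(ref LUID id, out IntPtr data);
    [DllImport("secur32.dll")] static extern uint LsaFreeReturnBuffer(IntPtr buf);

    // Logon session id (AuthenticationId) of the given token handle.
    public static LUID AuthenticationId(IntPtr token) {
        int size = Marshal.SizeOf(typeof(TOKEN_STATISTICS));
        IntPtr buf = Marshal.AllocHGlobal(size);
        try {
            int ret;
            if (!GetTokenInformation(token, TokenStatistics, buf, size, out ret))
                throw new System.ComponentModel.Win32Exception();
            return ((TOKEN_STATISTICS)Marshal.PtrToStructure(buf, typeof(TOKEN_STATISTICS))).AuthenticationId;
        } finally { Marshal.FreeHGlobal(buf); }
    }
    // DOMAIN\user that LSA has recorded for the logon session with this id.
    public static string SessionUser(LUID id) {
        IntPtr p;
        uint st = LsaGetLogonSessionData(ref id, out p);
        if (st != 0) throw new Exception("LsaGetLogonSessionData failed, NTSTATUS 0x" + st.ToString("X8"));
        try {
            var d = (SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(p, typeof(SECURITY_LOGON_SESSION_DATA));
            return Marshal.PtrToStringUni(d.LogonDomain.Buffer, d.LogonDomain.Length / 2) + "\\" +
                   Marshal.PtrToStringUni(d.UserName.Buffer, d.UserName.Length / 2);
        } finally { LsaFreeReturnBuffer(p); }
    }
}
"@
Add-Type -TypeDefinition $src

# WindowsIdentity.GetCurrent() returns the impersonation token when one is active.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$luid = [TokenProbe]::AuthenticationId($id.Token)
$sessionUser = [TokenProbe]::SessionUser($luid)

"TokenUser as recorded in the token     : $($id.Name)"
"Logon session id (AuthenticationId)    : {0:X8}:{1:X8}" -f $luid.HighPart, $luid.LowPart
"User LSA associates with that session  : $sessionUser"
if ($id.Name -ne $sessionUser) {
    "Mismatch: GetUserName under impersonation follows the logon session, not TokenUser."
}
```

The check is exactly the one Hartmut's third step relies on: when create_token has to build a new token, it is the AuthenticationId copied from the subauthentication token that makes the session lookup resolve to the intended user. The script reads only; it creates no tokens and needs no special privilege beyond querying its own token.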