Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Message-ID: <3DF9FF0E.6C0400DC@ieee.org>
Date: Fri, 13 Dec 2002 10:38:54 -0500
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: cygwin-developers AT cygwin DOT com
Subject: Re: Subauthentication
References: <20021213130733 DOT P7796 AT cygbert DOT vinschen DOT de> <NFBBLLCAILKHOEOHEFMHGEAJCEAA DOT hartmut_honisch AT web DOT de> <20021213140618 DOT S7796 AT cygbert DOT vinschen DOT de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Corinna Vinschen wrote:
> 
> 
> ...that sounds like the best approach to begin with.  For gods sake
> we have create_token which works on NT4.  The additional advantage
> of getting a fine logon session id would then require 2K or XP...
> which isn't too bad.
> 
> If we require that stuff to work on NT4 from the beginning I fear we
> will get stuck in all the workaround and licensing hogwash.
> 
> Other opinion anyone?
> 
Nice work, Hartmut.
I fully agree with Corinna's approach. Let's keep it simple.

I have one concern: does subauthentication require access
to the PDC for domain users?
Using NtCreateToken doesn't *when* setgroups has been called.

I would prefer keeping it that way, thus possibly skipping the
call to subauth when setgroups has been called (ftpd, telnetd, 
sshd do not call setgroups, AFAIK). It is also unlikely that
the token created by subauth would match the groups specified
by setgroups.

Pierre