Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
From: "Hartmut Honisch" <hartmut_honisch AT web DOT de>
To: <cygwin-developers AT cygwin DOT com>
Subject: RE: Subauthentication
Date: Sat, 14 Dec 2002 14:18:48 +0100
Message-ID: <NFBBLLCAILKHOEOHEFMHGEANCEAA.hartmut_honisch@web.de>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
In-Reply-To: <20021214094332.M19104@cygbert.vinschen.de>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

> On Sat, Dec 14, 2002 at 12:12:01AM +0100, Hartmut Honisch wrote:
> > > I have one concern: does subauthentication require access
> > > to the PDC for domain users?
> >
> > Yes. The subauthentication dll would have to be installed on a domain
> > controller. I suppose that's almost never
> > going to be the case. So it's only going to work for local users.
>
> ?!?  Wait, I thought the subauth module is on the local box and
> the LSA itself will connect the PDC if necessary ?!?

I'm not 100% sure about that. But if I interpret the MSDN correctly, it
works like this:
- The logon application (cygwin1.dll in our case) calls LsaLogonUser and
requests subauthentication.
- LSA will contact the MSV1_0 authentication package (AP) on the domain
controller specified in "LsaLogonUser". For local accounts, that will be the
local AP, and for domain accounts the AP on the domain controller. After
all, only the authenticating authority can validate user credentials, and
that is the PDC for domain accounts.
- The the AP will look for the requested cygwin subauthentication package,
which will have to be installed on the same machine, i.e. the PDC for domain
accounts


> However, I see two problems:
>
> - What happens to the handle returned by subauth?  Can we close it
>   after we constructed another token?  Or would that invalidate the
>   logon session id?

From MSDN:
"A logon session terminates when the last token referencing the logon
session is deleted."

So hopefully NtCreateToken will increment the reference count for the logon
session. I'll check if that's the case.

> > SubauthToken = CallSubauthentication(...);
>                  ^^^^^^^^^^^^^^^^^^^^^
> you mean
>
>   SubauthToken = subauth(...);
>
> right?

Yes.

> > // Check if subauthentication was successful
> > if(IsValidToken(SubauthToken))
> Is that necessary?  subauth() returns INVALID_HANDLE_VALUE if it can;t
> create a token.

Sorry. I guess my pseudo code was too abstract. Yes, INVALID_HANDLE_VALUE
means invalid token.

I guess I have to look at the authentication code more closely and talk to
Pierre about how to avoid calling the PDC to speed things up.

Hartmut