From a96d68c5bd88080406d4523236449cf43ecebf39 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Mon, 18 Feb 2019 17:59:56 +0100
Subject: [PATCH] Cygwin: s4uauth: make sure to fetch correct package id for domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon second. But we only fetch the package id for the supporting authentication package (Kerberos/MsV1_0) once at the start. Duplicate LsaLookupAuthenticationPackage call and move into the Kerb/MsV1_0 branches so that it fetches the correct package id for the method we call next. Curious enough this worked before. Apparently both methods work with the MICROSOFT_KERBEROS_NAME_A package id. However, requesting and using the right authentication package id is the prudent thing to do.
Signed-off-by: Corinna Vinschen
---
 winsup/cygwin/sec_auth.cc | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index d66a2a5d8..6588e6781 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1475,15 +1475,6 @@ s4uauth (struct passwd *pw)
 extract_nt_dom_user (pw, domain, user);
 try_kerb_auth = cygheap->dom.member_machine () && wcscasecmp (domain, cygheap->dom.account_flat_name ());
- RtlInitAnsiString (&name, try_kerb_auth ? MICROSOFT_KERBEROS_NAME_A
- : MSV1_0_PACKAGE_NAME);
- status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
- if (status != STATUS_SUCCESS)
- {
- debug_printf ("LsaLookupAuthenticationPackage: %y", status);
- __seterrno_from_nt_status (status);
- goto out;
- }
 /* Create origin. */
 stpcpy (origin.buf, "Cygwin");
 RtlInitAnsiString (&origin.str, origin.buf);
@@ -1496,6 +1487,14 @@ s4uauth (struct passwd *pw)
 KERB_S4U_LOGON *s4u_logon;
 USHORT name_len;
+ RtlInitAnsiString (&name, MICROSOFT_KERBEROS_NAME_A);
+ status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
+ if (status != STATUS_SUCCESS)
+ {
+ debug_printf ("LsaLookupAuthenticationPackage: %y", status);
+ __seterrno_from_nt_status (status);
+ goto out;
+ }
 wcpcpy (wcpcpy (wcpcpy (sam_name, domain), L"\\"), user);
 if (TranslateNameW (sam_name, NameSamCompatible, NameUserPrincipal, upn_name, &size) == 0)
@@ -1563,6 +1562,14 @@ msv1_0_auth:
 MSV1_0_S4U_LOGON *s4u_logon;
 USHORT user_len, domain_len;
+ RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
+ status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
+ if (status != STATUS_SUCCESS)
+ {
+ debug_printf ("LsaLookupAuthenticationPackage: %y", status);
+ __seterrno_from_nt_status (status);
+ goto out;
+ }
 user_len = wcslen (user) * sizeof (WCHAR);
 domain_len = wcslen (domain) * sizeof (WCHAR); /* Local machine */
 authinf_size = sizeof (MSV1_0_S4U_LOGON) + user_len + domain_len;
-- 2.43.5
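Review bot: The Kerberos lookup added at the top of this block leaves with `goto out;` on failure, so the MsV1_0 attempt under the `msv1_0_auth:` label is never made in that case, although the commit message describes MsV1_0 as the second method tried. How the other failures in this branch are handled is not visible in the hunk; if they fall through to that label, `goto msv1_0_auth;` would match them. If failing closed is the intent, a comment above the check such as `/* A missing Kerberos package is fatal; do not fall back to MsV1_0. */` would record the decision. The enclosing block begins and ends outside this hunk.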
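Review bot: The lookup added after the declarations under `msv1_0_auth:` carries no comment saying why it repeats a call the Kerberos branch may already have made, and that reason is easy to lose in a later cleanup that merges the two lookups again. Going by the commit message, this block is the second method tried, so `package_id` can still hold the Kerberos id when control arrives here; the jump itself is outside the hunk. I would add `/* Re-fetch package_id: it must name the MsV1_0 package for the logon built below, not an id left over from the Kerberos attempt. */` above the `RtlInitAnsiString` call. The block continues past the end of the hunk.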