Pierre A. Humblet
Fri Dec 13 07:38:00 GMT 2002

Corinna Vinschen wrote:
> ...that sounds like the best approach to begin with.  For gods sake
> we have create_token which works on NT4.  The additional advantage
> of getting a fine logon session id would then require 2K or XP...
> which isn't too bad.
> If we require that stuff to work on NT4 from the beginning I fear we
> will get stuck in all the workaround and licensing hogwash.
> Other opinion anyone?
Nice work, Hartmut.
I fully agree with Corinna's approach. Let's keep it simple.

I have one concern: does subauthentication require access
to the PDC for domain users?
Using NtCreateToken doesn't *when* setgroups has been called.

I would prefer keeping it that way, thus possibly skipping the
call to subauth when setgroups has been called (ftpd, telnetd, 
sshd do not call setgroups, AFAIK). It is also unlikely that
the token created by subauth would match the groups specified
by setgroups.


More information about the Cygwin-developers mailing list