Hartmut Honisch
Fri Dec 13 15:12:00 GMT 2002

> I have one concern: does subauthentication require access
> to the PDC for domain users?

Yes. The subauthentication dll would have to be installed on a domain
controller. I suppose that's almost never
going to be the case. So it's only going to work for local users.

> I would prefer keeping it that way, thus possibly skipping the
> call to subauth when setgroups has been called (ftpd, telnetd,
> sshd do not call setgroups, AFAIK). It is also unlikely that
> the token created by subauth would match the groups specified
> by setgroups.

Couldn't we just always call subauth and just check if it was successful?
That way, a user could install the cygwin subauthentication module on
whatever machine he needs to.
If subauth is successful, we let verify_token decide whether to use the
subauth token or to call create_token, but at least have create_token use
the subauth token's logon session id.

Like in the following algorithm:

// Always call subauthentication. If a subauth dll is installed (either
locally or on the PDC),
// it will succeed. Otherwise, it will fail

SubauthToken = CallSubauthentication(...);

// Check if subauthentication was successful
    // Use subauthentication token
    NewToken = SubauthToken
    // Call NtCreateToken, but use SubauthToken's logon session id
    NewToken = create_token(SubauthToken.LogonSessionId, ...);
    // Call NtCreateToken and use current logon session id
    NewToken = create_token(CurrentLogonSessionId, ...);


More information about the Cygwin-developers mailing list