This is the mail archive of the
cygwin-developers@cygwin.com
mailing list for the Cygwin project.
RE: Subauthentication
- From: "Hartmut Honisch" <hartmut_honisch at web dot de>
- To: "Pierre A. Humblet" <Pierre dot Humblet at ieee dot org>
- Cc: <cygwin-developers at cygwin dot com>
- Date: Fri, 13 Dec 2002 11:55:46 +0100
- Subject: RE: Subauthentication
Hi Pierre,
I think I found a way to make GetUserName return the correct user after
impersonating a token created my NtCreateToken: The token needs a valid
logon session id, one that is associated with the correct user.
As I mentioned, when logging on, Windows creates a new logon session, and
LSA associates the username with that session.
And even though NtCreateToken allows to specify a TokenUser, It seems that
when impersonating a token, Windows replaces the TokenUser by the user
associated with the token's logon session id. And since create_token uses
the active logon session associated with the _impersonating_ user, not the
user to _be_ impersonated, TokenUser will contain the wrong user name after
impersonating it.
So I successfully tried the following approch:
- use subauthentication to create a new logon session for the new user
- if the token is suitable (i.e. verify_token returns TRUE), use it for
impersonation
- if the token is not suitable(because of the setgid issues you explained to
me), call create_token, but reuse the subauthentication token's logon
session id in the new token.
I verified that with a token created by NtCreateToken (with the right logon
session id of course), I'm able to impersonate and GetUserName /
GetTokenInformation(...TokenUser...) will give me the correct user.
Hartmut