[newlib-cygwin] Cygwin: s4uauth: make sure to fetch correct package id

Corinna Vinschen corinna@sourceware.org
Mon Feb 18 20:46:00 GMT 2019


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=a96d68c5bd88080406d4523236449cf43ecebf39

commit a96d68c5bd88080406d4523236449cf43ecebf39
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Mon Feb 18 17:59:56 2019 +0100

    Cygwin: s4uauth: make sure to fetch correct package id
    
    for domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon
    second.  But we only fetch the package id for the supporting
    authentication package (Kerberos/MsV1_0) once at the start.
    
    Duplicate LsaLookupAuthenticationPackage call and move into the
    Kerb/MsV1_0 branches so that it fetches the correct package id
    for the method we call next.
    
    Curiously enough, this worked before.  Apparently both methods
    work with the MICROSOFT_KERBEROS_NAME_A package id.  However,
    requesting and using the right authentication package id is
    the prudent thing to do.
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/sec_auth.cc | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index d66a2a5..6588e67 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1475,15 +1475,6 @@ s4uauth (struct passwd *pw)
   extract_nt_dom_user (pw, domain, user);
   try_kerb_auth = cygheap->dom.member_machine ()
 		  && wcscasecmp (domain, cygheap->dom.account_flat_name ());
-  RtlInitAnsiString (&name, try_kerb_auth ? MICROSOFT_KERBEROS_NAME_A
-					  : MSV1_0_PACKAGE_NAME);
-  status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
-  if (status != STATUS_SUCCESS)
-    {
-      debug_printf ("LsaLookupAuthenticationPackage: %y", status);
-      __seterrno_from_nt_status (status);
-      goto out;
-    }
   /* Create origin. */
   stpcpy (origin.buf, "Cygwin");
   RtlInitAnsiString (&origin.str, origin.buf);
@@ -1496,6 +1487,14 @@ s4uauth (struct passwd *pw)
       KERB_S4U_LOGON *s4u_logon;
       USHORT name_len;
 
+      RtlInitAnsiString (&name, MICROSOFT_KERBEROS_NAME_A);
+      status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
+      if (status != STATUS_SUCCESS)
+	{
+	  debug_printf ("LsaLookupAuthenticationPackage: %y", status);
+	  __seterrno_from_nt_status (status);
+	  goto out;
+	}
       wcpcpy (wcpcpy (wcpcpy (sam_name, domain), L"\\"), user);
       if (TranslateNameW (sam_name, NameSamCompatible, NameUserPrincipal,
 			  upn_name, &size) == 0)
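Review bot: A failed Kerberos package lookup at the top of this branch goes straight to `out`, so the MsV1_0 attempt is never made for that account. If the other failure paths in this branch jump to `msv1_0_auth` (they are outside the hunk), `goto msv1_0_auth;` here would match the Kerberos-first, MsV1_0-second order the commit message describes. The debug message is also identical to the one added under `msv1_0_auth:`, so a log line does not say which package failed; naming it, e.g. `debug_printf ("LsaLookupAuthenticationPackage (Kerberos): %y", status);`, would disambiguate both sites. The branch starts and ends outside the hunk.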
@@ -1563,6 +1562,14 @@ msv1_0_auth:
   MSV1_0_S4U_LOGON *s4u_logon;
   USHORT user_len, domain_len;
 
+  RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
+  status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
+  if (status != STATUS_SUCCESS)
+    {
+      debug_printf ("LsaLookupAuthenticationPackage: %y", status);
+      __seterrno_from_nt_status (status);
+      goto out;
+    }
   user_len = wcslen (user) * sizeof (WCHAR);
   domain_len = wcslen (domain) * sizeof (WCHAR);	/* Local machine */
   authinf_size = sizeof (MSV1_0_S4U_LOGON) + user_len + domain_len;
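Review bot: Nothing at `msv1_0_auth:` says why the package lookup is repeated here, so a later cleanup could hoist it back to the top of s4uauth and reintroduce the mismatch. A short comment above the added `RtlInitAnsiString` call would keep the intent, e.g. `/* Fetch the MsV1_0 package id here; when falling back from Kerberos, package_id still holds the Kerberos id. */`. The block under the label continues past the hunk.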


