author | Corinna Vinschen <corinna@vinschen.de> | 2019-02-18 17:59:56 +0100 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2019-02-18 17:59:56 +0100 |
commit | a96d68c5bd88080406d4523236449cf43ecebf39 (patch) | |
tree | 8b55e608b757c97ccc08c2237cba7da2a94a0b01 | |
parent | 959077ac0a6d03630e1df7cfcc6bdc602c47c0b2 (diff) | |
Cygwin: s4uauth: make sure to fetch correct package id
For domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon
second. But we only fetch the package id for the supporting
authentication package (Kerberos/MsV1_0) once at the start.
Duplicate the LsaLookupAuthenticationPackage call and move it into the
Kerb/MsV1_0 branches so that it fetches the correct package id
for the method we call next.
Curiously enough, this worked before. Apparently both methods
work with the MICROSOFT_KERBEROS_NAME_A package id. However,
requesting and using the right authentication package id is
the prudent thing to do.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
-rw-r--r-- | winsup/cygwin/sec_auth.cc | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index d66a2a5d8..6588e6781 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -1475,15 +1475,6 @@ s4uauth (struct passwd *pw) extract_nt_dom_user (pw, domain, user); try_kerb_auth = cygheap->dom.member_machine () && wcscasecmp (domain, cygheap->dom.account_flat_name ()); - RtlInitAnsiString (&name, try_kerb_auth ? MICROSOFT_KERBEROS_NAME_A - : MSV1_0_PACKAGE_NAME); - status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id); - if (status != STATUS_SUCCESS) - { - debug_printf ("LsaLookupAuthenticationPackage: %y", status); - __seterrno_from_nt_status (status); - goto out; - } /* Create origin. */ stpcpy (origin.buf, "Cygwin"); RtlInitAnsiString (&origin.str, origin.buf); @@ -1496,6 +1487,14 @@ s4uauth (struct passwd *pw) KERB_S4U_LOGON *s4u_logon; USHORT name_len; + RtlInitAnsiString (&name, MICROSOFT_KERBEROS_NAME_A); + status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id); + if (status != STATUS_SUCCESS) + { + debug_printf ("LsaLookupAuthenticationPackage: %y", status); + __seterrno_from_nt_status (status); + goto out; + } wcpcpy (wcpcpy (wcpcpy (sam_name, domain), L"\\"), user); if (TranslateNameW (sam_name, NameSamCompatible, NameUserPrincipal, upn_name, &size) == 0) @@ -1563,6 +1562,14 @@ msv1_0_auth: MSV1_0_S4U_LOGON *s4u_logon; USHORT user_len, domain_len; + RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME); + status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id); + if (status != STATUS_SUCCESS) + { + debug_printf ("LsaLookupAuthenticationPackage: %y", status); + __seterrno_from_nt_status (status); + goto out; + } user_len = wcslen (user) * sizeof (WCHAR); domain_len = wcslen (domain) * sizeof (WCHAR); /* Local machine */ authinf_size = sizeof (MSV1_0_S4U_LOGON) + user_len + domain_len; |
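Review bot: The failure message added in the Kerberos branch, `debug_printf ("LsaLookupAuthenticationPackage: %y", status);`, is byte-identical to the one added in the MsV1_0 hunk further down, so a debug trace of a failed logon cannot tell which package lookup returned the status. Naming the package in each message would fix that, e.g. `debug_printf ("LsaLookupAuthenticationPackage (Kerberos): %y", status);` here and the same with `(MsV1_0)` in the later hunk. Separately, a failed lookup here jumps to `out` instead of continuing with the MsV1_0 attempt that the commit message describes as the second method. If that is intended, a short comment stating that a lookup failure is fatal would help; the rest of the branch lies outside the hunk, so the fallback path cannot be checked from here.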
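Review bot: The lookup added right after the declarations under `msv1_0_auth:` deserves a comment, because `package_id` may still hold the Kerberos id when this branch is entered after the Kerberos attempt (inferred from the commit message; the jump itself is not visible in the hunk). Something like `/* package_id may still be the Kerberos one here; always look up MsV1_0 before the logon call. */` would keep a later cleanup from hoisting the call back to the top of s4uauth. The block continues past the end of the hunk.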