JehanneOS/newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Cygwin: s4uauth: make sure to fetch correct package id

Browse Source 
for domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon
second.  But we only fetch the package id for the supporting
authentication package (Kerberos/MsV1_0) once at the start.

Duplicate LsaLookupAuthenticationPackage call and move into the
Kerb/MsV1_0 branches so that it fetches the correct package id
for the method we call next.

Curious enough this worked before.  Apparently both methods
work with the MICROSOFT_KERBEROS_NAME_A package id.  However,
requesting and using the right authentication package id is
the prudent thing to do.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen 2019-02-18 17:59:56 +01:00
parent 959077ac0a
commit a96d68c5bd
1 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
winsup/cygwin/sec_auth.cc
View File

@ -1475,15 +1475,6 @@ s4uauth (struct passwd *pw)
extract_nt_dom_user (pw, domain, user); extract_nt_dom_user (pw, domain, user);
try_kerb_auth = cygheap->dom.member_machine () try_kerb_auth = cygheap->dom.member_machine ()
&& wcscasecmp (domain, cygheap->dom.account_flat_name ()); && wcscasecmp (domain, cygheap->dom.account_flat_name ());
RtlInitAnsiString (&name, try_kerb_auth ? MICROSOFT_KERBEROS_NAME_A
: MSV1_0_PACKAGE_NAME);
status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
if (status != STATUS_SUCCESS)
{
debug_printf ("LsaLookupAuthenticationPackage: %y", status);
__seterrno_from_nt_status (status);
goto out;
}
/* Create origin. */ /* Create origin. */
stpcpy (origin.buf, "Cygwin"); stpcpy (origin.buf, "Cygwin");
RtlInitAnsiString (&origin.str, origin.buf); RtlInitAnsiString (&origin.str, origin.buf);
@ -1496,6 +1487,14 @@ s4uauth (struct passwd *pw)
KERB_S4U_LOGON *s4u_logon; KERB_S4U_LOGON *s4u_logon;
USHORT name_len; USHORT name_len;
RtlInitAnsiString (&name, MICROSOFT_KERBEROS_NAME_A);
status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
if (status != STATUS_SUCCESS)
{
debug_printf ("LsaLookupAuthenticationPackage: %y", status);
__seterrno_from_nt_status (status);
goto out;
}
wcpcpy (wcpcpy (wcpcpy (sam_name, domain), L"\\"), user); wcpcpy (wcpcpy (wcpcpy (sam_name, domain), L"\\"), user);
if (TranslateNameW (sam_name, NameSamCompatible, NameUserPrincipal, if (TranslateNameW (sam_name, NameSamCompatible, NameUserPrincipal,
upn_name, &size) == 0) upn_name, &size) == 0)
@ -1563,6 +1562,14 @@ msv1_0_auth:
MSV1_0_S4U_LOGON *s4u_logon; MSV1_0_S4U_LOGON *s4u_logon;
USHORT user_len, domain_len; USHORT user_len, domain_len;
RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
if (status != STATUS_SUCCESS)
{
debug_printf ("LsaLookupAuthenticationPackage: %y", status);
__seterrno_from_nt_status (status);
goto out;
}
user_len = wcslen (user) * sizeof (WCHAR); user_len = wcslen (user) * sizeof (WCHAR);
domain_len = wcslen (domain) * sizeof (WCHAR); /* Local machine */ domain_len = wcslen (domain) * sizeof (WCHAR); /* Local machine */
authinf_size = sizeof (MSV1_0_S4U_LOGON) + user_len + domain_len; authinf_size = sizeof (MSV1_0_S4U_LOGON) + user_len + domain_len;