Hi,

On Sat, Jan 14, 2017 at 04:16:29PM -0500, selva.n...@gmail.com wrote:
> From: Selva Nair <selva.n...@gmail.com>
>
> Currently the username, unqualified by the domain, is used to validate
> a user, which fails for domain users. Instead authorize the user
>
> (i) if the built-in admin group or ovpn_admin group is in the process token
> (ii) else if the user's SID is in the built-in admin or ovpn_admin groups
>
> The second check is needed to recognize dynamic updates to group membership
> on the local machine that will not be reflected in the token.
>
> These checks do not require connection to a domain controller and will
> work even when the user is logged in with cached credentials.
>
> Resolves Trac: #810
>
> v2: include the token check as described above
Took me way too long... the code change looks reasonable ("does what it
says on the tin, and safely so").

One question occurred to me, though... MS documentation for
GetTokenInformation() suggests that group membership tests should be done
with CheckTokenMembership(), which sounds more convenient than "extract
them all and walk the list" - so maybe this is done to avoid domain
controller contact?

OTOH, the example given somewhere else does the same thing with EqualSid(),
so MS doesn't know what to recommend either, it seems...

https://msdn.microsoft.com/de-de/library/windows/desktop/aa379554(v=vs.85).aspx

A few more tests, then merge...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
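The three membership tests discussed in this thread, side by side, as an added example (editor's code, not OpenVPN's and not the patch under review): CheckTokenMembership() via its managed wrapper, the "extract them all and walk the list" approach over the token's groups, and the patch's second check against the local SAM for membership changes that post-date the token. It assumes the ovpn_admin group is a local group named 'OpenVPN Administrators' (the name is an assumption) and that Get-LocalGroupMember is available (Windows 10 / Server 2016 or newer). Nothing here contacts a domain controller.

```powershell
# Added example, not code from OpenVPN or from the patch under review.
# Assumptions: the ovpn_admin group is a local group called
# 'OpenVPN Administrators'; Get-LocalGroupMember exists (Win10/2016+).
using namespace System.Security.Principal

$OvpnGroupName = 'OpenVPN Administrators'   # assumed name of the ovpn_admin group
$AdminSid      = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null)  # S-1-5-32-544

function Get-LocalGroupSid {
    param([string]$Name)
    # Name -> SID through LookupAccountName against the local SAM.
    # Returns $null when no such local group exists.
    try { [NTAccount]::new($env:COMPUTERNAME, $Name).Translate([SecurityIdentifier]) }
    catch { $null }
}

function Test-TokenGroupWalk {
    param([WindowsIdentity]$Identity, [SecurityIdentifier]$Sid)
    # "Extract them all and walk the list": TokenGroups compared one SID at a
    # time (EqualSid in C). WindowsIdentity.Groups already drops disabled,
    # logon-ID and deny-only entries. A raw GetTokenInformation() walk in C
    # must test SE_GROUP_ENABLED / SE_GROUP_USE_FOR_DENY_ONLY itself, otherwise
    # a UAC-filtered admin token (Administrators present as deny-only) matches.
    foreach ($g in $Identity.Groups) {
        if ($g.Equals($Sid)) { return $true }
    }
    return $false
}

function Test-TokenMembership {
    param([WindowsIdentity]$Identity, [SecurityIdentifier]$Sid)
    # WindowsPrincipal.IsInRole(SecurityIdentifier) wraps CheckTokenMembership():
    # true only if the SID is present AND enabled in the token. It works on the
    # token alone (no DC round trip); the wrapper also handles the API's
    # requirement for an impersonation token by duplicating a primary one.
    [WindowsPrincipal]::new($Identity).IsInRole($Sid)
}

function Test-LocalGroupMembership {
    param([SecurityIdentifier]$GroupSid, [SecurityIdentifier]$UserSid)
    # The patch's second check: membership granted after logon is not in the
    # token, so ask the local SAM. Direct members only; a domain group nested
    # in the local group is not expanded, which is also what keeps this DC-free.
    try { $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop }
    catch { return $false }
    foreach ($m in $members) {
        if ($m.SID -eq $UserSid) { return $true }
    }
    return $false
}

function Test-OvpnAdmin {
    param([WindowsIdentity]$Identity = [WindowsIdentity]::GetCurrent())
    # Order from the commit message:
    # (i)  built-in Administrators or ovpn_admin SID enabled in the token,
    # (ii) else the user's own SID is currently a member of either local group.
    $groupSids = @($AdminSid) + @(Get-LocalGroupSid $OvpnGroupName | Where-Object { $_ })
    foreach ($sid in $groupSids) {
        if (Test-TokenMembership $Identity $sid) { return $true }
    }
    foreach ($sid in $groupSids) {
        if (Test-LocalGroupMembership $sid $Identity.User) { return $true }
    }
    return $false
}

# Report for the calling user: compare the two token checks with the SAM check.
$id      = [WindowsIdentity]::GetCurrent()
$ovpnSid = Get-LocalGroupSid $OvpnGroupName
[pscustomobject]@{
    User                   = $id.Name
    AdminViaCheckTokenMbr  = Test-TokenMembership $id $AdminSid
    AdminViaTokenWalk      = Test-TokenGroupWalk $id $AdminSid
    AdminViaLocalGroup     = Test-LocalGroupMembership $AdminSid $id.User
    OvpnGroupExists        = [bool]$ovpnSid
    Authorized             = Test-OvpnAdmin $id
} | Format-List
```

Run it twice as a member of Administrators, once from an elevated console and once from a plain one: both token checks flip to false in the non-elevated process, because the UAC-filtered token carries the Administrators SID as deny-only, while the local-group check stays true. That is exactly what check (ii) in the patch accepts, so the decision is about the account, not about the process's elevation; whether that is the wanted semantics is worth stating explicitly in the code. On the C side, the practical difference between the two token approaches is that CheckTokenMembership() refuses a primary token (ERROR_NO_IMPERSONATION_TOKEN) and needs a DuplicateToken() first, whereas a GetTokenInformation(TokenGroups) walk accepts either kind but must honour the attribute bits itself.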
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel