From: Jeffrey Altman
Date: Wed, 28 Mar 2007 23:30:44 +0000 (+0000)
Subject: DEVEL15-windows-afslogon-20070328
X-Git-Tag: openafs-devel-1_5_18~11
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=a2edea90c53024f8f58eab87273051124e5f6041;p=packages%2Fo%2Fopenafs.git

DEVEL15-windows-afslogon-20070328

There are two serious problems with integrated logon:

(1) openafs afslogon.dll obtains Kerberos v5 tickets and then forwards them into the logon session. This was done because MIT KFW did not have such functionality. As of KFW 3.1, KFW does, so we are removing it. the functionality worked by copying the credentials to a FILE ccache and then using the Logon Event Handler to move the credentials into an API ccache and delete the temporary file. For non-interactive logons the Logon Event handlers do not get triggered. Neither do LogonScripts get executed. As a side effect, for each logon a credential cache file was left behind.

(2) when combined with non-interactive logons, there are some very bad side effects if a network provider performs Kerberos v5 operations. Each logon occurs in a new logon session and will spawn a private copy of krbcc32s.exe. As a result, integrated logon is being disabled for non-interactive logons.

(cherry picked from commit 934f76fb185ee5e162aee3bc9f5711079bbbca5b)
---
diff --git a/src/WINNT/afsd/afslogon.c b/src/WINNT/afsd/afslogon.c
index bda7f9c83..e01458600 100644
--- a/src/WINNT/afsd/afslogon.c
+++ b/src/WINNT/afsd/afslogon.c
@@ -715,6 +715,13 @@ DWORD APIENTRY NPLogonNotify(
 int retryInterval;
 int sleepInterval;
+ /* Are we interactive? */
+ interactive = (wcscmp(lpStationName, L"WinSta0") == 0);
+
+ /* Do not do anything if the logon session is not interactive. */
+ if (!interactive)
+ return 0;
+
 (void) RegOpenKeyEx(HKEY_LOCAL_MACHINE, AFSREG_CLT_SVC_PARAM_SUBKEY, 0, KEY_QUERY_VALUE, &NPKey);
 LSPsize=sizeof(TraceOption);
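Review bot: The new guard in NPLogonNotify returns before the RegOpenKeyEx/TraceOption read that follows it, so every service or network logon is now skipped without any DebugEvent entry, which leaves an operator nothing to find when a non-interactive job stops receiving AFS tokens. If DebugEvent takes printf-style arguments as the DebugEvent/DebugEvent0 pair suggests, placing the check after the trace option has been read and adding `DebugEvent("NPLogonNotify: station %S is not interactive, skipping", lpStationName);` before the `return 0;` would record the decision. The same four lines are repeated in NPPasswordChangeNotify (hunk at line 991); a file-scope `static BOOL IsInteractiveStation(LPCWSTR lpStationName)` would keep the two checks in step, and `return 0;` in both places reads better as winnetwk.h's `WN_SUCCESS`. NPLogonNotify's body continues outside the hunk.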
@@ -744,9 +751,6 @@ DWORD APIENTRY NPLogonNotify(
 IL = (MSV1_0_INTERACTIVE_LOGON *) lpAuthentInfo;
- /* Are we interactive? */
- interactive = (wcscmp(lpStationName, L"WinSta0") == 0);
-
 /* Convert from Unicode to ANSI */
 /*TODO: Use SecureZeroMemory to erase passwords */
@@ -936,13 +940,16 @@ DWORD APIENTRY NPLogonNotify(
 }
 }
 DebugEvent("while loop exited");
+
 /* remove any kerberos 5 tickets currently held by the SYSTEM account * for this user */
+
 if (ISLOGONINTEGRATED(opt.LogonOption) && KFW_is_available()) {
+#ifdef KFW_LOGON
 sprintf(szLogonId,"%d.%d",lpLogonId->HighPart, lpLogonId->LowPart);
 KFW_AFS_copy_cache_to_system_file(uname, szLogonId);
-
+#endif
 KFW_AFS_destroy_tickets_for_principal(uname);
 }
@@ -991,6 +998,15 @@ DWORD APIENTRY NPPasswordChangeNotify(
 LPVOID StationHandle, DWORD dwChangeInfo)
 {
+ BOOLEAN interactive;
+
+ /* Are we interactive? */
+ interactive = (wcscmp(lpStationName, L"WinSta0") == 0);
+
+ /* Do not do anything if the logon session is not interactive. */
+ if (!interactive)
+ return 0;
+
 /* Make sure the AFS Libraries are initialized */
 AfsLogonInit();
@@ -1294,6 +1310,7 @@ GetSecurityLogonSessionData(HANDLE hToken, PSECURITY_LOGON_SESSION_DATA * ppSess
 VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
 {
+#ifdef KFW_LOGON
 WCHAR szUserW[128] = L"";
 char szUserA[128] = "";
 char szPath[MAX_PATH] = "";
@@ -1408,5 +1425,6 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
 DeleteFile(filename);
 DebugEvent0("KFW_Logon_Event - End");
+#endif
 }
diff --git a/src/WINNT/afsd/afslogon.h b/src/WINNT/afsd/afslogon.h
index a5ed23afc..8d529759d 100644
--- a/src/WINNT/afsd/afslogon.h
+++ b/src/WINNT/afsd/afslogon.h
@@ -27,8 +27,9 @@ SOFTWARE.
 #pragma once
 #include
+#include
 #include
-#if _WIN32_WINNT < 0x0501
+#if (_WIN32_WINNT < 0x0501)
 #define AFS_WIN32_WINNT _WIN32_WINNT
 #undef _WIN32_WINNT
 #define _WIN32_WINNT 0x0501
diff --git a/src/WINNT/afsd/logon_ad.cpp b/src/WINNT/afsd/logon_ad.cpp
index 204147150..a9febaa06 100644
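Review bot: With KFW_LOGON undefined, `szLogonId` is referenced only inside the new `#ifdef KFW_LOGON` block of the hunk at line 936, so unless NPLogonNotify uses it elsewhere (its declaration lies outside the hunk) the default build gains an unused-variable warning; moving the declaration under the same `#ifdef` avoids that. The guarded `sprintf(szLogonId,"%d.%d",lpLogonId->HighPart, lpLogonId->LowPart)` also formats the unsigned LowPart of the LUID with `%d`, so a KFW_LOGON build would want `"%ld.%lu"`. The `#ifdef` would benefit from a one-line comment saying why the copy step is conditional while the destroy call is not, e.g. `/* KFW_LOGON: pre-3.1 KFW could not forward tickets itself; KFW_Logon_Event consumed this file */`.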
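Review bot: The `#ifdef KFW_LOGON` opened right after KFW_Logon_Event's `{` in the hunk at line 1294 is closed by the `#endif` in the hunk at line 1408, so a build without KFW_LOGON exports a function with an empty body and nothing in the source says why the export survives. A comment on the `#ifdef`, e.g. `/* KFW_LOGON: pre-3.1 KFW ticket forwarding; export kept so an existing WinLogon\Notify\KFWLogon registration still resolves */`, would record that, though the retention motive is my inference from the OpenAFS.nsi hunk and should be confirmed. If no old registration is expected to remain, guarding the whole definition, signature included, would be clearer than an empty body. The roughly 110 lines between the two hunks are outside the view.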
--- a/src/WINNT/afsd/logon_ad.cpp
+++ b/src/WINNT/afsd/logon_ad.cpp
@@ -25,13 +25,12 @@ SOFTWARE.
 //#pragma keyword("interface",on)
-#define interface struct
+//#define interface struct
 #define SECURITY_WIN32
 #include "afslogon.h" /**/
 #include
-#include
 #include
 #include
 #include
diff --git a/src/WINNT/install/NSIS/OpenAFS.nsi b/src/WINNT/install/NSIS/OpenAFS.nsi
index c04558383..f4629108c 100644
--- a/src/WINNT/install/NSIS/OpenAFS.nsi
+++ b/src/WINNT/install/NSIS/OpenAFS.nsi
@@ -780,10 +780,11 @@ skipremove:
 WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "Logoff" "AFS_Logoff_Event"
 WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "Startup" "AFS_Startup_Event"
- WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "Asynchronous" 0
- WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "Impersonate" 0
- WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "DLLName" "afslogon.dll"
- WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "Logon" "KFW_Logon_Event"
+; No longer install KFW Logon Handler - KFW 3.1 and above supports this functionality
+; WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "Asynchronous" 0
+; WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "Impersonate" 0
+; WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "DLLName" "afslogon.dll"
+; WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon" "Logon" "KFW_Logon_Event"
 SetRebootFlag true
diff --git a/src/WINNT/install/wix/files.wxi b/src/WINNT/install/wix/files.wxi
index 155ecef73..43a153570 100644
--- a/src/WINNT/install/wix/files.wxi
+++ b/src/WINNT/install/wix/files.wxi
@@ -12,10 +12,12 @@
+
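Review bot: `//#define interface struct` keeps dead code where the old `#define` stood; delete the line, or replace it with a comment stating why the macro is no longer needed, since the reason cannot be read from the diff. The removed `#include` below it has lost its header name in this rendering, so whether the include added to afslogon.h in this commit replaces it cannot be confirmed here.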
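Review bot: Nothing removes the `Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon` key that earlier installers wrote with the four lines now commented out, so an upgraded machine keeps a Winlogon notification entry that loads afslogon.dll into winlogon and calls KFW_Logon_Event, which is empty unless the DLL was built with KFW_LOGON. Adding `DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\KFWLogon"` beside the `; No longer install` comment (or wherever the `skipremove:` path handles leftovers from prior versions, which is outside the hunk) retires the stale registration on upgrade. With the reason already recorded in that comment, the four `; WriteReg...` lines can be dropped rather than kept as commented-out code.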