Luke Kenneth Casson Leighton
lkcl at switchboard.net
Mon Apr 5 17:54:35 GMT 1999
On Sat, 3 Apr 1999, Hernan Ochoa wrote:
> >GINAs are not an appropriate place to provide alternative authentication.
> >microsoft is fully aware of this and deliberately does not provide any
> >information about the more appropriate API interface (the Local Security
> >Authority) except if you pay them extortionate amounts of money and if
> >they like the way that you smell.
> >therefore, the only _public_ way to provide alternative authentication is
> >to have a GINA that calls into MSGINA once you have "done your own thing"
> >sufficient to fool MSGINA into thinking that the [Kerberos, NIS etc] user
> GINA is more adequate to change the "interface" of the login, i think.
> if you want to change the method of authentication you should use a subauthentication
> package, or an authentication package.
> the default authentication package is msv1_0.dll, here is where all the code that compares the hash of your password with the local or remote sam database resides.
and for nt5, there is an additional one: kerberos.dll.
> you can also write a subauthentication package that can do EXTRA authentication, and if that extra authentication fails, the logon is failed.
this is specific to msv1_0.dll: they have a further extension system.
you are _still_ required to have an account in the SAM database and there
is no API in the msv1_0.dll subauthentication system to create _new_
> to write a new authentication package would be the right thing.
> The LSA API is documented in LSAAUTH.HLP,
ur... no it's not. LSAAUTH.HLP has been completely truncated and
contains, for developer purposes, absolutely no useful information.
> i've been doing some research on this lately, do you know this
yes i do.
> it doesn't contain everything you need?
of course not.
> Microsoft has done some nasty tricks with this file. if you read the
> help file sequentially, you won't find the CRUCIAL sections where the
> LSA API is documented, they're missing. but if you go to the index, or
> do a search, you will see all those important parts that you were
> looking for.
no, you will find that the _client-side_ API is fully documented. the
server side is missing. i have some other documentation (the server side
function prototypes) and this is semi-sufficient: it has no explanation.
if you have the IFS kit it contains ntifs.h which also contains the
necessary function prototypes and the higher-order function prototype
> yes, another one from microsoft, unbelievable.
> i think there's everything you need, i didn't read the API too much
> because i didn't need it for what i was trying to accomplish, now that
> i remember, maybe it was too much oriented towards the MSV1_0 API,
it is. well, actually, it's "too much orientated" towards NT "profile"
> anyway, i have "researched" msv1_0.dll so if you need everything maybe
> i can help.
if one person writes a dummy authentication package and releases it under
the GPL we're in business.