Sami J. Lehtinen
Guest
Posted: Thu Oct 27, 2005 4:51 pm
Post subject: User account management and information functions usage with
Our product is used to authenticate and authorize users running
processes and terminals on Windows servers.
When logging in a user we perform account authorization checks with
information gotten with NetUserGetInfo(), NetUserGetGroups() and
NetUserGetLocalGroups(). With trusted domains, these functions don't
seem to work, even though I'm able to log in to the Windows workstations
OK with a trusted domain account.
SJL2KD
- Windows 2000 Domain
- sjl2kd.ssh.com
- DC sjl2k.sjl2kd.ssh.com
- client machine Windows 2003 Server, sjlvpcws2003
- DNS handles both sjl2kd.ssh.com and sjl2k3d.ssh.com
SJL2K3D
- Windows 2003 Domain
- sjl2k3d.ssh.com
- forwarder to DNS in sjl2k.sjl2kd.ssh.com
- DC sjl2k3
Both domains have been set up to trust each other.
I can log in from the Windows login screen in sjlvpcws2003 with account
SJL2K3D/sjl.
When I use NetUserGetInfo(), I previously fetched the `servername' with
DsGetDcName() to get the DC to use. If I try to get the DC for SJL2K3D
in a server in SJL2K domain, I get ERROR_NO_SUCH_DOMAIN.
If, on the other hand, I use the domain controller of SJL2KD as
`servername', I only get ERROR_NO_SUCH_USER (I've tried username in
NetBIOS and DNS formats, i.e. SJL2K3D\sjl and sjl@sjl2k3d.ssh.com,
without success).
I need the user information structure to perform account validity
checks. The access token for the user is generated depending on the
authentication method: we use LogonUser, SSPI, S4U and lastly if we
can't use the former, we use a custom authentication package to generate
the access token. I have yet to see an access token with trusted domain
logins :)
Here is the API for NetUserGetInfo as a reminder:
NET_API_STATUS NetUserGetInfo(
LPCWSTR servername,
LPCWSTR username,
DWORD level,
LPBYTE* bufptr
);
--
sjl@ssh.com
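The lookup sequence described in the post (DsGetDcName to find a DC, then NetUserGetInfo against that server), as an added example that is not part of the original post and not the poster's product code. It uses P/Invoke from PowerShell so each call's status can be seen on its own, and it decodes the status values named in the thread plus NERR_UserNotFound. It assumes it is run on a domain-joined Windows machine; the function names (Get-DcName, Get-AccountState, Decode-Status) are my own, and the sample domain and user at the bottom are the ones from the post, used only as placeholders.

```powershell
# Added example, not from the original post. Declares the three netapi32 calls
# the poster relies on and walks the same DsGetDcName -> NetUserGetInfo path,
# reporting which call fails and with which status.
$source = @"
using System;
using System.Runtime.InteropServices;

public static class NetApi
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1
    {
        public string usri1_name;
        public string usri1_password;
        public uint   usri1_password_age;
        public uint   usri1_priv;
        public string usri1_home_dir;
        public string usri1_comment;
        public uint   usri1_flags;
        public string usri1_script_path;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "DsGetDcNameW")]
    public static extern int DsGetDcName(string computerName, string domainName,
        IntPtr domainGuid, string siteName, uint flags, out IntPtr dcInfo);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetInfo(string serverName, string userName,
        int level, out IntPtr bufPtr);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
if (-not ('NetApi' -as [type])) { Add-Type -TypeDefinition $source }

function Decode-Status([int]$Status) {
    # Status values mentioned in the thread, plus the NERR_ code for an unknown user.
    switch ($Status) {
        0    { 'NERR_Success' }
        1317 { 'ERROR_NO_SUCH_USER' }
        1355 { 'ERROR_NO_SUCH_DOMAIN' }
        2221 { 'NERR_UserNotFound' }
        default { "status $Status" }
    }
}

function Get-DcName([string]$Domain) {
    # Ask the locator for a DC of $Domain (DNS or NetBIOS name) and return its
    # name in the "\\server" form NetUserGetInfo expects as servername.
    $DS_RETURN_DNS_NAME            = 0x40000000
    $DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010
    $info = [IntPtr]::Zero
    $status = [NetApi]::DsGetDcName($null, $Domain, [IntPtr]::Zero, $null,
        ($DS_RETURN_DNS_NAME -bor $DS_DIRECTORY_SERVICE_REQUIRED), [ref]$info)
    if ($status -ne 0) { throw "DsGetDcName('$Domain') failed: $(Decode-Status $status)" }
    try {
        # DomainControllerName is the first field of DOMAIN_CONTROLLER_INFO.
        return [Runtime.InteropServices.Marshal]::PtrToStringUni(
            [Runtime.InteropServices.Marshal]::ReadIntPtr($info))
    } finally {
        [void][NetApi]::NetApiBufferFree($info)
    }
}

function Get-AccountState([string]$Domain, [string]$User) {
    # Query the account on a DC of its own domain and surface the two flags an
    # authorization check cares about most: disabled and locked out.
    $UF_ACCOUNTDISABLE = 0x0002
    $UF_LOCKOUT        = 0x0010
    $dc  = Get-DcName $Domain
    $buf = [IntPtr]::Zero
    $status = [NetApi]::NetUserGetInfo($dc, $User, 1, [ref]$buf)
    if ($status -ne 0) {
        return [pscustomobject]@{ Domain = $Domain; User = $User; DC = $dc
                                  Status = (Decode-Status $status); Disabled = $null; LockedOut = $null }
    }
    try {
        $ui = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type][NetApi+USER_INFO_1])
        [pscustomobject]@{ Domain = $Domain; User = $ui.usri1_name; DC = $dc; Status = 'NERR_Success'
                           Disabled  = [bool]($ui.usri1_flags -band $UF_ACCOUNTDISABLE)
                           LockedOut = [bool]($ui.usri1_flags -band $UF_LOCKOUT) }
    } finally {
        [void][NetApi]::NetApiBufferFree($buf)
    }
}

# Placeholder values taken from the post; replace with the domain and account under test.
Get-AccountState -Domain 'sjl2k3d.ssh.com' -User 'sjl' | Format-List
```

Running this from a machine in the other domain separates the two failure modes the post reports: if Get-DcName throws with ERROR_NO_SUCH_DOMAIN, the DC locator cannot resolve the trusted domain and the NetUserGetInfo step is never reached, which is a name-resolution or trust-lookup problem to chase before touching the account query. NetUserGetInfo reads the account database of the server it is given, so it has to be pointed at a DC of the account's own domain; pointing it at the home domain's DC for a foreign account is expected to come back as not found rather than follow the trust.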