[ros-dev] SoC 2006 (Login Framework)
justin.haygood at gmail.com
Thu Jun 1 01:54:25 CEST 2006
And the coding begins :)
I delved into MSGINA to figure out what documented APIs it did
implement, but incompletely, and what APIs it implemented only via a
stub, and what APIs are left.
Initial patches coming sometime soonish (not today).
Details: http://soc2006.justinhaygood.com/?q=node/3 (Yes, I'm blogging
my progress so that people can see it publically outside of this list).
On Mon, 2006-05-29 at 10:25 +0200, Thomas Weidenmueller wrote:
> > 1. Winlogin
> We have a very basic winlogon in base\system\winlogon, it also has basic
> code to load msgina.dll and provide a very very basic SaS loop (that is
> used to display the GUI on the secured desktops and vor authentication
> related messages)
> > 2. MSGINA (ROSGINA would work better, no?)
> No, we need to stick to the name msgina.dll. There's a super-basic
> version implemented in dll\win32\msgina
> > 3. Some sort of Identity Management system with support for local and
> > remote authentication (remote can come with SMB support later)
> "Identity Management" is lsass.exe, which doesn't really exist in ros.
> Many of the security APIs make lsa calls, which is capable of performing
> authentication and also remote authentication.
> > Tiers 2 & 3 can be developed and tested on a non ReactOS system (aka a
> > real Windows system) initially (tho with the code staying in the ROS
> > Subversion tree), while Tier 1 is ReactOS specific.
> 3) won't be able to be testable in windows as what you're talking about
> is advapi32.dll + lsass.exe. That's how authentication and user
> management is handled. Unfortunately lsass.exe doesn't exists in ros as
> of now. We're going to have to work around these problems by adding some
> hacks (ie. only "enumerate" one account, the administrator account etc.
> > 1. Identity Management System with basic tools (get Setup to use it, at
> > least some basic command line tools to add and remove users and change
> > passwords, no need for a UI yet)
> Unfortunately to add, remove and change users you'd have to use
> netapi32.dll (ie. NetUserAdd, NetUserChangePassword, ...). This DLL
> doesn't exist anytime soon. A custom identity management system in ros
> is out of question as we'd require lsass.exe to be implemented. That's
> too much for your task, and we don't even have the RPC system working
> well enough to accomplish this.
> > 2. A ROSGINA that uses the Identity Management System
> msgina.dll should just use the publicly documented functions of
> kernel32, advapi32, netapi32, ... For the purpose of your project, we
> might just hardcode some values, etc in these DLLs to get it working.
> > 3. Get Winlogin back up and running and using the ROSGINA for
> > authentication.
> Winlogon already is able to load msgina.dll. However it's very
> incomplete as it only calls very few of msgina's exported Wlx*
> functions. msgina should export at least all documented Wlx* functions.
> > The identity management system's sole purpose is to create a
> > cross-subsystem, ReactOS-wide way to authenticate users. How each
> > subsystem uses the information provided is up to the individual
> > subsystem.
> These functions are all documented and we should not add a reactos
> specific implementation (See LogonUser(Ex), CreateProcessAsUser,
> ImpersonateLoggedOnUser, .... These is used to perform authentication
> and we should not invent our own set.
> > As such, I see a database (Berkerly DB or Sqlite) of users
> > (and possibly a separate one with groups) with some basic metadata
> > describing the user:
> The users are managed and saved in the registry (SAM database), it's
> located in HKLM/SAM. I'm not familiar with the format etc, but we lack
> lsa and sam for user managment. This is why for the purpose of your task
> we'll just make quick&dirty implementations of the required APIs to add
> some fake implementation. Implementing a lsass.exe, sam etc is way too
> much for your task.
> > The identity management system's API can be quite simple:
> > BOOL AuthenticateUserA( LPCSTR username, LPCSTR password );
> > BOOL AuthenticateUserW( LPCWSTR username, LPCWSTR password );
> As I mentioned above, rolling our own APIs is not desirable, you're
> going to have to use LogonUser(Ex) and CreateProcessAsUser for
> I advice you to take a look at the documentation of the mentioned APIs
> since they're fairly complex. Also you should read about the interface
> between winlogon and msgina, the functions start with the Wlx prefix,
> WlxInitialize for example. Remember that we need a SaS (that's basically
> a window message loop on the secured desktops) that is required for APIs
> like WlxSasNotify. Also you should take a look at our winlogon
> implementation. It's very basic but also it gives you an idea of how the
> architecture should look like.
> I hope this email helps you a bit more. Sorry for replying a bit late, I
> was going out a lot this weekend :)
> Best Regards,
> Ros-dev mailing list
> Ros-dev at reactos.org
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: not available
Url : http://www.reactos.org/pipermail/ros-dev/attachments/20060531/eb09b164/attachment-0001.png
More information about the Ros-dev