Network Redirector - NPAddConnection3 callback in dokannp doesn't add connections

Open slipch opened this issue 6 years ago • 7 comments

The NPAddConnection3 callback in dokannp doesn't add connections. It only checks if there is such a connection. As a result, we can't implement a full-fledged network file system with it that can respond to WNetUseConnection or WNetAddConnectionX.

slipch avatar Oct 10 '19 14:10 slipch

Hi @slipch

Having WNetUseConnection or WNetAddConnectionX would mean handling user accounts. This could be handled in many different ways. Maybe the easiest would be that people register their own network redirect for this purpose? Or maybe you see a good generic way this could be handled?

Liryna avatar Oct 10 '19 18:10 Liryna

Hi Liryna, thank you for your quick response! Maybe using another NP provider would be the best solution for me for now. But this solution looks dubious to me. There would be two NP providers. I'm not sure how they would share the responsibility. Should my provider interact with dokany, or would it be completely independent and talk only with our FS? Won't they interfere with each other? I lack knowledge about NP providers.

As to the Dokany implementation: I imagine a callback that the FS implementation can register, and NPAddConnection3 would call it, passing its arguments to the callback. This would allow the FS implementation to create a new connection and return the result to NPAddConnection3. Then it can deal with its user accounts system as it wants. I can create a connection and use another thread to call DokanMain, otherwise it would block the callback.

slipch avatar Oct 11 '19 11:10 slipch

I never implemented it, but from my understanding you can just register your own network provider to handle such calls and proceed with DokanMain in another thread as you said (maybe it will even need to be a CreateProcess).

You might be able to do it without any need for dokan.

Liryna avatar Oct 12 '19 17:10 Liryna

@slipch Looking at https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-functions, we might be able to use Windows Credential Manager for the authentication with CredUIPromptForCredentials pretty easily 👍 No need for password management: https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa

Liryna avatar Nov 04 '19 20:11 Liryna

@Liryna if you need tests run, I have a NAS I'm trying to use Dokany with over SMB with credentials!

tabormeister avatar Nov 11 '19 22:11 tabormeister

I'm pretty sure the account you use to run Dokan needs to have SeImpersonatePrivilege, and then you need to spawn a thread and have it call an Impersonate syscall at the 'delegate' level, in order to create a new network connection under the caller's token.

The Windows architecture prevents you from creating a new connection to the same server with different credentials, unless you impersonate. And when you impersonate at the 'delegate' level, it essentially creates a new login session just for the impersonating thread.

kyanha avatar Nov 12 '19 07:11 kyanha

@kyanha Yes, it is possible to keep the security flow correct inside the user implementation. Mirror does support impersonation.

But regarding the authentication: the Dokan network provider runs in another scope and creates the link with the kernel, not the mirror, so I expect we do not need to deal with this.

But tests are better than guessing :D Will have to see this.

Liryna avatar Nov 12 '19 07:11 Liryna