X-Recipient:	archive-cygwin AT delorie DOT com
X-Spam-Check-By:	sourceware.org
Date:	Wed, 21 Oct 2009 10:54:20 +0200
From:	Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To:	cygwin AT cygwin DOT com
Subject:	Re: Cygwin/OpenSSH authentication without applying group policies...
Message-ID:	<20091021085420.GF16678@calimero.vinschen.de>
Reply-To:	cygwin AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
References:	<412_1256107169_4ADEACA1_412_53_1_OFEB933357 DOT 245BF60B-ONC1257656 DOT 002475C7-C1257656 DOT 00249143 AT nbg DOT sdv DOT spb DOT de>
MIME-Version:	1.0
In-Reply-To:	<412_1256107169_4ADEACA1_412_53_1_OFEB933357.245BF60B-ONC1257656.002475C7-C1257656.00249143@nbg.sdv.spb.de>
User-Agent:	Mutt/1.5.17 (2007-11-01)
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Unsubscribe:	<mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com

On Oct 21 08:39, Carsten DOT Porzler AT spb DOT de wrote:
> Dear Cygwin community,
> 
> we are just having problems with some locations connect over WAN lines 
> with only little bandwith.
> 
> The logon process against a Win2003 AD domain controller takes much time 
> (>50s). After some analysis we found out that there is much traffic 
> between the SSH server and the domain controller over ip port 1026 (CAP, 
> used for applying/downloading the Win2003 group policies).
> 
> During a SSH logon it is not necessary to apply all group policies. 
> Instead it would be OK, if the user would just be authenticated and get 
> his group memberships.

That's not correct, unfortunately.  To construct a user token you must
know what user rights the user has since they are part of the token.
Cygwin itself does not ask for group policies and that stuff, it really
only requests information about the user rights of the user logging in.
Cygwin has no control about the information flow underneath the Win32
functions used to request this information.  A couple of months ago we
already had a discussion on this list about the login process being
slow.  The reason was an unnecessary loop asking for group membership,
but that should be fixed for a long time.

> Is it possible to deactivate applying the group policies during the SSH 
> logon process or to reconfigure the SSH service so that we can use LDAP 
> authentication instead of standard Win2003 authentication.

First of all, we can't support LDAP directly from ssh since that doesn't
allow us to create a user token.  What exactly is done depends on the
method used for creating the token.  You didn't tell us if you're using
password authentication or pubkey authentication.  With password
authentication it's entirely up to the Win32 call LogonUser() to create
that token and to manage that connection.  Using pubkey authentication
you have three choices described in the user's guide.  Maybe one of them
helps, see
http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -