Mail Archives: cygwin/2013/06/08/14:47:50

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Sat, 8 Jun 2013 20:47:26 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
Message-ID: <20130608184726.GA9607@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <51B2D55B DOT 3020904 AT dancol DOT org> <51B2EC44 DOT 30102 AT dancol DOT org>
MIME-Version: 1.0
In-Reply-To: <51B2EC44.30102@dancol.org>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Jun  8 01:33, Daniel Colascione wrote:
> On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> > (By the way: how on earth does logon eventually succeed if group enumeration
> > fails? I'm using the stored-password authentication method, and when sshd
> > eventually connects, my user (according to whoami.exe /priv) is a member of the
> > groups I expect.)
> 
> Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
> getting a truncated group list from initgroups while checking ~/.ssh
> permissions, which still happens to work fine in my case, the logon delay aside.
> 
> Changing openssh to call setgroups only after calling seteuid might help (so
> we'd retrieve the group list in the context of our new user), but because
> get_groups calls deimpersonate before talking to the server, that wouldn't
> actually work.
> 
> What about something like this?

Hmm.  I'm not so sure.  I think it's a bit of a hack to depend on the
availability of the LSA private key entry for this part of the code.

Actually, the problem you have is based on the fact that you're using a
machine-local cyg_server account to run sshd.  In domain environments
it's prudent to create such an account in AD and add a matching group
policy to make sure that account has the required rights on the machines
which are supposed to run sshd.  I created a short FAQ entry once,
http://cygwin.com/faq.html#faq.using.sshd-in-domain

What probably *does* make sense is not to call get_logon_server twice
if the first call returned with ERROR_ACCESS_DENIED.  That requires 
only a bit of minor code rearranging.  I'll prepare something today
or tomorrow.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
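The retry rule Corinna proposes (look the logon server up once, and only repeat the lookup with DS_FORCE_REDISCOVERY when the first attempt failed for a reason other than ERROR_ACCESS_DENIED) can be shown as a small C model. This is an added example, not Cygwin's sec_auth.cc code: the name get_logon_server is borrowed from the mail but the body is my own, the DC lookup is a simulated stand-in for DsGetDcNameW so the program runs off Windows, the FAKE_DCS table and its three domains are constructed, and only the numeric constants (ERROR_ACCESS_DENIED = 5, ERROR_NO_SUCH_DOMAIN = 1355, DS_FORCE_REDISCOVERY = 0x1, DS_IS_FLAT_NAME = 0x10000) are real Windows values.

```c
/* Added example (not Cygwin's code): retry a domain-controller lookup with
 * DS_FORCE_REDISCOVERY only when the first attempt failed for a reason that
 * rediscovery can fix.  ERROR_ACCESS_DENIED means the calling account lacks
 * the right to query the DC, which a forced rediscovery does not change, so
 * that case is returned immediately instead of paying for a second lookup. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real Windows values (winerror.h / dsgetdc.h), reproduced for the simulation. */
#define ERROR_SUCCESS        0u
#define ERROR_ACCESS_DENIED  5u
#define ERROR_NO_SUCH_DOMAIN 1355u
#define DS_FORCE_REDISCOVERY 0x00000001u
#define DS_IS_FLAT_NAME      0x00010000u

/* Constructed table standing in for what DsGetDcNameW would answer. */
struct fake_dc {
    const char *domain;
    uint32_t    cached_status;     /* answer when the cached DC entry is used */
    uint32_t    rediscover_status; /* answer when DS_FORCE_REDISCOVERY is set */
    const char *server;            /* name returned on success */
};

static const struct fake_dc FAKE_DCS[] = {
    { "CORP",   ERROR_SUCCESS,        ERROR_SUCCESS,       "\\\\dc1.corp.example"  },
    { "STALE",  ERROR_NO_SUCH_DOMAIN, ERROR_SUCCESS,       "\\\\dc2.stale.example" }, /* stale cache: rediscovery helps */
    { "LOCKED", ERROR_ACCESS_DENIED,  ERROR_ACCESS_DENIED, NULL                    }, /* missing rights: it cannot */
};

static int g_lookup_calls; /* number of simulated DC queries since last reset */

/* Simulated DsGetDcNameW: hypothetical stand-in, consults FAKE_DCS only. */
static uint32_t fake_dsgetdcname(const char *domain, uint32_t flags,
                                 char *server, size_t server_len)
{
    g_lookup_calls++;
    for (size_t i = 0; i < sizeof FAKE_DCS / sizeof FAKE_DCS[0]; i++) {
        if (strcmp(FAKE_DCS[i].domain, domain) != 0)
            continue;
        uint32_t st = (flags & DS_FORCE_REDISCOVERY) ? FAKE_DCS[i].rediscover_status
                                                     : FAKE_DCS[i].cached_status;
        if (st == ERROR_SUCCESS) {
            strncpy(server, FAKE_DCS[i].server, server_len - 1);
            server[server_len - 1] = '\0';
        }
        return st;
    }
    return ERROR_NO_SUCH_DOMAIN;
}

/* At most two lookups; never a second one after ERROR_ACCESS_DENIED. */
bool get_logon_server(const char *domain, char *server, size_t server_len,
                      uint32_t *status)
{
    *status = fake_dsgetdcname(domain, DS_IS_FLAT_NAME, server, server_len);
    if (*status == ERROR_SUCCESS)
        return true;
    if (*status == ERROR_ACCESS_DENIED)
        return false; /* rights problem: a rediscovery would fail the same way */
    *status = fake_dsgetdcname(domain, DS_IS_FLAT_NAME | DS_FORCE_REDISCOVERY,
                               server, server_len);
    return *status == ERROR_SUCCESS;
}

/* How many DC queries one logon-server lookup for `domain` costs. */
int lookups_needed(const char *domain)
{
    char server[64];
    uint32_t status;
    g_lookup_calls = 0;
    get_logon_server(domain, server, sizeof server, &status);
    return g_lookup_calls;
}

/* Status code the caller ends up with for `domain`. */
uint32_t final_status(const char *domain)
{
    char server[64];
    uint32_t status;
    get_logon_server(domain, server, sizeof server, &status);
    return status;
}

int main(void)
{
    const char *domains[] = { "CORP", "STALE", "LOCKED" };
    for (size_t i = 0; i < 3; i++)
        printf("%-6s lookups=%d status=%u\n", domains[i],
               lookups_needed(domains[i]), final_status(domains[i]));
    return 0;
}
```

The STALE row is the case the forced rediscovery exists for: the cached DC entry is wrong, the second query succeeds. The LOCKED row is the situation in the mail, a machine-local sshd service account without the domain rights to query the DC; there the second query would only add the rediscovery timeout to the logon delay without changing the outcome, so the function stops after one call.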

  Copyright © 2019   by DJ Delorie     Updated Jul 2019