Date: Sat, 8 Jun 2013 21:02:14 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
Message-ID: <20130608190214.GC9607@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <51B2D55B DOT 3020904 AT dancol DOT org> <51B2EC44 DOT 30102 AT dancol DOT org> <20130608184726 DOT GA9607 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
In-Reply-To: <20130608184726.GA9607@calimero.vinschen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
On Jun 8 20:47, Corinna Vinschen wrote:
> On Jun 8 01:33, Daniel Colascione wrote:
> > On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> > > (By the way: how on earth does logon eventually succeed if group enumeration
> > > fails? I'm using the stored-password authentication method, and when sshd
> > > eventually connects, my user (according to whoami.exe /priv) is a member of the
> > > groups I expect.)
> >
> > Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
> > getting a truncated group list from initgroups while checking ~/.ssh
> > permissions, which still happens to work fine in my case, the logon delay aside.
> >
> > Changing openssh to call setgroups only after calling seteuid might help (so
> > we'd retrieve the group list in the context of our new user), but because
> > get_groups calls deimpersonate before talking to the server, that wouldn't
> > actually work.
> >
> > What about something like this?
>
> Hmm. I'm not so sure. I think it's a bit of a hack to depend on the
> availability of the LSA private key entry for this part of the code.
>
> Actually, the problem you have is based on the fact that you're using a
> machine-local cyg_server account to run sshd. In domain environments
> it's prudent to create such an account in AD and add a matching group
> policy to make sure that account has the required rights on the machines
> which are supposed to run sshd. I created a short FAQ entry once,
> http://cygwin.com/faq.html#faq.using.sshd-in-domain
>
> What probably *does* make sense is not to call get_logon_server twice
> if the first call returned with ERROR_ACCESS_DENIED. That requires
> only a bit of minor code rearranging. I'll prepare something today
> or tomorrow.
In fact, this tiny patch should fix the 3 second timeout:

Index: sec_auth.cc =================================================================== RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v retrieving revision 1.47 diff -u -p -r1.47 sec_auth.cc --- sec_auth.cc 23 Apr 2013 09:44:33 -0000 1.47 +++ sec_auth.cc 8 Jun 2013 19:00:46 -0000 @@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg if (ret) { __seterrno_from_win_error (ret); - /* It's no error when the user name can't be found. */ - return ret == NERR_UserNotFound; + /* It's no error when the user name can't be found. + It's also no error if access has been denied. Yes, sounds weird, but + keep in mind that ERROR_ACCESS_DENIED means the current user has no + permission to access the AD user information. However, if we return + an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set + to ask for another server. This is not only time consuming, it's also + useless; the next server will return access denied again. */ + return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED; } len = wcslen (domain);

Would you mind giving it a try in your environment?

Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
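Review bot: the widened early return in get_user_groups makes an ERROR_ACCESS_DENIED lookup indistinguishable from a successful one for the caller, so the caller proceeds with whatever partial group list was collected before the failure, which is exactly the truncated initgroups result the thread above describes. The comment justifies skipping the DS_FORCE_REDISCOVERY retry, but nothing records that the result is incomplete; consider emitting a debug trace next to `__seterrno_from_win_error (ret);` when `ret == ERROR_ACCESS_DENIED`, so a truncated group list can be traced back to this access-denied query rather than looking like a genuinely short membership. Also worth a word in the comment: errno is still set by `__seterrno_from_win_error` even though the function returns true, as was already the case for NERR_UserNotFound.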