| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:date:from:to:subject:message-id:reply-to | |
| :references:mime-version:content-type:in-reply-to; q=dns; s= | |
| default; b=rXlzeprlMcgB3U3bQ2Gkf3SRwu9YOri0dcLwDsVP3UUy527K5vLHe | |
| XhoTOJvNJgjMdF1SmepnUgTgJtVOpJrUho6011MICHqGLwfcsClm9NwA4txThYRi | |
| w3IWzaGB+qqAZ64FFGyEoB++PEHku2qG8wRzHQ42IpMPga5c8YSubs= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:date:from:to:subject:message-id:reply-to | |
| :references:mime-version:content-type:in-reply-to; s=default; | |
| bh=wAFg/GTAh27Xpyv8k4N5yi9pN+Q=; b=AX3+PPo9EvE86XDxhT3CoCbc+/yz | |
| T5b1IHrzzKfm5stPjI5+7hoQT7ep43KhBIX69vez7oK/EBzsSkkxPxWQFKmx7gv0 | |
| JCpC9R+D2glfXDgyRSSrEiop271zQnMEV6DjwwijBsAubLb9GPu4lFWFSczrZSVM | |
| xUC11t/lcPFXk5g= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| X-Spam-SWARE-Status: | No, score=-1.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.1 |
| Date: | Tue, 11 Jun 2013 09:44:08 +0200 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: DS_FORCE_REDISCOVERY lookup slows ssh logon |
| Message-ID: | <20130611074408.GA29728@calimero.vinschen.de> |
| Reply-To: | cygwin AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| References: | <51B2D55B DOT 3020904 AT dancol DOT org> <51B2EC44 DOT 30102 AT dancol DOT org> <20130608184726 DOT GA9607 AT calimero DOT vinschen DOT de> <20130608190214 DOT GC9607 AT calimero DOT vinschen DOT de> |
| MIME-Version: | 1.0 |
| In-Reply-To: | <20130608190214.GC9607@calimero.vinschen.de> |
| User-Agent: | Mutt/1.5.21 (2010-09-15) |
Daniel? Ping?
On Jun 8 21:02, Corinna Vinschen wrote:
> On Jun 8 20:47, Corinna Vinschen wrote:
> > Actually, the problem you have is based on the fact that you're using a
> > machine-local cyg_server account to run sshd. In domain environments
> > it's prudent to create such an account in AD and add a matching group
> > policy to make sure that account has the required rights on the machines
> > which are supposed to run sshd. I created a short FAQ entry once,
> > http://cygwin.com/faq.html#faq.using.sshd-in-domain
> >
> > What probably *does* make sense is not to call get_logon_server twice
> > if the first call returned with ERROR_ACCESS_DENIED. That requires
> > only a bit of minor code rearranging. I'll prepare something today
> > or tomorrow.
>
> In facxt, this tiny patch should fix the 3 second timeout:
>
> Index: sec_auth.cc
> ===================================================================
> RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
> retrieving revision 1.47
> diff -u -p -r1.47 sec_auth.cc
> --- sec_auth.cc 23 Apr 2013 09:44:33 -0000 1.47
> +++ sec_auth.cc 8 Jun 2013 19:00:46 -0000
> @@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg
> if (ret)
> {
> __seterrno_from_win_error (ret);
> - /* It's no error when the user name can't be found. */
> - return ret == NERR_UserNotFound;
> + /* It's no error when the user name can't be found.
> + It's also no error if access has been denied. Yes, sounds weird, but
> + keep in mind that ERROR_ACCESS_DENIED means the current user has no
> + permission to access the AD user information. However, if we return
> + an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
> + to ask for another server. This is not only time consuming, it's also
> + useless; the next server will return access denied again. */
> + return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
> }
>
> len = wcslen (domain);
>
> Would you mind to give it a try in your environment?
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |