X-Recipient: archive-cygwin AT delorie DOT com X-SWARE-Spam-Status: No, hits=-1.4 required=5.0 tests=AWL,BAYES_00 X-Spam-Check-By: sourceware.org In-Reply-To: <20091021085420.GF16678@calimero.vinschen.de> References: <412_1256107169_4ADEACA1_412_53_1_OFEB933357 DOT 245BF60B-ONC1257656 DOT 002475C7-C1257656 DOT 00249143 AT nbg DOT sdv DOT spb DOT de> <20091021085420 DOT GF16678 AT calimero DOT vinschen DOT de> To: cygwin AT cygwin DOT com MIME-Version: 1.0 Subject: Antwort: Re: Cygwin/OpenSSH authentication without applying group policies... X-KeepSent: B18C8273:80CC183C-C125765B:0051BE9F; type=4; name=$KeepSent Message-ID: <27419_1256569266_4AE5B9B2_27419_1466_1_OFB18C8273.80CC183C-ONC125765B.0051BE9F-C125765B.00527DBB@nbg.sdv.spb.de> From: Carsten DOT Porzler AT spb DOT de Date: Mon, 26 Oct 2009 16:01:03 +0100 X-SafeGuard_MailGateway: Version: 5.60.3.9732 SGMG Date: 20091026150106Z Content-Type: text/plain; charset="US-ASCII" X-IsSubscribed: yes Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Hello, > On Oct 21 08:39, Carsten DOT Porzler AT spb DOT de wrote: > > Dear Cygwin community, > > > > we are just having problems with some locations connect over WAN lines > > with only little bandwith. > > > > The logon process against a Win2003 AD domain controller takes much time > > (>50s). After some analysis we found out that there is much traffic > > between the SSH server and the domain controller over ip port 1026 (CAP, > > used for applying/downloading the Win2003 group policies). > > > > During a SSH logon it is not necessary to apply all group policies. > > Instead it would be OK, if the user would just be authenticated and get > > his group memberships. > > That's not correct, unfortunately. To construct a user token you must > know what user rights the user has since they are part of the token. > Cygwin itself does not ask for group policies and that stuff, it really > only requests information about the user rights of the user logging in. > Cygwin has no control about the information flow underneath the Win32 > functions used to request this information. A couple of months ago we > already had a discussion on this list about the login process being > slow. The reason was an unnecessary loop asking for group membership, > but that should be fixed for a long time. > That correct in principle, what you say. The problem with the loops was solved some months ago. > > Is it possible to deactivate applying the group policies during the SSH > > logon process or to reconfigure the SSH service so that we can use LDAP > > authentication instead of standard Win2003 authentication. > > > First of all, we can't support LDAP directly from ssh since that doesn't > allow us to create a user token. What exactly is done depends on the > method used for creating the token. You didn't tell us if you're using > password authentication or pubkey authentication. With password > authentication it's entirely up to the Win32 call LogonUser() to create > that token and to manage that connection. Using pubkey authentication > you have three choices described in the user's guide. Maybe one of them > helps, see > http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview > > My decripted problem occurs with password and public key (without saved password) authentication. I just asked the question because we see during network tracing that the group policies are transferred to the client. Other logon processes (e.g. mounting a network drive with another user than the logged on one) do not transfer the group policies. Is the call LogonUser() really the right one, we use for the login procedure? Thanks in advance and best regards Carsten Porzler -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple