Message-ID: <51B2EC44.30102@dancol.org>
Date: Sat, 08 Jun 2013 01:33:08 -0700
From: Daniel Colascione
To: cygwin AT cygwin DOT com
Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
References: <51B2D55B DOT 3020904 AT dancol DOT org>
In-Reply-To: <51B2D55B.3020904@dancol.org>

On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> (By the way: how on earth does logon eventually succeed if group enumeration
> fails? I'm using the stored-password authentication method, and when sshd
> eventually connects, my user (according to whoami.exe /priv) is a member of the
> groups I expect.)

Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
getting a truncated group list from initgroups while checking ~/.ssh
permissions, which still happens to work fine in my case, the logon delay aside.

Changing openssh to call setgroups only after calling seteuid might help (so
we'd retrieve the group list in the context of our new user), but because
get_groups calls deimpersonate before talking to the server, that wouldn't
actually work.

What about something like this?

Index: sec_auth.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
retrieving revision 1.47
diff -u -r1.47 sec_auth.cc
--- sec_auth.cc	23 Apr 2013 09:44:33 -0000	1.47
+++ sec_auth.cc	8 Jun 2013 08:31:16 -0000
@@ -246,7 +246,8 @@ static bool get_user_groups (WCHAR *logonserver, cygsidlist &grp_list, - PWCHAR user, PWCHAR domain) + PWCHAR user, PWCHAR domain, + struct passwd *pw) { WCHAR dgroup[MAX_DOMAIN_NAME_LEN + GNLEN + 2]; LPGROUP_USERS_INFO_0 buf; @@ -256,6 +257,33 @@ /* Look only on logonserver */ ret =3D NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf, MAX_PREFERRED_LENGTH, &cnt, &tot); + + if (ret =3D=3D ERROR_ACCESS_DENIED) + { + /* If we can't list the user's groups as ourselves, try + impersonating the user and trying again. If the user is a + domain account and we're just a privileged local account, the + user might have more access than we do. Only try + lsaprivkeyauth because other methods for creating user tokens + don't give us network credentials anyway. + */ + + HANDLE user_token =3D lsaprivkeyauth (pw); + + if (user_token) + { + if (ImpersonateLoggedOnUser (user_token)) + { + ret =3D NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf, + MAX_PREFERRED_LENGTH, &cnt, &tot); + + RevertToSelf (); + } + + CloseHandle (user_token); + } + } + if (ret) { __seterrno_from_win_error (ret); @@ -292,7 +320,8 @@ static bool get_user_local_groups (PWCHAR logonserver, PWCHAR domain, - cygsidlist &grp_list, PWCHAR user) + cygsidlist &grp_list, PWCHAR user, + struct passwd *pw) { LPLOCALGROUP_INFO_0 buf; DWORD cnt, tot; @@ -301,6 +330,29 @@ ret =3D NetUserGetLocalGroups (logonserver, user, 0, LG_INCLUDE_INDIRECT, (LPBYTE *) &buf, MAX_PREFERRED_LENGTH, &cnt, &tot); + + if (ret =3D=3D ERROR_ACCESS_DENIED) + { + /* See the ERROR_ACCESS_DENIED comment in get_user_groups */ + + HANDLE user_token =3D lsaprivkeyauth (pw); + + if (user_token) + { + if (ImpersonateLoggedOnUser (user_token)) + { + ret =3D NetUserGetLocalGroups ( + logonserver, user, 0, LG_INCLUDE_INDIRECT, + (LPBYTE *) &buf, MAX_PREFERRED_LENGTH, + &cnt, &tot); + + RevertToSelf (); + } + + CloseHandle (user_token); + } + } + if (ret) { __seterrno_from_win_error (ret); 
@@ -482,10 +534,10 @@ return false; } if (get_logon_server (domain, server, false) - && !get_user_groups (server, grp_list, user, domain) + && !get_user_groups (server, grp_list, user, domain, pw) && get_logon_server (domain, server, true)) - get_user_groups (server, grp_list, user, domain); - get_user_local_groups (server, domain, grp_list, user); + get_user_groups (server, grp_list, user, domain, pw); + get_user_local_groups (server, domain, grp_list, user, pw); get_unix_group_sidlist (pw, grp_list); return true; }
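Review bot: in the get_user_groups hunk (@@ -256,6 +257,33 @@) the return value of RevertToSelf () is never checked; if the revert fails after a successful ImpersonateLoggedOnUser (user_token), the calling thread continues with the user's network-capable token as its security context, and everything after the group lookup (including the later __seterrno_from_win_error path and the caller's remaining work) runs as that user rather than as the privileged service. Treat a failed RevertToSelf () as a hard error there rather than falling through. It would also help to say in the comment why impersonating here is acceptable when, as the cover text notes, get_groups otherwise deimpersonates before talking to the server; and "try impersonating the user and trying again" reads better as "impersonate the user and retry".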
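Review bot: the get_user_local_groups hunk (@@ -301,6 +330,29 @@) repeats the lsaprivkeyauth / ImpersonateLoggedOnUser / RevertToSelf / CloseHandle sequence from get_user_groups almost verbatim, so any fix to the first copy (for instance checking RevertToSelf) has to be made twice. Factoring the token creation, impersonation and cleanup into one small helper that wraps the Net* call, so that both retry sites share a single code path, would keep the two copies from drifting apart.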
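Review bot: with the caller hunk (@@ -482,10 +534,10 @@), a lookup that is denied on the first server now performs an lsaprivkeyauth logon and impersonated retry inside get_user_groups, then, if that also fails, a second lsaprivkeyauth logon and retry against the rediscovered server, and potentially a third inside get_user_local_groups. Each of those creates and closes a fresh user token; consider obtaining the token once in the caller (or caching it in pw's lookup context) and passing it down, so a denied lookup does not cost several LSA logons on an already slow path.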