X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=RD4SaL2/RgLdJgnOrpzjr4OtzvJPes/+9k1R8rCQOvVv0TM3TnWap LKX2El4fCIFsGkBEOo+eF/76syTliW6bysqRlaymgvASJu1IPc/0uhorVZvWUu88 mEhGq8hIrfFRmXDT7/5+XtzB5DzzYMCa82eHE28e0iK83aWc5Fl48w= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=ucuga3rFYfBuyVfohE1JHzrDLOo=; b=DSoq1NAzb/6TwyiHHDnuIGbi4cbK W3tE+YjX0n+gP9ExEPiaJxb5gNqBk7FffxMutxpio4s5GHE3uszrmgMu9GpYrt0H /EquAOjexLvigsqSMIOctwk1RMd/n4nbM8wXb25djBEHit8gBN2tkOyIic99xhno iwPIUOWu0vawQeU= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com X-Spam-SWARE-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.1 Date: Sat, 8 Jun 2013 20:47:26 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon Message-ID: <20130608184726.GA9607@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <51B2D55B DOT 3020904 AT dancol DOT org> <51B2EC44 DOT 30102 AT dancol DOT org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <51B2EC44.30102@dancol.org> User-Agent: Mutt/1.5.21 (2010-09-15) On Jun 8 01:33, Daniel Colascione wrote: > On 6/7/2013 11:55 PM, Daniel Colascione wrote: > > (By the way: how on earth does logon eventually succeed if group enumeration > > fails? I'm using the stored-password authentication method, and when sshd > > eventually connects, my user (according to whoami.exe /priv) is a member of the > > groups I expect.) > > Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just > getting a truncated group list from initgroups while checking ~/.ssh > permissions, which still happens to work fine in my case, the logon delay aside. > > Changing openssh to call setgroups only after calling seteuid might help (so > we'd retrieve the group list in the context of our new user), but because > get_groups calls deimpersonate before talking to the server, that wouldn't > actually work. > > What about something like this? Hmm. I'm not so sure. I think it's a bit of a hack to depend on the availability of the LSA private key entry for this part of the code. Actually, the problem you have is based on the fact that you're using a machine-local cyg_server account to run sshd. In domain environments it's prudent to create such an account in AD and add a matching group policy to make sure that account has the required rights on the machines which are supposed to run sshd. I created a short FAQ entry once, http://cygwin.com/faq.html#faq.using.sshd-in-domain What probably *does* make sense is not to call get_logon_server twice if the first call returned with ERROR_ACCESS_DENIED. That requires only a bit of minor code rearranging. I'll prepare something today or tomorrow. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple