Date: Tue, 11 Jun 2013 09:44:08 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon

Daniel? Ping?

On Jun 8 21:02, Corinna Vinschen wrote:
> On Jun 8 20:47, Corinna Vinschen wrote:
> > Actually, the problem you have is based on the fact that you're using a
> > machine-local cyg_server account to run sshd. In domain environments
> > it's prudent to create such an account in AD and add a matching group
> > policy to make sure that account has the required rights on the machines
> > which are supposed to run sshd. I created a short FAQ entry once,
> > http://cygwin.com/faq.html#faq.using.sshd-in-domain
> >
> > What probably *does* make sense is not to call get_logon_server twice
> > if the first call returned with ERROR_ACCESS_DENIED. That requires
> > only a bit of minor code rearranging. I'll prepare something today
> > or tomorrow.
>
> In fact, this tiny patch should fix the 3 second timeout:
>
> Index: sec_auth.cc > =================================================================== > RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v > retrieving revision 1.47 > diff -u -p -r1.47 sec_auth.cc > --- sec_auth.cc 23 Apr 2013 09:44:33 -0000 1.47 > +++ sec_auth.cc 8 Jun 2013 19:00:46 -0000
> @@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg > if (ret) > { > __seterrno_from_win_error (ret); > - /* It's no error when the user name can't be found. */ > - return ret == NERR_UserNotFound; > + /* It's no error when the user name can't be found. > + It's also no error if access has been denied. Yes, sounds weird, but > + keep in mind that ERROR_ACCESS_DENIED means the current user has no > + permission to access the AD user information. However, if we return > + an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set > + to ask for another server. This is not only time consuming, it's also > + useless; the next server will return access denied again. */ > + return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED; > } > > len = wcslen (domain); >
> Would you mind giving it a try in your environment?

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
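Review bot: In the `if (ret)` branch of get_user_groups, the new `return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;` reports success to the caller even though `__seterrno_from_win_error (ret)` has already set errno, so the caller can no longer tell a completed group lookup from one that was refused. Because the function returns before anything from `len = wcslen (domain);` onward runs, the access-denied case yields no groups from this server; the comment explains why the DS_FORCE_REDISCOVERY retry is pointless but should also state that outcome, so a shortened group set under a machine-local service account is documented behaviour. If suppressing the retry is the only goal, consider signalling "denied, do not retry" separately from success instead of folding both into one return value, and decide whether errno should stay set on a path that is treated as non-error.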