X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=xPItElsdPetsw76XtMBRP+qlIUHUZmLhQvD4tK/u+rWJLMW+3lXfa
	bYR4dkwulAwbmDO8a4DuyBJMDMp2xZqLW70AxxGt4+r2eHwdWiLzWtLNm/qo9lQx
	cu/WqsuuU9dOpYq8hhqFk/Z+NMWSPOCf2d0uudlfSMDtUBrpBNiGWM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=bLSIl8X4EiYAgmawoHG8RRxm3FQ=; b=po2/bqSkraDUg6o5yxKkUioEiKq+
	h+W7YfSBh/Vq7e5OEcQ9A1BtqoI8wmh26KvUitaFlFcfg98ZFrhy4FtYi2bG5q/d
	0efahrOfDVrWP552J1Jut+RmfY/i0m05hkWY9/5vxPTFWo9UvIyKl0RV+mG4swEy
	NGBsmYgP6WBkyp8=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2
X-HELO: calimero.vinschen.de
Date: Wed, 14 May 2014 13:36:59 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: More testing needed: New passwd/group AD/SAM integration
Message-ID: <20140514113659.GD2436@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20140513105832 DOT GM2436 AT calimero DOT vinschen DOT de> <f5biop9x55t DOT fsf AT troutbeck DOT inf DOT ed DOT ac DOT uk> <20140513145247 DOT GQ2436 AT calimero DOT vinschen DOT de> <20140513161626 DOT GT2436 AT calimero DOT vinschen DOT de> <f5ba9aliqv0 DOT fsf AT troutbeck DOT inf DOT ed DOT ac DOT uk> <20140513164122 DOT GU2436 AT calimero DOT vinschen DOT de> <f5b61l9io4h DOT fsf AT troutbeck DOT inf DOT ed DOT ac DOT uk> <20140513191732 DOT GX2436 AT calimero DOT vinschen DOT de> <f5boaz1gz3d DOT fsf AT troutbeck DOT inf DOT ed DOT ac DOT uk>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;	protocol="application/pgp-signature"; boundary="Gle0L8H5l8ToQqD4"
Content-Disposition: inline
In-Reply-To: <f5boaz1gz3d.fsf@troutbeck.inf.ed.ac.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)

--Gle0L8H5l8ToQqD4
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On May 13 22:15, Henry S. Thompson wrote:
> Corinna Vinschen writes:
> > On May 13 18:29, Henry S. Thompson wrote:
> >> Glitch (also true for x86 1.7.29-2):
> >>   id returns effectively immediately for all users and non-users _exce=
pt_:
> >>    > time id Administrators
> >>     uid=3D544(+Administrators) gid=3D544(+Administrators)
> >>     groups=3D11(+Authenticated Users),544(+Administrators)
> >>=20
> >>     real    0m2.296s
> >>     user    0m0.015s
> >>     sys     0m0.015s
> >
> > This shouldn't happen as long as we still have the "+" prepended to
> > BUILTIN accounts(*).  And, as a matter of fact, I can't reproduce this
> > with the latest from CVS (=3D=3D the snapshot you're testing).  Did you=
 exit
> > your shell and restart it after creating the /etc/nsswitch.conf file as
> > described in my preliminary documentation?
>=20
> Yes, and I just re-did that, and I'm still getting the delay.  You did
> notice that it's the plural version (Administrator_s_) that has the
> delay -- Administrator (no 's') is just as fast as all the others.

Yes, I noticed the "s".  But I missed to explain that I wasn't talking
about the delay.  What I can't reproduce is that `id Administrators'
returns a result:

  $ id +Administrators
  uid=3D544(+Administrators) gid=3D544(+Administrators) groups=3D11(+Authen=
ticated Users),544(+Administrators)

but:

  $ id Administrators
  id: Administrators: no such user

But now I understand why this occurs.  It's the different handling of
account names without domain prefix on standalone vs. domain machines.
I applied a patch now which checks the incoming names for validity under
the current naming rules, so, in theory, `id Administrators' should now
return "no such user" for you as well.

> Adding the '+' doesn't change the behaviour.
>=20
> Ah, it occured to me to do an strace, and I found the culprit, I
> think:
>=20
>    19  392152 [main] id 16856 stat_worker: 0 =3D (\??\C:\C64\dev,0x1802C2=
940)
>    26  392178 [main] id 16856 fstat64: 0 =3D fstat(1, 0x23A4F0)
>    30  392208 [main] id 16856 isatty: 1 =3D isatty(1)
>  1085  393293 [main] id 16856 pwdgrp::fetch_account_from_windows: line: <=
+Administrators:*:544:544:,S-1-5-32-544:/:/sbin/nologin>
> 2253178 2646471 [main] id 16856 seterrno_from_win_error: /home/cygnus/vin=
schen/mknetrel/src/cygwin-snapshot-20140513-1/winsup/cygwin/sec_auth.cc:244=
 windows error 1355
>   187 2646658 [main] id 16856 geterrno_from_win_error: unknown windows
> error 1355, setting errno to 13
>=20
> Does that help?

Yes, thank you, it does.  I tracked it down to the fact that in this
specific scenario, Cygwin asks for a domain controller of the "BUILTIN"
domain.  This request for a domain controller name of a not really
existing domain takes about 2 secs.  I added a check for the user's
SID to make sure the logon server name is only requested if the SID
is a "real" domain SID.

> > (*) I'd be grateful for input to the questions I asked in my OP, too.
>=20
> Sorry, I am just a Un*x guy trying to live on a Windows box, I have
> nothing like the necessary Windows sysadmin background to have an
> opinion.  I thought I would try your snapshots precisely _because_ I
> understand almost nothing about all this -- I followed the 'mkpasswd'
> instructions 8 years ago, and never touched things after that, and I
> was just trying to help by seeing if there was anything a trial by a
> naive user could uncover before things got fully released.

That's ok.  The debugging attempts in terms of your above `id' example
already lead me to understand why SFU decided to prefix the builtin
account names.  This really makes sense to be able to check incoming
account names for validity.  It's hard to explain, but I'm getting an
idea that we're better off in the long run to stick to the naming scheme
of SFU, or at least something close.

I just created new snapshots on http://cygwin.com/snapshots/
Please give'em a try.


Thanks,
Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--Gle0L8H5l8ToQqD4
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTc1VbAAoJEPU2Bp2uRE+g5rIP/0O/fYmu+zmhHblYNEhpVL3p
FAsJw8cjjEAIT2KIZEb8lxxw/jCUNKvlCAmmYTDtqfimEXE1X6J9am4uL3oXGiPs
02tRxWNS20STPo2QIjRVBnhaZjdTik/JrG+TkG0pHvNYV1BqDf2U+5dfYABF4M8b
uuvawkEGJd5QHK7itZQW5Ny7zguXhc1knyUUnUsn3zKjcTEBY/BVFOqej2viI12i
I4McnvXQPdsBhVn+nOu53+3+UtAsxysbVQ2gtolIQWhZ+CrdbI7vhtQXdDHT08bE
hPFYTWquE3BYfTGkGSN0JcdSBPB/xmCFKvg19K+fizWLN7PHY948XBlEhjL9yFYH
8Q/1NzDnqsl0vDGRNxBRZhU48iQFvaqMFFb8z+iBt7chnHaolwN/HYbErbEDujgn
1wJJKY+UAHNhLUKSFvGqTKb7HQ4GVyoJTariufKxQLbG3ulDX3OxQkCwdwmf0DVC
BzODB8NUO/h3Yy9Dua5GpwWzHBQY0ULEpJ5/3fdsbkYk7va+QLyYwTGHEAU4CdRU
sRpygBh5ADDOfZ2SV8uLWGSB+mBOnXXIX9ZdzRvSdgOCg5pFDRs+4xcvdXaSOQqL
KdEtxXMw6NwF7fjL9YvAXcfjLVFmmq+K5PIi0QvrtuN/lgR0ZCI21CgPKJuQfmZD
QGRxJ8OedTq/28ZQ0OV5
=rKc6
-----END PGP SIGNATURE-----

--Gle0L8H5l8ToQqD4--