X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=xPItElsdPetsw76XtMBRP+qlIUHUZmLhQvD4tK/u+rWJLMW+3lXfa bYR4dkwulAwbmDO8a4DuyBJMDMp2xZqLW70AxxGt4+r2eHwdWiLzWtLNm/qo9lQx cu/WqsuuU9dOpYq8hhqFk/Z+NMWSPOCf2d0uudlfSMDtUBrpBNiGWM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=bLSIl8X4EiYAgmawoHG8RRxm3FQ=; b=po2/bqSkraDUg6o5yxKkUioEiKq+ h+W7YfSBh/Vq7e5OEcQ9A1BtqoI8wmh26KvUitaFlFcfg98ZFrhy4FtYi2bG5q/d 0efahrOfDVrWP552J1Jut+RmfY/i0m05hkWY9/5vxPTFWo9UvIyKl0RV+mG4swEy NGBsmYgP6WBkyp8= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2 X-HELO: calimero.vinschen.de Date: Wed, 14 May 2014 13:36:59 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: More testing needed: New passwd/group AD/SAM integration Message-ID: <20140514113659.GD2436@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <20140513105832 DOT GM2436 AT calimero DOT vinschen DOT de> <20140513145247 DOT GQ2436 AT calimero DOT vinschen DOT de> <20140513161626 DOT GT2436 AT calimero DOT vinschen DOT de> <20140513164122 DOT GU2436 AT calimero DOT vinschen DOT de> <20140513191732 DOT GX2436 AT calimero DOT vinschen DOT de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Gle0L8H5l8ToQqD4" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) --Gle0L8H5l8ToQqD4 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On May 13 22:15, Henry S. Thompson wrote: > Corinna Vinschen writes: > > On May 13 18:29, Henry S. Thompson wrote: > >> Glitch (also true for x86 1.7.29-2): > >> id returns effectively immediately for all users and non-users _exce= pt_: > >> > time id Administrators > >> uid=3D544(+Administrators) gid=3D544(+Administrators) > >> groups=3D11(+Authenticated Users),544(+Administrators) > >>=20 > >> real 0m2.296s > >> user 0m0.015s > >> sys 0m0.015s > > > > This shouldn't happen as long as we still have the "+" prepended to > > BUILTIN accounts(*). And, as a matter of fact, I can't reproduce this > > with the latest from CVS (=3D=3D the snapshot you're testing). Did you= exit > > your shell and restart it after creating the /etc/nsswitch.conf file as > > described in my preliminary documentation? >=20 > Yes, and I just re-did that, and I'm still getting the delay. You did > notice that it's the plural version (Administrator_s_) that has the > delay -- Administrator (no 's') is just as fast as all the others. Yes, I noticed the "s". But I missed to explain that I wasn't talking about the delay. What I can't reproduce is that `id Administrators' returns a result: $ id +Administrators uid=3D544(+Administrators) gid=3D544(+Administrators) groups=3D11(+Authen= ticated Users),544(+Administrators) but: $ id Administrators id: Administrators: no such user But now I understand why this occurs. It's the different handling of account names without domain prefix on standalone vs. domain machines. I applied a patch now which checks the incoming names for validity under the current naming rules, so, in theory, `id Administrators' should now return "no such user" for you as well. > Adding the '+' doesn't change the behaviour. >=20 > Ah, it occured to me to do an strace, and I found the culprit, I > think: >=20 > 19 392152 [main] id 16856 stat_worker: 0 =3D (\??\C:\C64\dev,0x1802C2= 940) > 26 392178 [main] id 16856 fstat64: 0 =3D fstat(1, 0x23A4F0) > 30 392208 [main] id 16856 isatty: 1 =3D isatty(1) > 1085 393293 [main] id 16856 pwdgrp::fetch_account_from_windows: line: <= +Administrators:*:544:544:,S-1-5-32-544:/:/sbin/nologin> > 2253178 2646471 [main] id 16856 seterrno_from_win_error: /home/cygnus/vin= schen/mknetrel/src/cygwin-snapshot-20140513-1/winsup/cygwin/sec_auth.cc:244= windows error 1355 > 187 2646658 [main] id 16856 geterrno_from_win_error: unknown windows > error 1355, setting errno to 13 >=20 > Does that help? Yes, thank you, it does. I tracked it down to the fact that in this specific scenario, Cygwin asks for a domain controller of the "BUILTIN" domain. This request for a domain controller name of a not really existing domain takes about 2 secs. I added a check for the user's SID to make sure the logon server name is only requested if the SID is a "real" domain SID. > > (*) I'd be grateful for input to the questions I asked in my OP, too. >=20 > Sorry, I am just a Un*x guy trying to live on a Windows box, I have > nothing like the necessary Windows sysadmin background to have an > opinion. I thought I would try your snapshots precisely _because_ I > understand almost nothing about all this -- I followed the 'mkpasswd' > instructions 8 years ago, and never touched things after that, and I > was just trying to help by seeing if there was anything a trial by a > naive user could uncover before things got fully released. That's ok. The debugging attempts in terms of your above `id' example already lead me to understand why SFU decided to prefix the builtin account names. This really makes sense to be able to check incoming account names for validity. It's hard to explain, but I'm getting an idea that we're better off in the long run to stick to the naming scheme of SFU, or at least something close. I just created new snapshots on http://cygwin.com/snapshots/ Please give'em a try. Thanks, Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --Gle0L8H5l8ToQqD4 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTc1VbAAoJEPU2Bp2uRE+g5rIP/0O/fYmu+zmhHblYNEhpVL3p FAsJw8cjjEAIT2KIZEb8lxxw/jCUNKvlCAmmYTDtqfimEXE1X6J9am4uL3oXGiPs 02tRxWNS20STPo2QIjRVBnhaZjdTik/JrG+TkG0pHvNYV1BqDf2U+5dfYABF4M8b uuvawkEGJd5QHK7itZQW5Ny7zguXhc1knyUUnUsn3zKjcTEBY/BVFOqej2viI12i I4McnvXQPdsBhVn+nOu53+3+UtAsxysbVQ2gtolIQWhZ+CrdbI7vhtQXdDHT08bE hPFYTWquE3BYfTGkGSN0JcdSBPB/xmCFKvg19K+fizWLN7PHY948XBlEhjL9yFYH 8Q/1NzDnqsl0vDGRNxBRZhU48iQFvaqMFFb8z+iBt7chnHaolwN/HYbErbEDujgn 1wJJKY+UAHNhLUKSFvGqTKb7HQ4GVyoJTariufKxQLbG3ulDX3OxQkCwdwmf0DVC BzODB8NUO/h3Yy9Dua5GpwWzHBQY0ULEpJ5/3fdsbkYk7va+QLyYwTGHEAU4CdRU sRpygBh5ADDOfZ2SV8uLWGSB+mBOnXXIX9ZdzRvSdgOCg5pFDRs+4xcvdXaSOQqL KdEtxXMw6NwF7fjL9YvAXcfjLVFmmq+K5PIi0QvrtuN/lgR0ZCI21CgPKJuQfmZD QGRxJ8OedTq/28ZQ0OV5 =rKc6 -----END PGP SIGNATURE----- --Gle0L8H5l8ToQqD4--