X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=Phrd8hGQ2jtHKK8wIrzL6qrkSda7sWRYo3BmB7ujEsoXIQ9Cz8vnb
	L3PJwn+3niFxDHkcYcsKoAfvL9Ym8tZy62E/aSZWRFH09N4pzbJoWea+ohsxJ66W
	FmqTZ90Y8EHP/FWwjB/Li7GBTJvR+vY4Ak8P380VZ4t3o8ZrDGuXHE=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=9XBeekCYkl6AVVPlyV/KlSSq86I=; b=ufO5EsPGQiSooK/KbiWDcIb2tNWH
	Hfmc6qA40SJCRU373ASq2Hkd1kVtbkKEAjZo3IS5+UYk2wxT8R0954aEmkArpVTG
	pq3gXq+o33y/M02PcaH7WRn/CVbA0hTn7f6UR9TPQLzWo4n0fprT3oCrxSEh/lXt
	B0kBg1SF5djRxMw=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2
X-HELO: calimero.vinschen.de
Date: Wed, 25 Jun 2014 12:15:26 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: timeout in LDAP access
Message-ID: <20140625101526.GO1803@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <F312783D-AD66-4614-922B-E44403C7E372 AT Denis-Excoffier DOT org> <20140617100011 DOT GL23700 AT calimero DOT vinschen DOT de> <C462E4F3-1E51-46DC-BD27-BC4786A5E8BB AT Denis-Excoffier DOT org> <20140618083304 DOT GV23700 AT calimero DOT vinschen DOT de> <20140618180102 DOT GA27055 AT calimero DOT vinschen DOT de> <FEEBC1A4-B147-45C1-A5AC-F5B9108E998F AT Denis-Excoffier DOT org> <20140623090959 DOT GA1803 AT calimero DOT vinschen DOT de> <C2FB35D9-AE47-4461-8A94-20605D5EB996 AT Denis-Excoffier DOT org> <20140624155851 DOT GJ1803 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;	protocol="application/pgp-signature"; boundary="HVCoas+krw6dou6l"
Content-Disposition: inline
In-Reply-To: <20140624155851.GJ1803@calimero.vinschen.de>
User-Agent: Mutt/1.5.23 (2014-03-12)

--HVCoas+krw6dou6l
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Jun 24 17:58, Corinna Vinschen wrote:
> On Jun 23 22:38, Denis Excoffier wrote:
> > On 2014-06-23 11:09, Corinna Vinschen wrote:
> > > On Jun 19 19:53, Denis Excoffier wrote:
> > >=20
> > > Do you really *want* to enumerate 500K users when accessing the DCs
> > > remote over a slow DSL line?  Isn't this a situation in which you'd
> > > rather like to avoid enumerating accounts or restrict it to an
> > > essential subset?  That's what db_enum would be good for.
> > IMHO the line is not especially slow. Instead, the
> > server (and occasionally the client) is clobbered sometimes. For exampl=
e it
> > seems more difficult (ie timeout occurs more frequently) for a server
> > to output the last sid=E2=80=99s in a domain than to output a full Page=
Size of
> > results.
> >=20
> > Personally i don=E2=80=99t *want* to use /etc/nsswitch.conf at all. Wha=
t bothers me
> > is that the user does not get any indication of a timeout (and several =
successive
> > and unrelated timeouts may be met in a single invocation of getent). Th=
erefore
> > even if all servers are up, the user has no means to know that the list=
 is exhaustive.
> > If the timeout occurs for the last chunk this is not so important, but =
if=20
> > the timeout occurs in the middle it may be. That is the difference betw=
een
> > a large timeout and a timeout, say, too accurate.
> > [...]
> > >> 1) for most of the 100-sid chunks, the high timeout is not used, the=
refore
> > >> the global penalty in delay is not so high. And perhaps a 120s timeo=
ut is high
> > >> enough so that when it is met, we could abandon not only the current=
 domain,
> > >> but also the whole search?
> > >=20
> > > Would that be really a bright idea?  Assuming your ADs (and their DCs)
> > > are in different remote locations,  One of those connections being do=
wn
> > > would disable enumerating other domains.
> > It would be a means to have getent 'depend' on a unique timeout.
> > >=20
> > >> 2) if value of timeout is not high enough (i have no figures=E2=80=
=A6), timeout may
> > >> occur when the PC is in fact occupied with other tasks (eg antivirus=
 scanning
> > >> or something else), unrelated to network delays or server latencies.
> > >=20
>=20
> Stay tuned.  I'm rewriting the LDAP access code to perform all critical
> LDAP calls in interruptible threads.  The Windows LDAP calls don't
> provide any kind of synchronization, only timeouts.  I hoped to get away
> with short timeouts but it seems I hoped in vain.
>=20
> So the next iteration of this code will not use any timeout other than
> the default LDAP network timeout of 2 minutes, but the calls will be
> interruptible by signals.
>=20
> I hope that fixes this the right way :}

I applied a matching patch and created new developer snapshots on
http://cygwin.com/snapshots/

No more artificial timeouts, but the LDAP calls will be interruptible by
a signal now.

Also, if an error occurs during ad enumeration, getpwent/getgrent will
return NULL with errno set accordingly.

But that won't help you much when running getent.  getent simply stops
the enumeration when getpwent/getgrent return NULL.  It does not check
the error code and therefore it won't indicate if the enumeration has
been stopped for a reason other than the end of the list has been
reached.


Please test,
Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--HVCoas+krw6dou6l
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTqqE+AAoJEPU2Bp2uRE+glmUP/j0l0ZlRixMJCnRnc0nivxzz
fsb9X1gq1c73qZCSSeNjXvi8V8iHqvn7JtXBAyu/W0WhJiIIID7l339D29YotCvW
lp9Ktbowu/BfNKCzQ4E82TegcOgyqgnAEv5SamNIMpkqBn90ZL6/61+5OfZjc7TG
d33Ne000qGvf2NioVgjRHQMnWNnmbiPOVSpRK7FgVXjVZFcNDeO7ZcE+s1mTQ4s6
i3nim2UJtLy/OrJ0fBapv5sCoGJ85g9BYLlqfhe0pag6dHRW4RoO5l+cqdjULnK6
8e4x8SZ/ehfKXKmKbu5F9Hxih1fBGlN+n8tby6WFwd+ssxDIlA4YjSce5ns+/twk
xXjcPiLZMJ0Iblv23SUR9ScOza4P0TlEkjuUYgOxBSbeD7SDD3XMQX8mH5V9bQ61
+I5Gs8z6ODQnQqGJewoO22Ddq25k1wtEso5mwCXoAN4CcDLy6WhjuSUjDqTrWsiT
5RwVl6+5rjqGMlCfwCOoJsKC8CSWu/GEOZG+yKJVrnzIcyKYSUhmc+77d171tvqG
q2Lb3VJZnVqFTJhIilX5NKceJ0zG08SoriRApGQg5crGEw90ntN/yedoidmQqLuq
TWO9rUdCVloWLS27Fkqeuu1Imhi//vBcZWI7N7sufOLs1xSC+FVggGDdrI0GQmqE
UgytZ1xqRz0f8gOG1gr/
=WLV5
-----END PGP SIGNATURE-----

--HVCoas+krw6dou6l--