This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Sat, 8 Jun 2013 21:02:14 +0200
- Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
- References: <51B2D55B dot 3020904 at dancol dot org> <51B2EC44 dot 30102 at dancol dot org> <20130608184726 dot GA9607 at calimero dot vinschen dot de>
- Reply-to: cygwin at cygwin dot com
On Jun 8 20:47, Corinna Vinschen wrote:
> On Jun 8 01:33, Daniel Colascione wrote:
> > On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> > > (By the way: how on earth does logon eventually succeed if group enumeration
> > > fails? I'm using the stored-password authentication method, and when sshd
> > > eventually connects, my user (according to whoami.exe /priv) is a member of the
> > > groups I expect.)
> >
> > Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
> > getting a truncated group list from initgroups while checking ~/.ssh
> > permissions, which still happens to work fine in my case, the logon delay aside.
> >
> > Changing openssh to call setgroups only after calling seteuid might help (so
> > we'd retrieve the group list in the context of our new user), but because
> > get_groups calls deimpersonate before talking to the server, that wouldn't
> > actually work.
> >
> > What about something like this?
>
> Hmm. I'm not so sure. I think it's a bit of a hack to depend on the
> availability of the LSA private key entry for this part of the code.
>
> Actually, the problem you have is based on the fact that you're using a
> machine-local cyg_server account to run sshd. In domain environments
> it's prudent to create such an account in AD and add a matching group
> policy to make sure that account has the required rights on the machines
> which are supposed to run sshd. I created a short FAQ entry once,
> http://cygwin.com/faq.html#faq.using.sshd-in-domain
>
> What probably *does* make sense is not to call get_logon_server twice
> if the first call returned with ERROR_ACCESS_DENIED. That requires
> only a bit of minor code rearranging. I'll prepare something today
> or tomorrow.
In facxt, this tiny patch should fix the 3 second timeout:
Index: sec_auth.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
retrieving revision 1.47
diff -u -p -r1.47 sec_auth.cc
--- sec_auth.cc 23 Apr 2013 09:44:33 -0000 1.47
+++ sec_auth.cc 8 Jun 2013 19:00:46 -0000
@@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg
if (ret)
{
__seterrno_from_win_error (ret);
- /* It's no error when the user name can't be found. */
- return ret == NERR_UserNotFound;
+ /* It's no error when the user name can't be found.
+ It's also no error if access has been denied. Yes, sounds weird, but
+ keep in mind that ERROR_ACCESS_DENIED means the current user has no
+ permission to access the AD user information. However, if we return
+ an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
+ to ask for another server. This is not only time consuming, it's also
+ useless; the next server will return access denied again. */
+ return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
}
len = wcslen (domain);
Would you mind to give it a try in your environment?
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple