DS_FORCE_REDISCOVERY lookup slows ssh logon

Corinna Vinschen corinna-cygwin@cygwin.com
Sat Jun 8 19:02:00 GMT 2013

On Jun  8 20:47, Corinna Vinschen wrote:
> On Jun  8 01:33, Daniel Colascione wrote:
> > On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> > > (By the way: how on earth does logon eventually succeed if group enumeration
> > > fails? I'm using the stored-password authentication method, and when sshd
> > > eventually connects, my user (according to whoami.exe /priv) is a member of the
> > > groups I expect.)
> > 
> > Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
> > getting a truncated group list from initgroups while checking ~/.ssh
> > permissions, which still happens to work fine in my case, the logon delay aside.
> > 
> > Changing openssh to call setgroups only after calling seteuid might help (so
> > we'd retrieve the group list in the context of our new user), but because
> > get_groups calls deimpersonate before talking to the server, that wouldn't
> > actually work.
> > 
> > What about something like this?
> Hmm.  I'm not so sure.  I think it's a bit of a hack to depend on the
> availability of the LSA private key entry for this part of the code.
> Actually, the problem you have is based on the fact that you're using a
> machine-local cyg_server account to run sshd.  In domain environments
> it's prudent to create such an account in AD and add a matching group
> policy to make sure that account has the required rights on the machines
> which are supposed to run sshd.  I created a short FAQ entry once,
> http://cygwin.com/faq.html#faq.using.sshd-in-domain
> What probably *does* make sense is not to call get_logon_server twice
> if the first call returned with ERROR_ACCESS_DENIED.  That requires 
> only a bit of minor code rearranging.  I'll prepare something today
> or tomorrow.

In fact, this tiny patch should fix the 3 second timeout:

Index: sec_auth.cc
RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
retrieving revision 1.47
diff -u -p -r1.47 sec_auth.cc
--- sec_auth.cc	23 Apr 2013 09:44:33 -0000	1.47
+++ sec_auth.cc	8 Jun 2013 19:00:46 -0000
@@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg
   if (ret)
       __seterrno_from_win_error (ret);
-      /* It's no error when the user name can't be found. */
-      return ret == NERR_UserNotFound;
+      /* It's no error when the user name can't be found.
+	 It's also no error if access has been denied.  Yes, sounds weird, but
+	 keep in mind that ERROR_ACCESS_DENIED means the current user has no
+	 permission to access the AD user information.  However, if we return
+	 an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
+	 to ask for another server.  This is not only time consuming, it's also
+	 useless; the next server will return access denied again. */
+      return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
   len = wcslen (domain);
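Review bot: the `@@ -259,8 +259,14 @@` header announces 8 old / 14 new lines, but only 5 / 11 are visible here, so the braces and blank line around the `if (ret)` body seem to have been lost in quoting and the patch as pasted will not apply cleanly against sec_auth.cc 1.47; the dropped lines need restoring before anyone tests it. On the logic, the new `return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;` still runs after `__seterrno_from_win_error (ret);`, so the function now reports success with errno set and the caller carries on with a silently truncated group list (the same truncated initgroups result the thread already attributes to sshd). Since the comment's rationale is that a rediscovery retry is useless here, a debug trace of the access-denied case next to that comment would keep the condition diagnosable rather than invisible.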

Would you mind giving it a try in your environment?


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
