Mail Archives: cygwin/2013/06/08/02:55:43

Message-ID: <51B2D55B.3020904@dancol.org>
Date: Fri, 07 Jun 2013 23:55:23 -0700
From: Daniel Colascione <dancol AT dancol DOT org>
MIME-Version: 1.0
To: Cygwin <cygwin AT cygwin DOT com>
Subject: DS_FORCE_REDISCOVERY lookup slows ssh logon

In sec_auth.cc, get_server_groups contains this clause:

  if (get_logon_server (domain, server, false)
      && !get_user_groups (server, grp_list, user, domain)
      && get_logon_server (domain, server, true))
    get_user_groups (server, grp_list, user, domain);

The first call to get_logon_server retrieves cached domain information. We try
to look up user groups based on this information, and if we fail to find this group
information (for any reason), we re-query the AD domain, get a new server, and
try again.

get_logon_server is a thin wrapper around DsGetDcName; get_logon_server's third
parameter determines whether we pass the DS_FORCE_REDISCOVERY flag to
DsGetDcName. DsGetDcName's documentation suggests that when doing AD operations,
we first retrieve cached information (by omitting DS_FORCE_REDISCOVERY), try
doing whatever it is that we're going to do, and if we can't reach the domain
controller, ask for another DC name, this time with DS_FORCE_REDISCOVERY, and
having found a better DC, try the operation again.

The problem I'm having is that this rediscover-and-retry step is slowing down my
ssh logons by about three seconds. The DCs on my network (for reasons I don't
understand) reject anonymous connections to PIPE\SAMR, making NetUserGetGroups
fail with ERROR_ACCESS_DENIED. The first call to get_user_groups fails almost
instantaneously, but there's a delay of about three seconds querying the second
server, the one found when we call get_logon_server (domain, server, true), and
this second call also eventually fails with ERROR_ACCESS_DENIED, probably
because the failure is a matter of policy, not of connectivity.

Would it be possible not to make the second call to NetUserGetGroups if the
first fails for a reason that doesn't have anything to do with network
connectivity? The purpose of DS_FORCE_REDISCOVERY seems to be to support
failover, and it doesn't seem useful to try a different server if we
successfully asked the first server and it just happened to say "no".

(By the way: how on earth does logon eventually succeed if group enumeration
fails? I'm using the stored-password authentication method, and when sshd
eventually connects, my user (according to whoami.exe /priv) is a member of the
groups I expect.)
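The retry guard this message asks for, written here as an added example rather than Cygwin's own sec_auth.cc: a DS_FORCE_REDISCOVERY lookup happens only when the first group query failed for a connectivity reason, so a policy refusal such as ERROR_ACCESS_DENIED fails fast instead of paying for a second DC lookup. It assumes stand-in lookup and query callbacks in place of get_logon_server and NetUserGetGroups, a hypothetical is_connectivity_error classifier, and the Win32 error values defined inline so it compiles without windows.h.

```cpp
#include <cstdint>
#include <functional>
#include <string>

// Win32 error codes used below, with their documented numeric values
// (defined inline so the example builds on any platform).
constexpr uint32_t ERROR_SUCCESS = 0;
constexpr uint32_t ERROR_ACCESS_DENIED = 5;
constexpr uint32_t ERROR_BAD_NETPATH = 53;
constexpr uint32_t ERROR_NETWORK_UNREACHABLE = 1231;
constexpr uint32_t ERROR_HOST_UNREACHABLE = 1232;
constexpr uint32_t ERROR_NO_LOGON_SERVERS = 1311;
constexpr uint32_t ERROR_NO_SUCH_DOMAIN = 1355;
constexpr uint32_t RPC_S_SERVER_UNAVAILABLE = 1722;
constexpr uint32_t RPC_S_CALL_FAILED = 1726;

// Hypothetical classifier: only "could not reach the DC" failures justify a
// DS_FORCE_REDISCOVERY lookup. A policy answer such as ERROR_ACCESS_DENIED
// will be the same from every DC in the domain, so retrying elsewhere is waste.
bool is_connectivity_error(uint32_t err) {
  switch (err) {
    case ERROR_BAD_NETPATH: case ERROR_NETWORK_UNREACHABLE:
    case ERROR_HOST_UNREACHABLE: case ERROR_NO_LOGON_SERVERS:
    case ERROR_NO_SUCH_DOMAIN: case RPC_S_SERVER_UNAVAILABLE:
    case RPC_S_CALL_FAILED:
      return true;
    default:
      return false;
  }
}

// Stand-ins for get_logon_server / NetUserGetGroups so the control flow runs
// offline: lookup(force_rediscovery) yields a DC name, groups_query(server)
// yields a Win32 status (the real get_user_groups returns bool; status is
// modelled here so the failure reason is visible to the guard).
using LookupFn = std::function<std::string(bool)>;
using GroupsFn = std::function<uint32_t(const std::string&)>;

struct Outcome { uint32_t status; int dc_lookups; int group_queries; };

// Mirrors get_server_groups' retry clause with the proposed guard applied.
Outcome get_server_groups(const LookupFn& lookup, const GroupsFn& groups_query) {
  Outcome o{ERROR_SUCCESS, 0, 0};
  std::string server = lookup(false); ++o.dc_lookups;   // cached DC info
  o.status = groups_query(server); ++o.group_queries;
  if (o.status != ERROR_SUCCESS && is_connectivity_error(o.status)) {
    server = lookup(true); ++o.dc_lookups;              // DS_FORCE_REDISCOVERY
    o.status = groups_query(server); ++o.group_queries;
  }
  return o;
}
```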
