DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:content-type; q=dns; s=default; b=Tt5tim39Aku7F9vyP584tjI5E5woD
	tYT/21oefLmhse5CIMCswal4UOR3QujJKlZ9rUap3iE1LQtdxWLUacBr+GmFZX1z
	kaMmdPro43mxi8P/ie08I8sh3Mu/nF0D8YM5aG/0kliDJ1qRLLqpXKsUab1/S0OJ
	y59gZWXcQX3PtE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Message-ID: <51B2D55B.3020904@dancol.org>
Date: Fri, 07 Jun 2013 23:55:23 -0700
From: Daniel Colascione <dancol AT dancol DOT org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: Cygwin <cygwin AT cygwin DOT com>
Subject: DS_FORCE_REDISCOVERY  lookup slows ssh logon
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="----enig2AHTWLOPWKLCBENJCUNJT"

------enig2AHTWLOPWKLCBENJCUNJT
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

In sec_auth.cc, get_server_groups contains this clause:

  if (get_logon_server (domain, server, false)
      && !get_user_groups (server, grp_list, user, domain)
      && get_logon_server (domain, server, true))
    get_user_groups (server, grp_list, user, domain);

The first call to get_logon_server retrieves cached domain information. We =
try
to look up user groups based on this information, and if fail to find this =
group
information (for any reason), we re-query the AD domain, get a new server, =
and
try again.

get_logon_server is a thin wrapper around DsGetDcName; get_logon_server's t=
hird
parameter determines whether we pass the DS_FORCE_REDISCOVERY flag to
DsGetDcName. DsGetDcName's documentation suggests that when doing AD operat=
ions,
we first retrieve cached information (by omitting DS_FORCE_REDISCOVERY), try
doing whatever it is that we're going to do, and if we can't reach the doma=
in
controller, ask for another DC name, this time with DS_FORCE_REDISCOVERY, a=
nd
having found a better DC, try the operation again.

The problem I'm having is that this rediscover-and-retry step is slowing do=
wn my
ssh logons by about three seconds. The DCs on my network (for reasons I don=
't
understand) reject anonymous connections to PIPE\SAMR, making NetUserGetGro=
ups
fail with ERROR_ACCESS_DENIED. The first call to get_user_groups fails almo=
st
instantaneously, but there's a delay of about three seconds querying the se=
cond
server, the one found when we call get_logon_server (domain, server, true),=
 and
this second call also eventually fails with ERROR_ACCESS_DENIED, probably
because the failure is a matter of policy, not of connectivity.

Would it be possible not to make the second call to NetUserGetGroups if the
first fails for a reason that doesn't have anything to do with network
connectivity? The purpose of DS_FORCE_REDISCOVERY seems to be to support
failover, and it doesn't seem useful to try a different server if we
successfully asked the first server and it just happened to say "no".

(By the way: how on earth does logon eventually succeed if group enumeration
fails? I'm using the stored-password authentication method, and when sshd
eventually connects, my user (according to whoami.exe /priv) is a member of=
 the
groups I expect.)


------enig2AHTWLOPWKLCBENJCUNJT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGy1V8ACgkQ17c2LVA10VsUpwCfTHj8JRFaFoYU1UrcA+RMk1oD
wPEAnidVbvryn6UiYjs4sfy+AvdBiknb
=M+Om
-----END PGP SIGNATURE-----

------enig2AHTWLOPWKLCBENJCUNJT--