X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=JxZj4Cl7DQ0eNsfGaelPslypUxkmp5a9Cv8im0+0uJLUCViGaJyMq
	qP3NDsSkioQK5T8VKzlipE/8GdjczHz+GxEtX40QG+oUKA5M4pbg28haKOIbqT4N
	XWNnTEIg94L7Mlg2UjUcjIdoemIs9MtL94HLVUiBhaCnFWdKwbuc78=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=GWwbyEiPdq8twv0IXth1FfvfoZ8=; b=XqXnxlGtIr8EOyJPrAMIIX1yvpdi
	PJZdJKqZeZUaQ5SMezy58jnwRBSWYuZHMPPBKg1okgMoYdb0sgBeJWZwT+pY3zUt
	eQPALZdMGtUq8863ZEteo6W4MyR2Bae+mzGU4vHSd8rqL1YNCcunVcHxngktqkGx
	ZnBXPkARN2Ma3ec=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Spam-SWARE-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.1
Date: Sat, 8 Jun 2013 21:02:14 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: DS_FORCE_REDISCOVERY  lookup slows ssh logon
Message-ID: <20130608190214.GC9607@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <51B2D55B DOT 3020904 AT dancol DOT org> <51B2EC44 DOT 30102 AT dancol DOT org> <20130608184726 DOT GA9607 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20130608184726.GA9607@calimero.vinschen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Jun  8 20:47, Corinna Vinschen wrote:
> On Jun  8 01:33, Daniel Colascione wrote:
> > On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> > > (By the way: how on earth does logon eventually succeed if group enumeration
> > > fails? I'm using the stored-password authentication method, and when sshd
> > > eventually connects, my user (according to whoami.exe /priv) is a member of the
> > > groups I expect.)
> > 
> > Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
> > getting a truncated group list from initgroups while checking ~/.ssh
> > permissions, which still happens to work fine in my case, the logon delay aside.
> > 
> > Changing openssh to call setgroups only after calling seteuid might help (so
> > we'd retrieve the group list in the context of our new user), but because
> > get_groups calls deimpersonate before talking to the server, that wouldn't
> > actually work.
> > 
> > What about something like this?
> 
> Hmm.  I'm not so sure.  I think it's a bit of a hack to depend on the
> availability of the LSA private key entry for this part of the code.
> 
> Actually, the problem you have is based on the fact that you're using a
> machine-local cyg_server account to run sshd.  In domain environments
> it's prudent to create such an account in AD and add a matching group
> policy to make sure that account has the required rights on the machines
> which are supposed to run sshd.  I created a short FAQ entry once,
> http://cygwin.com/faq.html#faq.using.sshd-in-domain
> 
> What probably *does* make sense is not to call get_logon_server twice
> if the first call returned with ERROR_ACCESS_DENIED.  That requires 
> only a bit of minor code rearranging.  I'll prepare something today
> or tomorrow.

In facxt, this tiny patch should fix the 3 second timeout:

Index: sec_auth.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
retrieving revision 1.47
diff -u -p -r1.47 sec_auth.cc
--- sec_auth.cc	23 Apr 2013 09:44:33 -0000	1.47
+++ sec_auth.cc	8 Jun 2013 19:00:46 -0000
@@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg
   if (ret)
     {
       __seterrno_from_win_error (ret);
-      /* It's no error when the user name can't be found. */
-      return ret == NERR_UserNotFound;
+      /* It's no error when the user name can't be found.
+	 It's also no error if access has been denied.  Yes, sounds weird, but
+	 keep in mind that ERROR_ACCESS_DENIED means the current user has no
+	 permission to access the AD user information.  However, if we return
+	 an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
+	 to ask for another server.  This is not only time consuming, it's also
+	 useless; the next server will return access denied again. */
+      return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
     }
 
   len = wcslen (domain);

Would you mind to give it a try in your environment?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple