public inbox for cygwin@cygwin.com
* WG: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3) 2008-12-09: Very  large  logon times...
@ 2009-01-22 11:31 Markus.Bauer
  2009-01-22 15:02 ` WG: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3) 2008-12-09: Very large " Corinna Vinschen
  0 siblings, 1 reply; 7+ messages in thread
From: Markus.Bauer @ 2009-01-22 11:31 UTC (permalink / raw)
  To: cygwin

Hello Corinna,

My name is Markus Bauer. I'm a colleague of Carsten Porzler and I tried 
to figure out where the time is wasted.
I put some debugging statements in sec_auth.cc and syscalls.cc. The 
strange thing is that I only see the statements from syscalls.cc but not the 
many I put in sec_auth.cc.

Maybe you have an idea?

Thank you very much.

Markus Bauer

Carsten Porzler/sdv wrote on 16.01.2009 12:59:03:

> WG: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3) 2008-12-09: Very
> large logon times...
> 
> Carsten Porzler 
> to: Markus Bauer
> 16.01.2009 12:59
> 
> FYI
> 
> ----- Forwarded by Carsten Porzler/sdv on 16.01.2009 12:58 -----
> 
> From: Corinna Vinschen <corinna-cygwin@cygwin.com>
> To: cygwin@cygwin.com
> Date: 09.01.2009 13:49
> Subject: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3) 2008-12-09: Very large logon times...
> Sent by: cygwin-owner@cygwin.com
> 
> On Jan  7 11:02, Carsten.Porzler@spb.de wrote:
> > I just compiled the cygwin sources from the latest snapshot for testing. 
> > It seems to be working...
> > 
> > So, please tell me the debugging statements I have to insert into the 
> > source code to figure out where the logon process takes the time.
> 
> The idea is to add statements along these lines
> 
>   debug_printf ("CHECKPOINT 1");
>   debug_printf ("CHECKPOINT 2");
>   debug_printf ("CHECKPOINT 3");
>   [...]
> 
> liberally across the functions in the winsup/cygwin/sec_auth.cc file,
> with the starting point being the function lsaauth(), line 912 in recent
> sources, so that we can track down where exactly the time is wasted.
> After you added these statements all over the place, stop sshd, install
> this new DLL and then, before starting sshd again, tweak the following
> registry entries:
> 
>   HKLM\SYSTEM\CurrentControlSet\Services\sshd\Parameters
> 
>   AppPath  ==>  "/bin/strace"
>   AppArgs  ==>  "-o C:/sshd-strace.out /usr/sbin/sshd -d"
> 
> Note the old entries before so you can restore them afterwards.
> 
> Now log in exactly once and log out again.  Afterwards, the sshd process
> will have stopped automatically (that's what the lowercase -d does).
> Note that it takes *much* longer to login when running under strace.  Be
> (even more) patient.
> 
> After each run, examine the CHECKPOINTs in the C:/sshd-strace.out file.
> The left two columns show times in milliseconds which denote the time
> it took to get to this statement, relative to the last debug output and
> relative to the process start.  At one point you will see that these
> numbers between two CHECKPOINTs are unusually high.  That means, the
> culprit of the delay is somewhere between these two CHECKPOINTs.  Now
> let's play stepwise refinement and add more of these CHECKPOINTs between
> the other two and reiterate the steps above, until you think you nailed
> it down to a certain part of the DLL, or even a single Windows function
> call.
> 
> For a start, add these, relative to the current code in CVS:
> 
>   syscalls.cc, line 2616:
> 
>     debug_printf ("CHECKPOINT 9999");
> 
>   sec_auth.cc, line 945:
> 
>     debug_printf ("CHECKPOINT 0");
> 
>   sec_auth.cc, line 1177:
> 
>     debug_printf ("CHECKPOINT 9998");
> 
> I assume the delay occurs either when trying to get the logon server
> information (function get_logon_server, line 180), or when connecting
> the logon server to fetch group information (function get_user_groups,
> line 225 and function get_user_local_groups, line 313), so it might be a
> good idea to add more CHECKPOINTs there.
> 
> When you think you found it, I'll take another look into it and
> hopefully this can be fixed easily.
> 
> 
> HTH,
> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader          cygwin AT cygwin DOT com
> Red Hat
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
> 


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

^ permalink raw reply	[flat|nested] 7+ messages in thread
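
Added example (not part of the original thread and not Cygwin project code): a small Python helper for the "examine the CHECKPOINTs" step in the instructions quoted in the message above. It assumes each strace line carries the two leading time columns the message describes, followed by [thread], program name and pid; the sample lines are constructed. Gaps are taken from the second column per process, because the first column is relative to the previous debug line of any kind, not to the previous CHECKPOINT.

```python
import re

# Assumed line layout: <since last output> <since process start> [thread] prog pid text
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\[[^\]]*\]\s+\S+\s+(\d+)\s+(.*)$")
CHECKPOINT = re.compile(r"CHECKPOINT (\d+)")

# Constructed sample, not real sshd output. pid 2412 stands in for a second
# traced process whose lines interleave with those of pid 2304.
SAMPLE = """\
  120   10450 [main] sshd 2304 lsaauth: CHECKPOINT 0
   95   10545 [main] sshd 2304 get_logon_server: CHECKPOINT 1
   40     900 [main] sshd 2412 lsaauth: CHECKPOINT 0
  210   10755 [main] sshd 2304 get_logon_server: other debug output
48211   58966 [main] sshd 2304 get_user_groups: CHECKPOINT 2
  130   59096 [main] sshd 2304 lsaauth: CHECKPOINT 9998
"""


def checkpoint_gaps(lines):
    """Return (elapsed, pid, from_checkpoint, to_checkpoint), slowest first."""
    last = {}  # pid -> (checkpoint number, time since that process started)
    gaps = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # banner, blank or wrapped line
        _delta, total, pid, text = m.groups()
        cp = CHECKPOINT.search(text)
        if not cp:
            continue  # ordinary debug output; it only advances 'total'
        total, pid, num = int(total), int(pid), int(cp.group(1))
        if pid in last:
            prev_num, prev_total = last[pid]
            gaps.append((total - prev_total, pid, prev_num, num))
        last[pid] = (num, total)
    return sorted(gaps, reverse=True)


if __name__ == "__main__":
    for elapsed, pid, a, b in checkpoint_gaps(SAMPLE.splitlines()):
        print(f"pid {pid}: CHECKPOINT {a} -> {b}: {elapsed}")
```

The pair at the top of the result is the interval to refine with further CHECKPOINTs on the next run.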

* Re: WG: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3)  2008-12-09: Very large  logon times...
  2009-01-22 11:31 WG: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3) 2008-12-09: Very large logon times Markus.Bauer
@ 2009-01-22 15:02 ` Corinna Vinschen
  2009-02-20 14:47   ` SSH V.5.1 with Cygwin1.dll 1.7.0: Very large " Carsten.Porzler
  0 siblings, 1 reply; 7+ messages in thread
From: Corinna Vinschen @ 2009-01-22 15:02 UTC (permalink / raw)
  To: cygwin

On Jan 22 09:44, Markus.Bauer wrote:
> Hello Corinna,

I already told your colleague Carsten:

Please, don't http://cygwin.com/acronyms/#TOFU

I hope you're aware that cygwin@cygwin.com is a public mailing list?
I'm just asking because you're addressing me personally...

> My name is Markus Bauer. I'm a colleague of Carsten Porzler and I tried 
> to figure out where the time is wasted.
> I put some debugging statements in sec_auth.cc and syscalls.cc. The 
> strange thing is that I only see the statements from syscalls.cc but not the 
> many I put in sec_auth.cc.
> 
> Maybe you have an idea?

No.  Not really.  The only reason could be that the code isn't called.
Only further debugging will help.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: SSH V.5.1 with Cygwin1.dll 1.7.0: Very large  logon times...
  2009-01-22 15:02 ` WG: Re: SSH V.5.1 with Cygwin1.dll 1.7.0(0.189/5/3) 2008-12-09: Very large " Corinna Vinschen
@ 2009-02-20 14:47   ` Carsten.Porzler
  2009-02-20 15:20     ` Corinna Vinschen
  0 siblings, 1 reply; 7+ messages in thread
From: Carsten.Porzler @ 2009-02-20 14:47 UTC (permalink / raw)
  To: cygwin

Hello,

> 
> No.  Not really.  The only reason could be that the code isn't called.
> Only further debugging will help.
> 

It is very difficult to put in debug statements at the right places 
within the source code because of the complexity of the programs.

But we have just found out these new facts:

- We copied our productive Active Directory database into a test environment
        + AD database contained 8700 users, 6000 groups, 9600 computers
        + part of this test network are only three computers: root domain controller, domain controller, member server
        + problem of large logon time could also be seen in this copied environment

- In the next step we deleted most of the Active Directory objects
        + After this deletion process AD database contains only 278 users, 784 groups and 32 computers
        + SSH login takes only 1 sec. for login

With this information it should be possible for you developers to 
adjust the situation. Increase the number of your Active Directory 
objects, and you will probably see that the logon time will also increase!

Anything within your ssh logon process takes more time the bigger the 
Active Directory database is.

Thanks a lot in advance and best regards

Carsten Porzler

 



* Re: SSH V.5.1 with Cygwin1.dll 1.7.0: Very large  logon times...
  2009-02-20 14:47   ` SSH V.5.1 with Cygwin1.dll 1.7.0: Very large " Carsten.Porzler
@ 2009-02-20 15:20     ` Corinna Vinschen
  2009-02-20 17:10       ` Corinna Vinschen
  0 siblings, 1 reply; 7+ messages in thread
From: Corinna Vinschen @ 2009-02-20 15:20 UTC (permalink / raw)
  To: cygwin

On Feb 20 15:48, Carsten.Porzler@spb.de wrote:
> It is very difficult to put in debug statements at the right places 
> within the source code because of the complexity of the programs.
> 
> But we have just found out these new facts:
> 
> - We copied our productive Active Directory database into a test environment
>         + AD database contained 8700 users, 6000 groups, 9600 computers
>         + part of this test network are only three computers: root domain controller, domain controller, member server
>         + problem of large logon time could also be seen in this copied environment
> 
> - In the next step we deleted most of the Active Directory objects
>         + After this deletion process AD database contains only 278 users, 784 groups and 32 computers
>         + SSH login takes only 1 sec. for login
> 
> With this information it should be possible for you developers to 
> adjust the situation. Increase the number of your Active Directory 
> objects, and you will probably see that the logon time will also increase!
> 
> Anything within your ssh logon process takes more time the bigger the 
> Active Directory database is.

I just discussed this problem and my code with somebody having more
insight into this AD stuff.  I now have a hunch what I could do to
fix this bad timing problem.  Stay tuned.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: SSH V.5.1 with Cygwin1.dll 1.7.0: Very large  logon times...
  2009-02-20 15:20     ` Corinna Vinschen
@ 2009-02-20 17:10       ` Corinna Vinschen
  2009-02-23 15:57         ` SSH V.5.1 with Cygwin1.dll 1.7.0: Very large logon times... ---- SUCCESS!!! Carsten.Porzler
  0 siblings, 1 reply; 7+ messages in thread
From: Corinna Vinschen @ 2009-02-20 17:10 UTC (permalink / raw)
  To: cygwin

On Feb 20 16:20, Corinna Vinschen wrote:
> On Feb 20 15:48, Carsten.Porzler@spb.de wrote:
> > It is very difficult to put in debug statements at the right places 
> > within the source code because of the complexity of the programs.
> > 
> > But we have just found out these new facts:
> > 
> > - We copied our productive Active Directory database into a test environment
> >         + AD database contained 8700 users, 6000 groups, 9600 computers
> >         + part of this test network are only three computers: root domain controller, domain controller, member server
> >         + problem of large logon time could also be seen in this copied environment
> > 
> > - In the next step we deleted most of the Active Directory objects
> >         + After this deletion process AD database contains only 278 users, 784 groups and 32 computers
> >         + SSH login takes only 1 sec. for login
> > 
> > With this information it should be possible for you developers to 
> > adjust the situation. Increase the number of your Active Directory 
> > objects, and you will probably see that the logon time will also increase!
> > 
> > Anything within your ssh logon process takes more time the bigger the 
> > Active Directory database is.
> 
> I just discussed this problem and my code with somebody having more
> insight into this AD stuff.  I now have a hunch what I could do to
> fix this bad timing problem.  Stay tuned.

Please try the latest 1.7.0 incarnation:

  http://cygwin.com/ml/cygwin-announce/2009-02/msg00018.html

This hopefully fixes the above problem.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: SSH V.5.1 with Cygwin1.dll 1.7.0: Very large  logon times...  ---- SUCCESS!!!
  2009-02-20 17:10       ` Corinna Vinschen
@ 2009-02-23 15:57         ` Carsten.Porzler
  2009-02-23 16:52           ` Corinna Vinschen
  0 siblings, 1 reply; 7+ messages in thread
From: Carsten.Porzler @ 2009-02-23 15:57 UTC (permalink / raw)
  To: cygwin

Hello,
> 
> Please try the latest 1.7.0 incarnation:
> 
>   http://cygwin.com/ml/cygwin-announce/2009-02/msg00018.html
> 
> This hopefully fixes the above problem.
> 

Yes, it works!!!

We need only 1 sec to login via SSH with an Active Directory user.

And it seems, that you have changed also the fact, that a user which logs 
on with his password runs with a network user token (like in some older 
versions) and can access also other network computers. But (as before) a 
user which logs on by public key authentication gets only a local user 
token. --- That is also very nice!

Thanks a lot for your support and development!

Best regards

Carsten Porzler



* Re: SSH V.5.1 with Cygwin1.dll 1.7.0: Very large  logon times...  ---- SUCCESS!!!
  2009-02-23 15:57         ` SSH V.5.1 with Cygwin1.dll 1.7.0: Very large logon times... ---- SUCCESS!!! Carsten.Porzler
@ 2009-02-23 16:52           ` Corinna Vinschen
  0 siblings, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2009-02-23 16:52 UTC (permalink / raw)
  To: cygwin

On Feb 23 16:59, Carsten.Porzler@spb.de wrote:
> Hello,
> > 
> > Please try the latest 1.7.0 incarnation:
> > 
> >   http://cygwin.com/ml/cygwin-announce/2009-02/msg00018.html
> > 
> > This hopefully fixes the above problem.
> > 
> 
> Yes, it works!!!
> 
> We need only 1 sec to login via SSH with an Active Directory user.
> 
> And it seems, that you have changed also the fact, that a user which logs 
> on with his password runs with a network user token (like in some older 
> versions) and can access also other network computers.

This is the result of an older patch from back in 2008.

>  But (as before) a 
> user which logs on by public key authentication gets only a local user 
> token. --- That is also very nice!

Glad to read that.  And, while we're at it, read this:

http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

1.7 has two new methods to setuid a process and there's maybe something
to gain when using public key authentication...


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
