From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 1198 invoked by alias); 8 Jun 2013 18:47:35 -0000
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Archive:
List-Post:
List-Help: ,
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Received: (qmail 1162 invoked by uid 89); 8 Jun 2013 18:47:29 -0000
X-Spam-SWARE-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.1
Received: from aquarius.hirmke.de (HELO calimero.vinschen.de) (217.91.18.234) by sourceware.org (qpsmtpd/0.84/v0.84-167-ge50287c) with ESMTP; Sat, 08 Jun 2013 18:47:28 +0000
Received: by calimero.vinschen.de (Postfix, from userid 500) id 4E0F1520CD6; Sat, 8 Jun 2013 20:47:26 +0200 (CEST)
Date: Sat, 08 Jun 2013 18:47:00 -0000
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
Message-ID: <20130608184726.GA9607@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <51B2D55B.3020904@dancol.org> <51B2EC44.30102@dancol.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <51B2EC44.30102@dancol.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-SW-Source: 2013-06/txt/msg00148.txt.bz2

On Jun 8 01:33, Daniel Colascione wrote:
> On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> > (By the way: how on earth does logon eventually succeed if group enumeration
> > fails? I'm using the stored-password authentication method, and when sshd
> > eventually connects, my user (according to whoami.exe /priv) is a member of the
> > groups I expect.)
>
> Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
> getting a truncated group list from initgroups while checking ~/.ssh
> permissions, which still happens to work fine in my case, the logon delay aside.
>
> Changing openssh to call setgroups only after calling seteuid might help (so
> we'd retrieve the group list in the context of our new user), but because
> get_groups calls deimpersonate before talking to the server, that wouldn't
> actually work.
>
> What about something like this?

Hmm. I'm not so sure. I think it's a bit of a hack to depend on the
availability of the LSA private key entry for this part of the code.

Actually, the problem you have is based on the fact that you're using a
machine-local cyg_server account to run sshd. In domain environments
it's prudent to create such an account in AD and add a matching group
policy to make sure that account has the required rights on the machines
which are supposed to run sshd. I created a short FAQ entry once,
http://cygwin.com/faq.html#faq.using.sshd-in-domain

What probably *does* make sense is not to call get_logon_server twice if
the first call returned with ERROR_ACCESS_DENIED. That requires only a
bit of minor code rearranging. I'll prepare something today or tomorrow.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
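The retry policy Corinna describes (do not issue a second, forced-rediscovery domain controller lookup when the first lookup already failed with ERROR_ACCESS_DENIED) is illustrated by the following added example. It is not Cygwin's get_logon_server code and not part of the thread; the function names `lookup_logon_server` and `fake_ds_get_dc_name` are assumptions, and the lookup itself is a constructed stand-in for the Windows DsGetDcName call so that the file builds and runs on any platform. Only the numeric error codes and the DS_FORCE_REDISCOVERY flag value are the real Windows constants.

```c
/* Added example, not Cygwin's code: a lookup helper that retries with
 * DS_FORCE_REDISCOVERY only when the first (cached) lookup failed for a
 * reason rediscovery could actually cure.  An access-denied result means
 * the calling account lacks rights on this machine; a forced rediscovery
 * cannot fix that and only adds the slow network round trip that delays
 * the ssh logon. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Real Windows constants (winerror.h / dsgetdc.h values). */
#define ERROR_SUCCESS          0
#define ERROR_ACCESS_DENIED    5
#define ERROR_NO_SUCH_DOMAIN   1355
#define DS_FORCE_REDISCOVERY   0x00000001

/* Constructed scenario driving the stand-in lookup, so the retry policy can
 * be exercised deterministically without a domain. */
struct dc_scenario {
    uint32_t first_result;   /* outcome of the cached (non-forced) lookup */
    uint32_t forced_result;  /* outcome of a forced rediscovery */
    int      forced_calls;   /* how many slow forced lookups were issued */
};

/* Stand-in for DsGetDcName (hypothetical name): records whether the caller
 * asked for rediscovery and returns the scripted result. */
static uint32_t fake_ds_get_dc_name(struct dc_scenario *s, uint32_t flags,
                                    char *out, size_t outlen)
{
    if (flags & DS_FORCE_REDISCOVERY) {
        s->forced_calls++;   /* this is the call that stalls the logon */
        if (s->forced_result == ERROR_SUCCESS)
            snprintf(out, outlen, "\\\\DC-REDISCOVERED");
        return s->forced_result;
    }
    if (s->first_result == ERROR_SUCCESS)
        snprintf(out, outlen, "\\\\DC-CACHED");
    return s->first_result;
}

/* get_logon_server-style helper (hypothetical): cached lookup first; retry
 * with rediscovery unless the failure was a rights problem. */
static uint32_t lookup_logon_server(struct dc_scenario *s,
                                    char *out, size_t outlen)
{
    uint32_t err = fake_ds_get_dc_name(s, 0, out, outlen);
    if (err == ERROR_SUCCESS || err == ERROR_ACCESS_DENIED)
        return err;          /* nothing a forced rediscovery would change */
    return fake_ds_get_dc_name(s, DS_FORCE_REDISCOVERY, out, outlen);
}

int main(void)
{
    char server[64] = "";
    /* Constructed scenarios: a local service account without rights, and a
     * domain member whose DC cache is stale. */
    struct dc_scenario denied = { ERROR_ACCESS_DENIED, ERROR_ACCESS_DENIED, 0 };
    struct dc_scenario stale  = { ERROR_NO_SUCH_DOMAIN, ERROR_SUCCESS, 0 };

    uint32_t e1 = lookup_logon_server(&denied, server, sizeof server);
    printf("access denied: err=%u forced_calls=%d\n", e1, denied.forced_calls);

    uint32_t e2 = lookup_logon_server(&stale, server, sizeof server);
    printf("stale cache:   err=%u forced_calls=%d server=%s\n",
           e2, stale.forced_calls, server);
    return 0;
}
```

In the access-denied scenario the helper returns immediately and the forced-lookup counter stays at zero, which is the logon delay removed; in the stale-cache scenario the single forced retry still runs and finds the domain controller.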