From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: More testing needed: New passwd/group AD/SAM integration
Date: Wed, 14 May 2014 12:59:00 -0000
Message-ID: <20140514113659.GD2436@calimero.vinschen.de>

On May 13 22:15, Henry S. Thompson wrote:
> Corinna Vinschen writes:
> > On May 13 18:29, Henry S. Thompson wrote:
> >> Glitch (also true for x86 1.7.29-2):
> >>   id returns effectively immediately for all users and non-users _except_:
> >>     > time id Administrators
> >>     uid=544(+Administrators) gid=544(+Administrators)
> >>     groups=11(+Authenticated Users),544(+Administrators)
> >>
> >>     real 0m2.296s
> >>     user 0m0.015s
> >>     sys 0m0.015s
> >
> > This shouldn't happen as long as we still have the "+" prepended to
> > BUILTIN accounts(*).  And, as a matter of fact, I can't reproduce this
> > with the latest from CVS (== the snapshot you're testing).  Did you exit
> > your shell and restart it after creating the /etc/nsswitch.conf file as
> > described in my preliminary documentation?
>
> Yes, and I just re-did that, and I'm still getting the delay.  You did
> notice that it's the plural version (Administrator_s_) that has the
> delay -- Administrator (no 's') is just as fast as all the others.

Yes, I noticed the "s".  But I missed to explain that I wasn't talking
about the delay.  What I can't reproduce is that `id Administrators'
returns a result:

  $ id +Administrators
  uid=544(+Administrators) gid=544(+Administrators) groups=11(+Authenticated Users),544(+Administrators)

but:

  $ id Administrators
  id: Administrators: no such user

But now I understand why this occurs.  It's the different handling of
account names without domain prefix on standalone vs. domain machines.
I applied a patch now which checks the incoming names for validity under
the current naming rules, so, in theory, `id Administrators' should now
return "no such user" for you as well.

> Adding the '+' doesn't change the behaviour.
>
> Ah, it occurred to me to do an strace, and I found the culprit, I
> think:
>
>      19  392152 [main] id 16856 stat_worker: 0 = (\??\C:\C64\dev,0x1802C2940)
>      26  392178 [main] id 16856 fstat64: 0 = fstat(1, 0x23A4F0)
>      30  392208 [main] id 16856 isatty: 1 = isatty(1)
>    1085  393293 [main] id 16856 pwdgrp::fetch_account_from_windows: line: <+Administrators:*:544:544:,S-1-5-32-544:/:/sbin/nologin>
> 2253178 2646471 [main] id 16856 seterrno_from_win_error: /home/cygnus/vinschen/mknetrel/src/cygwin-snapshot-20140513-1/winsup/cygwin/sec_auth.cc:244 windows error 1355
>     187 2646658 [main] id 16856 geterrno_from_win_error: unknown windows
> error 1355, setting errno to 13
>
> Does that help?

Yes, thank you, it does.  I tracked it down to the fact that in this
specific scenario, Cygwin asks for a domain controller of the "BUILTIN"
domain.  This request for a domain controller name of a not really
existing domain takes about 2 secs.  I added a check for the user's SID
to make sure the logon server name is only requested if the SID is a
"real" domain SID.

> > (*) I'd be grateful for input to the questions I asked in my OP, too.
>
> Sorry, I am just a Un*x guy trying to live on a Windows box, I have
> nothing like the necessary Windows sysadmin background to have an
> opinion.  I thought I would try your snapshots precisely _because_ I
> understand almost nothing about all this -- I followed the 'mkpasswd'
> instructions 8 years ago, and never touched things after that, and I
> was just trying to help by seeing if there was anything a trial by a
> naive user could uncover before things got fully released.

That's ok.  The debugging attempts in terms of your above `id' example
already led me to understand why SFU decided to prefix the builtin
account names.  This really makes sense to be able to check incoming
account names for validity.  It's hard to explain, but I'm getting an
idea that we're better off in the long run to stick to the naming scheme
of SFU, or at least something close.

I just created new snapshots on http://cygwin.com/snapshots/
Please give'em a try.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
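
Added example, not part of the original message and not Cygwin's code: a C sketch of the kind of SID check described above, which classifies the SID found in a passwd line so that a logon server is only looked up for S-1-5-21 accounts and never for BUILTIN aliases such as S-1-5-32-544. The names classify_sid and wants_logon_server are hypothetical, and telling a machine-local S-1-5-21 SID from a domain one (which needs the machine's own SID) is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum sid_kind { SID_INVALID, SID_BUILTIN, SID_ACCOUNT, SID_OTHER };
/* Classify a SID string ending at '\0' or at the ':' that closes a passwd field.
   S-1-5-32-<rid>: BUILTIN alias; S-1-5-21-<a>-<b>-<c>-<rid>: SAM or AD account. */
enum sid_kind classify_sid(const char *s)
{
    unsigned long auth, sub[15];
    int n = 0;
    char *end;

    if (strncmp(s, "S-1-", 4) != 0 || !isdigit((unsigned char)s[4]))
        return SID_INVALID;
    auth = strtoul(s + 4, &end, 10);
    while (*end == '-') {                        /* one subauthority per pass */
        if (n == 15 || !isdigit((unsigned char)end[1]))
            return SID_INVALID;
        sub[n++] = strtoul(end + 1, &end, 10);
    }
    if ((*end != '\0' && *end != ':') || n == 0)
        return SID_INVALID;
    if (auth == 5 && sub[0] == 32 && n == 2)
        return SID_BUILTIN;
    return (auth == 5 && sub[0] == 21 && n == 5) ? SID_ACCOUNT : SID_OTHER;
}

/* Hypothetical helper: find the SID in the gecos (5th) field of a passwd line
   and report whether a logon-server lookup is worthwhile for that account. */
int wants_logon_server(const char *pwline)
{
    const char *p = pwline;

    for (int field = 0; field < 4; field++) {    /* skip name:pw:uid:gid */
        if ((p = strchr(p, ':')) == NULL)
            return 0;
        p++;
    }
    const char *stop = strchr(p, ':'), *sid = strstr(p, "S-1-");
    if (sid == NULL || (stop != NULL && sid > stop))
        return 0;                                /* no SID inside the gecos field */
    return classify_sid(sid) == SID_ACCOUNT;
}

int main(void)
{   /* First line is from the strace in the mail; the second is constructed. */
    printf("%d\n", wants_logon_server("+Administrators:*:544:544:,S-1-5-32-544:/:/sbin/nologin"));
    printf("%d\n", wants_logon_server("jdoe:*:1001:513:,S-1-5-21-1111-2222-3333-1001:/home/jdoe:/bin/bash"));
    return 0;
}
```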