public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: timeout in LDAP access
Date: Mon, 14 Jul 2014 09:51:00 -0000
Message-ID: <20140714095107.GB10401@calimero.vinschen.de>
In-Reply-To: <BA09D7D8-96E6-431F-9434-8BA8A2AB4952@Denis-Excoffier.org>


On Jul 12 15:39, Denis Excoffier wrote:
> On 2014-07-09 12:12 Corinna Vinschen wrote:
> >> 
> >> I have encountered this case in real life. The domain admins have set
> >> the trustPosixOffset of the secondary domain to zero. This value is therefore
> >> never recorded and the cldap->open occurs again and again.
> > 
> > Ouch.  Why on earth are admins doing this?  There's no way to
> > workaround this reliably.
> > 
> Reliably I don’t know. I’ve modified uinfo.cc in order that the special value
> for td->PosixOffset is no longer 0. Taking into account that LDAP_SERVER_DOWN
> is now recognized, my ‘getent passwd’ executes gracefully in 40 minutes
> (instead of 60) and ‘getent group’ in 25 minutes (instead of 90). Also quicker
> is ‘mkpasswd -d secondary_domain’ of course. Patch attached.

That won't work.  It works around your immediate problem by defining
a non-0 start value, no doubt about that, but it doesn't fix the
underlying problem.

A POSIX offset of 0 is bad.  If other trusted domains have no functional
POSIX offset value, but are set to 0 instead, they won't have different
UID values for accounts of different domains.  Two users from different
domains, both with RID 1000 will both have UID 1000 in Cygwin.  Also,
the lower UID numbers are reserved for special accounts.

There is no guarantee that there won't be a collision at some point of
the 32 bit UID spectrum, but a POSIX offset of 0 will almost guarantee
the collision.

There are two ways to work around that.

- The better solution is to inform your IT of the problem.

- The not so good one is to enhance /etc/nsswitch.conf to allow defining
  POSIX offsets for domains independent of the AD setting.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat



Thread overview: 33+ messages
2014-06-16 20:39 Denis Excoffier
2014-06-17 10:00 ` Corinna Vinschen
2014-06-17 10:30   ` gecos from AD? (was Re: timeout in LDAP access) Corinna Vinschen
2014-06-17 12:51     ` Corinna Vinschen
2014-06-17 23:07       ` Denis Excoffier
2014-06-18  2:18       ` AW: " Christoph H. Hochstaetter
2014-06-17 22:59     ` Denis Excoffier
2014-06-18  8:38       ` Corinna Vinschen
2014-06-17 22:41   ` timeout in LDAP access Denis Excoffier
2014-06-18  8:33     ` Corinna Vinschen
2014-06-18 18:01       ` Corinna Vinschen
2014-06-19 17:53         ` Denis Excoffier
2014-06-23  9:10           ` Corinna Vinschen
2014-06-23 20:38             ` Denis Excoffier
2014-06-24 15:59               ` Corinna Vinschen
2014-06-25 10:15                 ` Corinna Vinschen
2014-06-25 20:44                   ` Denis Excoffier
2014-06-25 21:14                     ` Corinna Vinschen
2014-07-03 20:57                       ` Denis Excoffier
2014-07-07 11:07                         ` Corinna Vinschen
2014-07-08 19:34                           ` Denis Excoffier
2014-07-09 10:13                             ` Corinna Vinschen
2014-07-12 13:39                               ` Denis Excoffier
2014-07-14  9:51                                 ` Corinna Vinschen [this message]
2014-07-14 13:48                                   ` Corinna Vinschen
2014-07-15 16:29                                     ` Denis Excoffier
2014-07-15 18:20                                       ` Andrey Repin
2014-07-16 13:52                                       ` Corinna Vinschen
2014-07-17  6:33                                         ` Denis Excoffier
2014-07-18 19:18                                           ` Corinna Vinschen
2014-07-28  9:21                                             ` Corinna Vinschen
2014-07-28 18:51                                               ` Denis Excoffier
2014-07-29  9:07                                                 ` Please test AD integration changes, documentation attached (was Re: timeout in LDAP access) Corinna Vinschen
