On Jul 14 11:51, Corinna Vinschen wrote:
> On Jul 12 15:39, Denis Excoffier wrote:
> > On 2014-07-09 12:12 Corinna Vinschen wrote:
> > >>
> > >> I have encountered this case in real life. The domain admins have set
> > >> the trustPosixOffset of the secondary domain to zero. This value is therefore
> > >> never recorded and the cldap->open occurs again and again.
> > >
> > > Ouch. Why on earth are admins doing this? There's no way to
> > > work around this reliably.
> > >
> > Reliably I don’t know. I’ve modified uinfo.cc in order that the special value
> > for td->PosixOffset is no longer 0. Taking into account that LDAP_SERVER_DOWN
> > is now recognized, my ‘getent passwd’ executes gracefully in 40 minutes
> > (instead of 60) and ‘getent group’ in 25 minutes (instead of 90). Also quicker
> > is ‘mkpasswd -d secondary_domain’ of course. Patch attached.
>
> That won't work. It works around your immediate problem by defining
> a non-0 start value, no doubt about that, but it doesn't fix the
> underlying problem.
>
> A POSIX offset of 0 is bad. If other trusted domains have no functional
> POSIX offset value, but are set to 0 instead, they won't have different
> UID values for accounts of different domains. Two users from different
> domains, both with RID 1000 will both have UID 1000 in Cygwin. Also,
> the lower UID numbers are reserved for special accounts.
>
> There is no guarantee that there won't be a collision at some point of
> the 32 bit UID spectrum, but a POSIX offset of 0 will almost guarantee
> the collision.
>
> There are two ways to work around that.
>
> - The better solution is to inform your IT of the problem.
>
> - The not so well one is to enhance /etc/nsswitch.conf to allow to
>   define POSIX offsets for domains independent of the AD setting.

I tried the third solution for the time being, which is, generating the
fake POSIX offset a bit differently. Fake offsets are a bit dangerous
in that there's no guarantee that you get a stable mapping between SID
and UID/GID, but it's *hopefully* a border situation we're trying to
work around.

Please give the latest developer snapshot from http://cygwin.com/snapshots/
a try.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
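
The collision described in the message above, as an added example that is not part of the original thread and not Cygwin's code. It assumes the UID is the domain's POSIX offset plus the account's RID, as the "RID 1000 ... UID 1000" remark implies; the domain SIDs, offsets, accounts and the reserved-range cut-off are constructed.

```python
"""Audit trusted-domain POSIX offsets for the UID collisions described above.

Assumption (not Cygwin source): uid = posix_offset + RID, where RID is the
last sub-authority of the account SID. All sample data is constructed.
"""
from collections import defaultdict

# Assumed cut-off below which UIDs count as reserved for special accounts.
RESERVED_BELOW = 0x10000

def rid_of(sid: str) -> int:
    """Return the RID (last sub-authority) of a textual account SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not an account SID: {sid!r}")
    return int(parts[-1])

def audit(offsets, accounts):
    """Map each account SID to a UID and report what goes wrong.

    offsets:  dict of domain SID -> trustPosixOffset as configured in AD
    accounts: list of account SIDs belonging to those domains
    """
    by_uid = defaultdict(list)
    for sid in accounts:
        domain = sid.rsplit("-", 1)[0]  # SID without its RID
        by_uid[offsets[domain] + rid_of(sid)].append(sid)
    return {
        "zero_offset": sorted(d for d, off in offsets.items() if off == 0),
        "collisions": {u: s for u, s in by_uid.items() if len(s) > 1},
        "reserved": sorted(u for u in by_uid if u < RESERVED_BELOW),
    }

# Constructed sample: two trusted domains whose offset was set to 0,
# and one with a distinct non-zero offset.
OFFSETS = {
    "S-1-5-21-1-1-1": 0,
    "S-1-5-21-2-2-2": 0,
    "S-1-5-21-3-3-3": 0x500000,
}
ACCOUNTS = [
    "S-1-5-21-1-1-1-1000",
    "S-1-5-21-2-2-2-1000",
    "S-1-5-21-3-3-3-1000",
]

if __name__ == "__main__":
    print(audit(OFFSETS, ACCOUNTS))
```

The two zero-offset domains map their RID 1000 accounts to the same UID, which also falls in the assumed reserved range; the third domain's account does not collide.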