From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Mon, 14 Jul 2014 13:48:00 -0000
Subject: Re: timeout in LDAP access
Message-ID: <20140714134836.GA2637@calimero.vinschen.de>
In-Reply-To: <20140714095107.GB10401@calimero.vinschen.de>

On Jul 14 11:51, Corinna Vinschen wrote:
> On Jul 12 15:39, Denis Excoffier wrote:
> > On 2014-07-09 12:12 Corinna Vinschen wrote:
> > >>
> > >> I have encountered this case in real life. The domain admins have set
> > >> the trustPosixOffset of the secondary domain to zero. This value is therefore
> > >> never recorded and the cldap->open occurs again and again.
> > >
> > > Ouch.  Why on earth are admins doing this?  There's no way to
> > > work around this reliably.
> > >
> > Reliably I don’t know. I’ve modified uinfo.cc in order that the special value
> > for td->PosixOffset is no longer 0. Taking into account that LDAP_SERVER_DOWN
> > is now recognized, my ‘getent passwd’ executes gracefully in 40 minutes
> > (instead of 60) and ‘getent group’ in 25 minutes (instead of 90). Also quicker
> > is ‘mkpasswd -d secondary_domain’ of course. Patch attached.
>
> That won't work.  It works around your immediate problem by defining
> a non-0 start value, no doubt about that, but it doesn't fix the
> underlying problem.
>
> A POSIX offset of 0 is bad.  If other trusted domains have no functional
> POSIX offset value, but are set to 0 instead, they won't have different
> UID values for accounts of different domains.  Two users from different
> domains, both with RID 1000 will both have UID 1000 in Cygwin.  Also,
> the lower UID numbers are reserved for special accounts.
>
> There is no guarantee that there won't be a collision at some point of
> the 32 bit UID spectrum, but a POSIX offset of 0 will almost guarantee
> the collision.
>
> There are two ways to work around that.
>
> - The better solution is to inform your IT of the problem.
>
> - The not so well one is to enhance /etc/nsswitch.conf to allow to
>   define POSIX offsets for domains independent of the AD setting.

I tried the third solution for the time being, which is, generating the
fake POSIX offset a bit differently.
Fake offsets are a bit dangerous in that there's no guarantee that you
get a stable mapping between SID and UID/GID, but it's *hopefully* a
border situation we're trying to work around.

Please give the latest developer snapshot from http://cygwin.com/snapshots/
a try.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
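
The collision described in this message, as an added example that is not part of the original mail or of Cygwin's code: an audit that flags trusted domains whose trustPosixOffset is 0 and the accounts that end up sharing a UID. It assumes the mapping implied by the message (UID = POSIX offset + RID); the account list, the offset used for PRIMARY and the `RESERVED_BELOW` boundary are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (domain, trustPosixOffset from AD, account, RID).
ACCOUNTS = [
    ("PRIMARY",   0x100000, "alice", 1000),
    ("SECONDARY", 0,        "bob",   1000),
    ("THIRD",     0,        "carol", 1000),
    ("THIRD",     0,        "dave",  1105),
]

# Assumption: UIDs below this value count as "reserved for special accounts".
# The message gives no exact boundary, so this is a placeholder threshold.
RESERVED_BELOW = 0x10000


def map_uid(posix_offset, rid):
    """Map an account to a UID as offset + RID (mapping implied by the message)."""
    uid = posix_offset + rid
    if not 0 <= uid < 2**32:
        raise ValueError(f"UID {uid} is outside the 32 bit UID range")
    return uid


def audit(accounts, reserved_below=RESERVED_BELOW):
    """Report zero-offset domains, cross-domain UID collisions, reserved-range hits."""
    by_uid = defaultdict(list)
    zero_offset = set()
    for domain, offset, name, rid in accounts:
        if offset == 0:
            zero_offset.add(domain)
        by_uid[map_uid(offset, rid)].append((domain, name))

    collisions = {}
    reserved = []
    for uid, owners in by_uid.items():
        labels = [f"{d}\\{n}" for d, n in owners]
        # A collision only matters when the owners come from different domains.
        if len({d for d, _ in owners}) > 1:
            collisions[uid] = labels
        if uid < reserved_below:
            reserved.extend(labels)
    return {
        "zero_offset_domains": sorted(zero_offset),
        "collisions": collisions,
        "reserved": sorted(reserved),
    }


if __name__ == "__main__":
    for key, value in audit(ACCOUNTS).items():
        print(key, value)
```
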