Message-ID: <51B2EC44.30102@dancol.org>
Date: Sat, 08 Jun 2013 08:32:00 -0000
From: Daniel Colascione
To: cygwin@cygwin.com
Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
References: <51B2D55B.3020904@dancol.org>
In-Reply-To: <51B2D55B.3020904@dancol.org>

On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> (By the way: how on earth does logon eventually succeed if group enumeration
> fails? I'm using the stored-password authentication method, and when sshd
> eventually connects, my user (according to whoami.exe /priv) is a member of the
> groups I expect.)

Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
getting a truncated group list from initgroups while checking ~/.ssh
permissions, which still happens to work fine in my case, the logon delay aside.

Changing openssh to call setgroups only after calling seteuid might help (so
we'd retrieve the group list in the context of our new user), but because
get_groups calls deimpersonate before talking to the server, that wouldn't
actually work.

What about something like this?

Index: sec_auth.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
retrieving revision 1.47
diff -u -r1.47 sec_auth.cc
--- sec_auth.cc	23 Apr 2013 09:44:33 -0000	1.47
+++ sec_auth.cc	8 Jun 2013 08:31:16 -0000
@@ -246,7 +246,8 @@ static bool get_user_groups (WCHAR *logonserver, cygsidlist &grp_list, - PWCHAR user, PWCHAR domain) + PWCHAR user, PWCHAR domain, + struct passwd *pw) { WCHAR dgroup[MAX_DOMAIN_NAME_LEN + GNLEN + 2]; LPGROUP_USERS_INFO_0 buf; @@ -256,6 +257,33 @@ /* Look only on logonserver */ ret =3D NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf, MAX_PREFERRED_LENGTH, &cnt, &tot); + + if (ret =3D=3D ERROR_ACCESS_DENIED) + { + /* If we can't list the user's groups as ourselves, try + impersonating the user and trying again. If the user is a + domain account and we're just a privileged local account, the + user might have more access than we do. Only try + lsaprivkeyauth because other methods for creating user tokens + don't give us network credentials anyway. + */ + + HANDLE user_token =3D lsaprivkeyauth (pw); + + if (user_token) + { + if (ImpersonateLoggedOnUser (user_token)) + { + ret =3D NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf, + MAX_PREFERRED_LENGTH, &cnt, &tot); + + RevertToSelf (); + } + + CloseHandle (user_token); + } + } + if (ret) { __seterrno_from_win_error (ret); @@ -292,7 +320,8 @@ static bool get_user_local_groups (PWCHAR logonserver, PWCHAR domain, - cygsidlist &grp_list, PWCHAR user) + cygsidlist &grp_list, PWCHAR user, + struct passwd *pw) { LPLOCALGROUP_INFO_0 buf; DWORD cnt, tot; @@ -301,6 +330,29 @@ ret =3D NetUserGetLocalGroups (logonserver, user, 0, LG_INCLUDE_INDIRECT, (LPBYTE *) &buf, MAX_PREFERRED_LENGTH, &cnt, &tot); + + if (ret =3D=3D ERROR_ACCESS_DENIED) + { + /* See the ERROR_ACCESS_DENIED comment in get_user_groups */ + + HANDLE user_token =3D lsaprivkeyauth (pw); + + if (user_token) + { + if (ImpersonateLoggedOnUser (user_token)) + { + ret =3D NetUserGetLocalGroups ( + logonserver, user, 0, LG_INCLUDE_INDIRECT, + (LPBYTE *) &buf, MAX_PREFERRED_LENGTH, + &cnt, &tot); + + RevertToSelf (); + } + + CloseHandle (user_token); + } + } + if (ret) { __seterrno_from_win_error (ret); 
@@ -482,10 +534,10 @@ return false; } if (get_logon_server (domain, server, false) - && !get_user_groups (server, grp_list, user, domain) + && !get_user_groups (server, grp_list, user, domain, pw) && get_logon_server (domain, server, true)) - get_user_groups (server, grp_list, user, domain); - get_user_local_groups (server, domain, grp_list, user); + get_user_groups (server, grp_list, user, domain, pw); + get_user_local_groups (server, domain, grp_list, user, pw); get_unix_group_sidlist (pw, grp_list); return true; }
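Review bot: in the ERROR_ACCESS_DENIED branch added to get_user_groups (hunk @@ -256,6 +257,33 @@), a NULL return from lsaprivkeyauth (pw) and a failed ImpersonateLoggedOnUser (user_token) are both silently swallowed, so the caller's __seterrno_from_win_error (ret) then reports the first attempt's ERROR_ACCESS_DENIED and nothing explains why the impersonated retry never ran; add a debug_printf of GetLastError () on each of those two paths before falling through to `if (ret)`. The impersonation window itself is kept minimal (only NetUserGetGroups runs between ImpersonateLoggedOnUser and RevertToSelf, and the token is closed on every path), which is the right shape for code that is handing a freshly created logon token to a network call.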
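Review bot: the retry block in get_user_local_groups (hunk @@ -301,6 +330,29 @@) is a line-for-line copy of the one in get_user_groups, differing only in the Net* call in the middle, and each copy performs its own lsaprivkeyauth (pw), so one group enumeration now costs two separate LSA logons with the stored password. Factor the create-token / impersonate / call / RevertToSelf / CloseHandle sequence into a single helper that takes the lookup as a callback, and have the helper (or the caller in get_server_groups) create the token once and reuse it for both lookups; that keeps the impersonate/revert pairing in one place and halves the extra logon work.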
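Review bot: at the call site (hunk @@ -482,10 +534,10 @@) the existing fallback still forces logon-server rediscovery via get_logon_server (domain, server, true) whenever the first get_user_groups call fails, and with this change that failure can now mean "ERROR_ACCESS_DENIED even while impersonating the user", after which a rediscovered server plus a second lsaprivkeyauth logon against it is unlikely to succeed and only adds to the delay this thread's subject is about. Consider having get_user_groups distinguish an access-denied result from a server-unreachable one (for example by returning the Win32 error, or by setting a flag through an out parameter) so that the `&& get_logon_server (domain, server, true)` retry only runs in the unreachable case.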