This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: DS_FORCE_REDISCOVERY lookup slows ssh logon


Daniel?  Ping?

On Jun  8 21:02, Corinna Vinschen wrote:
> On Jun  8 20:47, Corinna Vinschen wrote:
> > Actually, the problem you have is based on the fact that you're using a
> > machine-local cyg_server account to run sshd.  In domain environments
> > it's prudent to create such an account in AD and add a matching group
> > policy to make sure that account has the required rights on the machines
> > which are supposed to run sshd.  I created a short FAQ entry once,
> > http://cygwin.com/faq.html#faq.using.sshd-in-domain
> > 
> > What probably *does* make sense is not to call get_logon_server twice
> > if the first call returned with ERROR_ACCESS_DENIED.  That requires 
> > only a bit of minor code rearranging.  I'll prepare something today
> > or tomorrow.
> 
> In fact, this tiny patch should fix the 3 second timeout:
> 
> Index: sec_auth.cc
> ===================================================================
> RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
> retrieving revision 1.47
> diff -u -p -r1.47 sec_auth.cc
> --- sec_auth.cc	23 Apr 2013 09:44:33 -0000	1.47
> +++ sec_auth.cc	8 Jun 2013 19:00:46 -0000
> @@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg
>    if (ret)
>      {
>        __seterrno_from_win_error (ret);
> -      /* It's no error when the user name can't be found. */
> -      return ret == NERR_UserNotFound;
> +      /* It's no error when the user name can't be found.
> +	 It's also no error if access has been denied.  Yes, sounds weird, but
> +	 keep in mind that ERROR_ACCESS_DENIED means the current user has no
> +	 permission to access the AD user information.  However, if we return
> +	 an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
> +	 to ask for another server.  This is not only time consuming, it's also
> +	 useless; the next server will return access denied again. */
> +      return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
>      }
>  
>    len = wcslen (domain);
> 
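Review bot: with the new return at the end of the hunk, get_user_groups reports success for ERROR_ACCESS_DENIED even though __seterrno_from_win_error (ret) has just been called and no group information was obtained, so the caller can no longer tell a complete group list from one cut short by a permission problem. Suggest adding a debug_printf of domain and ret before the return so the condition stays diagnosable, and extending the comment to say that the caller carries on with whatever groups it already has rather than retrying with DS_FORCE_REDISCOVERY.
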
> Would you mind giving it a try in your environment?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
