This is the mail archive of the cygwin mailing list for the Cygwin project.



Still testing needed: New passwd/group AD/SAM integration


Hi folks,


The latest snapshot, 2014-04-10, is a snapshot from CVS HEAD again.
It contains the latest crazy ideas in terms of the user and group
account creation without requiring the /etc/passwd and /etc/group
files.

Not a lot has changed since we made a break to test for 1.7.29,
but there's one important change I'd like to point out:

* cygserver now provides system-wide passwd/group entry caching.

  All processes started *after* cygserver will try to fetch passwd
  and group entries from cygserver.  While this is probably a bit
  slow at the start, the longer cygserver runs, the more information
  is present and later started processes will get the information
  with all due speed.

I attached the latest incarnation of the documentation for this
major change to this mail.

However!

After sweating about some of the details I created in my scrubby mind
back in January/February, I'm not so sure anymore if some of it was really
such a bright idea.

Especially two problems cropped up in discussions with local Cygwin
users:


* Support for Cygwin user names different from the Windows username.

  This is a really fat problem.  Assuming you have a Windows user called
  "yoghurt".  Using one of the methods outlined in the chapter "Cygwin
  user names, home dirs, login shells" in the attached document, you
  defined the Cygwin account name for this account as "kefir".

  If so, getpwnam() will be broken for this account.  The problem is
  this:  When your process calls getpwnam ("kefir"), the code has to ask
  Windows for the account name.  This leads to a call LookupAccountName
  ("kefir", ...).  But, obviously there is no Windows account "kefir",
  there's only "yoghurt".

  Fixing this problem leads to terrible performance.  Obviously Cygwin
  doesn't know if "yoghurt" is a local or an AD account.  Or, FWIW, an
  account in some trusted domain.  Finding "kefir" in the SAM of the
  local machine requires enumerating *all* accounts, until the account
  with
  
    <cygwin name="kefir" .../>

  is found.  Even worse in AD.  An ldap query is required which searches
  for an account with uid="kefir".  The uid attribute is not indexed by
  default.  Same for all trusted domains.

  This would also have to be done for all non-existing user accounts.
  And thus every time you just mistyped a user name.

  Therefore I think it would be better to remove this functionality.
  If you really think you have to use a username different from the
  Windows username, you should probably use a tiny /etc/passwd file
  with just this entry.  The new mkpasswd will create a default entry
  for you which just needs minor tweaking.


* db_separator in /etc/nsswitch.conf

  Is it really such a good idea to have a configurable separator
  char in user and group names?  Is it important that it is
  configurable?  Is '+' a good choice for the default separator?
  Wouldn't the backslash be a better and, perhaps, only choice?


Thanks for your testing and thanks for your input in terms of the
above two problems.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pwdgrp-doc
Description: Text document

Attachment: pgp2YVMsVpbTn.pgp
Description: PGP signature
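
The lookup cost described in the message, as an added C model that is not part of the original mail and is not Cygwin code: a keyed lookup by Windows name stands in for LookupAccountName, and the alias fallback enumerates every record. The `sam` table, the `comment` field holding the `<cygwin .../>` tag, and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model and sample data, not Cygwin source; sorted by win_name. */
struct account { const char *win_name; const char *comment; };
static const struct account sam[] = {
    { "bob",     "build account" },
    { "carol",   "<cygwin home=\"/home/carol\"/>" },
    { "yoghurt", "<cygwin name=\"kefir\" home=\"/home/kefir\"/>" },
    { "zed",     "" },
};
#define N_ACCOUNTS (sizeof sam / sizeof sam[0])
static unsigned long records_read;   /* cost counter: records examined */

/* Keyed lookup by Windows name, standing in for LookupAccountName. */
const struct account *lookup_windows_name(const char *name) {
    size_t lo = 0, hi = N_ACCOUNTS;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = strcmp(name, sam[mid].win_name);
        records_read++;
        if (c == 0) return &sam[mid];
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return NULL;
}
/* Fallback: enumerate every account looking for <cygwin name="..."/>. */
const struct account *scan_cygwin_alias(const char *name) {
    char needle[64];
    int n = snprintf(needle, sizeof needle, " name=\"%s\"", name);
    if (n < 0 || (size_t)n >= sizeof needle) return NULL; /* would truncate */
    for (size_t i = 0; i < N_ACCOUNTS; i++) {
        const char *tag = strstr(sam[i].comment, "<cygwin ");
        records_read++;
        if (tag && strstr(tag, needle)) return &sam[i];
    }
    return NULL;
}
/* getpwnam-like resolution: returns records examined, account via *out. */
unsigned long resolve(const char *name, const struct account **out) {
    records_read = 0;
    *out = lookup_windows_name(name);
    if (!*out) *out = scan_cygwin_alias(name);
    return records_read;
}
int main(void) {
    const struct account *a;
    printf("kefir: %lu records examined\n", resolve("kefir", &a));
    printf("kefr:  %lu records examined\n", resolve("kefr", &a));
    return 0;
}
```

In this model a mistyped name pays for the failed keyed lookup plus a scan of every account, which is the cost the message wants to avoid.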

