This is the mail archive of the
cygwin-cvs@cygwin.com
mailing list for the Cygwin project.
[newlib-cygwin] Don't call LsaLookupSids if we're not utilizing Windows account DBs
- From: Corinna Vinschen <corinna at sourceware dot org>
- To: cygwin-cvs at sourceware dot org
- Date: 17 Aug 2015 20:45:11 -0000
- Subject: [newlib-cygwin] Don't call LsaLookupSids if we're not utilizing Windows account DBs
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=4cb24051f4dc5080dfc7f5cf4acb778a79744f45
commit 4cb24051f4dc5080dfc7f5cf4acb778a79744f45
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Mon Aug 17 22:45:02 2015 +0200
Don't call LsaLookupSids if we're not utilizing Windows account DBs
* grp.cc (internal_getgrfull): Drop asking caches. Explain why.
(internal_getgroups): In case we're not utilizing the Windows account
DBs, don't call LsaLookupSids but iterate over the group SIDs in the
token and call internal_getgrsid for each of them. Explain why.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/ChangeLog | 7 +++++++
winsup/cygwin/grp.cc | 49 +++++++++++++++++++++++++++++----------------
winsup/cygwin/release/2.2.1 | 5 +++--
3 files changed, 42 insertions(+), 19 deletions(-)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 6696d50..a4d68b2 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,12 @@
2015-08-17 Corinna Vinschen <corinna@vinschen.de>
+ * grp.cc (internal_getgrfull): Drop asking caches. Explain why.
+ (internal_getgroups): In case we're not utilizing the Windows account
+ DBs, don't call LsaLookupSids but iterate over the group SIDs in the
+ token and call internal_getgrsid for each of them. Explain why.
+
+2015-08-17 Corinna Vinschen <corinna@vinschen.de>
+
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange
to fall back to myself uid/gid in case we don't utilize Windows
account DBs, just as prior to 1.7.34.
diff --git a/winsup/cygwin/grp.cc b/winsup/cygwin/grp.cc
index f850210..501db1a 100644
--- a/winsup/cygwin/grp.cc
+++ b/winsup/cygwin/grp.cc
@@ -152,17 +152,8 @@ internal_getgrfull (fetch_acc_t &full_acc, cyg_ldap *pldap)
struct group *ret;
cygheap->pg.nss_init ();
- /* Check caches first. */
- if (cygheap->pg.nss_cygserver_caching ()
- && (ret = cygheap->pg.grp_cache.cygserver.find_group (full_acc.sid)))
- return ret;
- if (cygheap->pg.nss_grp_files ()
- && (ret = cygheap->pg.grp_cache.file.find_group (full_acc.sid)))
- return ret;
- if (cygheap->pg.nss_grp_db ()
- && (ret = cygheap->pg.grp_cache.win.find_group (full_acc.sid)))
- return ret;
- /* Ask sources afterwards. */
+ /* Skip local caches, internal_getgroups already called
+ internal_getgrsid_cachedonly. */
if (cygheap->pg.nss_cygserver_caching ()
&& (ret = cygheap->pg.grp_cache.cygserver.add_group_from_cygserver
(full_acc.sid)))
@@ -598,7 +589,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
&size);
if (!NT_SUCCESS (status))
{
- system_printf ("token group list > 64K? status = %u", status);
+ debug_printf ("NtQueryInformationToken(TokenGroups) %y", status);
goto out;
}
/* Iterate over the group list and check which of them are already cached.
@@ -627,16 +618,40 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
else
sidp_buf[scnt++] = sid;
}
- /* If there are non-cached groups left, call LsaLookupSids and call
- internal_getgrfull on the returned groups. This performs a lot
- better than calling internal_getgrsid on each group. */
+ /* If there are non-cached groups left, try to fetch them. */
if (scnt > 0)
{
+ /* Don't call LsaLookupSids if we're not utilizing the Windows account
+ DBs. If we don't have access to the AD, which is one good reason to
+ disable passwd/group: db in nsswitch.conf, then the subsequent call
+ to LsaLookupSids will take 5 - 10 seconds in some environments. */
+ if (!cygheap->pg.nss_grp_db ())
+ {
+ for (DWORD pg = 0; pg < scnt; ++pg)
+ {
+ cygpsid sid = sidp_buf[pg];
+ if ((grp = internal_getgrsid (sid, NULL)))
+ {
+ if (cnt < gidsetsize)
+ grouplist[cnt] = grp->gr_gid;
+ ++cnt;
+ if (gidsetsize && cnt > gidsetsize)
+ {
+ cnt = -1;
+ break;
+ }
+ }
+ }
+ goto out;
+ }
+ /* Otherwise call LsaLookupSids and call internal_getgrfull on the
+ returned groups. This performs a lot better than calling
+ internal_getgrsid on each group. */
status = STATUS_ACCESS_DENIED;
HANDLE lsa = lsa_open_policy (NULL, POLICY_LOOKUP_NAMES);
if (!lsa)
{
- system_printf ("POLICY_LOOKUP_NAMES not given?");
+ debug_printf ("POLICY_LOOKUP_NAMES right not given?");
goto out;
}
status = LsaLookupSids (lsa, scnt, sidp_buf, &dlst, &nlst);
@@ -664,7 +679,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
if (gidsetsize && cnt > gidsetsize)
{
cnt = -1;
- goto out;
+ break;
}
}
}
diff --git a/winsup/cygwin/release/2.2.1 b/winsup/cygwin/release/2.2.1
index 86546cd..c16a3de 100644
--- a/winsup/cygwin/release/2.2.1
+++ b/winsup/cygwin/release/2.2.1
@@ -11,8 +11,9 @@ Bug Fixes
modern CPUs and modern Windows OSes supporting more than 64 logical CPUs.
Addresses: https://cygwin.com/ml/cygwin/2015-06/msg00345.html
-- Don't try to perform RFC2307 owner/group mapping on Samba/NFS if account
- info is only fetched from local passwd/group files.
+- Don't call LsaLookupSids to fetch group information and don't perform RFC2307
+ owner/group mapping on Samba/NFS if account info is only fetched from local
+ passwd/group files.
Addresses: https://cygwin.com/ml/cygwin/2015-07/msg00270.html
- Precautionally fix a potential data corruption problem in pipe I/O, only