This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Tue, 11 Jun 2013 09:44:08 +0200
- Subject: Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
- References: <51B2D55B dot 3020904 at dancol dot org> <51B2EC44 dot 30102 at dancol dot org> <20130608184726 dot GA9607 at calimero dot vinschen dot de> <20130608190214 dot GC9607 at calimero dot vinschen dot de>
- Reply-to: cygwin at cygwin dot com
Daniel? Ping?
On Jun 8 21:02, Corinna Vinschen wrote:
> On Jun 8 20:47, Corinna Vinschen wrote:
> > Actually, the problem you have is based on the fact that you're using a
> > machine-local cyg_server account to run sshd. In domain environments
> > it's prudent to create such an account in AD and add a matching group
> > policy to make sure that account has the required rights on the machines
> > which are supposed to run sshd. I created a short FAQ entry once,
> > http://cygwin.com/faq.html#faq.using.sshd-in-domain
> >
> > What probably *does* make sense is not to call get_logon_server twice
> > if the first call returned with ERROR_ACCESS_DENIED. That requires
> > only a bit of minor code rearranging. I'll prepare something today
> > or tomorrow.
>
> In fact, this tiny patch should fix the 3 second timeout:
>
> Index: sec_auth.cc
> ===================================================================
> RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
> retrieving revision 1.47
> diff -u -p -r1.47 sec_auth.cc
> --- sec_auth.cc 23 Apr 2013 09:44:33 -0000 1.47
> +++ sec_auth.cc 8 Jun 2013 19:00:46 -0000
> @@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cyg
> if (ret)
> {
> __seterrno_from_win_error (ret);
> - /* It's no error when the user name can't be found. */
> - return ret == NERR_UserNotFound;
> + /* It's no error when the user name can't be found.
> + It's also no error if access has been denied. Yes, sounds weird, but
> + keep in mind that ERROR_ACCESS_DENIED means the current user has no
> + permission to access the AD user information. However, if we return
> + an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
> + to ask for another server. This is not only time consuming, it's also
> + useless; the next server will return access denied again. */
> + return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
> }
>
> len = wcslen (domain);
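Review bot: `__seterrno_from_win_error (ret);` still runs before the new `return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;`, so the ERROR_ACCESS_DENIED path now sets errno and then reports success, and the caller carries on without the AD user information the new comment says could not be read. Suggest guarding the __seterrno_from_win_error call so it only fires for the codes that are still treated as errors, and extending the comment to say that callers must tolerate an empty or partial group list in the access-denied case, which differs from NERR_UserNotFound where there is simply no such user.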
>
> Would you mind to give it a try in your environment?
Thanks,
Corinna
--
Corinna Vinschen
Cygwin Maintainer
Red Hat

Please, send mails regarding Cygwin to
cygwin AT cygwin DOT com
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
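The behaviour the quoted patch changes, shown as an added, stand-alone illustration rather than Cygwin's own code: a lookup against the first domain controller, and a second lookup (the point where Cygwin would call DsGetDcName with DS_FORCE_REDISCOVERY) only when the first result is not already final. The `group_lookup_fn` callback, the two constructed directories, the server names "dc1"/"dc2" and the two policy functions are assumptions made for the example; the error-code values are copied from the Windows SDK headers so the file builds without them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Error codes with the values the Windows SDK gives them (winerror.h,
   lmerr.h); defined locally so this example builds without those headers. */
#define ERROR_SUCCESS             0UL
#define ERROR_ACCESS_DENIED       5UL
#define RPC_S_SERVER_UNAVAILABLE  1722UL
#define NERR_UserNotFound         2221UL

/* Hypothetical stand-in for the directory call (NetUserGetGroups in the real
   code): asks one server about one user, reports a group count and returns a
   Win32 error code. */
typedef unsigned long (*group_lookup_fn) (const char *server,
                                          const char *user, int *ngroups);

/* Result classification as get_user_groups had it before the patch:
   only "success" and "no such user" stop the search for another DC. */
bool final_before (unsigned long ret)
{
  return ret == ERROR_SUCCESS || ret == NERR_UserNotFound;
}

/* ...and after the patch: access denied is final too, because the next DC
   would deny the same account again. */
bool final_after (unsigned long ret)
{
  return final_before (ret) || ret == ERROR_ACCESS_DENIED;
}

struct outcome
{
  unsigned long ret;   /* last error code seen */
  int queries;         /* how many DCs were asked */
  int ngroups;         /* groups returned by a successful query, else 0 */
};

/* Query the first DC; if the result is not final under the given policy,
   rediscover (modelled as moving to the second server) and ask once more. */
struct outcome
fetch_groups (group_lookup_fn lookup, bool (*is_final) (unsigned long),
              const char *user, const char *const dc[2])
{
  struct outcome o = { ERROR_SUCCESS, 0, 0 };
  o.ret = lookup (dc[0], user, &o.ngroups);
  o.queries = 1;
  if (!is_final (o.ret))
    {
      o.ret = lookup (dc[1], user, &o.ngroups);
      o.queries = 2;
    }
  return o;
}

/* Constructed directory 1: every DC denies the calling account (the
   machine-local cyg_server situation from the thread). */
unsigned long
denying_dc (const char *server, const char *user, int *ngroups)
{
  (void) server; (void) user;
  *ngroups = 0;
  return ERROR_ACCESS_DENIED;
}

/* Constructed directory 2: dc1 is unreachable, dc2 answers with 3 groups.
   This is the case rediscovery exists for, and it must keep working. */
unsigned long
flaky_dc (const char *server, const char *user, int *ngroups)
{
  (void) user;
  if (strcmp (server, "dc1") == 0)
    {
      *ngroups = 0;
      return RPC_S_SERVER_UNAVAILABLE;
    }
  *ngroups = 3;
  return ERROR_SUCCESS;
}

const char *const dcs[2] = { "dc1", "dc2" };

int main (void)
{
  struct outcome a = fetch_groups (denying_dc, final_before, "cyg_server", dcs);
  struct outcome b = fetch_groups (denying_dc, final_after, "cyg_server", dcs);
  struct outcome c = fetch_groups (flaky_dc, final_after, "cyg_server", dcs);
  printf ("denied, old policy: %d queries\n", a.queries);   /* 2 */
  printf ("denied, new policy: %d queries\n", b.queries);   /* 1 */
  printf ("dc1 down, new policy: %d queries, %d groups\n", c.queries, c.ngroups);
  return 0;
}
```

The old policy spends the second lookup (and, in the real code, the DS_FORCE_REDISCOVERY round trip behind it) on an error that no other server will answer differently; the new policy keeps the retry for the one case where it helps, an unreachable first DC.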