This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: More testing needed: New passwd/group AD/SAM integration


On May 13 22:15, Henry S. Thompson wrote:
> Corinna Vinschen writes:
> > On May 13 18:29, Henry S. Thompson wrote:
> >> Glitch (also true for x86 1.7.29-2):
> >>   id returns effectively immediately for all users and non-users _except_:
> >>    > time id Administrators
> >>     uid=544(+Administrators) gid=544(+Administrators)
> >>     groups=11(+Authenticated Users),544(+Administrators)
> >> 
> >>     real    0m2.296s
> >>     user    0m0.015s
> >>     sys     0m0.015s
> >
> > This shouldn't happen as long as we still have the "+" prepended to
> > BUILTIN accounts(*).  And, as a matter of fact, I can't reproduce this
> > with the latest from CVS (== the snapshot you're testing).  Did you exit
> > your shell and restart it after creating the /etc/nsswitch.conf file as
> > described in my preliminary documentation?
> 
> Yes, and I just re-did that, and I'm still getting the delay.  You did
> notice that it's the plural version (Administrator_s_) that has the
> delay -- Administrator (no 's') is just as fast as all the others.

Yes, I noticed the "s".  But I missed to explain that I wasn't talking
about the delay.  What I can't reproduce is that `id Administrators'
returns a result:

  $ id +Administrators
  uid=544(+Administrators) gid=544(+Administrators) groups=11(+Authenticated Users),544(+Administrators)

but:

  $ id Administrators
  id: Administrators: no such user

But now I understand why this occurs.  It's the different handling of
account names without domain prefix on standalone vs. domain machines.
I applied a patch now which checks the incoming names for validity under
the current naming rules, so, in theory, `id Administrators' should now
return "no such user" for you as well.

> Adding the '+' doesn't change the behaviour.
> 
> Ah, it occured to me to do an strace, and I found the culprit, I
> think:
> 
>    19  392152 [main] id 16856 stat_worker: 0 = (\??\C:\C64\dev,0x1802C2940)
>    26  392178 [main] id 16856 fstat64: 0 = fstat(1, 0x23A4F0)
>    30  392208 [main] id 16856 isatty: 1 = isatty(1)
>  1085  393293 [main] id 16856 pwdgrp::fetch_account_from_windows: line: <+Administrators:*:544:544:,S-1-5-32-544:/:/sbin/nologin>
> 2253178 2646471 [main] id 16856 seterrno_from_win_error: /home/cygnus/vinschen/mknetrel/src/cygwin-snapshot-20140513-1/winsup/cygwin/sec_auth.cc:244 windows error 1355
>   187 2646658 [main] id 16856 geterrno_from_win_error: unknown windows
> error 1355, setting errno to 13
> 
> Does that help?

Yes, thank you, it does.  I tracked it down to the fact that in this
specific scenario, Cygwin asks for a domain controller of the "BUILTIN"
domain.  This request for a domain controller name of a not really
existing domain takes about 2 secs.  I added a check for the user's
SID to make sure the logon server name is only requested if the SID
is a "real" domain SID.

> > (*) I'd be grateful for input to the questions I asked in my OP, too.
> 
> Sorry, I am just a Un*x guy trying to live on a Windows box, I have
> nothing like the necessary Windows sysadmin background to have an
> opinion.  I thought I would try your snapshots precisely _because_ I
> understand almost nothing about all this -- I followed the 'mkpasswd'
> instructions 8 years ago, and never touched things after that, and I
> was just trying to help by seeing if there was anything a trial by a
> naive user could uncover before things got fully released.

That's ok.  The debugging attempts in terms of your above `id' example
already lead me to understand why SFU decided to prefix the builtin
account names.  This really makes sense to be able to check incoming
account names for validity.  It's hard to explain, but I'm getting an
idea that we're better off in the long run to stick to the naming scheme
of SFU, or at least something close.

I just created new snapshots on http://cygwin.com/snapshots/
Please give'em a try.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpJSclXZ8HAk.pgp
Description: PGP signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]