This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: timeout in LDAP access


On Jul 15 18:29, Denis Excoffier wrote:
> On 2014-07-14 15:48 Corinna Vinschen wrote:
> > On Jul 14 11:51, Corinna Vinschen wrote:
> >> On Jul 12 15:39, Denis Excoffier wrote:
> >>> On 2014-07-09 12:12 Corinna Vinschen wrote:
> >>>>> 
> >>>>> I have encountered this case in real life. The domain admins have set
> >>>>> the trustPosixOffset of the secondary domain to zero. This value is therefore
> >>>>> never recorded and the cldap->open occurs again and again.
> >>>> 
> >>>> Ouch.  Why on earth are admins doing this?  There's no way to
> >>>> workaround this reliably.
> >>>> 
> >>> Reliably i donât know. Iâve modified uinfo.cc in order that the special value
> >>> for td->PosixOffset is no longer 0. Taking into account that LDAP_SERVER_DOWN
> >>> is now recognized, my âgetent passwdâ executes gracefully in 40 minutes
> >>> (instead of 60) and âgetent groupâ in 25 minutes (instead of 90). Also quicker
> >>> is âmkpasswd -d secondary_domainâ of course. Patch attached.
> >> 
> >> That won't work.  It works around your immediate problem by defining
> >> a non-0 start value, no doubt about that, but it doesn't fix the
> >> underlying problem.
> >> 
> >> A POSIX offset of 0 is bad.  If other trusted domains have no functional
> >> POSIX offset value, but are set to 0 instead, they won't have different
> >> UID values for accounts of different domains.  Two users from different
> >> domains, both with RID 1000 will both have UID 1000 in Cygwin.  Also,
> >> the lower UID numbers are reserved for special accounts.
> >> 
> >> There is no guarantee that there won't be a collision at some point of
> >> the 32 bit UID spectrum, but a POSIX offset of 0 will almost guarantee
> >> the collision.
> >> 
> >> There are two ways to workaround that.
> >> 
> >> - The better solution is to inform your IT of the problem.
> >> 
> >> - The not so well one is to enhance /etc/nsswitch.conf to allow to
> >>  define POSIX offsets for domains indepedent of the AD setting.
> > 
> > I tried the third solution for the time being, which is, generating the
> > fake POSIX offset a bit differently.  Fake offsets are a bit dangerous
> > in that there's no guarantee that you get a stable mapping between SID
> > and UID/GID, but it's *hopefully* a border situation we're trying to
> > workaround.  Please give the latest developer snashot from
> > http://cygwin.com/snapshots/ a try.
> Tried and it works as expected. However there is a design bug. Suppose you
> have a SID from a non-primary domain (with PosixOffset=0). When you enumerate,
> you get a PosixOffset that takes into account the previously encountered
> secondary domains with PosixOffset=0, say you get UNIX_POSIX_OFFSET-3*0x00800000

That was, actually, not a design bug but a deliberate decision.  In some
way we have to work with accounts from a badly defined domain, but for
those getent isn't the problem.  You don't need to enumerate all domains
except in very rare cases.

What should work, though, is to ls -l files and see the correct owner of
a file and to chmod the files.  For everything else I would opt for
kicking your IT.  Keep in mind that AD chooses more or less sane POSIX
offsets for trusted domains by default.  Setting it to 0 is an entirely
gratuitious act by the admin.  A service desk ticket might be helpful.

> Independently, iâm still not sure we have to workaround IT "madness" at all. First, IT
> people might set PosixOffset to 1 for each domain and you cannot catch this kind
> of alternate madness. Also, be sure that if some user someday suffers from a duplicate

Yes, you can.  IT has to know there's software running which needs
sane POSIX offset settings.

Alternatively we can still implement some other workaround at one point.

It occured to me that there's another way to do that.  The problem
you're mentioning above could be alleviated if the first Cygwin process
in a process tree fetches all POSIX offsets of all trusted domains right
at the start, rather than fetching the POSIX offsets only on demand by
whatever process needs it.  This would slow down the startup of the
first process slightly (one LDAP request per trusted domain, but only
asking your primary DC), but this would have two advantages:

- After fetching all POSIX offsets, we could filter out all POSIX
  offsets which don't make sense.  These would be set using the fake
  offset setting mechanism.  "No sense" would include offsets < 0x110000
  or offsets > 0xff000000.  If the first process in the tree 

- The UID/GID values would be stable throughout the process tree.

- The UID/GID values would be stable systemwide when utilizing cygserver.

That's a bit of work, but Cygwin 1.7.31 will still come without this
AD integration code anyway, so we still have time to turn everything
upside down.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpmIoihi1u9w.pgp
Description: PGP signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]