timeout in LDAP access

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jul 14 13:48:00 GMT 2014 

On Jul 14 11:51, Corinna Vinschen wrote:
> On Jul 12 15:39, Denis Excoffier wrote:
> > On 2014年07月09日 12:12 Corinna Vinschen wrote:
> > >> 
> > >> I have encountered this case in real life. The domain admins have set
> > >> the trustPosixOffset of the secondary domain to zero. This value is therefore
> > >> never recorded and the cldap->open occurs again and again.
> > > 
> > > Ouch. Why on earth are admins doing this? There's no way to
> > > workaround this reliably.
> > > 
> > Reliably i don’t know. I’ve modified uinfo.cc in order that the special value
> > for td->PosixOffset is no longer 0. Taking into account that LDAP_SERVER_DOWN
> > is now recognized, my ‘getent passwd’ executes gracefully in 40 minutes
> > (instead of 60) and ‘getent group’ in 25 minutes (instead of 90). Also quicker
> > is ‘mkpasswd -d secondary_domain’ of course. Patch attached.
>> That won't work. It works around your immediate problem by defining
> a non-0 start value, no doubt about that, but it doesn't fix the
> underlying problem.
>> A POSIX offset of 0 is bad. If other trusted domains have no functional
> POSIX offset value, but are set to 0 instead, they won't have different
> UID values for accounts of different domains. Two users from different
> domains, both with RID 1000 will both have UID 1000 in Cygwin. Also,
> the lower UID numbers are reserved for special accounts.
>> There is no guarantee that there won't be a collision at some point of
> the 32 bit UID spectrum, but a POSIX offset of 0 will almost guarantee
> the collision.
>> There are two ways to workaround that.
>> - The better solution is to inform your IT of the problem.
>> - The not so well one is to enhance /etc/nsswitch.conf to allow to
> define POSIX offsets for domains indepedent of the AD setting.

I tried the third solution for the time being, which is, generating the
fake POSIX offset a bit differently. Fake offsets are a bit dangerous
in that there's no guarantee that you get a stable mapping between SID
and UID/GID, but it's *hopefully* a border situation we're trying to
workaround. Please give the latest developer snashot from
http://cygwin.com/snapshots/ a try.
Thanks,
Corinna
-- 
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20140714/c875f3fe/attachment.sig>

More information about the Cygwin mailing list

AltStyle によって変換されたページ (->オリジナル) /