Don't call LsaLookupSids if we're not utilizing Windows account DBs

* grp.cc (internal_getgrfull): Drop asking caches. Explain why. (internal_getgroups): In case we're not utilizing the Windows account DBs, don't call LsaLookupSids but iterate over the group SIDs in the token and call internal_getgrsid for each of them. Explain why. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-17 22:45:02 +02:00 · 2015-08-17 22:45:02 +02:00 · 4cb24051f4
parent 88dce3abd8
commit 4cb24051f4
3 changed files with 42 additions and 19 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,10 @@
+2015-08-17  Corinna Vinschen  <corinna@vinschen.de>
+
+	* grp.cc (internal_getgrfull): Drop asking caches.  Explain why.
+	(internal_getgroups): In case we're not utilizing the Windows account
+	DBs, don't call LsaLookupSids but iterate over the group SIDs in the
+	token and call internal_getgrsid for each of them.  Explain why.
+
 2015-08-17  Corinna Vinschen  <corinna@vinschen.de>

 	* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange
--- a/winsup/cygwin/grp.cc
+++ b/winsup/cygwin/grp.cc
@ -152,17 +152,8 @@ internal_getgrfull (fetch_acc_t &full_acc, cyg_ldap *pldap)
  struct group *ret;

  cygheap->pg.nss_init ();
-  /* Check caches first. */
-  if (cygheap->pg.nss_cygserver_caching ()
-      && (ret = cygheap->pg.grp_cache.cygserver.find_group (full_acc.sid)))
-    return ret;
-  if (cygheap->pg.nss_grp_files ()
-      && (ret = cygheap->pg.grp_cache.file.find_group (full_acc.sid)))
-    return ret;
-  if (cygheap->pg.nss_grp_db ()
-      && (ret = cygheap->pg.grp_cache.win.find_group (full_acc.sid)))
-    return ret;
-  /* Ask sources afterwards. */
+  /* Skip local caches, internal_getgroups already called
+     internal_getgrsid_cachedonly. */
  if (cygheap->pg.nss_cygserver_caching ()
      && (ret = cygheap->pg.grp_cache.cygserver.add_group_from_cygserver
      							(full_acc.sid)))
@ -598,7 +589,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
 				    &size);
  if (!NT_SUCCESS (status))
    {
-      system_printf ("token group list > 64K?  status = %u", status);
+      debug_printf ("NtQueryInformationToken(TokenGroups) %y", status);
      goto out;
    }
  /* Iterate over the group list and check which of them are already cached.
@ -627,16 +618,40 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
      else 
 	sidp_buf[scnt++] = sid;
    }
-  /* If there are non-cached groups left, call LsaLookupSids and call
-     internal_getgrfull on the returned groups.  This performs a lot
-     better than calling internal_getgrsid on each group. */
+  /* If there are non-cached groups left, try to fetch them. */
  if (scnt > 0)
    {
+      /* Don't call LsaLookupSids if we're not utilizing the Windows account
+	 DBs.  If we don't have access to the AD, which is one good reason to
+	 disable passwd/group: db in nsswitch.conf, then the subsequent call
+	 to LsaLookupSids will take 5 - 10 seconds in some environments. */
+      if (!cygheap->pg.nss_grp_db ())
+	{
+	  for (DWORD pg = 0; pg < scnt; ++pg)
+	    {
+	      cygpsid sid = sidp_buf[pg];
+	      if ((grp = internal_getgrsid (sid, NULL)))
+		{
+		  if (cnt < gidsetsize)
+		    grouplist[cnt] = grp->gr_gid;
+		  ++cnt;
+		  if (gidsetsize && cnt > gidsetsize)
+		    {
+		      cnt = -1;
+		      break;
+		    }
+		}
+	    }
+	  goto out;
+	}
+      /* Otherwise call LsaLookupSids and call internal_getgrfull on the
+	 returned groups.  This performs a lot better than calling
+	 internal_getgrsid on each group. */
      status = STATUS_ACCESS_DENIED;
      HANDLE lsa = lsa_open_policy (NULL, POLICY_LOOKUP_NAMES);
      if (!lsa)
 	{
-	  system_printf ("POLICY_LOOKUP_NAMES not given?");
+	  debug_printf ("POLICY_LOOKUP_NAMES right not given?");
 	  goto out;
 	}
      status = LsaLookupSids (lsa, scnt, sidp_buf, &dlst, &nlst);
@ -664,7 +679,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
 		  if (gidsetsize && cnt > gidsetsize)
 		    {
 		      cnt = -1;
-		      goto out;
+		      break;
 		    }
 		}
 	    }
--- a/winsup/cygwin/release/2.2.1
+++ b/winsup/cygwin/release/2.2.1
@ -11,8 +11,9 @@ Bug Fixes
  modern CPUs and modern Windows OSes supporting more than 64 logical CPUs.
  Addresses: https://cygwin.com/ml/cygwin/2015-06/msg00345.html

- Don't try to perform RFC2307 owner/group mapping on Samba/NFS if account
-  info is only fetched from local passwd/group files.
+- Don't call LsaLookupSids to fetch group information and don't perform RFC2307
+  owner/group mapping on Samba/NFS if account info is only fetched from local
+  passwd/group files.
  Addresses: https://cygwin.com/ml/cygwin/2015-07/msg00270.html

 - Precautionally fix a potential data corruption problem in pipe I/O, only