This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: timeout in LDAP access
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Denis Excoffier <cygwin at Denis-Excoffier dot org>, cygwin at cygwin dot com
- Date: Tue, 15 Jul 2014 22:13:17 +0400
- Subject: Re: timeout in LDAP access
- Reply-to: cygwin at cygwin dot com
Greetings, Denis Excoffier!
>>> A POSIX offset of 0 is bad. If other trusted domains have no functional
>>> POSIX offset value, but are set to 0 instead, they won't have different
>>> UID values for accounts of different domains. Two users from different
>>> domains, both with RID 1000 will both have UID 1000 in Cygwin. Also,
>>> the lower UID numbers are reserved for special accounts.
>>>
>>> There is no guarantee that there won't be a collision at some point of
>>> the 32 bit UID spectrum, but a POSIX offset of 0 will almost guarantee
>>> the collision.
> Independently, I’m still not sure we have to work around IT "madness" at all. First, IT
> people might set PosixOffset to 1 for each domain and you cannot catch this kind
> of alternate madness. Also, be sure that if some user someday suffers from a duplicate
> UID situation, this will be reported to them and hopefully addressed (or not because
> this might be expected), but most probably for a single domain. We have to live with
> PosixOffset=0.
I'd say setting up your AD with a zero offset is as bad as using a
192.168.0.1/24 network (or any other well-known range) for VPN connections.
I don't think this is a situation that we should attempt to fix from the client
side.
What we really need here is a comprehensive explanation of the issue and a
suggested way to remedy it at the root.
--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 15.07.2014, <22:08>
Sorry for my terrible english...
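
An added illustration of the collision discussed in this thread, not part of the original message and not Cygwin's own code. It assumes the mapping implied by the quoted text (UID = the domain's POSIX offset + the account's RID); the domain SIDs, accounts and offset tables are constructed, and the helper names are hypothetical.

```python
from collections import defaultdict

def uid_for(sid, offsets):
    """Assumed mapping: UID = POSIX offset of the SID's domain + RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return offsets[domain_sid] + int(rid)

def shared_offsets(offsets):
    """Offsets assigned to more than one domain; equal RIDs then collide."""
    by_offset = defaultdict(list)
    for domain_sid, offset in offsets.items():
        by_offset[offset].append(domain_sid)
    return {o: sorted(d) for o, d in by_offset.items() if len(d) > 1}

def uid_collisions(sids, offsets):
    """UIDs that more than one account SID maps to under this offset table."""
    by_uid = defaultdict(list)
    for sid in sids:
        by_uid[uid_for(sid, offsets)].append(sid)
    return {u: sorted(s) for u, s in by_uid.items() if len(s) > 1}

# Constructed sample data: two trusted domains and three accounts.
DOM_A = "S-1-5-21-1111-2222-3333"
DOM_B = "S-1-5-21-4444-5555-6666"
ACCOUNTS = [DOM_A + "-1000", DOM_B + "-1000", DOM_A + "-1001"]

TABLES = {
    "zero":     {DOM_A: 0, DOM_B: 0},                # the case in the thread
    "all-one":  {DOM_A: 1, DOM_B: 1},                # the "PosixOffset to 1" case
    "adjacent": {DOM_A: 0x100000, DOM_B: 0x100001},  # distinct but overlapping
    "spaced":   {DOM_A: 0x100000, DOM_B: 0x200000},  # ranges kept well apart
}

if __name__ == "__main__":
    for name, table in TABLES.items():
        print(name, shared_offsets(table), uid_collisions(ACCOUNTS, table))
```

A test for offset 0 alone misses the "all-one" table, and a test for duplicate offsets misses the "adjacent" table; only comparing the resulting UIDs of real accounts catches all three.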