* sec_auth.cc (get_user_groups): Don't handle ERROR_ACCESS_DENIED as

error. Explain why.
2013-06-10 15:33:12 +00:00 · 2013-06-10 15:33:12 +00:00 · 8675d2e301
commit 8675d2e301
parent e9c0122ec0
2 changed files with 13 additions and 2 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,8 @@
+2013-06-10  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (get_user_groups): Don't handle ERROR_ACCESS_DENIED as
+	error.  Explain why.
+
 2013-06-08  Christopher Faylor  <me.cygwin2013@cgf.cx>

 	* exceptions.cc (try_to_debug): Don't use yield() when waiting for
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
  if (ret)
    {
      __seterrno_from_win_error (ret);
-      /* It's no error when the user name can't be found. */
-      return ret == NERR_UserNotFound;
+      /* It's no error when the user name can't be found.
+	 It's also no error if access has been denied.  Yes, sounds weird, but
+	 keep in mind that ERROR_ACCESS_DENIED means the current user has no
+	 permission to access the AD user information.  However, if we return
+	 an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
+	 to ask for another server.  This is not only time consuming, it's also
+	 useless; the next server will return access denied again. */
+      return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
    }

  len = wcslen (domain);