From 8675d2e3010f6b2af7934d32868d417bb46ae2cb Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Mon, 10 Jun 2013 15:33:12 +0000 Subject: [PATCH] * sec_auth.cc (get_user_groups): Don't handle ERROR_ACCESS_DENIED as error. Explain why. --- winsup/cygwin/ChangeLog | 5 +++++ winsup/cygwin/sec_auth.cc | 10 ++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 0cfe39381..7a11e5464 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,8 @@ +2013-06-10 Corinna Vinschen + + * sec_auth.cc (get_user_groups): Don't handle ERROR_ACCESS_DENIED as + error. Explain why. + 2013-06-08 Christopher Faylor * exceptions.cc (try_to_debug): Don't use yield() when waiting for diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index dd5ee0627..d6f3bb5d8 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cygsidlist &grp_list, if (ret) { __seterrno_from_win_error (ret); - /* It's no error when the user name can't be found. */ - return ret == NERR_UserNotFound; + /* It's no error when the user name can't be found. + It's also no error if access has been denied. Yes, sounds weird, but + keep in mind that ERROR_ACCESS_DENIED means the current user has no + permission to access the AD user information. However, if we return + an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set + to ask for another server. This is not only time consuming, it's also + useless; the next server will return access denied again. */ + return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED; } len = wcslen (domain);