diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index f3c6bad29..eb1489b11 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,14 @@
+2008-07-10  Corinna Vinschen  <corinna@vinschen.de>
+
+	* cyglsa.h (SECURITY_STRING): Define.
+	(enum _SECPKG_NAME_TYPE): Define.
+	(struct _SECPKG_CALL_INFO): Define.
+	(struct _LSA_SECPKG_FUNCS): Extend to full size.  Define unused
+	functions lazily.
+	(cygprf_t): Define.
+	* sec_auth.cc (lsaauth): Use actual primary group if no admins group.
+	Add (disabled) code to fetch token from profil data.
+
 2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
 
 	* sec_auth.cc (verify_token): Allow builtin groups missing in a token
diff --git a/winsup/cygwin/cyglsa.h b/winsup/cygwin/cyglsa.h
index b9da92b61..4349de8cd 100644
--- a/winsup/cygwin/cyglsa.h
+++ b/winsup/cygwin/cyglsa.h
@@ -23,6 +23,8 @@ extern "C" {
 /* Datastructures not defined in w32api. */
 typedef PVOID *PLSA_CLIENT_REQUEST;
 
+typedef UNICODE_STRING SECURITY_STRING, *PSECURITY_STRING;
+
 typedef struct _SECPKG_CLIENT_INFO
 {
   LUID LogonId;
@@ -33,6 +35,23 @@ typedef struct _SECPKG_CLIENT_INFO
   BOOLEAN Restricted;
 } SECPKG_CLIENT_INFO, *PSECPKG_CLIENT_INFO;
 
+typedef enum _SECPKG_NAME_TYPE
+{
+  SecNameSamCompatible,
+  SecNameAlternateId,
+  SecNameFlat,
+  SecNameDN,
+  SecNameSPN
+} SECPKG_NAME_TYPE, *PSECPKG_NAME_TYPE;
+
+typedef struct _SECPKG_CALL_INFO
+{
+  ULONG ProcessId;
+  ULONG ThreadId;
+  ULONG Attributes;
+  ULONG CallCount;
+} SECPKG_CALL_INFO, *PSECPKG_CALL_INFO;
+
 /* The table returned by LsaApInitializePackage is actually a
    LSA_SECPKG_FUNCTION_TABLE even though that's not documented.
    We need only a subset of this table, basically the LSA_DISPATCH_TABLE
@@ -41,7 +60,7 @@ typedef struct _LSA_SECPKG_FUNCS
 {
   NTSTATUS (NTAPI *CreateLogonSession)(PLUID);
   NTSTATUS (NTAPI *DeleteLogonSession)(PLUID);
-  NTSTATUS (NTAPI *AddCredentials)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *AddCredentials)(PLUID, ULONG, PLSA_STRING, PLSA_STRING);
   NTSTATUS (NTAPI *GetCredentials)(PVOID); /* wrong prototype, unused */
   NTSTATUS (NTAPI *DeleteCredentials)(PVOID); /* wrong prototype, unused */
   PVOID (NTAPI *AllocateLsaHeap)(ULONG);
@@ -54,10 +73,41 @@ typedef struct _LSA_SECPKG_FUNCS
 					 PVOID, PVOID);
   NTSTATUS (NTAPI *ImpersonateClient)(VOID);
   NTSTATUS (NTAPI *UnloadPackage)(VOID);
-  NTSTATUS (NTAPI *DuplicateHandle)(HANDLE,PHANDLE);
+  NTSTATUS (NTAPI *DuplicateHandle)(HANDLE, PHANDLE);
   NTSTATUS (NTAPI *SaveSupplementalCredentials)(VOID);
   NTSTATUS (NTAPI *CreateThread)(PVOID); /* wrong prototype, unused */
   NTSTATUS (NTAPI *GetClientInfo)(PSECPKG_CLIENT_INFO);
+  NTSTATUS (NTAPI *RegisterNotification)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *CancelNotification)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *MapBuffer)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *CreateToken)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *AuditLogon)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *CallPackage)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *FreeReturnBuffer)(PVOID); /* wrong prototype, unused */
+  BOOLEAN  (NTAPI *GetCallInfo)(PSECPKG_CALL_INFO);
+  NTSTATUS (NTAPI *CallPackageEx)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *CreateSharedMemory)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *AllocateSharedMemory)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *FreeSharedMemory)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *DeleteSharedMemory)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *OpenSamUser)(PSECURITY_STRING, SECPKG_NAME_TYPE,
+				PSECURITY_STRING, BOOLEAN, ULONG, PVOID *);
+  NTSTATUS (NTAPI *GetUserCredentials)(PVOID, PVOID, PULONG, PVOID *, PULONG);
+  NTSTATUS (NTAPI *GetUserAuthData)(PVOID, PUCHAR *, PULONG);
+  NTSTATUS (NTAPI *CloseSamUser)(PVOID);
+  NTSTATUS (NTAPI *ConvertAuthDataToToken)(PVOID, ULONG,
+					   SECURITY_IMPERSONATION_LEVEL,
+					   PTOKEN_SOURCE, SECURITY_LOGON_TYPE,
+					   PUNICODE_STRING, PHANDLE, PLUID,
+					   PUNICODE_STRING, PNTSTATUS);
+  NTSTATUS (NTAPI *ClientCallback)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *UpdateCredentials)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *GetAuthDataForUser)(PSECURITY_STRING, SECPKG_NAME_TYPE,
+				       PSECURITY_STRING, PUCHAR *, PULONG,
+				       PUNICODE_STRING);
+  NTSTATUS (NTAPI *CrackSingleName)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *AuditAccountLogon)(PVOID); /* wrong prototype, unused */
+  NTSTATUS (NTAPI *CallPackagePassthrough)(PVOID); /* wrong prototype, unused */
 } LSA_SECPKG_FUNCS, *PLSA_SECPKG_FUNCS;
 
 typedef enum _LSA_TOKEN_INFORMATION_TYPE
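Review bot: The placeholder slots added to LSA_SECPKG_FUNCS (every new line marked "wrong prototype, unused", from RegisterNotification through CallPackagePassthrough) are still declared as callable NTAPI function pointers taking a single PVOID. A later call through one of them would compile cleanly while handing LSA the wrong arguments. Only the size and position of each slot matter for the table layout, so declaring them as data members, e.g. `PVOID RegisterNotification; /* placeholder, keeps table layout */`, would turn an accidental call into a compile error. A comment above the struct saying that member order must mirror the table LSA returns, and that the trailing entries may not exist on every Windows version (to be confirmed), would help the next reader. The struct begins in the previous hunk.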
@@ -142,6 +192,16 @@ typedef struct
   BYTE data[1];
 } cyglsa_t;
 
+typedef struct
+{
+  DWORD magic_pre;
+  HANDLE token;
+  DWORD magic_post;
+} cygprf_t;
+
+#define MAGIC_PRE  0x12345678UL
+#define MAGIC_POST 0x87654321UL
+
 #ifdef __cplusplus
 }
 #endif
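Review bot: `MAGIC_PRE` and `MAGIC_POST` are unprefixed macros in a header, and the two constants only let a reader recognise the cygprf_t layout. They do not show that the buffer came from the Cygwin LSA package, or that `token` is usable in the receiving process. I would rename them along the lines of `CYGPRF_MAGIC_PRE` / `CYGPRF_MAGIC_POST` and document the struct with something like `/* Layout marker only, not an integrity check; token must be a handle valid in the receiving process. */`. Since HANDLE is pointer-sized, the layout would also differ if the package and its client are ever built for different pointer widths, which is worth a note if that configuration exists.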
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index db76fcd79..99fe7076c 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1016,10 +1016,13 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
   authinf_size += gsize;			    /* Groups + Group SIDs */
   /* When trying to define the admins group as primary group on Vista,
      LsaLogonUser fails with error STATUS_INVALID_OWNER.  As workaround
-     we define "Local" as primary group here.  First, this adds the otherwise
-     missing "Local" group to the group list and second, seteuid32
-     sets the primary group to the group set in /etc/passwd anyway. */
-  pgrpsid = well_known_local_sid;
+     we define "Local" as primary group here.  Seteuid32 sets the primary
+     group to the group set in /etc/passwd anyway. */
+  if (new_groups.pgsid == well_known_admins_sid)
+    pgrpsid = well_known_local_sid;
+  else
+    pgrpsid = new_groups.pgsid;
+
   authinf_size += GetLengthSid (pgrpsid);	    /* Primary Group SID */
 
   authinf_size += psize;			    /* Privileges */
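Review bot: The comment still reads as if "Local" is always used as the primary group, but the new code does that only when `new_groups.pgsid` equals `well_known_admins_sid`. In every other case the caller-supplied SID goes straight into `GetLengthSid` and the logon request. I would reword the comment, e.g. `As workaround we use "Local" as primary group if the requested primary group is the admins group.`, and, if pgsid can be unset at this point (not visible in this hunk), fall back to `well_known_local_sid` in that case as well. lsaauth starts and ends outside the hunk.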
@@ -1104,7 +1107,20 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
       goto out;
     }
   if (profile)
-    LsaFreeReturnBuffer (profile);
+    {
+#ifdef JUST_ANOTHER_NONWORKING_SOLUTION
+      /* See ../lsaauth/cyglsa.c. */
+      cygprf_t *prf = (cygprf_t *) profile;
+      if (prf->magic_pre == MAGIC_PRE && prf->magic_post == MAGIC_POST
+	  && prf->token)
+	{
+	  CloseHandle (user_token);
+	  user_token = prf->token;
+	  system_printf ("Got token through profile: %p", user_token);
+	}
+#endif /* JUST_ANOTHER_NONWORKING_SOLUTION */
+      LsaFreeReturnBuffer (profile);
+    }
 
   if (wincap.has_mandatory_integrity_control ())
     {
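Review bot: The block under JUST_ANOTHER_NONWORKING_SOLUTION casts `profile` to `cygprf_t *` and reads both magic fields without comparing the profile length returned by the logon call against `sizeof (cygprf_t)`. If this is ever enabled, a shorter profile buffer would be read past its end. The block also calls `CloseHandle (user_token)` before the replacement handle has been confirmed to be a token, and it prints the handle value through `system_printf` on every success. I would add the length test to the condition (the length variable is outside the hunk), verify `prf->token` before closing the original handle, and use `debug_printf` for the message. lsaauth starts and ends outside the hunk.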