Don't call LsaLookupSids if we're not utilizing Windows account DBs

        * grp.cc (internal_getgrfull): Drop asking caches.  Explain why.
        (internal_getgroups): In case we're not utilizing the Windows account
        DBs, don't call LsaLookupSids but iterate over the group SIDs in the
        token and call internal_getgrsid for each of them.  Explain why.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

3 files changed, 42 insertions, 19 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 6696d5023..a4d68b230 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,12 @@
 2015-08-17  Corinna Vinschen  <corinna@vinschen.de>
 
+	* grp.cc (internal_getgrfull): Drop asking caches.  Explain why.
+	(internal_getgroups): In case we're not utilizing the Windows account
+	DBs, don't call LsaLookupSids but iterate over the group SIDs in the
+	token and call internal_getgrsid for each of them.  Explain why.
+
+2015-08-17  Corinna Vinschen  <corinna@vinschen.de>
+
 	* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange
 	to fall back to myself uid/gid in case we don't utilize Windows
 	account DBs, just as prior to 1.7.34.
diff --git a/winsup/cygwin/grp.cc b/winsup/cygwin/grp.cc
index f8502100a..501db1a2c 100644
--- a/winsup/cygwin/grp.cc
+++ b/winsup/cygwin/grp.cc
@@ -152,17 +152,8 @@ internal_getgrfull (fetch_acc_t &full_acc, cyg_ldap *pldap)
   struct group *ret;
 
   cygheap->pg.nss_init ();
-  /* Check caches first. */
-  if (cygheap->pg.nss_cygserver_caching ()
-      && (ret = cygheap->pg.grp_cache.cygserver.find_group (full_acc.sid)))
-    return ret;
-  if (cygheap->pg.nss_grp_files ()
-      && (ret = cygheap->pg.grp_cache.file.find_group (full_acc.sid)))
-    return ret;
-  if (cygheap->pg.nss_grp_db ()
-      && (ret = cygheap->pg.grp_cache.win.find_group (full_acc.sid)))
-    return ret;
-  /* Ask sources afterwards. */
+  /* Skip local caches, internal_getgroups already called
+     internal_getgrsid_cachedonly. */
   if (cygheap->pg.nss_cygserver_caching ()
       && (ret = cygheap->pg.grp_cache.cygserver.add_group_from_cygserver
       							(full_acc.sid)))
@@ -598,7 +589,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
 				    &size);
   if (!NT_SUCCESS (status))
     {
-      system_printf ("token group list > 64K?  status = %u", status);
+      debug_printf ("NtQueryInformationToken(TokenGroups) %y", status);
       goto out;
     }
   /* Iterate over the group list and check which of them are already cached.
@@ -627,16 +618,40 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
       else 
 	sidp_buf[scnt++] = sid;
     }
-  /* If there are non-cached groups left, call LsaLookupSids and call
-     internal_getgrfull on the returned groups.  This performs a lot
-     better than calling internal_getgrsid on each group. */
+  /* If there are non-cached groups left, try to fetch them. */
   if (scnt > 0)
     {
+      /* Don't call LsaLookupSids if we're not utilizing the Windows account
+	 DBs.  If we don't have access to the AD, which is one good reason to
+	 disable passwd/group: db in nsswitch.conf, then the subsequent call
+	 to LsaLookupSids will take 5 - 10 seconds in some environments. */
+      if (!cygheap->pg.nss_grp_db ())
+	{
+	  for (DWORD pg = 0; pg < scnt; ++pg)
+	    {
+	      cygpsid sid = sidp_buf[pg];
+	      if ((grp = internal_getgrsid (sid, NULL)))
+		{
+		  if (cnt < gidsetsize)
+		    grouplist[cnt] = grp->gr_gid;
+		  ++cnt;
+		  if (gidsetsize && cnt > gidsetsize)
+		    {
+		      cnt = -1;
+		      break;
+		    }
+		}
+	    }
+	  goto out;
+	}
+      /* Otherwise call LsaLookupSids and call internal_getgrfull on the
+	 returned groups.  This performs a lot better than calling
+	 internal_getgrsid on each group. */
       status = STATUS_ACCESS_DENIED;
       HANDLE lsa = lsa_open_policy (NULL, POLICY_LOOKUP_NAMES);
       if (!lsa)
 	{
-	  system_printf ("POLICY_LOOKUP_NAMES not given?");
+	  debug_printf ("POLICY_LOOKUP_NAMES right not given?");
 	  goto out;
 	}
       status = LsaLookupSids (lsa, scnt, sidp_buf, &dlst, &nlst);
@@ -664,7 +679,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
 		  if (gidsetsize && cnt > gidsetsize)
 		    {
 		      cnt = -1;
-		      goto out;
+		      break;
 		    }
 		}
 	    }
diff --git a/winsup/cygwin/release/2.2.1 b/winsup/cygwin/release/2.2.1
index 86546cd31..c16a3de97 100644
--- a/winsup/cygwin/release/2.2.1
+++ b/winsup/cygwin/release/2.2.1
@@ -11,8 +11,9 @@ Bug Fixes
   modern CPUs and modern Windows OSes supporting more than 64 logical CPUs.
   Addresses: https://cygwin.com/ml/cygwin/2015-06/msg00345.html
 
-- Don't try to perform RFC2307 owner/group mapping on Samba/NFS if account
-  info is only fetched from local passwd/group files.
+- Don't call LsaLookupSids to fetch group information and don't perform RFC2307
+  owner/group mapping on Samba/NFS if account info is only fetched from local
+  passwd/group files.
   Addresses: https://cygwin.com/ml/cygwin/2015-07/msg00270.html
 
 - Precautionally fix a potential data corruption problem in pipe I/O, only