* sec_auth.cc (get_user_groups): Don't handle ERROR_ACCESS_DENIED as

	error.  Explain why.

2 files changed, 13 insertions, 2 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 0cfe39381..7a11e5464 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2013-06-10  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (get_user_groups): Don't handle ERROR_ACCESS_DENIED as
+	error.  Explain why.
+
 2013-06-08  Christopher Faylor  <me.cygwin2013@cgf.cx>
 
 	* exceptions.cc (try_to_debug): Don't use yield() when waiting for
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index dd5ee0627..d6f3bb5d8 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -259,8 +259,14 @@ get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
   if (ret)
     {
       __seterrno_from_win_error (ret);
-      /* It's no error when the user name can't be found. */
-      return ret == NERR_UserNotFound;
+      /* It's no error when the user name can't be found.
+	 It's also no error if access has been denied.  Yes, sounds weird, but
+	 keep in mind that ERROR_ACCESS_DENIED means the current user has no
+	 permission to access the AD user information.  However, if we return
+	 an error, Cygwin will call DsGetDcName with DS_FORCE_REDISCOVERY set
+	 to ask for another server.  This is not only time consuming, it's also
+	 useless; the next server will return access denied again. */
+      return ret == NERR_UserNotFound || ret == ERROR_ACCESS_DENIED;
     }
 
   len = wcslen (domain);