From 9035519215c95286690c8e9c29bc9dc97583ab5c Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <corinna@vinschen.de>
Date: Wed, 9 Jul 2008 15:45:08 +0000
Subject: 	* sec_auth.cc (verify_token): Allow builtin groups missing in
 a token 	and it's still valid.  Explain why.

---
 winsup/cygwin/sec_auth.cc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'winsup/cygwin/sec_auth.cc')

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index b2f1fe77d..db76fcd79 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 		  goto done;
 #endif
 	      }
-	  /* user.sgsids groups must be in the token */
+	  /* user.sgsids groups must be in the token, except for builtin groups.
+	     These can be different on domain member machines compared to
+	     domain controllers, so these builtin groups may be validly missing
+	     from a token created through password or lsaauth logon. */
 	  for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
-	    if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+	    if (!saw[gidx]
+	    	&& !groups.sgsids.sids[gidx].is_well_known_sid ()
+		&& !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
 	      goto done;
 	}
       /* The primary group must be in the token */
-- 
cgit v1.2.3