if (setting_acl) {
/* See if the owning user is in any of the other groups in
- the ACE, or if there's a matching user entry.
+ the ACE, or if there's a matching user entry (by uid
+ or in the case of ID_TYPE_BOTH by SID).
If so, OR in the permissions from that entry. */
canon_ace *pace_iter;
pace_iter->unix_ug.uid == pace->unix_ug.uid) {
pace->perms |= pace_iter->perms;
} else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
- if (uid_entry_in_group(conn, pace, pace_iter)) {
+ if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
+ pace->perms |= pace_iter->perms;
+ } else if (uid_entry_in_group(conn, pace, pace_iter)) {
pace->perms |= pace_iter->perms;
}
}
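Review bot: The two branches added under the SMB_ACL_GROUP_OBJ/SMB_ACL_GROUP case both run `pace->perms |= pace_iter->perms;`, so they can be folded into one condition, `if (dom_sid_equal(&pace->trustee, &pace_iter->trustee) || uid_entry_in_group(conn, pace, pace_iter)) {`, which keeps the short-circuit that skips the group lookup when the SIDs match. The SID comparison is not gated on the mapping type, so the code relies on a user trustee and a group trustee only sharing a SID in the ID_TYPE_BOTH case. Since a match widens the owner's permissions, a comment on the new branch such as `/* ID_TYPE_BOTH: the owner's SID is itself this group entry's trustee */` would make that assumption explicit. The enclosing loop and function start and end outside the hunk, so whether pace_iter is limited to allow entries cannot be confirmed from here.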