s3-smbd: Consider a group with the same SID as sufficient duplication

This code is to ensure that the user does not loose rights when their file
ownership is taken away.  If the owner (an IDMAP_BOTH SID) appears as a group
then a duplicate user is not required.

Signed-off-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 6e97dcf873e13ed0c0feda8f1a86df31c40f407f..99e915678ab1d27d616a1bbc826097e194365e7d 100644 (file)
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1525,6 +1525,13 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
                                        pace->unix_ug.gid == pace_user->unix_ug.gid) {
                                /* Already got one. */
                                got_duplicate_group = true;
+                       } else if ((pace->type == SMB_ACL_GROUP)
+                                  && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
+                               /* If the SID owning the file appears
+                                * in a group entry, then we have
+                                * enough duplication, they will still
+                                * have access */
+                               got_duplicate_user = true;
                        }
                }