Ignore unmappable (NT Authority, BUILTIN etc.) SIDs in an ACL set.

Jeremy.
(This used to be commit bc7963bd643422cce081b6284e3bdd49ae3a02ab)

2 files changed, 35 insertions, 0 deletions

diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index c89c7c70d9..10813a4605 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -566,3 +566,27 @@ size_t sid_size(DOM_SID *sid)
 
 	return sid->num_auths * sizeof(uint32) + 8;
 }
+
+/*****************************************************************
+ Returns true if SID is internal (and non-mappable).
+*****************************************************************/
+
+BOOL non_mappable_sid(DOM_SID *sid)
+{
+	DOM_SID dom;
+	uint32 rid;
+
+	sid_copy(&dom, sid);
+	sid_split_rid(&dom, &rid);
+
+	if (sid_equal(&dom, &global_sid_Builtin))
+		return True;
+
+    if (sid_equal(&dom, &global_sid_Creator_Owner_Domain))
+		return True;
+ 
+	if (sid_equal(&dom, &global_sid_NT_Authority))
+		return True;
+
+	return False;
+}
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 18a635336c..64dd51f193 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -715,6 +715,17 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
 		SEC_ACE *psa = &dacl->ace[i];
 
 		/*
+		 * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
+		 */
+
+		if (non_mappable_sid(&psa->sid)) {
+			fstring str;
+			DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
+				sid_to_string(str, &psa->sid) ));
+			continue;
+		}
+
+		/*
 		 * Create a cannon_ace entry representing this NT DACL ACE.
 		 */