From e031f8ae6aee266c0ebf0b53465906e215ac9561 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Oct 2010 15:28:23 -0700
Subject: Fix "force unknown ACL user" to strip out foreign SIDs from POSIX
 ACLs if they can't be mapped.

---
 source3/smbd/posix_acls.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'source3/smbd/posix_acls.c')

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index fa715fb673..05f6439957 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1753,6 +1753,14 @@ static bool create_canon_ace_lists(files_struct *fsp,
 				continue;
 			}
 
+			if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
+				DEBUG(10, ("create_canon_ace_lists: ignoring "
+					"unknown or foreign SID %s\n",
+					sid_string_dbg(&psa->trustee)));
+				SAFE_FREE(current_ace);
+				continue;
+			}
+
 			free_canon_ace_list(file_ace);
 			free_canon_ace_list(dir_ace);
 			DEBUG(0, ("create_canon_ace_lists: unable to map SID "
-- 
cgit