From 173f818a294d89cc97ba22856c334c451772fbe5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 14 May 2012 12:34:39 -0700
Subject: This covers a case where an ID_TYPE_BOTH mapping creates group permissions, but must own the file. Based on an original patch by Andrew Bartlett.
---
 source3/smbd/posix_acls.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'source3')
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index a313190fd2..d58c7c0b8b 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1420,7 +1420,8 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 if (setting_acl) {
 /* See if the owning user is in any of the other groups in
- the ACE, or if there's a matching user entry.
+ the ACE, or if there's a matching user entry (by uid
+ or in the case of ID_TYPE_BOTH by SID).
 If so, OR in the permissions from that entry. */
 canon_ace *pace_iter;
@@ -1430,7 +1431,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 pace_iter->unix_ug.uid == pace->unix_ug.uid) {
 pace->perms |= pace_iter->perms;
 } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
- if (uid_entry_in_group(conn, pace, pace_iter)) {
+ if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
+ pace->perms |= pace_iter->perms;
+ } else if (uid_entry_in_group(conn, pace, pace_iter)) {
 pace->perms |= pace_iter->perms;
 }
 }
-- cgit
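Review bot: The two branches in the second hunk (`dom_sid_equal(...)` and `uid_entry_in_group(...)`) have the same body, `pace->perms |= pace_iter->perms;`, so the SID comparison can be folded into the existing test: `if (dom_sid_equal(&pace->trustee, &pace_iter->trustee) || uid_entry_in_group(conn, pace, pace_iter)) {`. Keeping the SID comparison first preserves the short-circuit that skips the group-membership lookup when the group entry is the owner itself. Because this path widens the owner entry's permission mask, it depends on `pace->trustee` being filled in before the loop, which presumably happens outside the hunk. A short comment on the new test, such as `/* ID_TYPE_BOTH: the owner's SID can also appear as a group entry */`, would make that dependency visible at the point of use. The body of ensure_canon_entry_valid starts and ends outside both hunks.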