From 6bafb4ac25989fd5d637db0da4afab5ae36bad1c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 16 May 2012 13:07:17 -0700
Subject: s3-smbd: Avoid creating a UID ACL entry for SIDs that are mapped as
 ID_TYPE_BOTH The GID ACL entry is what will be mapped in most cases, and so
 is sufficient.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu May 17 05:08:44 CEST 2012 on sn-devel-104
---
 source3/smbd/posix_acls.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

(limited to 'source3')

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 99e915678a..e2571ff248 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1535,6 +1535,37 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 			}
 		}
 
+		/* If the SID is equal for the user and group that we need
+		   to add the duplicate for, add only the group */
+		if (!got_duplicate_user && !got_duplicate_group
+				&& dom_sid_equal(&pace_group->trustee,
+						&pace_user->trustee)) {
+			/* Add a duplicate SMB_ACL_GROUP entry, this
+			 * will cover the owning SID as well, as it
+			 * will always be mapped to both a uid and
+			 * gid. */
+
+			if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
+				DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
+				return false;
+			}
+
+			ZERO_STRUCTP(pace);
+			pace->type = SMB_ACL_GROUP;;
+			pace->owner_type = GID_ACE;
+			pace->unix_ug.gid = pace_group->unix_ug.gid;
+			pace->trustee = pace_group->trustee;
+			pace->attr = pace_group->attr;
+			pace->perms = pace_group->perms;
+
+			DLIST_ADD(*pp_ace, pace);
+
+			/* We're done here, make sure the
+			   statements below are not executed. */
+			got_duplicate_user = true;
+			got_duplicate_group = true;
+		}
+
 		if (!got_duplicate_user) {
 			/* Add a duplicate SMB_ACL_USER entry. */
 			if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
@@ -1551,6 +1582,8 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 			pace->perms = pace_user->perms;
 
 			DLIST_ADD(*pp_ace, pace);
+
+			got_duplicate_user = true;
 		}
 
 		if (!got_duplicate_group) {
@@ -1569,6 +1602,8 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 			pace->perms = pace_group->perms;
 
 			DLIST_ADD(*pp_ace, pace);
+
+			got_duplicate_group = true;
 		}
 
 	}
-- 
cgit