From f38638d4511814e2b541665df2f56c7ce357682f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 10 May 2012 11:05:41 +1000
Subject: [PATCH] s3-smbd: Consider a group with the same SID as sufficient duplication

This code is to ensure that the user does not loose rights when their file ownership is taken away. If the owner (an IDMAP_BOTH SID) appears as a group then a duplicate user is not required.

Signed-off-by: Jeremy Allison
---
 source3/smbd/posix_acls.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 6e97dcf873e..99e915678ab 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1525,6 +1525,13 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 pace->unix_ug.gid == pace_user->unix_ug.gid) {
 /* Already got one. */
 got_duplicate_group = true;
+ } else if ((pace->type == SMB_ACL_GROUP)
+ && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
+ /* If the SID owning the file appears
+ * in a group entry, then we have
+ * enough duplication, they will still
+ * have access */
+ got_duplicate_user = true;
 }
 }
 
-- 
2.34.1
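Review bot: The added `else if` sets `got_duplicate_user` for any `SMB_ACL_GROUP` entry whose trustee SID equals the owner's, without looking at what that group entry grants, so the comment's "they will still have access" is an assumption and not something the branch checks. If a group entry for the owner SID can carry narrower permissions than the owner entry at this point (not visible in the hunk), the owner keeps only those once ownership is taken away, which is the loss of rights the commit sets out to prevent. Either compare the group entry's permissions against `pace_user`'s before setting the flag, or state the precondition in the comment, e.g. `/* Owner SID is IDMAP_BOTH and also listed as a group; assumes that group entry grants at least the owner's rights. */`. The branch is also only reached when the preceding gid comparison fails, and the loop and the start of that condition lie outside the hunk, so it is worth confirming that the IDMAP_BOTH case really gets this far.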