Security issue: net_groupmap doesn't update users' sambaPrimaryGroupSID when adding/modifying/deleting a mapping that involves the users' Unix primary group. Users keep getting rights provided by the "old" sambaPrimaryGroupSID. We should scan the users to update their sambaPrimaryGroupSIDs (this will unfortunately decrease performance).
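The scan the report asks for can be done outside Samba as a consistency audit of the LDAP backend: for every sambaSamAccount, compare its sambaPrimaryGroupSID with the sambaSID of the sambaGroupMapping entry that carries the same gidNumber. The example below is added here and is not the reporter's patch or Samba code; the LDIF is constructed, with "bob" still carrying the SID of a mapping that no longer exists.

```python
# Constructed sample LDIF (not from the bug report): one group mapping and two users.
SAMPLE_LDIF = """\
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
gidNumber: 1002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3005

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
gidNumber: 1002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-3005

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
gidNumber: 1002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-3003
"""

def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, attribute values kept as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def find_stale_primary_group_sids(entries):
    """Return (dn, current_sid, expected_sid) for every sambaSamAccount whose
    sambaPrimaryGroupSID differs from the sambaSID mapped to its gidNumber."""
    gid_to_sid = {e["gidNumber"][0]: e["sambaSID"][0] for e in entries
                  if "sambaGroupMapping" in e.get("objectClass", [])}
    stale = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        expected = gid_to_sid.get(e["gidNumber"][0])  # unmapped gid: nothing to compare
        current = e.get("sambaPrimaryGroupSID", [None])[0]
        if expected and current != expected:
            stale.append((e["dn"][0], current, expected))
    return stale

def fix_ldif(stale):
    """Emit ldapmodify-style LDIF replacing each stale attribute with the mapped SID."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nreplace: sambaPrimaryGroupSID\n"
                     f"sambaPrimaryGroupSID: {expected}\n" for dn, _, expected in stale)
```

Running this against an `ldapsearch` dump after each `net groupmap` change, and feeding the output to `ldapmodify`, closes the window in which a user keeps the rights of the old primary group SID.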
Created attachment 374: Activates users' primary group SID update when adding/modifying/deleting a group mapping. !!!WARNING!!!: THIS PATCH DOESN'T WORK WITH THE TDB BACKEND, but it works perfectly with the ldap backend. Since I'm not a Samba guru, I couldn't make this patch work with the TDB backend. I think it is very simple to fix: the problem is that pdb_ldap and pdb_tdb don't update the sam account the same way: pdb_tdb.c invalidates the iterator during a sam update (while pdb_ldap doesn't), so the main loop crashes after the first pdb_update_sam_account while trying to use pdb_getsampwent. The patch may be easy to fix and can be a good start for a final bugfix.
moving to 3.0
resetting component
database cleanup
Closing. In 3.0.22, the primaryGroupSID attribute will be ignored and generated at run time directly from the Unix primary gid.