When a user logs in, its primaray group sid mapping is stored in the gid_sid memcache, but in the sid2uid idmap cache (gencache.tdb). This wrong cache entry lives for a while and can leads to strange and erratic errors. One possible consequence is that a set-security-descriptor call with an ace for the group sid in question will result in a broken posix acl on disk with _user_ type ace for the user with the group's gid as uid. This results in the user having access rights he is not supposed to have. This bug applies to master, 3.5.3 and also in 3.4.8. The fix is minimal and will follow next.
I have pushed the fix to master in commit ba809ecb8ab217e4376bf75d2300e146b62b88eb. http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=ba809ecb8ab217e4376bf75d2300e146b62b88eb The commit cherry-picks cleanly to v3-4-test and v3-5-test. Unfortunately, I have made a silly typo in the commit message, in writing 7505 instead of 7507 :-/ Michael
Patch looks good, but for the release branches we should fix that commit message typo. Karolin, do you want me to provide fixed patches? Thanks, Volker
(In reply to comment #2) > Patch looks good, but for the release branches we should fix that commit > message typo. Karolin, do you want me to provide fixed patches? No, I will correct the typo myself.
Pushed to v3-5-test and v3-4-test.