When a user logs in, its primary group sid mapping
is stored in the gid_sid memcache, but in the sid2uid
idmap cache (gencache.tdb). This wrong cache entry lives
for a while and can lead to strange and erratic errors.
One possible consequence is that a set-security-descriptor
call with an ace for the group sid in question will result
in a broken posix acl on disk with _user_ type ace for the
user with the group's gid as uid.
This results in the user having access rights he is not
supposed to have.
This bug applies to master, 3.5.3 and also to 3.4.8.
The fix is minimal and will follow next.
I have pushed the fix to master in commit ba809ecb8ab217e4376bf75d2300e146b62b88eb.
The commit cherry-picks cleanly to v3-4-test and v3-5-test.
Unfortunately, I have made a silly typo in the commit message,
in writing 7505 instead of 7507 :-/
Patch looks good, but for the release branches we should fix that commit message typo. Karolin, do you want me to provide fixed patches?
(In reply to comment #2)
> Patch looks good, but for the release branches we should fix that commit
> message typo. Karolin, do you want me to provide fixed patches?
No, I will correct the typo myself.
Pushed to v3-5-test and v3-4-test.