Package: winbind
Version: 3.0.14a-3
Severity: grave
Justification: user security hole

I have found an error similar to bug 2776 in the Samba bugzilla
(https://bugzilla.samba.org/show_bug.cgi?id=2776). I'm configuring a Samba
server in an ADS domain (not in native mode, but with security = ADS) and
sharing a directory with ACLs, and found that some privileged users get
"access denied" when trying to access it. Searching the logs I found that
Samba retrieves different group IDs. After seeing the bug in the Samba
bugzilla, I tried this:

# wbinfo -r "DOMAIN\my_user"
10001
10002
10022
10023
10024
10025
10026

# id "DOMAIN\my_user"
uid=13204(DOMAIN\my_user) gid=10002(DOMAIN\group1) groups=10002(DOMAIN\group2),10022(DOMAIN\group3),10026(DOMAIN\group4),10001(DOMAIN\group5),10171(DOMAIN\group6),10245(DOMAIN\group7),10251(DOMAIN\group8),10311(DOMAIN\group9)

As you can see, the user's groups vary; this also happens with "getent groups"
instead of id. It happens with newly created users, old ones, etc., and gives
a user a different set of privileges. I have made a test on another machine
with a clean sarge r0a installed and updated, with the same results.

smb.conf:

[global]
   workgroup = DOMAIN
   realm = DOMAIN.ES
   netbios name = TEST-SAMBA
   server string = Esto esta pa'cer pruebas :)
   security = ADS
   passdb backend = tdbsam,guest
   passwd program = /usr/bin/passwd %u
   password server = server1, server2
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   log level = 2
   syslog = 0
   os level = 65
   log file = /var/log/samba/log.%m
   max log size = 1000
   smb ports = 139 445
   ldap ssl = start tls
   panic action = /usr/share/samba/panic-action %d
   allow trusted domains = no
   idmap uid = 500-100000000
   idmap gid = 500-100000000
   winbind cache time = 600

[prueba]
   path = /mnt/backup/prueba
   writable = yes
   map acl inherit = yes
   inherit acls = yes

If you need any other information, please tell me. Thanks for everything.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages winbind depends on:
ii  libc6        2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libcomerr2   1.37-2sarge1    common error description library
ii  libkrb53     1.3.6-2sarge1   MIT Kerberos runtime libraries
ii  libldap2     2.1.30-8        OpenLDAP libraries
ii  libpam0g     0.76-22         Pluggable Authentication Modules l
ii  libpopt0     1.7-5           lib for parsing cmdline parameters
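The disagreement the report shows between "wbinfo -r" and id(1) can be checked mechanically rather than by eye. The following POSIX shell script is an added example; it is not part of the bug report and is not Samba or Debian code. It takes the two outputs quoted in the report as constructed sample input and lists the GIDs that appear in only one of the two lists, which is exactly the condition that makes ACL checks on the share give the wrong answer. The helper names (wbinfo_gids, id_gids, only_in_first, report_mismatch) are the script's own.

```shell
#!/bin/sh
# Added check, not part of the bug report: compare the GIDs that winbind
# returns through "wbinfo -r" with the GIDs NSS resolves through id(1) for
# the same user, and list the ones that show up in only one of the two.
# On a correctly mapped system both lists agree.

# Constructed sample input, copied from the report above (not live output).
# On a real box replace these with:
#   WBINFO_OUT=$(wbinfo -r "DOMAIN\\my_user")
#   ID_OUT=$(LC_ALL=C id "DOMAIN\\my_user")
WBINFO_OUT='10001 10002 10022 10023 10024 10025 10026'
ID_OUT='uid=13204(DOMAIN\my_user) gid=10002(DOMAIN\group1) groups=10002(DOMAIN\group2),10022(DOMAIN\group3),10026(DOMAIN\group4),10001(DOMAIN\group5),10171(DOMAIN\group6),10245(DOMAIN\group7),10251(DOMAIN\group8),10311(DOMAIN\group9)'

# Numeric GIDs from "wbinfo -r" output (one GID per line or per token),
# normalised to a single space-separated line.
wbinfo_gids() {
    # Unquoted on purpose: word splitting collapses newlines and repeated
    # spaces. The input is digits only, so echo is safe here.
    # shellcheck disable=SC2086
    echo $1
}

# Numeric GIDs from the "groups=" field of id(1) output, space separated.
# id(1) labels that field in the current locale ("grupos=" in the report),
# so run id with LC_ALL=C before feeding its output in here.
id_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | sed 's/([^)]*)//g; s/,/ /g'
}

# GIDs present in list $1 but not in list $2 (both space separated),
# printed in the order they have in $1.
only_in_first() {
    out=''
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;              # present in both lists
            *) out="$out $g" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print the discrepancy; return 0 if the lists agree, 1 if they differ.
report_mismatch() {
    w=$(wbinfo_gids "$1")
    i=$(id_gids "$2")
    only_w=$(only_in_first "$w" "$i")
    only_i=$(only_in_first "$i" "$w")
    printf 'only in wbinfo -r: %s\n' "${only_w:-(none)}"
    printf 'only in id:        %s\n' "${only_i:-(none)}"
    [ -z "$only_w" ] && [ -z "$only_i" ]
}

report_mismatch "$WBINFO_OUT" "$ID_OUT" \
    || echo 'MISMATCH: winbind and NSS disagree on group membership'
```

With the report's data the script lists 10023 10024 10025 as known only to wbinfo and 10171 10245 10251 10311 as known only to id. Because report_mismatch returns a non-zero status on any disagreement, the same function can be run from cron against every domain account that has ACL entries on a share, so a recurrence of the mapping drift is noticed before a user hits "access denied".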