1 diff --git a/source/include/smb.h b/source/include/smb.h
2 index a98d151..56d9461 100644
3 --- a/source/include/smb.h
4 +++ b/source/include/smb.h
5 @@ -597,6 +597,12 @@ typedef struct connection_struct {
7 struct auth_serversupplied_info *server_info;
10 + * If the "force group" parameter is set, this is the primary gid that
11 + * may be used in the users token, depending on the vuid using this tid.
13 + gid_t force_group_gid;
15 char client_address[INET6_ADDRSTRLEN]; /* String version of client IP address. */
17 uint16 vuid; /* vuid of user who *opened* this connection, or UID_FIELD_INVALID */
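Review bot: The comment on the new `force_group_gid` field does not say which value means "no forced group". The other hunks on this page initialise it to `(gid_t)-1` in conn.c and assert against `(gid_t)-1` in uid.c, so the sentinel is part of the field's contract. I would add a line to the comment such as `* (gid_t)-1 means no forced gid has been cached for this connection.` A named constant for the sentinel would also avoid repeating the cast in three files. The struct definition starts and ends outside this hunk.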
18 diff --git a/source/smbd/conn.c b/source/smbd/conn.c
19 index 7f34d2b..a6eafcf 100644
20 --- a/source/smbd/conn.c
21 +++ b/source/smbd/conn.c
22 @@ -145,6 +145,7 @@ find_again:
26 + conn->force_group_gid = (gid_t)-1;
30 diff --git a/source/smbd/service.c b/source/smbd/service.c
31 index c39584a..5e75fce 100644
32 --- a/source/smbd/service.c
33 +++ b/source/smbd/service.c
34 @@ -834,6 +834,14 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
40 + * We need to cache this gid, to use within
41 + * change_to_user() separately from the conn->server_info
42 + * struct. We only use conn->server_info directly if
43 + * "force_user" was set.
45 + conn->force_group_gid = conn->server_info->utok.gid;
48 conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
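Review bot: The added comment quotes the setting as `"force_user"`, while the smb.h comment uses the smb.conf spelling `"force group"` with a space; write `"force user"` if the parameter is meant, or drop the quotes if a struct field is meant. The comment could also state that `conn->force_group_gid` is the authoritative value from here on, since the uid.c hunks later overwrite `conn->server_info->utok.gid` from it. Whether this assignment sits inside the force-group check is not visible in the hunk. The assert added in change_to_user() depends on it running whenever that parameter is set, so that is worth confirming.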
49 diff --git a/source/smbd/uid.c b/source/smbd/uid.c
50 index 119a155..02f8cc9 100644
51 --- a/source/smbd/uid.c
52 +++ b/source/smbd/uid.c
53 @@ -256,6 +256,8 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
55 if((group_c = *lp_force_group(snum))) {
57 + SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
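Review bot: The `SMB_ASSERT` on `conn->force_group_gid` turns a missing cached gid into a process panic on the request path, although change_to_user() returns bool and could simply refuse the switch. `lp_force_group(snum)` is evaluated here on every call, while the gid is cached once in make_connection_snum(), so the two could disagree if the share's settings change in between (inferred; no reload path is visible on this page). Failing closed without the panic still refuses the credential change and keeps the session alive: `if (conn->force_group_gid == (gid_t)-1) { DEBUG(0, ("change_to_user: force group set but no gid cached\n")); return false; }`. The function body starts and ends outside the hunk.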
62 @@ -268,15 +270,18 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
64 for (i = 0; i < num_groups; i++) {
66 - == conn->server_info->utok.gid) {
67 - gid = conn->server_info->utok.gid;
68 + == conn->force_group_gid) {
69 + conn->server_info->utok.gid =
70 + conn->force_group_gid;
71 + gid = conn->force_group_gid;
72 gid_to_sid(&conn->server_info->ptok
78 - gid = conn->server_info->utok.gid;
79 + conn->server_info->utok.gid = conn->force_group_gid;
80 + gid = conn->force_group_gid;
81 gid_to_sid(&conn->server_info->ptok->user_sids[1],