2 files changed, 11 insertions, 4 deletions

diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index ff11ba4..e0591ac 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -914,6 +914,10 @@ static uint8_t get_flags_to_propagate(bool is_container,
 	/* Assume we are not propagating the ACE */
 
 	newflags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+
+	/* Inherit-only flag is not propagated to children */
+
+	newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
 	/* all children need to have the SEC_ACE_FLAG_INHERITED_ACE set */
 	if (acl_cntrinherit || acl_objinherit) {
 		/*
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 7e572e5..7d63240 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
 }
 
 static NTSTATUS add_primary_group_members(
-	ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+	ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname,
 	char ***all_members, size_t *num_all_members)
 {
 	char *filter;
@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members(
 	char **members;
 	size_t num_members;
 	ads_control args;
+	bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false);
 
 	filter = talloc_asprintf(
-		mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
-		(unsigned)rid);
+		mem_ctx,
+		"(&(objectCategory=user)(primaryGroupID=%u)%s)",
+		(unsigned)rid,
+		all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))");
 	if (filter == NULL) {
 		goto done;
 	}
@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 
 	DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
 
-	status = add_primary_group_members(ads, mem_ctx, rid,
+	status = add_primary_group_members(ads, mem_ctx, rid, domain->name,
 					   &members, &num_members);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("%s: add_primary_group_members failed: %s\n",