#4234 with ipa-adtrust-install, smb server valid users = @groupname fails due to ipa-sam failure to translate group SID into gid
Closed: Fixed. Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1073829

Created attachment 871827
Log snippet for samba (I forget which log file it was from, I apologise)

Description of problem:
With ipa-server-trust-ad installed, ipa-adtrust-install --setsids run, and the
sidgen task registered and run, users cannot connect to a share in the local samba
server if it is locked to specific groups via "valid users", even if the user
is a member of one of those groups.

Logs at level 10 show the following: (see attached for full snippet)
[2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)]
ipa_sam.c:309(get_single_attribute)
Attribute [uidNumber] not found.
[2014/03/06 15:32:55.659667,  1, pid=28139, effective(0, 0), real(0, 0)]
ipa_sam.c:717(ldapsam_sid_to_id)
Could not find uidNumber in
cn=groupname,cn=groups,cn=accounts,dc=example,dc=com

Examining the code I found that ldapsam_sid_to_id was distinguishing between user and
group by looking for the ipaNTGroupAttr objectClass and comparing case-sensitively.
However, the sidgen task adds it as ipantgroupattr in lower case. Thus the
objectClass is not found and it assumes the object to be a user and proceeds to
look for uidNumber - thus the error. This results in the group missing from the
user's security token list within samba, and thus access to the share is rejected.

A simple patch is required to ipa-sam to adjust the strncmp in
ldapsam_sid_to_id to a strncasecmp. I've attached a patch for the master branch
at git.fedorahosted.org (as of commit prefix 4048d41) and also a patch that
I've applied to the ipa-3.0.0-37 package.

I'm aware that file sharing is not currently supported according to the
documentation - but I had a strong need for this due to a mixture of Windows and
Mac machines needing a central file server (thus samba) with single sign-on
too. The existing setup was samba with local users.

Thanks and be proud of FreeIPA! It's awesome! Hopefully we can get support for
the samba file server soon and maybe a separate package for the ipa-sam.so! :)

Version-Release number of selected component (if applicable):
3.0.0-37
Also current master has same issue

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server-trust-ad and run ipa-adtrust-install --setsids, and then
register to run the sidgen task.
After that, create a share with "net conf setparm" with open access:

[Share]
path = /data
read only = no

2. Users from the IPA domain can connect successfully. Now add the following
extra share config with "net conf setparm", where @groupname is a group that
"user" is a member of

valid users = @groupname

3. Attempt to connect to the samba share as "user"

Actual results:
Cannot connect - error will be one that points to no access to the share

Expected results:
Connect successfully

Additional info:
Patches attached and log attached
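The classification mistake described in the report, as an added stand-alone example (this is not ipa-sam's code and not the reporter's patch): a constructed group entry carrying the lower-case `ipantgroupattr` class is run through a case-sensitive and a case-insensitive classifier, and only the second one reads gidNumber instead of failing on the missing uidNumber. The `struct entry`, the helper names, and the attribute values are assumptions made for the example; the objectClass spellings, the DN and the attribute names come from the ticket.

```c
/*
 * Added example, not ipa-sam code: why a case-sensitive objectClass compare
 * misclassifies a group entry written by the sidgen task.
 *
 * LDAP objectClass values are case-insensitive by schema, so "ipaNTGroupAttr"
 * and "ipantgroupattr" name the same class. strncmp() treats them as
 * different; strcasecmp()/strncasecmp() does not.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

enum id_type { ID_TYPE_USER = 0, ID_TYPE_GROUP = 1 };

/* Constructed stand-in for an LDAP entry: its objectClass values plus the
 * attribute a SID-to-id lookup reads for each entry type. */
struct entry {
    const char *dn;
    const char *object_class[8];   /* NULL-terminated */
    const char *gid_number;        /* NULL if absent */
    const char *uid_number;        /* NULL if absent */
};

typedef enum id_type (*classify_fn)(const struct entry *);

/* Buggy classifier: case-sensitive prefix compare, as the ticket describes. */
enum id_type classify_case_sensitive(const struct entry *e)
{
    const char *want = "ipaNTGroupAttr";
    for (int i = 0; e->object_class[i] != NULL; i++)
        if (strncmp(e->object_class[i], want, strlen(want)) == 0)
            return ID_TYPE_GROUP;
    return ID_TYPE_USER;   /* fall-through: anything else is assumed a user */
}

/* Fixed classifier: case-insensitive compare. strcasecmp() is used rather
 * than strncasecmp() so a longer class name that merely shares the prefix
 * is not accepted by accident. */
enum id_type classify_case_insensitive(const struct entry *e)
{
    for (int i = 0; e->object_class[i] != NULL; i++)
        if (strcasecmp(e->object_class[i], "ipaNTGroupAttr") == 0)
            return ID_TYPE_GROUP;
    return ID_TYPE_USER;
}

/* Resolve the numeric id the way the ticket's log shows: groups read
 * gidNumber, users read uidNumber. Returns the id, or -1 when the attribute
 * the classifier asked for is missing (the "Could not find uidNumber in
 * cn=groupname,..." failure). */
long resolve_id(const struct entry *e, classify_fn classify)
{
    enum id_type t = classify(e);
    const char *attr = (t == ID_TYPE_GROUP) ? e->gid_number : e->uid_number;
    if (attr == NULL) {
        fprintf(stderr, "Could not find %s in %s\n",
                (t == ID_TYPE_GROUP) ? "gidNumber" : "uidNumber", e->dn);
        return -1;
    }
    return strtol(attr, NULL, 10);
}

/* Constructed group entry as the sidgen task would leave it: the NT group
 * class is present, but stored in lower case. The gidNumber is made up. */
static const struct entry sidgen_group = {
    .dn = "cn=groupname,cn=groups,cn=accounts,dc=example,dc=com",
    .object_class = { "top", "posixgroup", "ipantgroupattr", NULL },
    .gid_number = "1234000005",
    .uid_number = NULL,
};

/* Constructed group entry with the class in canonical case: both
 * classifiers agree on it, which is why the bug only shows up after sidgen. */
static const struct entry canonical_group = {
    .dn = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
    .object_class = { "top", "posixgroup", "ipaNTGroupAttr", NULL },
    .gid_number = "1234000000",
    .uid_number = NULL,
};

int main(void)
{
    printf("sidgen group, case-sensitive compare:   id=%ld\n",
           resolve_id(&sidgen_group, classify_case_sensitive));
    printf("sidgen group, case-insensitive compare: id=%ld\n",
           resolve_id(&sidgen_group, classify_case_insensitive));
    printf("canonical group, case-sensitive compare: id=%ld\n",
           resolve_id(&canonical_group, classify_case_sensitive));
    return 0;
}
```

The first lookup fails and logs the same "Could not find uidNumber" line the ticket shows, while the other two return the gid. The check a reviewer would want on top of the strncasecmp change is the one noted in the fixed classifier: a prefix compare with the pattern's own length accepts any objectClass that starts with `ipaNTGroupAttr`, so an exact case-insensitive compare is the safer form.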

Posted updated patch for review.

master:

  • d6a7923 ipa-sam: cache gid to sid and uid to sid requests in idmap cache

ipa-3-3:

  • 13cd4fa ipa-sam: cache gid to sid and uid to sid requests in idmap cache

Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)

7 years ago
