s3/lib/idmap_cache - don't cache Unix account sids

Local unix users and groups are implicitly mapped with
a special samba SID prefix. This means that queries
for instance for S-1-22-1-3000 will resolve to UID 3000
and generate a reverse UID to SID mapping that overwrites
any prior one retrieved via passdb. This commit prevents
us from storing the reverse mapping for these account
SIDs in gencache to avoid pollution.

source3/lib/idmap_cache.c

@@ -23,6 +23,7 @@
 #include "../librpc/gen_ndr/idmap.h"
 #include "lib/gencache.h"
 #include "lib/util/string_wrappers.h"
+#include "util_unixsids.h"
 
 /**
  * Find a sid2xid mapping
@@ -281,6 +282,7 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 	time_t now = time(NULL);
 	time_t timeout;
 	fstring key, value;
+	bool is_implicit_sid = false;
 
 	if (!is_null_sid(sid)) {
 		struct dom_sid_buf sidstr;
@@ -306,8 +308,15 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 			? lp_idmap_negative_cache_time()
 			: lp_idmap_cache_time();
 		gencache_set(key, value, now + timeout);
+
+		if (sid_check_is_in_unix_groups(sid) ||
+		    sid_check_is_in_unix_users(sid)) {
+			// Avoid setting IDMAP/UID2SID cache entry for local
+			// users and groups to avoid cache pollution
+			is_implicit_sid = true;
+		}
 	}
-	if (unix_id->id != -1) {
+	if ((unix_id->id != -1) && !is_implicit_sid) {
 		if (is_null_sid(sid)) {
 			/* negative xid mapping */
 			fstrcpy(value, "-");

source3/wscript_build

@@ -384,6 +384,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core',
                           lib/idmap_cache.c
                           lib/namemap_cache.c
                           lib/util_ea.c
+                          lib/util_unixsids.c
                           lib/background.c
                           ''',
                    deps='''