From 745da165de8a18f3737394a7cd1ff2ae1084bce3 Mon Sep 17 00:00:00 2001
From: Andrew Walker
Date: Thu, 11 Jan 2024 07:40:27 -0800
Subject: [PATCH] s3/lib/idmap_cache - don't cache Unix account sids

Local unix users and groups are implicitly mapped with a special samba SID prefix. This means that queries for instance for S-1-22-1-3000 will resolve to UID 3000 and generate a reverse UID to SID mapping that overwrites any prior one retrieved via passdb. This commit prevents us from storing the reverse mapping for these account SIDs in gencache to avoid pollution.
---
 source3/lib/idmap_cache.c | 11 ++++++++++-
 source3/wscript_build | 1 +
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c
index a4b8861f466..e06a2649197 100644
--- a/source3/lib/idmap_cache.c
+++ b/source3/lib/idmap_cache.c
@@ -23,6 +23,7 @@
 #include "../librpc/gen_ndr/idmap.h"
 #include "lib/gencache.h"
 #include "lib/util/string_wrappers.h"
+#include "util_unixsids.h"
 /**
 * Find a sid2xid mapping
@@ -281,6 +282,7 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 time_t now = time(NULL);
 time_t timeout;
 fstring key, value;
+ bool is_implicit_sid = false;
 if (!is_null_sid(sid)) {
 struct dom_sid_buf sidstr;
@@ -306,8 +308,15 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 ? lp_idmap_negative_cache_time()
 : lp_idmap_cache_time();
 gencache_set(key, value, now + timeout);
+
+ if (sid_check_is_in_unix_groups(sid) ||
+ sid_check_is_in_unix_users(sid)) {
+ // Avoid setting IDMAP/UID2SID cache entry for local
+ // users and groups to avoid cache pollution
+ is_implicit_sid = true;
+ }
 }
- if (unix_id->id != -1) {
+ if ((unix_id->id != -1) && !is_implicit_sid) {
 if (is_null_sid(sid)) {
 /* negative xid mapping */
 fstrcpy(value, "-");
diff --git a/source3/wscript_build b/source3/wscript_build
index a27537b5d6b..b6057496e65 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
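Review bot: The new `!is_implicit_sid` guard only stops a fresh reverse write; nothing in the hunk evicts an IDMAP/UID2SID entry that an earlier S-1-22-1-N lookup already overwrote, so a polluted reverse mapping presumably survives in gencache until its own timeout expires. If that is the intended scope, say so where the flag is set, e.g. `/* Existing polluted reverse entries are left to age out. */`, since a reader will otherwise expect this change to repair the cache rather than only stop further damage. The forward `gencache_set(key, value, now + timeout)` just above still caches the S-1-22 SID itself; if that entry is never consulted for these deterministic SIDs, hoisting the check above it and skipping both writes would be cleaner, but the forward lookup path is not in the hunk so I may be missing a consumer. The two added `//` comment lines should also use the `/* */` form the rest of the function uses (`/* negative xid mapping */` in this same hunk). idmap_cache_set_sid2unixid starts and ends outside the hunk.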
@@ -384,6 +384,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core',
 lib/idmap_cache.c
 lib/namemap_cache.c
 lib/util_ea.c
+ lib/util_unixsids.c
 lib/background.c
 ''',
 deps='''