From e0deeddc948cbf2a32ac5ca99962827001102025 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 9 Aug 2016 18:25:12 +0200 Subject: [PATCH] idmap: centrally check that unix IDs returned by the idmap backends are in range Note: in the long run, it might be good to move this kind of exit check (before handing the result back to the client) to the parent winbindd code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 Signed-off-by: Michael Adam (Backported from master commit b2bf61307cffd8ff7b6fb9852c107ab763653119.) --- source3/winbindd/winbindd_dual_srv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index cdd9bbd6168..630d28af3bd 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c @@ -203,6 +203,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, for (j=0; jin.ids->ids[id_idx[j]]; + if (!idmap_unix_id_is_in_range(ids[j].xid.id, dom)) { + ids[j].status = ID_UNMAPPED; + } + if (ids[j].status != ID_MAPPED) { id->xid.id = UINT32_MAX; id->xid.type = ID_TYPE_NOT_SPECIFIED; -- 2.11.4.GIT
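Review bot: the added range check in the _wbint_Sids2UnixIDs loop reads ids[j].xid.id before the existing `ids[j].status != ID_MAPPED` test, so it also runs on entries the backend did not map. For those entries xid.id may not hold a meaningful value, and an out-of-range value there replaces whatever non-mapped status the backend reported with ID_UNMAPPED. Consider limiting the check to mapped entries, for example `if (ids[j].status == ID_MAPPED && !idmap_unix_id_is_in_range(ids[j].xid.id, dom))`. The out-of-range case is also handled silently; a debug message with the rejected ID and the domain would help an administrator trace a backend that returns IDs outside its configured range.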