* cygheap.h (class cygheap_domain_info): Remove lowest_tdo_posix_offset.

* ldap.cc (cyg_ldap::fetch_posix_offset_for_domain): Return UINT32_MAX
	in case of error.
	* security.h (PRIMARY_POSIX_OFFSET): Define.
	(NOACCESS_POSIX_OFFSET): Define.
	(UNUSABLE_POSIX_OFFSET): Define.
	* uinfo.cc (cygheap_domain_info::init): Drop initializing
	lowest_tdo_posix_offset.
	(pwdgrp::fetch_account_from_file): Set PosixOffset to either
	UNUSABLE_POSIX_OFFSET or NOACCESS_POSIX_OFFSET in case we don't get a
	sensible offset from AD.  Explain why.  Drop setting ch
	lowest_tdo_posix_offset.
	(pwdgrp::fetch_account_from_windows): Replace constant 0x100000 with
	PRIMARY_POSIX_OFFSET throughout.

winsup/cygwin/security.h

@@ -24,6 +24,16 @@ void uinfo_init ();
 #define ILLEGAL_UID ((uid_t)-1)
 #define ILLEGAL_GID ((gid_t)-1)
 
+/* Offset for accounts in the primary domain of the machine. */
+#define PRIMARY_POSIX_OFFSET		(0x00100000)
+
+/* Fake POSIX offsets used in scenarios in which the account has no permission
+   to fetch the POSIX offset, or when the admins have set the offset to an
+   unreasonable low value.  The values are chosen in the hope that they won't
+   collide with "real" offsets. */
+#define NOACCESS_POSIX_OFFSET		(0xfe500000)
+#define UNUSABLE_POSIX_OFFSET		(0xfea00000)
+
 /* For UNIX accounts not mapped to Windows accounts via winbind, Samba returns
    SIDs of the form S-1-22-x-y, with x == 1 for users and x == 2 for groups,
    and y == UNIX uid/gid.  NFS returns no SIDs at all, but the plain UNIX