s4-dsdb: minimise the DN in group expansion

this DN we have came from an extended DN search, which means it may
have multiple extended components. We need to minimise the DN before
AD will accept it

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index 07d761167d02f49104aa4202e2ea715a555099d1..d41305577c817155376b75c5b82bda188a6cc49a 100644 (file)
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -104,6 +104,11 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
                return status;
        }
 
+       if (!ldb_dn_minimise(dn)) {
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+
        if (only_childs) {
                ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
                                     DSDB_SEARCH_SHOW_EXTENDED_DN);