From 6e720ecd259742d274d6281088c5052070c955e6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Matthias=20Dieter=20Walln=C3=B6fer?=
Date: Mon, 13 Sep 2010 22:41:06 +0200
Subject: [PATCH] s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for LDAP filters

This makes also lookups through special backends as "samba3sam" work.
---
 source4/dsdb/common/util.c | 2 +-
 source4/dsdb/samdb/ldb_modules/samldb.c | 16 ++++++++--------
 source4/lib/policy/gp_ldap.c | 7 +++++--
 source4/ntp_signd/ntp_signd.c | 3 ++-
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index d52590cd663..0e371082bea 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2560,7 +2560,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
 int ret;
 struct ldb_result *res;
 const char *attrs[] = { NULL };
- char *sid_str = dom_sid_string(mem_ctx, sid);
+ char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
 if (!sid_str) {
 return ldb_operr(ldb);
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index acf796f20fe..dca6ece9eef 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -276,8 +276,8 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
 return ldb_operr(ldb);
 }
- prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
- dom_sid_string(ac, sid));
+ prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(ac, sid));
 if (prim_group_dn == NULL) {
 ldb_asprintf_errstring(ldb,
 "Failed to find primary group with RID %u!",
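Review bot: In the util.c hunk, `sid_str` in dsdb_find_dn_by_sid no longer holds the readable S-1-… text after this line but the NDR encoding prepared for an LDAP filter, and the name still suggests the former. The rest of the function lies outside the hunk, so it is worth confirming that `sid_str` is only used as the filter argument and never in an error or debug string. A rename to `encoded_sid` and a comment such as `/* NDR-encoded for the filter so mapping backends like samba3sam can match objectSid */` would record the intent given in the commit message.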
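Review bot: The result of `ldap_encode_ndr_dom_sid(ac, sid)` goes straight into the `%s` of the `(objectSid=%s)` filter in samldb_check_primaryGroupID without a NULL check. An allocation failure therefore reaches the format call as a NULL string and at best surfaces as "Failed to find primary group" rather than an out-of-memory error. The same pattern is in the samldb.c hunks at -929, -948 and -1041 and in the ntp_signd.c hunk at -164, whereas util.c and gp_ldap.c in this commit do check the return. I would hoist the call into a local and test it first, `sid_filter = ldap_encode_ndr_dom_sid(ac, sid);` followed by `if (sid_filter == NULL) return ldb_oom(ldb);`, and pass `sid_filter` to samdb_search_dn. The enclosing functions start and end outside these hunks.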
@@ -929,8 +929,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 return ldb_operr(ldb);
 }
- prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
- dom_sid_string(ac, sid));
+ prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(ac, sid));
 if (prev_prim_group_dn == NULL) {
 return ldb_operr(ldb);
 }
@@ -948,8 +948,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 return ldb_operr(ldb);
 }
- new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
- dom_sid_string(ac, sid));
+ new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(ac, sid));
 if (new_prim_group_dn == NULL) {
 /* Here we know if the specified new primary group candidate is
 * valid or not. */
@@ -1041,8 +1041,8 @@ static int samldb_member_check(struct samldb_ctx *ac)
 return ldb_operr(ldb);
 }
- group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
- dom_sid_string(ac, sid));
+ group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(ac, sid));
 if (group_dn == NULL) {
 return ldb_operr(ldb);
 }
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 87fde9dbd78..d612cf87699 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -28,6 +28,7 @@
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../libcli/security/dom_sid.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "../lib/talloc/talloc.h"
 #include "lib/policy/policy.h"
@@ -425,7 +426,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
 TALLOC_CTX *mem_ctx;
 const char **gpos;
 struct ldb_result *result;
- const char *sid;
+ char *sid;
 struct ldb_dn *dn;
 struct ldb_message_element *element;
 bool inherit;
@@ -443,7 +444,9 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
 mem_ctx = talloc_new(gp_ctx);
 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
- sid = dom_sid_string(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX]);
+ sid = ldap_encode_ndr_dom_sid(mem_ctx,
+ &token->sids[PRIMARY_USER_SID_INDEX]);
+ NT_STATUS_HAVE_NO_MEMORY(sid);
 /* Find the user DN and objectclass via the sid from the security token */
 rv = ldb_search(gp_ctx->ldb_ctx,
diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c
index 029071e2c24..0147c12d9e4 100644
--- a/source4/ntp_signd/ntp_signd.c
+++ b/source4/ntp_signd/ntp_signd.c
@@ -34,6 +34,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "auth/auth.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "../lib/crypto/md5.h"
@@ -164,7 +165,7 @@ static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
 LDB_SCOPE_SUBTREE,
 attrs,
 "(&(objectSid=%s)(objectClass=user))",
- dom_sid_string(mem_ctx, sid));
+ ldap_encode_ndr_dom_sid(mem_ctx, sid));
 if (ret != LDB_SUCCESS) {
 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
 "%s\n",
-- 
2.34.1
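Review bot: The added `NT_STATUS_HAVE_NO_MEMORY(sid);` in gp_list_gpos returns as soon as the encoding fails, but `mem_ctx` was created just above with `talloc_new(gp_ctx)` and is not released on that path. It therefore stays attached to `gp_ctx` until that context itself is freed. Releasing it before returning avoids the leak: `if (sid == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`. The function continues outside the hunk, so other early returns there may need the same treatment.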