s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for LDAP...
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 13 Sep 2010 20:41:06 +0000 (22:41 +0200)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 13 Sep 2010 20:41:06 +0000 (22:41 +0200)
This also makes lookups through special backends such as "samba3sam" work.

source4/dsdb/common/util.c
source4/dsdb/samdb/ldb_modules/samldb.c
source4/lib/policy/gp_ldap.c
source4/ntp_signd/ntp_signd.c

index d52590cd663e82c4b1a195d2f9dba801984a3ba2..0e371082bea99f473b392b5f7f7c52a982f33a79 100644 (file)
@@ -2560,7 +2560,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
        int ret;
        struct ldb_result *res;
        const char *attrs[] = { NULL };
-       char *sid_str = dom_sid_string(mem_ctx, sid);
+       char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
 
        if (!sid_str) {
                return ldb_operr(ldb);
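Review bot: The local in dsdb_find_dn_by_sid is still called `sid_str`, but after this change it holds the NDR-encoded SID escaped for an LDAP filter, not the "S-1-..." string. The rest of the function is outside the hunk, so any later use of `sid_str` in an error or debug message should be checked, since it would now print the escaped binary form. Renaming it (for example `sid_filter`) or adding a comment such as `/* binary SID escaped for use in a search filter, not the S-1-... form */` would make the contract clear to the next reader.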
index acf796f20fe62eac06b02b36164996711ca2d37e..dca6ece9eefb283fabde04c183d77ef707ff56ac 100644 (file)
@@ -276,8 +276,8 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
                return ldb_operr(ldb);
        }
 
-       prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                       dom_sid_string(ac, sid));
+       prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                       ldap_encode_ndr_dom_sid(ac, sid));
        if (prim_group_dn == NULL) {
                ldb_asprintf_errstring(ldb,
                                       "Failed to find primary group with RID %u!",
@@ -929,8 +929,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
                return ldb_operr(ldb);
        }
 
-       prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                            dom_sid_string(ac, sid));
+       prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                            ldap_encode_ndr_dom_sid(ac, sid));
        if (prev_prim_group_dn == NULL) {
                return ldb_operr(ldb);
        }
@@ -948,8 +948,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
                return ldb_operr(ldb);
        }
 
-       new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                           dom_sid_string(ac, sid));
+       new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                           ldap_encode_ndr_dom_sid(ac, sid));
        if (new_prim_group_dn == NULL) {
                /* Here we know if the specified new primary group candidate is
                 * valid or not. */
@@ -1041,8 +1041,8 @@ static int samldb_member_check(struct samldb_ctx *ac)
                        return ldb_operr(ldb);
                }
 
-               group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                          dom_sid_string(ac, sid));
+               group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                          ldap_encode_ndr_dom_sid(ac, sid));
                if (group_dn == NULL) {
                        return ldb_operr(ldb);
                }
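Review bot: The result of `ldap_encode_ndr_dom_sid(ac, sid)` goes straight into the `%s` of the filter in samldb_check_primaryGroupID without a NULL check. An allocation failure therefore hands NULL to the format and at best surfaces as "Failed to find primary group" rather than an out-of-memory error. The same unchecked call is in both samldb_prim_group_change hunks, in samldb_member_check, and in ntp_signd_process in source4/ntp_signd/ntp_signd.c, whereas dsdb_find_dn_by_sid and gp_list_gpos in this commit do check the result. I would encode into a local first, `char *sid_enc = ldap_encode_ndr_dom_sid(ac, sid);` followed by `if (sid_enc == NULL) return ldb_oom(ldb);`, and pass `sid_enc` to the search (with an NTSTATUS return in ntp_signd_process). All of these functions begin and end outside their hunks.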
index 87fde9dbd78f4d22c6c129f0308954d44bf5f93e..d612cf87699e07fbd8ac71bf52fc6ef5a0d54e10 100644 (file)
@@ -28,6 +28,7 @@
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../libcli/security/dom_sid.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "../lib/talloc/talloc.h"
 #include "lib/policy/policy.h"
 
@@ -425,7 +426,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
        TALLOC_CTX *mem_ctx;
        const char **gpos;
        struct ldb_result *result;
-       const char *sid;
+       char *sid;
        struct ldb_dn *dn;
        struct ldb_message_element *element;
        bool inherit;
@@ -443,7 +444,9 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
        mem_ctx = talloc_new(gp_ctx);
        NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 
-       sid = dom_sid_string(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX]);
+       sid = ldap_encode_ndr_dom_sid(mem_ctx,
+                                     &token->sids[PRIMARY_USER_SID_INDEX]);
+       NT_STATUS_HAVE_NO_MEMORY(sid);
 
        /* Find the user DN and objectclass via the sid from the security token */
        rv = ldb_search(gp_ctx->ldb_ctx,
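Review bot: The added `NT_STATUS_HAVE_NO_MEMORY(sid);` in gp_list_gpos returns immediately, but `mem_ctx` was created by `talloc_new(gp_ctx)` just above and is not released on that path. The temporary context then stays attached to `gp_ctx` until the parent itself is freed. An explicit check would avoid that: `if (sid == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`. The function continues past the end of the hunk, so the other exit paths are not visible here.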
index 029071e2c24afdb20175ce2f75f65b855d36f57a..0147c12d9e4f83073799574789b325a59f5ff413 100644 (file)
@@ -34,6 +34,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "auth/auth.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "../lib/crypto/md5.h"
@@ -164,7 +165,7 @@ static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
                                 LDB_SCOPE_SUBTREE,
                                 attrs,
                                 "(&(objectSid=%s)(objectClass=user))",
-                                dom_sid_string(mem_ctx, sid));
+                                ldap_encode_ndr_dom_sid(mem_ctx, sid));
        if (ret != LDB_SUCCESS) {
                DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
                          "%s\n",