From 80be6993c9d21c91ce8b3d9941b93a7f1c6ba579 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 15 Aug 2014 15:00:25 +1200 Subject: [PATCH] auth: Split out fetching trusted domain into sam_get_results_trust() This new helper function will also be used by pdb_samba_dsdb. Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7 Pair-programmed-with: Garming Sam Signed-off-by: Garming Sam Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- source4/auth/sam.c | 74 +++++++++++++++++++++++++++++++++++++++++++ source4/kdc/db-glue.c | 52 +++++++++--------------------- 2 files changed, 89 insertions(+), 37 deletions(-)
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f7bc6939dd71..6e9e63b4d461 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -560,6 +560,80 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 return NT_STATUS_OK;
 }
+NTSTATUS sam_get_results_trust(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx, const char *domain,
+ const char *realm, const char * const *attrs,
+ struct ldb_message **msg)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ int lret;
+ struct ldb_dn *system_dn;
+ char *filter;
+ struct ldb_result *res = NULL;
+ char *domain_encoded;
+
+ system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx));
+ if (system_dn == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain_encoded = ldb_binary_encode_string(mem_ctx, domain);
+ if (!domain_encoded) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (realm == NULL) {
+ filter = talloc_asprintf(mem_ctx,
+ "(&(objectClass=trustedDomain)(flatname=%s))",
+ domain_encoded);
+ if (!filter) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
+ if (!realm_encoded) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ filter = talloc_asprintf(mem_ctx,
+ "(&(objectClass=trustedDomain)"
+ "(|(trustPartner=%s)(flatname=%s))"
+ ")",
+ realm_encoded, domain_encoded);
+ if (!filter) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ lret = dsdb_search(sam_ctx, frame, &res,
+ system_dn,
+ LDB_SCOPE_ONELEVEL, attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG|DSDB_SEARCH_ONE_ONLY,
+ "%s", filter);
+ if (lret == LDB_ERR_NO_SUCH_OBJECT) {
+ DEBUG(3, ("Failed to find result for %s: %s\n", filter, ldb_errstring(sam_ctx)));
+ TALLOC_FREE(frame);
+ return NT_STATUS_NOT_FOUND;
+ } else if (lret != LDB_SUCCESS) {
+ DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(sam_ctx)));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ talloc_steal(mem_ctx, res->msgs);
+ *msg = res->msgs[0];
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. Supply either a principal or a DN
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index e64fae956524..b0c3e7a05cca 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
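Review bot: The scratch strings `domain_encoded`, `realm_encoded` and `filter` are allocated on the caller's `mem_ctx` even though the function already owns a `talloc_stackframe()` in `frame` for temporaries, so they outlive the search and pile up on `mem_ctx` on every call, success path included. Allocating them on the frame instead — e.g. `domain_encoded = ldb_binary_encode_string(frame, domain);`, and likewise `frame` for `realm_encoded` and both `talloc_asprintf` calls — lets the existing `TALLOC_FREE(frame)` reclaim them on every return path, leaving only `res->msgs` to be stolen onto `mem_ctx`. Note also that `domain` is passed to `ldb_binary_encode_string` unconditionally while `realm` is explicitly optional; since this is a new public helper it should carry a header comment stating that contract, the ownership of `*msg` (stolen onto `mem_ctx`), that the search is limited to one level under CN=System, and the status mapping (NT_STATUS_NOT_FOUND when the search reports no such object, NT_STATUS_INTERNAL_DB_CORRUPTION for any other ldb error).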
@@ -1079,47 +1079,25 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c struct ldb_dn *realm_dn, struct ldb_message **pmsg) {
- int lret;
- krb5_error_code ret;
- char *filter = NULL;
+ NTSTATUS status;
 const char * const *attrs = trust_attrs;
- struct ldb_result *res = NULL;
- char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
- if (!realm_encoded) {
- if (!filter) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
- return ret;
- }
- }
- filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))",
- realm_encoded, realm_encoded);
-
- if (!filter) {
- talloc_free(realm_encoded);
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
- return ret;
- }
-
- lret = dsdb_search(ldb_ctx, mem_ctx, &res,
- ldb_get_default_basedn(ldb_ctx),
- LDB_SCOPE_SUBTREE, attrs,
- DSDB_SEARCH_NO_GLOBAL_CATALOG,
- "%s", filter);
- if (lret != LDB_SUCCESS) {
- DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
- return HDB_ERR_NOENTRY;
- } else if (res->count == 0 || res->count > 1) {
- DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
- talloc_free(res);
+ status = sam_get_results_trust(ldb_ctx,
+ mem_ctx, realm, realm, attrs,
+ pmsg);
+ if (NT_STATUS_IS_OK(status)) {
+ return 0;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
 return HDB_ERR_NOENTRY;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ int ret = ENOMEM;
+ krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
+ return ret;
+ } else {
+ int ret = EINVAL;
+ krb5_set_error_message(context, ret, "get_sam_result_trust: %s", nt_errstr(status));
+ return ret;
 }
- talloc_steal(mem_ctx, res->msgs);
- *pmsg = res->msgs[0];
- talloc_free(res);
- return 0;
 }
 static krb5_error_code samba_kdc_lookup_client(krb5_context context,
-- 2.34.1
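Review bot: Both new `krb5_set_error_message` strings name the helper as `get_sam_result_trust`, but the function actually called is `sam_get_results_trust`, so the KDC error text will point at a function that does not exist; use `"sam_get_results_trust: out of memory"` and `"sam_get_results_trust: %s"`. The two `ret` locals are declared `int` while the function returns `krb5_error_code` (the removed declaration used that type); `krb5_error_code ret = ENOMEM;` keeps the error branches consistent with the return type. The final `else` now maps every remaining status, including NT_STATUS_INTERNAL_DB_CORRUPTION, to EINVAL where the removed code returned HDB_ERR_NOENTRY for any search failure — presumably intentional, but a one-line comment such as `/* DB errors are reported as lookup failures, not as "no such entry" */` would record that decision for the next reader. The signature of samba_kdc_lookup_trust begins before the hunk (only `realm_dn` and `pmsg` are visible), and `realm_dn` is not referenced anywhere in the visible body.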