s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for LDAP filters

This makes also lookups through special backends as "samba3sam" work.

source4/dsdb/common/util.c

@@ -2560,7 +2560,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
 	int ret;
 	struct ldb_result *res;
 	const char *attrs[] = { NULL };
-	char *sid_str = dom_sid_string(mem_ctx, sid);
+	char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
 
 	if (!sid_str) {
 		return ldb_operr(ldb);

source4/dsdb/samdb/ldb_modules/samldb.c

@@ -276,8 +276,8 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
 
-	prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
+	prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
-					dom_sid_string(ac, sid));
+					ldap_encode_ndr_dom_sid(ac, sid));
 	if (prim_group_dn == NULL) {
 		ldb_asprintf_errstring(ldb,
 				       "Failed to find primary group with RID %u!",
@@ -929,8 +929,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
 
-	prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
+	prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
-					     dom_sid_string(ac, sid));
+					     ldap_encode_ndr_dom_sid(ac, sid));
 	if (prev_prim_group_dn == NULL) {
 		return ldb_operr(ldb);
 	}
@@ -948,8 +948,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
 
-	new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
+	new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
-					    dom_sid_string(ac, sid));
+					    ldap_encode_ndr_dom_sid(ac, sid));
 	if (new_prim_group_dn == NULL) {
 		/* Here we know if the specified new primary group candidate is
 		 * valid or not. */
@@ -1041,8 +1041,8 @@ static int samldb_member_check(struct samldb_ctx *ac)
 			return ldb_operr(ldb);
 		}
 
-		group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
+		group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
-					   dom_sid_string(ac, sid));
+					   ldap_encode_ndr_dom_sid(ac, sid));
 		if (group_dn == NULL) {
 			return ldb_operr(ldb);
 		}

source4/lib/policy/gp_ldap.c

@@ -28,6 +28,7 @@
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../libcli/security/dom_sid.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "../lib/talloc/talloc.h"
 #include "lib/policy/policy.h"
 
@@ -425,7 +426,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
 	TALLOC_CTX *mem_ctx;
 	const char **gpos;
 	struct ldb_result *result;
-	const char *sid;
+	char *sid;
 	struct ldb_dn *dn;
 	struct ldb_message_element *element;
 	bool inherit;
@@ -443,7 +444,9 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
 	mem_ctx = talloc_new(gp_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 
-	sid = dom_sid_string(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX]);
+	sid = ldap_encode_ndr_dom_sid(mem_ctx,
+				      &token->sids[PRIMARY_USER_SID_INDEX]);
+	NT_STATUS_HAVE_NO_MEMORY(sid);
 
 	/* Find the user DN and objectclass via the sid from the security token */
 	rv = ldb_search(gp_ctx->ldb_ctx,

source4/ntp_signd/ntp_signd.c

@@ -34,6 +34,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "auth/auth.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "../lib/crypto/md5.h"
@@ -164,7 +165,7 @@ static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
 				 LDB_SCOPE_SUBTREE,
 				 attrs,
 				 "(&(objectSid=%s)(objectClass=user))",
-				 dom_sid_string(mem_ctx, sid));
+				 ldap_encode_ndr_dom_sid(mem_ctx, sid));
 	if (ret != LDB_SUCCESS) {
 		DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
 			  "%s\n",