dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()

This makes more calls to add children, but avoids the cn=system string in the
codebase which makes it easier to audit that this is always being built
correctly.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224

(cherry picked from commit 5571ce9619d856d3c9545099366f4e0259aee8ef)

RN: A second container with name CN=System would disable the operation
 of the Samba AD DC.  Samba now finds the CN=System container by exact
 DN and not a search.

Autobuild-User(v4-17-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-17-test): Tue Aug  1 10:57:31 UTC 2023 on sn-devel-184

source3/passdb/pdb_samba_dsdb.c

@@ -3305,9 +3305,13 @@ static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *methods,
 		goto out;
 	}
 
-	msg->dn = ldb_dn_copy(tmp_ctx, base_dn);
+	msg->dn = samdb_system_container_dn(state->ldb, tmp_ctx);
+	if (msg->dn == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto out;
+	}
 
-	ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s,cn=System", td->domain_name);
+	ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name);
 	if (!ok) {
 		status = NT_STATUS_NO_MEMORY;
 		goto out;
@@ -3532,13 +3536,13 @@ static NTSTATUS pdb_samba_dsdb_del_trusted_domain(struct pdb_methods *methods,
 		return NT_STATUS_OK;
 	}
 
-	tdo_dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->ldb));
+	tdo_dn = samdb_system_container_dn(state->ldb, tmp_ctx);
 	if (tdo_dn == NULL) {
 		status = NT_STATUS_NO_MEMORY;
 		goto out;
 	}
 
-	ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s,cn=System", domain);
+	ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain);
 	if (!ok) {
 		TALLOC_FREE(tmp_ctx);
 		status = NT_STATUS_NO_MEMORY;