r9930: Use a single samdb_base_dn() function rather than lots of silly

searches all over the place.

This can be extended to cover an NT4 (no ADS) mode in future as well.

Andrew Bartlett
(This used to be commit 0761b22f99a128bd9634a191adc88b0e30982a3a)

source4/dsdb/samdb/samdb.c

@@ -969,3 +969,37 @@ struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ct
 
 	return sd;
 }
+
+struct ldb_dn *samdb_base_dn(TALLOC_CTX *mem_ctx) 
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	int server_role = lp_server_role();
+	const char **split_realm;
+	struct ldb_dn *dn;
+	
+	if (!tmp_ctx) {
+		return NULL;
+	}
+
+	if ((server_role == ROLE_DOMAIN_PDC)
+	    || (server_role == ROLE_DOMAIN_BDC)) {
+		int i;
+		split_realm = str_list_make(tmp_ctx, lp_realm(), ".");
+		if (!split_realm) {
+			talloc_free(tmp_ctx);
+			return NULL;
+		}
+		dn = NULL;
+		i = str_list_length(split_realm);
+		i--;
+		for (; i >= 0; i--) {
+			dn = ldb_dn_build_child(tmp_ctx, "dc", split_realm[i], dn);
+			if (!dn) {
+				talloc_free(tmp_ctx);
+				return NULL;
+			}
+		}
+		return dn;
+	}
+	return ldb_dn_string_compose(mem_ctx, NULL, "cn=%s", lp_netbios_name());
+}

source4/rpc_server/lsa/dcesrv_lsa.c

@@ -240,9 +240,15 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
+	/* work out the domain_dn - useful for so many calls its worth
+	   fetching here */
+	state->domain_dn = samdb_base_dn(state);
+	if (!state->domain_dn) {
+		return NT_STATUS_NO_MEMORY;		
+	}
+
 	ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
-				  "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
-				  lp_workgroup());
+				  "(&(objectclass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, state->domain_dn));
 	
 	if (ret_domain == -1) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -252,16 +258,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	/* work out the domain_dn - useful for so many calls its worth
-	   fetching here */
-	state->domain_dn = samdb_result_dn(state, msgs_domain[0], "nCName", NULL);
-	if (!state->domain_dn) {
-		return NT_STATUS_NO_SUCH_DOMAIN;		
-	}
-
 	/* work out the builtin_dn - useful for so many calls its worth
 	   fetching here */
-	state->builtin_dn = samdb_search_dn(state->sam_ldb, mem_ctx, NULL, "objectClass=builtinDomain");
+	state->builtin_dn = samdb_search_dn(state->sam_ldb, mem_ctx, state->domain_dn, "(objectClass=builtinDomain)");
 	if (!state->builtin_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
@@ -1062,9 +1061,9 @@ static NTSTATUS lsa_authority_list(struct lsa_policy_state *state, TALLOC_CTX *m
 	}
 
 	domains->domains = talloc_realloc(domains, 
-					    domains->domains,
-					    struct lsa_TrustInformation,
-					    domains->count+1);
+					  domains->domains,
+					  struct lsa_TrustInformation,
+					  domains->count+1);
 	if (domains->domains == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1301,9 +1300,9 @@ static NTSTATUS lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 	}
 	
 	/* check it really exists */
-	astate->account_dn = samdb_search_string(state->sam_ldb, astate,
-						 NULL, "(&(objectSid=%s)(objectClass=group))", 
-						 ldap_encode_ndr_dom_sid(mem_ctx, astate->account_sid));
+	astate->account_dn = samdb_search_dn(state->sam_ldb, astate,
+					     NULL, "(&(objectSid=%s)(objectClass=group))", 
+					     ldap_encode_ndr_dom_sid(mem_ctx, astate->account_sid));
 	if (astate->account_dn == NULL) {
 		talloc_free(astate);
 		return NT_STATUS_NO_SUCH_USER;
@@ -1446,7 +1445,6 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
 	struct ldb_message *msg;
 	struct ldb_message_element el;
 	int i, ret;
-	const char *dn;
 	struct lsa_EnumAccountRights r2;
 
 	sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
@@ -1459,14 +1457,9 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	dn = samdb_search_dn(state->sam_ldb, mem_ctx, NULL, "objectSid=%s", sidstr);
-	if (dn == NULL) {
-		return NT_STATUS_NO_SUCH_USER;
-	}
-
-	msg->dn = ldb_dn_explode(mem_ctx, dn);
+	msg->dn = samdb_search_dn(state->sam_ldb, mem_ctx, NULL, "objectSid=%s", sidstr);
 	if (msg->dn == NULL) {
-		return NT_STATUS_NO_MEMORY;
+		return NT_STATUS_NO_SUCH_USER;
 	}
 
 	if (ldb_msg_add_empty(state->sam_ldb, msg, "privilege", ldb_flag)) {

source4/rpc_server/samr/dcesrv_samr.c

@@ -192,7 +192,7 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX
 		
 		ret = gendb_search_dn(c_state->sam_ctx, mem_ctx, 
 				      samdb_result_dn(mem_ctx,
-					ref_msgs[0], "ncName", NULL), 
+						      ref_msgs[0], "ncName", NULL), 
 				      &dom_msgs, dom_attrs);
 	}
 
@@ -319,34 +319,27 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 
 	ret = gendb_search(c_state->sam_ctx,
 			   mem_ctx, NULL, &dom_msgs, dom_attrs,
-			   "(&(objectSid=%s)(&(objectclass=domain)(!(objectClass=builtinDomain))))",
+			   "(&(objectSid=%s)(&(objectclass=domain)))",
 			   ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
-	if (ret == -1) {
+	if (ret != 1) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	} else if (ret == 0) {
-		ret = gendb_search(c_state->sam_ctx,
-				   mem_ctx, NULL, &dom_msgs, dom_attrs,
-				   "(&(objectSid=%s)(objectClass=builtinDomain))", 
-				   ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
-		if (ret != 1) {
-			return NT_STATUS_NO_SUCH_DOMAIN;
-		}
-
-		domain_name = ldb_msg_find_string(dom_msgs[0], "cn", NULL);
-		if (domain_name == NULL) {
-			return NT_STATUS_NO_SUCH_DOMAIN;
-		}
 	} else {
 		ret = gendb_search(c_state->sam_ctx,
 				   mem_ctx, NULL, &ref_msgs, ref_attrs,
 				   "(&(&(nETBIOSName=*)(objectclass=crossRef))(ncName=%s))", 
 				   ldb_dn_linearize(mem_ctx, dom_msgs[0]->dn));
-		if (ret != 1) {
-			return NT_STATUS_NO_SUCH_DOMAIN;
-		}
+		if (ret == 0) {
+			domain_name = ldb_msg_find_string(dom_msgs[0], "cn", NULL);
+			if (domain_name == NULL) {
+				return NT_STATUS_NO_SUCH_DOMAIN;
+			}
+		} else if (ret == 1) {
 		
-		domain_name = ldb_msg_find_string(ref_msgs[0], "nETBIOSName", NULL);
-		if (domain_name == NULL) {
+			domain_name = ldb_msg_find_string(ref_msgs[0], "nETBIOSName", NULL);
+			if (domain_name == NULL) {
+				return NT_STATUS_NO_SUCH_DOMAIN;
+			}
+		} else {
 			return NT_STATUS_NO_SUCH_DOMAIN;
 		}
 	}
@@ -1769,7 +1762,7 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO
   samr_QueryGroupMember 
 */
 static NTSTATUS samr_QueryGroupMember(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-		       struct samr_QueryGroupMember *r)
+				      struct samr_QueryGroupMember *r)
 {
 	struct dcesrv_handle *h;
 	struct samr_account_state *a_state;
@@ -3317,9 +3310,9 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
-	ret = gendb_search(sam_ctx, 
-			   mem_ctx, NULL, &msgs, attrs, 
-			   "(&(!(objectClass=builtinDomain))(objectclass=domain))");
+	/* The domain name in this call is ignored */
+	ret = gendb_search_dn(sam_ctx, 
+			   mem_ctx, samdb_base_dn(mem_ctx), &msgs, attrs);
 	if (ret <= 0) {
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}