s4-dsdb: Require that the NTDS object is an nTDSDSA objectclass

This should avoid a user being able to specify the GUID of a different
type of object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

source4/dsdb/common/util.c

@@ -3574,7 +3574,7 @@ int samdb_get_ntds_obj_by_guid(TALLOC_CTX *mem_ctx,
 			  LDB_SCOPE_SUBTREE,
 			  attrs,
 			  DSDB_SEARCH_ONE_ONLY,
-			  "objectGUID=%s",
+			  "(&(objectGUID=%s)(objectClass=nTDSDSA))",
 			  guid_str);
 	if (ret != LDB_SUCCESS) {
 		return ret;