Imported Upstream version 4.0.3+dfsg1
[abartlet/samba-debian.git] / source4 / dsdb / common / util_groups.c
index b5aecbafe916fe81f5659e7c64dba04a77715cb3..6a96ce89d1ad47f843c732d232ddab6f577dbdef 100644 (file)
@@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
                                  filter);
        }
 
+       /*
+        * We have the problem with the caller creating a <SID=S-....>
+        * DN for ForeignSecurityPrincipals as they also have
+        * duplicate objects with the SAME SID under CN=Configuration.
+        * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
+        * and on Windows.  So, we allow this to fail, and
+        * double-check if we can find it with a search in the main
+        * domain partition.
+        */
+       if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
+               char *sid_string = dom_sid_string(tmp_ctx,
+                                                 &sid);
+               if (!sid_string) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_OK;
+               }
+
+               ret = dsdb_search(sam_ctx, tmp_ctx, &res,
+                                 ldb_get_default_basedn(sam_ctx),
+                                 LDB_SCOPE_SUBTREE,
+                                 attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
+                                 "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
+                                 sid_string);
+       }
+
        if (ret == LDB_ERR_NO_SUCH_OBJECT) {
                talloc_free(tmp_ctx);
                return NT_STATUS_OK;
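Review bot: In the new fallback branch, a NULL return from `dom_sid_string(tmp_ctx, &sid)` is reported as success, because the `if (!sid_string)` path frees `tmp_ctx` and returns `NT_STATUS_OK`. A NULL here most likely means an allocation failure, so the caller would see a successful expansion with this SID's memberships silently missing. Since the result feeds group expansion for authorization, the branch should fail closed with `return NT_STATUS_NO_MEMORY;` instead. The comment above the branch could also say that `only_childs` gates the retry and that the filter value is a locally formatted SID string, not caller-supplied text. The rest of `dsdb_expand_nested_groups` is outside this hunk, so how other error codes or multiple matches from the second `dsdb_search` are handled cannot be confirmed from here.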