From a38854f74b9ab0e54647e1fe28fd85be345766dc Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 13 Jan 2011 12:26:24 +1100
Subject: [PATCH] s4-dsdb: minimise the DN in group expansion

this DN we have came from an extended DN search, which means it may
have multiple extended components. We need to minimise the DN before
AD will accept it

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/common/util_groups.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index 07d761167d02..d41305577c81 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -104,6 +104,11 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 		return status;
 	}
 
+	if (!ldb_dn_minimise(dn)) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
 	if (only_childs) {
 		ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
 				     DSDB_SEARCH_SHOW_EXTENDED_DN);
-- 
2.34.1