+ }
+
+ /*
+ * First check against our local DB, to see if this user has a
+ * mapping there. This means that the Samba4 AD DC behaves
+ * much like a winbindd member server running idmap_ad
+ */
+
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE, sam_attrs, 0,
+ "(&(objectSid=%s)"
+ "(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u)"
+ "(sAMaccountType=%u)(sAMaccountType=%u))"
+ "(|(uidNumber=*)(gidNumber=*))"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ dom_sid_string(tmp_ctx, sid),
+ ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
+ ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
+
+ if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
+ DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n",
+ dom_sid_string(tmp_ctx, sid)));
+ status = NT_STATUS_NONE_MAPPED;
+ goto failed;
+ } else if (ret == LDB_SUCCESS) {
+ uint32_t account_type = ldb_msg_find_attr_as_uint(sam_msg, "sAMaccountType", 0);
+ if ((account_type == ATYPE_ACCOUNT) || (account_type == ATYPE_WORKSTATION_TRUST ) || (account_type == ATYPE_INTERDOMAIN_TRUST )) {
+ const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg, "uidNumber");
+ if (v) {
+ unixid->type = ID_TYPE_UID;
+ unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "uidNumber", -1);
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ } else if ((account_type == ATYPE_SECURITY_GLOBAL_GROUP) || (account_type == ATYPE_SECURITY_LOCAL_GROUP)) {
+ const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg, "gidNumber");
+ if (v) {
+ unixid->type = ID_TYPE_GID;
+ unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "gidNumber", -1);
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+ }
+ } else if (ret != LDB_ERR_NO_SUCH_OBJECT) {
+ DEBUG(1, ("Search for objectSid=%s gave '%s', failing to map to a SID!\n",
+ dom_sid_string(tmp_ctx, sid), ldb_errstring(idmap_ctx->samdb)));
+
+ status = NT_STATUS_NONE_MAPPED;
+ goto failed;
+ }