auth: Split out fetching trusted domain into sam_get_results_trust()
[amitay/samba.git] / source4 / auth / sam.c
index f7bc6939dd71febd70fe0d456c238e94f190dc78..6e9e63b4d461a92081b198187e0cc7a5e4c99946 100644 (file)
@@ -560,6 +560,80 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
        return NT_STATUS_OK;
 }
 
+NTSTATUS sam_get_results_trust(struct ldb_context *sam_ctx,
+                              TALLOC_CTX *mem_ctx, const char *domain,
+                              const char *realm, const char * const *attrs,
+                              struct ldb_message **msg)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       int lret;
+       struct ldb_dn *system_dn;
+       char *filter;
+       struct ldb_result *res = NULL;
+       char *domain_encoded;
+
+       system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx));
+       if (system_dn == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       domain_encoded = ldb_binary_encode_string(mem_ctx, domain);
+       if (!domain_encoded) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+       if (realm == NULL) {
+               filter = talloc_asprintf(mem_ctx,
+                               "(&(objectClass=trustedDomain)(flatname=%s))",
+                               domain_encoded);
+               if (!filter) {
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_NO_MEMORY;
+               }
+       } else {
+               char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
+               if (!realm_encoded) {
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               filter = talloc_asprintf(mem_ctx,
+                               "(&(objectClass=trustedDomain)"
+                                 "(|(trustPartner=%s)(flatname=%s))"
+                               ")",
+                               realm_encoded, domain_encoded);
+               if (!filter) {
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_NO_MEMORY;
+               }
+       }
+
+       lret = dsdb_search(sam_ctx, frame, &res,
+                          system_dn,
+                          LDB_SCOPE_ONELEVEL, attrs,
+                          DSDB_SEARCH_NO_GLOBAL_CATALOG|DSDB_SEARCH_ONE_ONLY,
+                          "%s", filter);
+       if (lret == LDB_ERR_NO_SUCH_OBJECT) {
+               DEBUG(3, ("Failed to find result for %s: %s\n", filter, ldb_errstring(sam_ctx)));
+               TALLOC_FREE(frame);
+               return NT_STATUS_NOT_FOUND;
+       } else if (lret != LDB_SUCCESS) {
+               DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(sam_ctx)));
+               TALLOC_FREE(frame);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+       talloc_steal(mem_ctx, res->msgs);
+       *msg = res->msgs[0];
+       TALLOC_FREE(frame);
+       return NT_STATUS_OK;
+}
+
 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
 
  Supply either a principal or a DN
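Review bot: The temporaries domain_encoded, realm_encoded and both filter strings are allocated on the caller's mem_ctx rather than on the local frame, so they stay attached to the caller's context after sam_get_results_trust() returns even though only *msg is meant to be handed back; allocate them on frame instead (e.g. `domain_encoded = ldb_binary_encode_string(frame, domain);`, and likewise for realm_encoded and the two talloc_asprintf() calls) so that TALLOC_FREE(frame) reclaims them on every exit path. The `*msg = res->msgs[0]` dereference appears to rely on DSDB_SEARCH_ONE_ONLY mapping an empty result to LDB_ERR_NO_SUCH_OBJECT, which is plausible but not checked in this function; an explicit `if (res->count != 1) { TALLOC_FREE(frame); return NT_STATUS_INTERNAL_DB_CORRUPTION; }` before the steal would make the contract visible. The new public function carries no header comment; add one stating that realm may be NULL (flatname-only match), that the search is confined to CN=System under the default base DN, that both inputs are ldb_binary_encode_string()-escaped before entering the filter, and that the returned *msg is talloc-stolen onto mem_ctx so the caller owns it.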