s4-sam: don't look in GC NCs for user accounts
authorAndrew Tridgell <tridge@samba.org>
Thu, 29 Sep 2011 07:43:25 +0000 (17:43 +1000)
committerAndrew Tridgell <tridge@samba.org>
Tue, 4 Oct 2011 04:08:57 +0000 (15:08 +1100)
We need to exclude GC partial replica naming contexts from SAM lookups

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/auth/sam.c

index 24a40fc2927d22131050cac90fb7768cccb70308..767e44c45ddc2ccc0776b48652ff2c250d3ec0c7 100644 (file)
@@ -493,7 +493,9 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
        
        /* pull the user attributes */
        ret = dsdb_search_one(sam_ctx, tmp_ctx, msg, user_dn,
-                             LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+                             LDB_SCOPE_BASE, attrs,
+                             DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+                             "(objectClass=*)");
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
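Review bot: Every failure of the `dsdb_search_one()` call in `sam_get_results_principal` still returns `NT_STATUS_INTERNAL_DB_CORRUPTION`, and with `DSDB_SEARCH_NO_GLOBAL_CATALOG` set a DN that exists only in a GC partial replica will presumably now fail with `LDB_ERR_NO_SUCH_OBJECT`. The second hunk already maps that result to `NT_STATUS_NO_SUCH_USER`, so the same guard belongs here ahead of the generic check: `if (ret == LDB_ERR_NO_SUCH_OBJECT) { talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_USER; }`. Otherwise an expected miss is reported as database corruption, which is misleading when triaging authentication failures. The function body starts and ends outside the hunk, so how `user_dn` is resolved before this call is not visible.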
@@ -540,7 +542,9 @@ NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
                int ret;
                /* pull the user attributes */
                ret = dsdb_search_one(sam_ctx, tmp_ctx, &msg, user_dn,
-                                     LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+                                     LDB_SCOPE_BASE, user_attrs,
+                                     DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+                                     "(objectClass=*)");
                if (ret == LDB_ERR_NO_SUCH_OBJECT) {
                        talloc_free(tmp_ctx);
                        return NT_STATUS_NO_SUCH_USER;
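Review bot: The comment above this call (and the identical one in the first hunk) still reads only `/* pull the user attributes */`, so the reason for `DSDB_SEARCH_NO_GLOBAL_CATALOG` lives only in the commit message. Since the flag decides which naming contexts may answer an account lookup, I would record it at both call sites, for example `/* pull the user attributes; GC partial replica NCs are excluded from SAM lookups */`. A later edit to the flags argument is then less likely to drop the restriction unnoticed. The enclosing block continues past the end of the hunk, so the handling of other `ret` values is not visible.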