From: Andrew Bartlett
Date: Thu, 27 Jul 2023 05:18:45 +0000 (+1200)
Subject: dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()
X-Git-Tag: samba-4.19.0rc2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68db9b7390bab3f94cb8a81af57186f4602c8df9;p=thirdparty%2Fsamba.git

dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()

This makes more calls to add children, but avoids the cn=system string in the codebase which makes it easier to audit that this is always being built correctly.

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224

(cherry picked from commit 5571ce9619d856d3c9545099366f4e0259aee8ef)

RN: A second container with name CN=System would disable the operation of the Samba AD DC. Samba now finds the CN=System container by exact DN and not a search.

Autobuild-User(v4-19-test): Jule Anger
Autobuild-Date(v4-19-test): Tue Aug 1 12:12:30 UTC 2023 on atb-devel-224
---

diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 8ed5799ac89..dee40bf2175 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -3317,9 +3317,13 @@ static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *methods, goto out; } - msg->dn = ldb_dn_copy(tmp_ctx, base_dn); + msg->dn = samdb_system_container_dn(state->ldb, tmp_ctx); + if (msg->dn == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } - ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s,cn=System", td->domain_name); + ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name); if (!ok) { status = NT_STATUS_NO_MEMORY; goto out; 
@@ -3544,13 +3548,13 @@ static NTSTATUS pdb_samba_dsdb_del_trusted_domain(struct pdb_methods *methods, return NT_STATUS_OK; } - tdo_dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->ldb)); + tdo_dn = samdb_system_container_dn(state->ldb, tmp_ctx); if (tdo_dn == NULL) { status = NT_STATUS_NO_MEMORY; goto out; } - ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s,cn=System", domain); + ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain); if (!ok) { TALLOC_FREE(tmp_ctx); status = NT_STATUS_NO_MEMORY;
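Review bot: In pdb_samba_dsdb_set_trusted_domain(), td->domain_name is still formatted straight into a DN string by `ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name)`, so a name carrying DN special characters such as a comma would not yield a single RDN directly under the system container. Since the point of the change is to make the resulting DN easy to audit, consider validating or escaping the name before it is formatted, or adding the child from an RDN name and value rather than from a formatted string. Separately, `base_dn` is no longer used at this site; if this was its only use in the function, the variable and its assignment can be dropped.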
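Review bot: In pdb_samba_dsdb_del_trusted_domain(), the two error paths around the new `tdo_dn` assignment clean up differently: the `tdo_dn == NULL` branch only sets the status and does `goto out`, while the `if (!ok)` branch after `ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain)` calls `TALLOC_FREE(tmp_ctx)` first and then jumps to the same label. Pick one convention for both branches, preferably leaving the free to `out`, so the ownership of tmp_ctx is obvious when reading the function. The same unescaped "cn=%s" formatting of the caller-supplied `domain` applies here as in the set path and deserves the same validation.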