From: Andrew Bartlett Date: Thu, 27 Jul 2023 05:18:45 +0000 (+1200) Subject: dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() X-Git-Tag: samba-4.17.11~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9313ebba32b650f31957a8ad6e2b36ac84fba0a3;p=thirdparty%2Fsamba.git dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() This makes more calls to add children, but avoids the cn=system string in the codebase which makes it easier to audit that this is always being built correctly. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224 (cherry picked from commit 5571ce9619d856d3c9545099366f4e0259aee8ef) RN: A second container with name CN=System would disable the operation of the Samba AD DC. Samba now finds the CN=System container by exact DN and not a search. Autobuild-User(v4-17-test): Jule Anger Autobuild-Date(v4-17-test): Tue Aug 1 10:57:31 UTC 2023 on sn-devel-184 --- diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index d9c31e57186..c5be5c03526 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -3305,9 +3305,13 @@ static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *methods, goto out; } - msg->dn = ldb_dn_copy(tmp_ctx, base_dn); + msg->dn = samdb_system_container_dn(state->ldb, tmp_ctx); + if (msg->dn == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } - ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s,cn=System", td->domain_name); + ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name); if (!ok) { status = NT_STATUS_NO_MEMORY; goto out; 
@@ -3532,13 +3536,13 @@ static NTSTATUS pdb_samba_dsdb_del_trusted_domain(struct pdb_methods *methods, return NT_STATUS_OK; } - tdo_dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->ldb)); + tdo_dn = samdb_system_container_dn(state->ldb, tmp_ctx); if (tdo_dn == NULL) { status = NT_STATUS_NO_MEMORY; goto out; } - ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s,cn=System", domain); + ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain); if (!ok) { TALLOC_FREE(tmp_ctx); status = NT_STATUS_NO_MEMORY;
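Review bot: in the pdb_samba_dsdb_set_trusted_domain hunk (the first @@ -3305 region), the `base_dn` variable is no longer consumed by this code path once `ldb_dn_copy(tmp_ctx, base_dn)` is replaced by `samdb_system_container_dn(state->ldb, tmp_ctx)`; if `base_dn` was only looked up for this copy, the lookup should be dropped too so the function does not carry an unused variable. The new `if (msg->dn == NULL)` check is the right shape and matches the existing `if (!ok)` branch directly below it (`status = NT_STATUS_NO_MEMORY; goto out;`). One thing to confirm outside the visible lines: the trusted-domain name is still interpolated into a DN via `ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name)`, so now that the CN=System anchor is built by exact DN, this format call is the one remaining place where the value of `td->domain_name` shapes the resulting DN; a short comment stating where that name is validated or escaped before it reaches this point would make the audit intent of the commit message ("easier to audit that this is always being built correctly") easier to verify.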
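Review bot: in the pdb_samba_dsdb_del_trusted_domain hunk, the two error branches around the changed lines are inconsistent: the `if (tdo_dn == NULL)` branch does `status = NT_STATUS_NO_MEMORY; goto out;`, while the `if (!ok)` branch immediately after the changed `ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain)` does `TALLOC_FREE(tmp_ctx);` before setting `status`. Since the new `samdb_system_container_dn()` failure path flows through the first branch, it would be cleaner to make both branches identical (set status, `goto out`, and let the single cleanup at `out` free `tmp_ctx`), or to state in a comment why the second branch frees early. The DN change itself is consistent with the first hunk: the copy of `ldb_get_default_basedn()` plus the `"cn=%s,cn=System"` suffix is replaced by the exact system-container DN plus `"cn=%s"`, which is what the release note describes (CN=System found by exact DN rather than by search).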