r7860: switch our ldb storage format to use a NDR encoded objectSid. This is

quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.

metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)

This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:

 - the ltdb index records need to use the string form of the objectSid
   (to keep the DNs sane). Until that it done I have disabled indexing on
   objectSid, which is a big performance hit, but allows us to pass
   all our tests while I rejig the indexing system to use a externally
   supplied conversion function

 - I haven't yet put in place the code that allows client to use the
   "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
   supports this, presumably by looking for the "S-" prefix to
   determine what type of objectSid form is being used by the client. I
   have been working on ways to handle this, but am not happy with
   them yet so they aren't part of this patch

 - I need to change pidl to generate push functions that take a
   "const void *" instead of a "void*" for the data pointer. That will
   fix the couple of new warnings this code generates.

Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)

1 files changed, 7 insertions, 8 deletions

diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 1ad9087bfe..3318238fda 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -257,7 +257,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 	}
 
 	if (!domain_name) {
-		const char *domain_sid;
+		struct dom_sid *domain_sid;
 
 		domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
 		if (!domain_sid) {
@@ -267,20 +267,20 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 		/* find the domain's DN */
 		ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL,
 				   "(&(objectSid=%s)(objectclass=domain))", 
-				   domain_sid);
+				   ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
 		if (ret == -1) {
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
 		}
 		
 		if (ret == 0) {
 			DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n",
-				 domain_sid));
+				 dom_sid_string(mem_ctx, domain_sid)));
 			return NT_STATUS_NO_SUCH_USER;
 		}
 		
 		if (ret > 1) {
 			DEBUG(0,("Found %d records matching domain_sid [%s]\n", 
-				 ret, domain_sid));
+				 ret, dom_sid_string(mem_ctx, domain_sid)));
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
 		}
 
@@ -400,15 +400,14 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
 
 	/* Need to unroll some nested groups, but not aliases */
 	for (i = 0; i < group_ret; i++) {
-		str = ldb_msg_find_string(group_msgs[i], "objectSid", NULL);
-		groupSIDs[i] = dom_sid_parse_talloc(groupSIDs, str);
+		groupSIDs[i] = samdb_result_dom_sid(groupSIDs, 
+						    group_msgs[i], "objectSid");
 		NT_STATUS_HAVE_NO_MEMORY(groupSIDs[i]);
 	}
 
 	talloc_free(tmp_ctx);
 
-	str = ldb_msg_find_string(msgs[0], "objectSid", NULL);
-	account_sid = dom_sid_parse_talloc(server_info, str);
+	account_sid = samdb_result_dom_sid(server_info, msgs[0], "objectSid");
 	NT_STATUS_HAVE_NO_MEMORY(account_sid);
 
 	primary_group_sid = dom_sid_dup(server_info, account_sid);