diff options
| author | Andrew Tridgell <tridge@samba.org> | 2011-09-29 05:23:38 +1000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2011-10-04 15:08:57 +1100 |
| commit | aee896ad98edf80a62e586beabffeea02e004585 (patch) | |
| tree | b954a7a4622569c98f9abf986207e6f05eb5452f /source4/kdc/db-glue.c | |
| parent | 5717da34b92cfb9385d9275df5b48c70254ce78f (diff) | |
| download | samba-aee896ad98edf80a62e586beabffeea02e004585.tar.gz samba-aee896ad98edf80a62e586beabffeea02e004585.tar.bz2 samba-aee896ad98edf80a62e586beabffeea02e004585.zip | |
s4-kdc: don't look at global catalog NCs in the kdc
the kdc should not be looking for users in GC partial replicas, as
these users do not have all of the attributes needed for the KDC to
operate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc/db-glue.c')
| -rw-r--r-- | source4/kdc/db-glue.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 2ed32192f8..6d13584694 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1042,9 +1042,11 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c return ret; } - lret = ldb_search(ldb_ctx, mem_ctx, &res, - ldb_get_default_basedn(ldb_ctx), - LDB_SCOPE_SUBTREE, attrs, "%s", filter); + lret = dsdb_search(ldb_ctx, mem_ctx, &res, + ldb_get_default_basedn(ldb_ctx), + LDB_SCOPE_SUBTREE, attrs, + DSDB_SEARCH_NO_GLOBAL_CATALOG, + "%s", filter); if (lret != LDB_SUCCESS) { DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx))); return HDB_ERR_NOENTRY; @@ -1149,7 +1151,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) { lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE, - krbtgt_attrs, 0, + krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG, "(objectClass=user)"); } else { /* We need to look up an RODC krbtgt (perhaps @@ -1158,7 +1160,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, &msg, realm_dn, LDB_SCOPE_SUBTREE, krbtgt_attrs, - DSDB_SEARCH_SHOW_EXTENDED_DN, + DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG, "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number)); } @@ -1517,9 +1519,10 @@ krb5_error_code samba_kdc_firstkey(krb5_context context, return ret; } - lret = ldb_search(ldb_ctx, priv, &res, - priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs, - "(objectClass=user)"); + lret = dsdb_search(ldb_ctx, priv, &res, + priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs, + DSDB_SEARCH_NO_GLOBAL_CATALOG, + "(objectClass=user)"); if (lret != LDB_SUCCESS) { TALLOC_FREE(priv); @@ -1873,7 +1876,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx, &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE, secondary_keytab, - 0, + DSDB_SEARCH_NO_GLOBAL_CATALOG, "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))"); if (ldb_ret != LDB_SUCCESS) { DEBUG(1, ("hdb_samba4_create: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n", @@ -1900,7 +1903,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte ldb_get_default_basedn(kdc_db_ctx->samdb), LDB_SCOPE_SUBTREE, krbtgt_attrs, - 0, + DSDB_SEARCH_NO_GLOBAL_CATALOG, "(&(objectClass=user)(samAccountName=krbtgt))"); if (ldb_ret != LDB_SUCCESS) { |