summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/kdc/db-glue.c23
-rw-r--r--source4/kdc/kpasswdd.c16
2 files changed, 23 insertions, 16 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2ed32192f8..6d13584694 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1042,9 +1042,11 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
return ret;
}
- lret = ldb_search(ldb_ctx, mem_ctx, &res,
- ldb_get_default_basedn(ldb_ctx),
- LDB_SCOPE_SUBTREE, attrs, "%s", filter);
+ lret = dsdb_search(ldb_ctx, mem_ctx, &res,
+ ldb_get_default_basedn(ldb_ctx),
+ LDB_SCOPE_SUBTREE, attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ "%s", filter);
if (lret != LDB_SUCCESS) {
DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
return HDB_ERR_NOENTRY;
@@ -1149,7 +1151,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
&msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
- krbtgt_attrs, 0,
+ krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(objectClass=user)");
} else {
/* We need to look up an RODC krbtgt (perhaps
@@ -1158,7 +1160,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
&msg, realm_dn, LDB_SCOPE_SUBTREE,
krbtgt_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number));
}
@@ -1517,9 +1519,10 @@ krb5_error_code samba_kdc_firstkey(krb5_context context,
return ret;
}
- lret = ldb_search(ldb_ctx, priv, &res,
- priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
- "(objectClass=user)");
+ lret = dsdb_search(ldb_ctx, priv, &res,
+ priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ "(objectClass=user)");
if (lret != LDB_SUCCESS) {
TALLOC_FREE(priv);
@@ -1873,7 +1876,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
&msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
secondary_keytab,
- 0,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))");
if (ldb_ret != LDB_SUCCESS) {
DEBUG(1, ("hdb_samba4_create: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n",
@@ -1900,7 +1903,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
ldb_get_default_basedn(kdc_db_ctx->samdb),
LDB_SCOPE_SUBTREE,
krbtgt_attrs,
- 0,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(&(objectClass=user)(samAccountName=krbtgt))");
if (ldb_ret != LDB_SUCCESS) {
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 478dcaf573..0763e92498 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -30,6 +30,7 @@
#include "libcli/security/security.h"
#include "param/param.h"
#include "kdc/kdc-glue.h"
+#include "dsdb/common/util.h"
/* Return true if there is a valid error packet formed in the error_blob */
static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
@@ -160,24 +161,27 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
struct samr_Password *oldLmHash, *oldNtHash;
struct ldb_context *samdb;
const char * const attrs[] = { "dBCSPwd", "unicodePwd", NULL };
- struct ldb_message **res;
+ struct ldb_message *msg;
int ret;
/* Fetch the old hashes to get the old password in order to perform
* the password change operation. Naturally it would be much better to
* have a password hash from an authentication around but this doesn't
* seem to be the case here. */
- ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
- "(&(objectClass=user)(sAMAccountName=%s))",
- session_info->info->account_name);
- if (ret != 1) {
+ ret = dsdb_search_one(kdc->samdb, mem_ctx, &msg, ldb_get_default_basedn(kdc->samdb),
+ LDB_SCOPE_SUBTREE,
+ attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ "(&(objectClass=user)(sAMAccountName=%s))",
+ session_info->info->account_name);
+ if (ret != LDB_SUCCESS) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
"No such user when changing password",
reply);
}
- status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, res[0],
+ status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg,
&oldLmHash, &oldNtHash);
if (!NT_STATUS_IS_OK(status)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,