7 files changed, 51 insertions, 56 deletions

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 88c8afd6cc..1220a5c855 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -445,13 +445,12 @@ NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME def
  * Consolidate that logic here to allow clearer logic for account expiry in
  * the rest of the code.
  */
-NTTIME samdb_result_account_expires(struct ldb_message *msg,
-				    NTTIME default_value)
+NTTIME samdb_result_account_expires(struct ldb_message *msg)
 {
 	NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
-						 default_value);
+						 0);
 
-	if (ret == (NTTIME)0)
+	if (ret == 0)
 		ret = 0x7FFFFFFFFFFFFFFFULL;
 
 	return ret;
@@ -1004,7 +1003,13 @@ struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
 {
 	TALLOC_CTX *tmp_ctx;
-	struct dom_sid *domain_sid;
+	const struct dom_sid *domain_sid;
+	const char *attrs[] = {
+		"objectSid",
+		NULL
+	};
+	struct ldb_result *res;
+	int ret;
 
 	/* see if we have a cached copy */
 	domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
@@ -1017,9 +1022,17 @@ const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
 		goto failed;
 	}
 
-	/* find the domain_sid */
-	domain_sid = samdb_search_dom_sid(ldb, tmp_ctx, ldb_get_default_basedn(ldb),
-					  "objectSid", "objectClass=domainDNS");
+	ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
+
+	if (ret != LDB_SUCCESS) {
+		goto failed;
+	}
+	
+	if (res->count != 1) {
+		goto failed;
+	}
+
+	domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
 	if (domain_sid == NULL) {
 		goto failed;
 	}
@@ -1464,7 +1477,7 @@ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
 	
 	while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
 		ret = ldb_search(ldb, sdn, LDB_SCOPE_BASE, 
-				 "(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res);
+				 "(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))", attrs, &res);
 		if (ret == LDB_SUCCESS) {
 			talloc_steal(local_ctx, res);
 			if (res->count == 1) {
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 93da46d5bd..b9333e451b 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -329,7 +329,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 	result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))", 
 					ldb_binary_encode_string(mem_ctx, unparsed_name_short));
 
-	domain_filter = talloc_asprintf(mem_ctx, "(dn=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
+	domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
 
 	if (!result_filter || !domain_filter) {
 		free(unparsed_name_short);
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index e3e1f7ac88..e418031271 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -46,42 +46,15 @@
  *
  */
 
-enum user_is {
-	ANONYMOUS,
-	USER,
-	ADMINISTRATOR,
-	SYSTEM
-};
-
 struct kludge_private_data {
 	const char **password_attrs;
 };
 
-static enum user_is what_is_user(struct ldb_module *module) 
+static enum security_user_level what_is_user(struct ldb_module *module) 
 {
 	struct auth_session_info *session_info
 		= (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
-	if (!session_info) {
-		return ANONYMOUS;
-	}
-	
-	if (security_token_is_system(session_info->security_token)) {
-		return SYSTEM;
-	}
-
-	if (security_token_is_anonymous(session_info->security_token)) {
-		return ANONYMOUS;
-	}
-
-	if (security_token_has_builtin_administrators(session_info->security_token)) {
-		return ADMINISTRATOR;
-	}
-
-	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
-		return USER;
-	}
-
-	return ANONYMOUS;
+	return security_session_user_level(session_info);
 }
 
 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) 
@@ -104,7 +77,7 @@ struct kludge_acl_context {
 	void *up_context;
 	int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
 
-	enum user_is user_type;
+	enum security_user_level user_type;
 	bool allowedAttributes;
 	bool allowedAttributesEffective;
 	bool allowedChildClasses;
@@ -272,8 +245,8 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
 	if (data && data->password_attrs) /* if we are not initialized just get through */
 	{
 		switch (ac->user_type) {
-		case SYSTEM:
-		case ADMINISTRATOR:
+		case SECURITY_SYSTEM:
+		case SECURITY_ADMINISTRATOR:
 			if (ac->allowedAttributesEffective) {
 				ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
 				if (ret != LDB_SUCCESS) {
@@ -359,7 +332,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
 	   so we don't allow a search for 'sambaPassword=penguin',
 	   just as we would not allow that attribute to be returned */
 	switch (ac->user_type) {
-	case SYSTEM:
+	case SECURITY_SYSTEM:
 		break;
 	default:
 		/* remove password attributes */
@@ -391,10 +364,10 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
 /* ANY change type */
 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
 {
-	enum user_is user_type = what_is_user(module);
+	enum security_user_level user_type = what_is_user(module);
 	switch (user_type) {
-	case SYSTEM:
-	case ADMINISTRATOR:
+	case SECURITY_SYSTEM:
+	case SECURITY_ADMINISTRATOR:
 		return ldb_next_request(module, req);
 	default:
 		ldb_asprintf_errstring(module->ldb,
diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c
index a0eff43534..8de9e33002 100644
--- a/source4/dsdb/samdb/ldb_modules/normalise.c
+++ b/source4/dsdb/samdb/ldb_modules/normalise.c
@@ -117,7 +117,7 @@ static int normalise_search_callback(struct ldb_context *ldb, void *context, str
 				talloc_free(mem_ctx);
 				return LDB_ERR_OPERATIONS_ERROR;
 			}
-			ret = fix_dn(ares->message->dn);
+			ret = fix_dn(dn);
 			if (ret != LDB_SUCCESS) {
 				talloc_free(mem_ctx);
 				return ret;
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e63ad4de56..4d4ef585cb 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -257,12 +257,18 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
 	DATA_BLOB *linear_sd;
 	struct auth_session_info *session_info
 		= ldb_get_opaque(module->ldb, "sessionInfo");
-	struct security_descriptor *sd
-		= sddl_decode(mem_ctx, 
-			      objectclass->defaultSecurityDescriptor,
-			      samdb_domain_sid(module->ldb));
+	struct security_descriptor *sd;
+	struct dom_sid *domain_sid = samdb_domain_sid(module->ldb);
 
-	if (!session_info || !session_info->security_token) {
+	if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
+		return NULL;
+	}
+	
+	sd = sddl_decode(mem_ctx, 
+			 objectclass->defaultSecurityDescriptor,
+			 domain_sid);
+
+	if (!sd || !session_info || !session_info->security_token) {
 		return NULL;
 	}
 	
@@ -538,7 +544,9 @@ static int objectclass_do_add(struct ldb_handle *h)
 				}
 				if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) {
 					DATA_BLOB *sd = get_sd(ac->module, mem_ctx, current->objectclass);
-					ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
+					if (sd) {
+						ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
+					}
 				}
 			}
 		}
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index aa64700f2f..1d2bdd988e 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1220,7 +1220,8 @@ static int build_domain_data_request(struct ph_context *ac)
 	ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
 	ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
 
-	filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))", 
+	filter = talloc_asprintf(ac->dom_req,
+				 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", 
 				 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
 	if (filter == NULL) {
 		ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 905cd4a995..5407db9956 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -293,7 +293,7 @@ int samldb_notice_sid(struct ldb_module *module,
 	/* find the domain DN */
 	ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &dom_res,
 				 NULL, LDB_SCOPE_SUBTREE, attrs,
-				 "(&(objectSid=%s)(objectclass=domain))",
+				 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", 
 				 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
 	if (ret == LDB_SUCCESS) {
 		if (dom_res->count == 0) {
@@ -369,7 +369,7 @@ static int samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX
 	/* Format: $000000-000000000000 */
 	
 	do {
-		*name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)random(), (unsigned int)random(), (unsigned int)random());
+		*name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)generate_random(), (unsigned int)generate_random(), (unsigned int)generate_random());
 		/* TODO: Figure out exactly what this is meant to conflict with */
 		ret = ldb_search_exp_fmt(module->ldb,
 					 mem_ctx, &res, dom_dn, LDB_SCOPE_SUBTREE, attrs,