2 files changed, 23 insertions, 16 deletions

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2ed32192f8..6d13584694 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1042,9 +1042,11 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
 		return ret;
 	}
 
-	lret = ldb_search(ldb_ctx, mem_ctx, &res,
-			  ldb_get_default_basedn(ldb_ctx),
-			  LDB_SCOPE_SUBTREE, attrs, "%s", filter);
+	lret = dsdb_search(ldb_ctx, mem_ctx, &res,
+			   ldb_get_default_basedn(ldb_ctx),
+			   LDB_SCOPE_SUBTREE, attrs,
+			   DSDB_SEARCH_NO_GLOBAL_CATALOG,
+			   "%s", filter);
 	if (lret != LDB_SUCCESS) {
 		DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
 		return HDB_ERR_NOENTRY;
@@ -1149,7 +1151,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 		if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
 			lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
 					       &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
-					       krbtgt_attrs, 0,
+					       krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG,
 					       "(objectClass=user)");
 		} else {
 			/* We need to look up an RODC krbtgt (perhaps
@@ -1158,7 +1160,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 			lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
 					       &msg, realm_dn, LDB_SCOPE_SUBTREE,
 					       krbtgt_attrs,
-					       DSDB_SEARCH_SHOW_EXTENDED_DN,
+					       DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
 					       "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number));
 		}
 
@@ -1517,9 +1519,10 @@ krb5_error_code samba_kdc_firstkey(krb5_context context,
 		return ret;
 	}
 
-	lret = ldb_search(ldb_ctx, priv, &res,
-			  priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
-			  "(objectClass=user)");
+	lret = dsdb_search(ldb_ctx, priv, &res,
+			   priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
+			   DSDB_SEARCH_NO_GLOBAL_CATALOG,
+			   "(objectClass=user)");
 
 	if (lret != LDB_SUCCESS) {
 		TALLOC_FREE(priv);
@@ -1873,7 +1876,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 		ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
 					  &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
 					  secondary_keytab,
-					  0,
+					  DSDB_SEARCH_NO_GLOBAL_CATALOG,
 					  "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))");
 		if (ldb_ret != LDB_SUCCESS) {
 			DEBUG(1, ("hdb_samba4_create: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n",
@@ -1900,7 +1903,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 					  ldb_get_default_basedn(kdc_db_ctx->samdb),
 					  LDB_SCOPE_SUBTREE,
 					  krbtgt_attrs,
-					  0,
+					  DSDB_SEARCH_NO_GLOBAL_CATALOG,
 					  "(&(objectClass=user)(samAccountName=krbtgt))");
 
 		if (ldb_ret != LDB_SUCCESS) {
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 478dcaf573..0763e92498 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -30,6 +30,7 @@
 #include "libcli/security/security.h"
 #include "param/param.h"
 #include "kdc/kdc-glue.h"
+#include "dsdb/common/util.h"
 
 /* Return true if there is a valid error packet formed in the error_blob */
 static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
@@ -160,24 +161,27 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
 	struct samr_Password *oldLmHash, *oldNtHash;
 	struct ldb_context *samdb;
 	const char * const attrs[] = { "dBCSPwd", "unicodePwd", NULL };
-	struct ldb_message **res;
+	struct ldb_message *msg;
 	int ret;
 
 	/* Fetch the old hashes to get the old password in order to perform
 	 * the password change operation. Naturally it would be much better to
 	 * have a password hash from an authentication around but this doesn't
 	 * seem to be the case here. */
-	ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
-			   "(&(objectClass=user)(sAMAccountName=%s))",
-			   session_info->info->account_name);
-	if (ret != 1) {
+	ret = dsdb_search_one(kdc->samdb, mem_ctx, &msg, ldb_get_default_basedn(kdc->samdb),
+			      LDB_SCOPE_SUBTREE,
+			      attrs,
+			      DSDB_SEARCH_NO_GLOBAL_CATALOG,
+			      "(&(objectClass=user)(sAMAccountName=%s))",
+			      session_info->info->account_name);
+	if (ret != LDB_SUCCESS) {
 		return kpasswdd_make_error_reply(kdc, mem_ctx,
 						KRB5_KPASSWD_ACCESSDENIED,
 						"No such user when changing password",
 						reply);
 	}
 
-	status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, res[0],
+	status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg,
 					&oldLmHash, &oldNtHash);
 	if (!NT_STATUS_IS_OK(status)) {
 		return kpasswdd_make_error_reply(kdc, mem_ctx,