From c42aeb7872c89983ea274d72b7ef8d9c7a59bc08 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Wed, 22 Jun 2011 17:07:39 +1000
Subject: s4-dsdb: prioritise GUID in extended_dn_in

if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'source4/dsdb/samdb/ldb_modules/extended_dn_in.c')

diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index e2bb0de054..9a70d9a3db 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -315,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
 		guid_val = ldb_dn_get_extended_component(dn, "GUID");
 		wkguid_val = ldb_dn_get_extended_component(dn, "WKGUID");
 
-		if (sid_val) {
+		/*
+		  prioritise the GUID - we have had instances of
+		  duplicate SIDs in the database in the
+		  ForeignSecurityPrinciples due to provision errors
+		 */
+		if (guid_val) {
 			all_partitions = true;
 			base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module));
-			base_dn_filter = talloc_asprintf(req, "(objectSid=%s)", 
-							 ldb_binary_encode(req, *sid_val));
+			base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)",
+							 ldb_binary_encode(req, *guid_val));
 			if (!base_dn_filter) {
 				return ldb_oom(ldb_module_get_ctx(module));
 			}
 			base_dn_scope = LDB_SCOPE_SUBTREE;
 			base_dn_attrs = no_attr;
 
-		} else if (guid_val) {
-
+		} else if (sid_val) {
 			all_partitions = true;
 			base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module));
-			base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)", 
-							 ldb_binary_encode(req, *guid_val));
+			base_dn_filter = talloc_asprintf(req, "(objectSid=%s)",
+							 ldb_binary_encode(req, *sid_val));
 			if (!base_dn_filter) {
 				return ldb_oom(ldb_module_get_ctx(module));
 			}
 			base_dn_scope = LDB_SCOPE_SUBTREE;
 			base_dn_attrs = no_attr;
 
-
 		} else if (wkguid_val) {
 			char *wkguid_dup;
 			char *tail_str;
-- 
cgit