From aee896ad98edf80a62e586beabffeea02e004585 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 29 Sep 2011 05:23:38 +1000
Subject: s4-kdc: don't look at global catalog NCs in the kdc

the kdc should not be looking for users in GC partial replicas, as
these users do not have all of the attributes needed for the KDC to
operate

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/kdc/kpasswdd.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'source4/kdc/kpasswdd.c')

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 478dcaf573..0763e92498 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -30,6 +30,7 @@
 #include "libcli/security/security.h"
 #include "param/param.h"
 #include "kdc/kdc-glue.h"
+#include "dsdb/common/util.h"
 
 /* Return true if there is a valid error packet formed in the error_blob */
 static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
@@ -160,24 +161,27 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
 	struct samr_Password *oldLmHash, *oldNtHash;
 	struct ldb_context *samdb;
 	const char * const attrs[] = { "dBCSPwd", "unicodePwd", NULL };
-	struct ldb_message **res;
+	struct ldb_message *msg;
 	int ret;
 
 	/* Fetch the old hashes to get the old password in order to perform
 	 * the password change operation. Naturally it would be much better to
 	 * have a password hash from an authentication around but this doesn't
 	 * seem to be the case here. */
-	ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
-			   "(&(objectClass=user)(sAMAccountName=%s))",
-			   session_info->info->account_name);
-	if (ret != 1) {
+	ret = dsdb_search_one(kdc->samdb, mem_ctx, &msg, ldb_get_default_basedn(kdc->samdb),
+			      LDB_SCOPE_SUBTREE,
+			      attrs,
+			      DSDB_SEARCH_NO_GLOBAL_CATALOG,
+			      "(&(objectClass=user)(sAMAccountName=%s))",
+			      session_info->info->account_name);
+	if (ret != LDB_SUCCESS) {
 		return kpasswdd_make_error_reply(kdc, mem_ctx,
 						KRB5_KPASSWD_ACCESSDENIED,
 						"No such user when changing password",
 						reply);
 	}
 
-	status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, res[0],
+	status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg,
 					&oldLmHash, &oldNtHash);
 	if (!NT_STATUS_IS_OK(status)) {
 		return kpasswdd_make_error_reply(kdc, mem_ctx,
-- 
cgit