From 0c944d07dc534694729a1ae85d3f28206c6c0c40 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 29 Sep 2011 17:43:25 +1000
Subject: s4-sam: don't look in GC NCs for user accounts

We need to exclude GC partial replica naming contexts from SAM lookups

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/auth/sam.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'source4')

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 24a40fc292..767e44c45d 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -493,7 +493,9 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 	
 	/* pull the user attributes */
 	ret = dsdb_search_one(sam_ctx, tmp_ctx, msg, user_dn,
-			      LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+			      LDB_SCOPE_BASE, attrs,
+			      DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+			      "(objectClass=*)");
 	if (ret != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -540,7 +542,9 @@ NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
 		int ret;
 		/* pull the user attributes */
 		ret = dsdb_search_one(sam_ctx, tmp_ctx, &msg, user_dn,
-				      LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+				      LDB_SCOPE_BASE, user_attrs,
+				      DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+				      "(objectClass=*)");
 		if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 			talloc_free(tmp_ctx);
 			return NT_STATUS_NO_SUCH_USER;
-- 
cgit