From 7a36cb30b716d56b84e894851c1a18e9eb3a0964 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 24 Aug 2018 15:33:49 +0200
Subject: [PATCH] s4:samldb: internally use extended dns while changing the primaryGroupID field
This is important, otherwise we'll loose the component of the linked attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 .../knownfail.d/samba4.blackbox.test_primary_group | 2 --
 source4/dsdb/samdb/ldb_modules/samldb.c | 29 ++++++++++++++++------
 2 files changed, 21 insertions(+), 10 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba4.blackbox.test_primary_group
diff --git a/selftest/knownfail.d/samba4.blackbox.test_primary_group b/selftest/knownfail.d/samba4.blackbox.test_primary_group
deleted file mode 100644
index 779f6808c97..00000000000
--- a/selftest/knownfail.d/samba4.blackbox.test_primary_group
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.blackbox.test_primary_group.dbcheck.*run1
-^samba4.blackbox.test_primary_group.dbcheck.*run2
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 30741f5cb7a..e69228c32c7 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1680,9 +1680,14 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 struct ldb_result *res, *group_res;
 struct ldb_message_element *el;
 struct ldb_message *msg;
+ uint32_t search_flags =
+ DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_EXTENDED_DN;
 uint32_t prev_rid, new_rid, uac;
 struct dom_sid *prev_sid, *new_sid;
 struct ldb_dn *prev_prim_group_dn, *new_prim_group_dn;
+ const char *new_prim_group_dn_ext_str = NULL;
+ struct ldb_dn *user_dn = NULL;
+ const char *user_dn_ext_str = NULL;
 int ret;
 const char * const noattrs[] = { NULL };
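Review bot: The new `search_flags` declaration has no comment explaining why every lookup in samldb_prim_group_change now requests extended DNs, so the rationale exists only in the commit message. A short comment above it would keep a later cleanup from dropping the flag, for example `/* request extended DNs so member/memberOf link values keep their extended components */`. The value is not reassigned in any visible hunk, so `const uint32_t search_flags` would also state that intent. The function body continues outside this hunk.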
@@ -1696,10 +1701,15 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 /* Fetch information from the existing object */
 ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs,
- DSDB_FLAG_NEXT_MODULE, ac->req);
+ search_flags, ac->req);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
+ user_dn = res->msgs[0]->dn;
+ user_dn_ext_str = ldb_dn_get_extended_linearized(ac, user_dn, 1);
+ if (user_dn_ext_str == NULL) {
+ return ldb_operr(ldb);
+ }
 uac = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0);
@@ -1763,7 +1773,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 ret = dsdb_module_search(ac->module, ac, &group_res, ldb_get_default_basedn(ldb), LDB_SCOPE_SUBTREE,
- noattrs, DSDB_FLAG_NEXT_MODULE,
+ noattrs, search_flags,
 ac->req, "(objectSid=%s)", ldap_encode_ndr_dom_sid(ac, prev_sid));
@@ -1783,7 +1793,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 ret = dsdb_module_search(ac->module, ac, &group_res, ldb_get_default_basedn(ldb), LDB_SCOPE_SUBTREE,
- noattrs, DSDB_FLAG_NEXT_MODULE,
+ noattrs, search_flags,
 ac->req, "(objectSid=%s)", ldap_encode_ndr_dom_sid(ac, new_sid));
@@ -1796,11 +1806,16 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 new_prim_group_dn = group_res->msgs[0]->dn;
+ new_prim_group_dn_ext_str = ldb_dn_get_extended_linearized(ac,
+ new_prim_group_dn, 1);
+ if (new_prim_group_dn_ext_str == NULL) {
+ return ldb_operr(ldb);
+ }
 /* We need to be already a normal member of the new primary * group in order to be successful. */
 el = samdb_find_attribute(ldb, res->msgs[0], "memberOf",
- ldb_dn_get_linearized(new_prim_group_dn));
+ new_prim_group_dn_ext_str);
 if (el == NULL) {
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
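Review bot: The mode argument `1` in `ldb_dn_get_extended_linearized(ac, user_dn, 1)` is a bare literal, and the same literal recurs where `new_prim_group_dn_ext_str` is built in the -1796 hunk. The selected format determines the exact bytes later written as `member` values and compared against `memberOf`, so it deserves a comment at the first use, for example `/* mode 1: clear-string form of the extended components (confirm against ldb_dn.c) */`. The enclosing function starts and ends outside this hunk.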
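Review bot: The membership gate before the primary-group switch now looks up `new_prim_group_dn_ext_str` in `memberOf`, so it passes only if those values are rendered in exactly the same extended form as the group's own DN from the objectSid search. samdb_find_attribute() is not visible here. If it matches values as raw strings, any difference in which extended components are present, or in their order, would reject a legitimate member with LDB_ERR_UNWILLING_TO_PERFORM. That fails closed, but the assumption should be stated at the call, for example `/* memberOf is returned with extended DNs here, so compare against the extended form */`. The function continues outside this hunk.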
@@ -1812,8 +1827,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 }
 msg->dn = new_prim_group_dn;
- ret = samdb_msg_add_delval(ldb, msg, msg, "member",
- ldb_dn_get_linearized(ac->msg->dn));
+ ret = samdb_msg_add_delval(ldb, msg, msg, "member", user_dn_ext_str);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
@@ -1831,8 +1845,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 }
 msg->dn = prev_prim_group_dn;
- ret = samdb_msg_add_addval(ldb, msg, msg, "member",
- ldb_dn_get_linearized(ac->msg->dn));
+ ret = samdb_msg_add_addval(ldb, msg, msg, "member", user_dn_ext_str);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
-- 
2.11.4.GIT