[continued from previous message]

/* if it is indexed, then fixing the string DN will do
no good here, as we will not find the attribute in
the index. So for now fall through to a standard DN
@@ -515,11 +524,14 @@
*/
static int extended_dn_fix_filter(struct ldb_module *module,
struct ldb_request *req,
- uint32_t default_dsdb_flags)
+ uint32_t default_dsdb_flags,
+ struct ldb_parse_tree **down_tree)
{
struct extended_dn_filter_ctx *filter_ctx;
int ret;

+ *down_tree = NULL;
+
filter_ctx = talloc_zero(req, struct extended_dn_filter_ctx);
if (filter_ctx == NULL) {
return ldb_module_oom(module);
@@ -550,12 +562,12 @@
filter_ctx->test_only = false;
filter_ctx->matched = false;

- req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
- if (req->op.search.tree == NULL) {
+ *down_tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
+ if (*down_tree == NULL) {
return ldb_oom(ldb_module_get_ctx(module));
}

- ret = ldb_parse_tree_walk(req->op.search.tree, extended_dn_filter_callback, filter_ctx);
+ ret = ldb_parse_tree_walk(*down_tree, extended_dn_filter_callback, filter_ctx);
if (ret != LDB_SUCCESS) {
talloc_free(filter_ctx);
return ret;
@@ -572,7 +584,8 @@
static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req, struct ldb_dn *dn)
{
struct extended_search_context *ac;
- struct ldb_request *down_req;
+ struct ldb_request *down_req = NULL;
+ struct ldb_parse_tree *down_tree = NULL;
int ret;
struct ldb_dn *base_dn = NULL;
enum ldb_scope base_dn_scope = LDB_SCOPE_BASE;
@@ -595,7 +608,7 @@
}

if (req->operation == LDB_SEARCH) {
- ret = extended_dn_fix_filter(module, req, dsdb_flags);
+ ret = extended_dn_fix_filter(module, req, dsdb_flags, &down_tree);
if (ret != LDB_SUCCESS) {
return ret;
}
@@ -603,7 +616,25 @@

if (!ldb_dn_has_extended(dn)) {
/* Move along there isn't anything to see here */
- return ldb_next_request(module, req);
+ if (down_tree == NULL) {
+ down_req = req;
+ } else {
+ ret = ldb_build_search_req_ex(&down_req,
+ ldb_module_get_ctx(module), req,
+ req->op.search.base,
+ req->op.search.scope,
+ down_tree,
+ req->op.search.attrs,
+ req->controls,
+ req, dsdb_next_callback, + req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ LDB_REQ_SET_LOCATION(down_req);
+ }
+
+ return ldb_next_request(module, down_req);
} else {
/* It looks like we need to map the DN */
const struct ldb_val *sid_val, *guid_val, *wkguid_val;
@@ -690,6 +721,7 @@

ac->module = module;
ac->req = req;
+ ac->tree = (down_tree != NULL) ? down_tree : req->op.search.tree;
ac->dn = dn;
ac->basedn = NULL; /* Filled in if the search finds the DN by SID/GUID etc */
ac->wellknown_object = wellknown_object;
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c 2022-08-08 17:15:39.552193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c 2023-03-20 12:03:44.487649200 +0300
@@ -104,7 +104,7 @@
* If we are a GC let's remove the control,
* if there is a specified GC check that is us.
*/
- struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data;
+ struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);
if (samdb_is_gc(ldb)) {
/* Because we can't easily talloc a struct ldb_dn*/
struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1); diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c 2022-10-19 15:14:56.036195800 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c 2023-03-20 1