Diffstat (limited to 'source4/dsdb/common')
-rw-r--r-- | source4/dsdb/common/util_groups.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index b5aecbafe91..6a96ce89d1a 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 filter);
 }
 
+ /*
+ * We have the problem with the caller creating a <SID=S-....>
+ * DN for ForeignSecurityPrincipals as they also have
+ * duplicate objects with the SAME SID under CN=Configuration.
+ * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
+ * and on Windows. So, we allow this to fail, and
+ * double-check if we can find it with a search in the main
+ * domain partition.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
+ char *sid_string = dom_sid_string(tmp_ctx,
+ &sid);
+ if (!sid_string) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ret = dsdb_search(sam_ctx, tmp_ctx, &res,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
+ "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
+ sid_string);
+ }
+
 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 talloc_free(tmp_ctx);
 return NT_STATUS_OK; |
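Review bot: The `!sid_string` branch returns `NT_STATUS_OK` when dom_sid_string() fails to allocate, so an out-of-memory condition is reported as a successful expansion with this SID's memberships silently left out; since the result presumably feeds group membership used for access decisions, it should fail closed with `return NT_STATUS_NO_MEMORY;` after the `talloc_free(tmp_ctx);`. Separately, the fallback is a subtree search, and if dsdb_search reports zero matches as success with an empty result rather than LDB_ERR_NO_SUCH_OBJECT, the unchanged check that follows will not catch it, so the code after the hunk has to cope with `res->count == 0` (and with more than one match). The filter value comes from dom_sid_string() on a binary SID rather than from caller-supplied text, which is worth a one-line comment next to the format string so nobody later swaps in an unescaped string. The function body starts and ends outside the hunk.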