From b61da675c4b957f4e6ae562651ad098091b37af2 Mon Sep 17 00:00:00 2001
From: Arvid Requate <requate@univention.de>
Date: Tue, 18 Jun 2013 18:42:47 +0200
Subject: [PATCH] s4:rpc_server: pick CN=System CriticalSystemObject

---
 source4/rpc_server/backupkey/dcesrv_backupkey.c |    4 ++--
 source4/rpc_server/lsa/lsa_init.c               |    2 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c   |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 87799db..7f9ecdd 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -85,7 +85,7 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx,
 	 * * taillor the function to the particular needs of backup protocol
 	 */
 
-	system_dn = samdb_search_dn(ldb, msg, domain_dn, "(&(objectClass=container)(cn=System))");
+	system_dn = samdb_search_dn(ldb, msg, domain_dn, "(&(objectClass=container)(cn=System)(isCriticalSystemObject=True))");
 	if (system_dn == NULL) {
 		talloc_free(msg);
 		return NT_STATUS_NO_MEMORY;
@@ -199,7 +199,7 @@ static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	system_dn = samdb_search_dn(ldb, tmp_mem, domain_dn, "(&(objectClass=container)(cn=System))");
+	system_dn = samdb_search_dn(ldb, tmp_mem, domain_dn, "(&(objectClass=container)(cn=System)(isCriticalSystemObject=True))");
 	if (system_dn == NULL) {
 		talloc_free(tmp_mem);
 		return NT_STATUS_NO_MEMORY;
diff --git a/source4/rpc_server/lsa/lsa_init.c b/source4/rpc_server/lsa/lsa_init.c
index bee6556..26c0683 100644
--- a/source4/rpc_server/lsa/lsa_init.c
+++ b/source4/rpc_server/lsa/lsa_init.c
@@ -118,7 +118,7 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 	/* work out the system_dn - useful for so many calls its worth
 	   fetching here */
 	state->system_dn = samdb_search_dn(state->sam_ldb, state,
-					   state->domain_dn, "(&(objectClass=container)(cn=System))");
+					   state->domain_dn, "(&(objectClass=container)(cn=System)(isCriticalSystemObject=True))");
 	if (!state->system_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index d463e85..fa9c171 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2129,7 +2129,7 @@ static WERROR fill_trusted_domains_array(TALLOC_CTX *mem_ctx,
 
 	system_dn = samdb_search_dn(sam_ctx, mem_ctx,
 				    ldb_get_default_basedn(sam_ctx),
-				    "(&(objectClass=container)(cn=System))");
+				    "(&(objectClass=container)(cn=System)(isCriticalSystemObject=True))");
 	if (!system_dn) {
 		return WERR_GENERAL_FAILURE;
 	}
-- 
1.7.10.4