s4:rpc_server/lsa: don't allow WITHIN_FOREST together with CROSS_ORGANIZATION

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index c3d4522d4836f21565a4b77a3ba4de643c48ff26..d83bc94e64f54de1fe15581c71411ff191bf59d2 100644 (file)
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1178,6 +1178,12 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_precheck(
                return NT_STATUS_INVALID_SID;
        }
 
+       if ((info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) &&
+           (info->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION))
+       {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        /*
         * We expect S-1-5-21-A-B-C, but we don't
         * allow S-1-5-21-0-0-0 as this is used