s4:rpc_server/lsa: don't allow WITHIN_FOREST trusts

author Stefan Metzmacher <metze@samba.org>

Thu, 19 Dec 2024 18:26:10 +0000 (19:26 +0100)

committer Ralph Boehme <slow@samba.org>

Sat, 8 Feb 2025 15:26:38 +0000 (15:26 +0000)
author Stefan Metzmacher <metze@samba.org>
Thu, 19 Dec 2024 18:26:10 +0000 (19:26 +0100)
committer Ralph Boehme <slow@samba.org>
Sat, 8 Feb 2025 15:26:38 +0000 (15:26 +0000)
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c

index d83bc94e64f54de1fe15581c71411ff191bf59d2..63ffec46c3067a2d0c57b3ba272caeb62ec22dcb 100644 (file)
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1184,6 +1184,13 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_precheck(
                 return NT_STATUS_INVALID_PARAMETER;
         }
  
+       if (info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+               /*
+                * We don't allow additional domains in our forest yet.
+                */
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
         /*
          * We expect S-1-5-21-A-B-C, but we don't
          * allow S-1-5-21-0-0-0 as this is used
author	Stefan Metzmacher <metze@samba.org>
	Thu, 19 Dec 2024 18:26:10 +0000 (19:26 +0100)
committer	Ralph Boehme <slow@samba.org>
	Sat, 8 Feb 2025 15:26:38 +0000 (15:26 +0000)