s4:rpc_server/lsa: a PIM trust requires FOREST_TRANSITIVE

author Stefan Metzmacher <metze@samba.org>

Thu, 19 Dec 2024 19:43:18 +0000 (20:43 +0100)

committer Ralph Boehme <slow@samba.org>

Sat, 8 Feb 2025 15:26:38 +0000 (15:26 +0000)
author Stefan Metzmacher <metze@samba.org>
Thu, 19 Dec 2024 19:43:18 +0000 (20:43 +0100)
committer Ralph Boehme <slow@samba.org>
Sat, 8 Feb 2025 15:26:38 +0000 (15:26 +0000)
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c

index 83661b068f0bf73f41d26ebf6a89deb1f8382a43..207e0a62ca8eda606b8b89b724c75b16fc20f122 100644 (file)
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1190,6 +1190,12 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_precheck(
                 return NT_STATUS_INVALID_PARAMETER;
         }
  
+       if ((info->trust_attributes & LSA_TRUST_ATTRIBUTE_PIM_TRUST) &&
+           !(info->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))
+       {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
         if (info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
                 /*
                  * We don't allow additional domains in our forest yet.
author	Stefan Metzmacher <metze@samba.org>
	Thu, 19 Dec 2024 19:43:18 +0000 (20:43 +0100)
committer	Ralph Boehme <slow@samba.org>
	Sat, 8 Feb 2025 15:26:38 +0000 (15:26 +0000)