s4:rpc_server: Do some checks of LogonSamLogon flags

This matches a Windows Server, at least if it is itself a
DC of the forest root and the requested domain is the local domain of the DC.
Both constraints are true on a Samba AD DC, as we don't really support
trusts yet.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun  9 17:06:04 CEST 2017 on sn-devel-144

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 9392a3975d0f4ec3bd7c7d8848a3f117afb36ced..0932eb0d36c64872dd6e5e4b7e2d91cee2ed6a08 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -856,6 +856,20 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 
        *r->out.authoritative = 1;
 
+       if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT) {
+               /*
+                * Currently we're always the forest root ourself.
+                */
+               return NT_STATUS_NO_SUCH_USER;
+       }
+
+       if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP) {
+               /*
+                * Currently we don't support trusts correctly yet.
+                */
+               return NT_STATUS_NO_SUCH_USER;
+       }
+
        user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(user_info);