From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 19 Dec 2024 18:34:59 +0000 (+0100)
Subject: s4:rpc_server/lsa: WITHIN_FOREST together with FOREST_TRANSITIVE is invalid
X-Git-Tag: tevent-0.17.0~823
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01d545fcea82bdf4637aa2ee1f71d3d4d6e3f37a;p=thirdparty%2Fsamba.git

s4:rpc_server/lsa: WITHIN_FOREST together with FOREST_TRANSITIVE is invalid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 63ffec46c30..83661b068f0 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1178,6 +1178,12 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_precheck(
 		return NT_STATUS_INVALID_SID;
 	}
 
+	if ((info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) &&
+	    (info->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))
+	{
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if ((info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) &&
 	    (info->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION))
 	{