From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 27 Nov 2024 09:59:58 +0000 (+0100)
Subject: s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust credentials for netlogon
X-Git-Tag: tdb-1.4.13~177
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04d78cc7ce876f3bdb9ad2e1ffaf91c6771ca316;p=thirdparty%2Fsamba.git

s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust credentials for netlogon

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
---

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 2a2eb3da72b..a967abae181 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -655,6 +655,12 @@ NTSTATUS winbindd_get_trust_credentials(struct winbindd_domain *domain,
 		goto ipc_fallback;
 	}
 
+	if (netlogon) {
+		cli_credentials_add_gensec_features(creds,
+						    GENSEC_FEATURE_NO_DELEGATION,
+						    CRED_SPECIFIED);
+	}
+
 	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust