From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 20 Dec 2024 18:50:53 +0000 (+0100)
Subject: s4:kdc: let samba_kdc_trust_message2entry don't support WITHIN_FOREST and PIM_TRUST
X-Git-Tag: tevent-0.17.0~819
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d5147119fcd2c3a4420a838c3b18b56cdfd4c0d;p=thirdparty%2Fsamba.git

s4:kdc: let samba_kdc_trust_message2entry don't support WITHIN_FOREST and PIM_TRUST

These are not supported yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb  8 16:23:30 UTC 2025 on atb-devel-224
---

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index e626f230684..9fad9934058 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2272,6 +2272,24 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 		goto out;
 	}
 
+	if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+		/*
+		 * We don't support WITHIN_FOREST yet
+		 */
+		krb5_clear_error_message(context);
+		ret = SDB_ERR_NOENTRY;
+		goto out;
+	}
+
+	if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_PIM_TRUST) {
+		/*
+		 * We don't support PIM_TRUST yet
+		 */
+		krb5_clear_error_message(context);
+		ret = SDB_ERR_NOENTRY;
+		goto out;
+	}
+
 	if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
 		/*
 		 * We don't support selective authentication yet.