From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 19 Dec 2024 18:26:10 +0000 (+0100)
Subject: s4:rpc_server/lsa: don't allow WITHIN_FOREST trusts
X-Git-Tag: tevent-0.17.0~824
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64da8aac4605809696cdd08fe9c06d346a781e70;p=thirdparty%2Fsamba.git

s4:rpc_server/lsa: don't allow WITHIN_FOREST trusts

They are not supported yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index d83bc94e64f..63ffec46c30 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1184,6 +1184,13 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_precheck(
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+		/*
+		 * We don't allow additional domains in our forest yet.
+		 */
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
 	/*
 	 * We expect S-1-5-21-A-B-C, but we don't
 	 * allow S-1-5-21-0-0-0 as this is used