From: Stefan Metzmacher
Date: Tue, 4 Feb 2025 09:16:15 +0000 (+0100)
Subject: winbindd: let add_trusted_domain() check sid and dns_name are not changed
X-Git-Tag: tevent-0.17.0~850
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a07b5726050f3cb2a032793ce5dc5dc9ec4dbe31;p=thirdparty%2Fsamba.git
winbindd: let add_trusted_domain() check sid and dns_name are not changed
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 48f4c9a67cb..1a7c3a30d83 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -150,6 +150,16 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
 if (domain != NULL) {
 struct winbindd_domain *check_domain = NULL;
+ if (!dom_sid_equal(&domain->sid, sid)) {
+ struct dom_sid_buf buf2;
+ DBG_ERR("SID [%s] changed for domain [%s], "
+ "expected [%s]\n",
+ dom_sid_str_buf(sid, &buf),
+ domain->name,
+ dom_sid_str_buf(sid, &buf2));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 for (check_domain = _domain_list;
 check_domain != NULL;
 check_domain = check_domain->next)
@@ -176,6 +186,14 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
 if ((domain != NULL) && (dns_name != NULL)) {
 struct winbindd_domain *check_domain = NULL;
+ if (!strequal(domain->alt_name, dns_name)) {
+ DBG_ERR("DNS name [%s] changed for domain [%s], "
+ "expected [%s]\n",
+ dns_name, domain->name,
+ domain->alt_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 for (check_domain = _domain_list;
 check_domain != NULL;
 check_domain = check_domain->next)
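Review bot: The DBG_ERR in the new SID check prints the incoming SID twice: the "expected" argument is `dom_sid_str_buf(sid, &buf2)`, the same `sid` as the first argument, so the SID stored in the existing entry never reaches the log. It should read `dom_sid_str_buf(&domain->sid, &buf2));`. A SID mismatch on a known trusted domain is an event an operator will want to investigate, and the log line needs both values to tell a stale entry from an unexpected SID. `buf` is declared outside this hunk, and the body of add_trusted_domain() starts before it and continues past it.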
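Review bot: The new DNS-name check guards only `dns_name != NULL`; `domain->alt_name` is passed to `strequal()` and to `%s` in DBG_ERR without a NULL check. Whether an existing entry can lack a DNS name is not visible in this hunk, but if it can, a NULL `%s` argument is undefined behaviour and the first call that supplies a DNS name would presumably be rejected as a change. If that case is meant to be allowed, the condition could be `if (domain->alt_name != NULL && !strequal(domain->alt_name, dns_name)) {`. If it is meant to be rejected, a comment saying so and a non-NULL placeholder in the log call would make that explicit. The enclosing function starts and ends outside the hunk.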