From: Stefan Metzmacher
Date: Thu, 8 Jun 2017 16:01:59 +0000 (+0200)
Subject: s4:rpc_server: Do some checks of LogonSamLogon flags
X-Git-Tag: ldb-1.1.31~122
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f180b1c21ccc3ba0097e61eac7b6b7560736bdc3;p=thirdparty%2Fsamba.git
s4:rpc_server: Do some checks of LogonSamLogon flags
This matches a Windows Server, at least if it is itself a DC of the forest root and the requested domain is the local domain of the DC. Both constraints are true on a Samba AD DC, as we don't really support trusts yet.
Pair-Programmed-With: Andreas Schneider
Signed-off-by: Stefan Metzmacher
Signed-off-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Fri Jun 9 17:06:04 CEST 2017 on sn-devel-144
---
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 9392a3975d0..0932eb0d36c 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -856,6 +856,20 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 *r->out.authoritative = 1;
+ if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT) {
+ /*
+ * Currently we're always the forest root ourself.
+ */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP) {
+ /*
+ * Currently we don't support trusts correctly yet.
+ */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
 user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
 NT_STATUS_HAVE_NO_MEMORY(user_info);
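Review bot: Both new early returns hand back `NT_STATUS_NO_SUCH_USER` immediately after `*r->out.authoritative = 1` is set, and neither comment explains why that status, answered authoritatively, is the intended reply. The commit message says this matches a Windows DC that is the forest root, so I would carry that into the code, e.g. `/* A Windows forest-root DC answers this authoritatively with NO_SUCH_USER; revisit once trusts are supported. */`. The returns also happen before `user_info` is built, so these rejections presumably never reach the normal authentication path and will look the same as a genuine unknown-account failure to anyone reading the logs; a low-level `DEBUG` line naming the rejected flag would make them distinguishable. The body of `dcesrv_netr_LogonSamLogon_base` starts and ends outside this hunk, so it is not visible here whether `r->in.flags` is guaranteed non-NULL on every caller path before it is dereferenced.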