From 04d78cc7ce876f3bdb9ad2e1ffaf91c6771ca316 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 27 Nov 2024 10:59:58 +0100
Subject: [PATCH] s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust
 credentials for netlogon

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
---
 source3/winbindd/winbindd_cm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 2a2eb3da72b..a967abae181 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -655,6 +655,12 @@ NTSTATUS winbindd_get_trust_credentials(struct winbindd_domain *domain,
 		goto ipc_fallback;
 	}
 
+	if (netlogon) {
+		cli_credentials_add_gensec_features(creds,
+						    GENSEC_FEATURE_NO_DELEGATION,
+						    CRED_SPECIFIED);
+	}
+
 	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust
-- 
2.47.3