From dcf38dd4e4d81bec78c02e81fcaf339f19ed896e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 19 Dec 2024 20:43:18 +0100
Subject: [PATCH] s4:rpc_server/lsa: a PIM trust requires FOREST_TRANSITIVE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 83661b068f0..207e0a62ca8 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1190,6 +1190,12 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_precheck(
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if ((info->trust_attributes & LSA_TRUST_ATTRIBUTE_PIM_TRUST) &&
+	    !(info->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))
+	{
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (info->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
 		/*
 		 * We don't allow additional domains in our forest yet.
-- 
2.47.2