From f180b1c21ccc3ba0097e61eac7b6b7560736bdc3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 8 Jun 2017 18:01:59 +0200
Subject: [PATCH] s4:rpc_server: Do some checks of LogonSamLogon flags

This matches a Windows Server, at least if it is itself a DC of the forest root and the requested domain is the local domain of the DC. Both constraints are true on a Samba AD DC, as we don't really support trusts yet.

Pair-Programmed-With: Andreas Schneider
Signed-off-by: Stefan Metzmacher
Signed-off-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Fri Jun 9 17:06:04 CEST 2017 on sn-devel-144
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 9392a3975d0..0932eb0d36c 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -856,6 +856,20 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 *r->out.authoritative = 1;
+ if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT) {
+ /*
+ * Currently we're always the forest root ourself.
+ */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP) {
+ /*
+ * Currently we don't support trusts correctly yet.
+ */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
 user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
 NT_STATUS_HAVE_NO_MEMORY(user_info);
-- 
2.47.2
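Review bot: Both new early returns in dcesrv_netr_LogonSamLogon_base come after `*r->out.authoritative = 1;` and before `user_info` is allocated, so a request carrying either flag gets an authoritative NT_STATUS_NO_SUCH_USER that, as far as this hunk shows, is indistinguishable from a genuinely unknown account and leaves no log line. A debug message before each return, e.g. `DEBUG(3, ("LogonSamLogon: rejecting unsupported flags 0x%08x\n", (unsigned int)*r->in.flags));`, would let an operator tell the two cases apart. The comments could also say that the authoritative answer is intended and that both checks need revisiting once trusts are supported, which the commit message states but the code does not. The function's body starts and ends outside the hunk, so any logging done elsewhere in it is not visible here.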