authorStefan Metzmacher <metze@samba.org>2018-02-22 10:40:19 +0100
committerStefan Metzmacher <metze@samba.org>2018-02-23 12:47:25 +0100
commit532a14dc684e7a6d8c584d5671a4ebbad00aa4fc (patch)
tree16ed38a715c1ae9f1b28217fd0d8aa1d462ca550
parent3e17a3b7cd4083299037ba9377931bea792b2d18 (diff)
downloadsamba-532a14dc684e7a6d8c584d5671a4ebbad00aa4fc.tar.gz
winbind: let cm_connect_netlogon_transport() only work against direct trust as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r--source3/winbindd/winbindd_cm.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index b6a54d0a12b..a88e05cac23 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3212,6 +3212,17 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
*cli = NULL;
+ if (IS_AD_DC) {
+ if (domain->secure_channel_type == SEC_CHAN_NULL) {
+ /*
+ * Make sure we don't even try to
+ * connect to a foreign domain
+ * without a direct outbound trust.
+ */
+ return NT_STATUS_NO_TRUST_LSA_SECRET;
+ }
+ }
+
result = init_dc_connection_rpc(domain, domain->rodc);
if (!NT_STATUS_IS_OK(result)) {
return result;
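Review bot: The new early return at the top of cm_connect_netlogon_transport() is silent, so when an AD DC refuses a domain because `secure_channel_type == SEC_CHAN_NULL`, nothing in the log explains why the netlogon connection failed with NT_STATUS_NO_TRUST_LSA_SECRET. I would add a debug line before the return, for example `DBG_DEBUG("No direct outbound trust to %s, refusing netlogon connection\n", domain->name);`, so the refusal can be told apart from a genuinely missing trust secret. The two nested `if`s can also be written as one condition, `if (IS_AD_DC && domain->secure_channel_type == SEC_CHAN_NULL) {`. The function body starts and ends outside this hunk, so how callers react to this status is not visible here.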