author | Stefan Metzmacher <metze@samba.org> | 2018-02-22 10:40:19 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2018-02-23 12:47:25 +0100 |
commit | 532a14dc684e7a6d8c584d5671a4ebbad00aa4fc (patch) | |
tree | 16ed38a715c1ae9f1b28217fd0d8aa1d462ca550 | |
parent | 3e17a3b7cd4083299037ba9377931bea792b2d18 (diff) | |
winbind: let cm_connect_netlogon_transport() only work against direct trust as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index b6a54d0a12b..a88e05cac23 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3212,6 +3212,17 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 *cli = NULL;
+ if (IS_AD_DC) {
+ if (domain->secure_channel_type == SEC_CHAN_NULL) {
+ /*
+ * Make sure we don't even try to
+ * connect to a foreign domain
+ * without a direct outbound trust.
+ */
+ return NT_STATUS_NO_TRUST_LSA_SECRET;
+ }
+ }
+
 result = init_dc_connection_rpc(domain, domain->rodc);
 if (!NT_STATUS_IS_OK(result)) {
 return result; |
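Review bot: The new early return for `domain->secure_channel_type == SEC_CHAN_NULL` on an AD DC is silent. In the logs, a deliberate refusal to contact a domain without a direct outbound trust looks the same as a genuinely missing trust secret, since both surface as `NT_STATUS_NO_TRUST_LSA_SECRET`. A debug line before the return would make the policy decision visible to operators, for example `DBG_INFO("No direct outbound trust to domain %s, not connecting\n", domain->name);`, assuming callers do not already log the domain on failure. As a smaller style point, the two nested `if`s could be written as a single `if (IS_AD_DC && domain->secure_channel_type == SEC_CHAN_NULL)`. The body of cm_connect_netlogon_transport() starts and ends outside this hunk, so any other use of the domain before this point is not visible here.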