winbindd: transitive trust logic in trust_is_transitive()

trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct, for the trust to be transative,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <slow@samba.org>

diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
index c80e7844bc2a1a94a66223ab0dc9f7160cf7dd39..51c8799de327e2d995ddc815eda322fe23feb9c3 100644 (file)
--- a/source3/winbindd/winbindd_misc.c
+++ b/source3/winbindd/winbindd_misc.c
@@ -78,11 +78,33 @@ static bool trust_is_outbound(struct winbindd_tdc_domain *domain)
 
 static bool trust_is_transitive(struct winbindd_tdc_domain *domain)
 {
-       if ((domain->trust_attribs == LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) ||
-           (domain->trust_attribs == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) ||
-           (domain->trust_attribs == LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL))
-               return False;
-       return True;
+       bool transitive = false;
+
+       /*
+        * Beware: order matters
+        */
+
+       if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+               transitive = true;
+       }
+
+       if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+               transitive = true;
+       }
+
+       if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
+               transitive = false;
+       }
+
+       if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
+               transitive = false;
+       }
+
+       if (domain->trust_flags & NETR_TRUST_FLAG_PRIMARY) {
+               transitive = true;
+       }
+
+       return transitive;
 }
 
 void winbindd_list_trusted_domains(struct winbindd_cli_state *state)