From 2c9254545224bec3ace135603388f19f1e02ea71 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 15 Dec 2014 16:33:38 +0100
Subject: [PATCH] s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the related flag is removed.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
When LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flags is cleared we should also remove the related credentials.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Günther Deschner
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 32 ++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 40867dd4da0..0aad375ccd9 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1779,10 +1779,14 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 }
 if (info_ex->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
- add_incoming = true;
+ if (auth_info != NULL && trustAuthIncoming.length > 0) {
+ add_incoming = true;
+ }
 }
 if (info_ex->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
- add_outgoing = true;
+ if (auth_info != NULL && trustAuthOutgoing.length > 0) {
+ add_outgoing = true;
+ }
 }
 if ((origdir & LSA_TRUST_DIRECTION_INBOUND) &&
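Review bot: `add_incoming` and `add_outgoing` no longer mean "the direction bit is set" but "a non-empty credential blob was supplied for a direction that is set", and nothing at the two nested `if`s says so. A comment above the first block, such as `/* add_* is set only when the caller supplied new credentials for a direction that is enabled */`, would make that contract visible to the code further down that consumes the flags. One case worth confirming against the part of setInfoTrustedDomain_base outside this hunk: a request that newly enables a direction without auth_info appears to leave the direction stored with no matching trustAuth* value, which may deserve an explicit error or at least a log line.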
@@ -1830,28 +1834,32 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 }
 }
- if (add_incoming && trustAuthIncoming.data) {
+ if (add_incoming || del_incoming) {
 ret = ldb_msg_add_empty(msg, "trustAuthIncoming", LDB_FLAG_MOD_REPLACE, NULL);
 if (ret != LDB_SUCCESS) {
 return NT_STATUS_NO_MEMORY;
 }
- ret = ldb_msg_add_value(msg, "trustAuthIncoming",
- &trustAuthIncoming, NULL);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_NO_MEMORY;
+ if (add_incoming) {
+ ret = ldb_msg_add_value(msg, "trustAuthIncoming",
+ &trustAuthIncoming, NULL);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
 }
 }
- if (add_outgoing && trustAuthOutgoing.data) {
+ if (add_outgoing || del_outgoing) {
 ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", LDB_FLAG_MOD_REPLACE, NULL);
 if (ret != LDB_SUCCESS) {
 return NT_STATUS_NO_MEMORY;
 }
- ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
- &trustAuthOutgoing, NULL);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_NO_MEMORY;
+ if (add_outgoing) {
+ ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
+ &trustAuthOutgoing, NULL);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
 }
 }
-- 2.34.1
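Review bot: The removal of the stored trust secret rests on an ldb convention that is not written down in the `if (add_incoming || del_incoming)` and `if (add_outgoing || del_outgoing)` blocks: an element added with `LDB_FLAG_MOD_REPLACE` and given no value deletes the attribute. A comment on each block, such as `/* an empty REPLACE element removes the attribute, dropping the old credentials when the direction was cleared */`, would keep a later cleanup from folding the del_* case back into the add_* one and leaving credentials behind for a disabled direction. del_incoming and del_outgoing are assigned outside this hunk, so it cannot be checked here whether they can be true together with the matching add_* flag; if they can, the new value is still written after the empty element, which looks like the intended result.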