s4:kdc: disable support for CROSS_ORGANIZATION domains
author Stefan Metzmacher <metze@samba.org>
Thu, 1 Feb 2018 10:06:10 +0000 (11:06 +0100)
committer Stefan Metzmacher <metze@samba.org>
Wed, 28 Feb 2018 18:45:13 +0000 (19:45 +0100)
We don't support selective authentication yet,
so we shouldn't silently allow domain-wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144

source4/kdc/db-glue.c

index 9d633a6e528393bfbbb973efbf05b093e3082e68..8ccc34cd665c96d978487bf89250522155614da5 100644
@@ -1225,6 +1225,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
                goto out;
        }
 
+       if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+               /*
+                * We don't support selective authentication yet.
+                */
+               krb5_clear_error_message(context);
+               ret = SDB_ERR_NOENTRY;
+               goto out;
+       }
+
        if (tdo->domain_name.string == NULL) {
                krb5_clear_error_message(context);
                ret = SDB_ERR_NOENTRY;
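Review bot: The new LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION branch returns SDB_ERR_NOENTRY with no diagnostic, so an administrator whose forest trust has selective authentication enabled will only see generic unknown-principal failures from the KDC and nothing in the Samba logs explaining why the trust is being ignored. Consider adding a DEBUG message before the `goto out` (at whatever level this file uses for similar skips) stating that the trust is skipped because selective authentication is not yet supported; note that `tdo->domain_name.string` is only checked for NULL in the block that follows, so either move this check after that NULL check or avoid printing the domain name unguarded. Silently treating the trust as non-existent is the right security posture given the commit message, but it should not be silent towards the operator.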