winbind: let cm_connect_netlogon_transport() only work against direct trust as AD DC
authorStefan Metzmacher <metze@samba.org>
Thu, 22 Feb 2018 09:40:19 +0000 (10:40 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 23 Feb 2018 11:47:25 +0000 (12:47 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/winbindd/winbindd_cm.c

index b6a54d0a12b880d3efa180195ff74121626db273..a88e05cac232d7780c9c2a0fea5899524194e190 100644 (file)
@@ -3212,6 +3212,17 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
        *cli = NULL;
 
+       if (IS_AD_DC) {
+               if (domain->secure_channel_type == SEC_CHAN_NULL) {
+                       /*
+                        * Make sure we don't even try to
+                        * connect to a foreign domain
+                        * without a direct outbound trust.
+                        */
+                       return NT_STATUS_NO_TRUST_LSA_SECRET;
+               }
+       }
+
        result = init_dc_connection_rpc(domain, domain->rodc);
        if (!NT_STATUS_IS_OK(result)) {
                return result;
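Review bot: The early `return NT_STATUS_NO_TRUST_LSA_SECRET;` added under the `IS_AD_DC` check is silent, so an AD DC that refuses a netlogon connection to a domain whose `secure_channel_type` is `SEC_CHAN_NULL` leaves nothing in the winbind log, and a caller seeing that status cannot tell a deliberate "no direct outbound trust" refusal from a genuinely missing trust-account secret. I would log before returning, e.g. `DBG_NOTICE("Refusing netlogon connection to %s: no direct outbound trust\n", domain->name);`, assuming `domain->name` is the usual winbindd_domain field at this point. The two nested ifs carry no separate logic and could be a single condition, `if (IS_AD_DC && domain->secure_channel_type == SEC_CHAN_NULL) {`, with the existing comment kept. The guard is only as good as the place that assigns `secure_channel_type` when the trusted-domain list is built, which is outside this hunk; it is worth confirming that indirectly trusted domains are always left at `SEC_CHAN_NULL` rather than inheriting a stale non-NULL value, since that would let the connection attempt through. cm_connect_netlogon_transport() starts and ends outside the hunk.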