winbindd: disable support for CROSS_ORGANIZATION domains
author Stefan Metzmacher <metze@samba.org>
Thu, 1 Feb 2018 10:06:10 +0000 (11:06 +0100)
committer Stefan Metzmacher <metze@samba.org>
Wed, 28 Feb 2018 13:33:19 +0000 (14:33 +0100)
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/winbindd/winbindd_util.c

index 73e6b76ec733ffc08f3b2914026291445c41e9e2..b19c42f626bc77e2dfac109b2bec4df6fc1b80ec 100644 (file)
@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void)
                        trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
                }
 
+               if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+                       /*
+                        * We don't support selective authentication yet.
+                        */
+                       DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+                                   "domain[%s/%s]\n",
+                                   domains[i]->netbios_name,
+                                   domains[i]->domain_name);
+                       continue;
+               }
+
                status = add_trusted_domain(domains[i]->netbios_name,
                                            domains[i]->domain_name,
                                            &domains[i]->security_identifier,
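
Review bot: The comment inside the new LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION branch says only "We don't support selective authentication yet."; it should also carry the reason given in the commit message, namely that adding the domain would silently allow domain-wide authentication for a trust that is meant to be restricted, so that the `continue` is not later read as a missing feature and removed. Because the trust is skipped with a single DBG_WARNING, an administrator whose users from that domain can no longer authenticate has only that one log line to go on; consider having the message state that the trust is ignored because selective authentication is not implemented. It is also worth confirming whether any caller of add_trusted_domain() other than add_trusted_domains_dc() can still register a domain with this attribute set, since the filter is applied only in this loop.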