From 9f73f8a784f2de9211601f92729a47aaa3e51a1a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Nov 2021 20:50:20 +0100
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
---
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index fe68adec534a..a8c510fafc67 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -135,7 +135,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	if (!is_allowed_domain(domain_name)) {
+	if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}
 
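Review bot: the new condition `secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)` has no comment explaining why the `is_allowed_domain()` check is now skipped for every non-NULL channel type. The reasoning exists only in the commit message: domains with an explicit trust, and local domains such as BUILTIN that use at least SEC_CHAN_LOCAL, should not be rejected by "allow trusted domains = no". A short comment above the `if` would help keep a later cleanup from dropping the guard and reintroducing the regression. The changed line also runs past 80 columns once the leading tab is counted, so it could be wrapped after `&&`. The diffstat shows only winbindd_util.c changed, so a regression test for bug 14899 would be worth adding alongside the fix: set "allow trusted domains = no" and check that BUILTIN is still added.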
-- 
2.25.1