-rw-r--r-- | source4/auth/auth.h | 3 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 3 | ||||
-rw-r--r-- | source4/auth/sam.c | 12 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 3 |
4 files changed, 13 insertions, 8 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index af9ed52f78..360da50f70 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -204,7 +204,8 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg,
 struct ldb_message *msg_domain_ref,
 const char *logon_workstation,
- const char *name_for_logs);
+ const char *name_for_logs,
+ bool allow_domain_trust);
 struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 const char *netbios_name,
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d1be5b6e30..384d342e00 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -262,7 +262,8 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 msgs[0],
 msgs_domain_ref[0],
 user_info->workstation_name,
- user_info->mapped.account_name);
+ user_info->mapped.account_name,
+ false);
 return nt_status;
 }
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f6a998ae0f..4b848cffe0 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -144,7 +144,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg,
 struct ldb_message *msg_domain_ref,
 const char *logon_workstation,
- const char *name_for_logs)
+ const char *name_for_logs,
+ bool allow_domain_trust)
 {
 uint16_t acct_flags;
 const char *workstation_list;
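Review bot: The new `bool allow_domain_trust` parameter added to the authsam_account_ok prototype is undocumented, and the header is where the two callers in this commit (auth_sam.c passing `false`, pac-glue.c passing `true`) will look for its meaning. A comment on the declaration such as `/* allow_domain_trust: if true, accounts flagged ACB_DOMTRUST pass this check instead of returning NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT */` would do, and the definition in sam.c should carry the same note. Whether auth.h already sees a `bool` definition through its existing includes is not visible here and is worth confirming. The authsam_account_ok declaration starts before this hunk.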
@@ -231,11 +232,12 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_LOGON_HOURS;
 }
- if (acct_flags & ACB_DOMTRUST) {
- DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
- return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ if (!allow_domain_trust) {
+ if (acct_flags & ACB_DOMTRUST) {
+ DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
+ return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ }
 }
-
 if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
 if (acct_flags & ACB_SVRTRUST) {
 DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3f1c1fc63e..74bec85d02 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -270,13 +270,14 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
 }
 }
+ /* we allow all kinds of trusts here */
 nt_status = authsam_account_ok(tmp_ctx,
 private->samdb,
 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 private->msg,
 private->realm_ref_msg,
 workstation,
- name);
+ name, true);
 free(name);
 if (NT_STATUS_IS_OK(nt_status))
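Review bot: The new branch nests `if (acct_flags & ACB_DOMTRUST)` inside `if (!allow_domain_trust)`, whereas the server-trust check that follows it reads its gate from `logon_parameters`; a single condition, `if (!allow_domain_trust && (acct_flags & ACB_DOMTRUST)) {`, keeps the same behaviour and the same shape as its sibling. The blank line that separated the domain-trust check from the `MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT` check is removed by this hunk, which makes two independent checks read as one; keeping it costs nothing. A one-line comment above the branch explaining why domain trust is controlled by a separate bool rather than a logon_parameters bit would save the next reader the question, since the two gates now sit side by side. The body of authsam_account_ok continues outside the hunk.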
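Review bot: The added comment `/* we allow all kinds of trusts here */` states the policy but not why it is safe, and the bare `true` at the end of the authsam_account_ok call gives the reader no name for what is being allowed. This is the KDC accepting ACB_DOMTRUST accounts that the NTLM path in auth_sam.c still rejects with `false`, so the comment should say what legitimately requires that here and what else constrains such accounts, neither of which is visible in this hunk; something like `/* allow_domain_trust=true: the KDC must serve inter-domain trust accounts; the NTLM path (auth_sam.c) still rejects them */` records the decision where a later reader will look. samba_kdc_check_client_access starts before the hunk and continues after it.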