summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/auth.h3
-rw-r--r--source4/auth/ntlm/auth_sam.c3
-rw-r--r--source4/auth/sam.c12
-rw-r--r--source4/kdc/pac-glue.c3
4 files changed, 13 insertions, 8 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index af9ed52f78..360da50f70 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -204,7 +204,8 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
struct ldb_message *msg_domain_ref,
const char *logon_workstation,
- const char *name_for_logs);
+ const char *name_for_logs,
+ bool allow_domain_trust);
struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
const char *netbios_name,
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d1be5b6e30..384d342e00 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -262,7 +262,8 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
msgs[0],
msgs_domain_ref[0],
user_info->workstation_name,
- user_info->mapped.account_name);
+ user_info->mapped.account_name,
+ false);
return nt_status;
}
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f6a998ae0f..4b848cffe0 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -144,7 +144,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
struct ldb_message *msg_domain_ref,
const char *logon_workstation,
- const char *name_for_logs)
+ const char *name_for_logs,
+ bool allow_domain_trust)
{
uint16_t acct_flags;
const char *workstation_list;
@@ -231,11 +232,12 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_LOGON_HOURS;
}
- if (acct_flags & ACB_DOMTRUST) {
- DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
- return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ if (!allow_domain_trust) {
+ if (acct_flags & ACB_DOMTRUST) {
+ DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
+ return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ }
}
-
if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
if (acct_flags & ACB_SVRTRUST) {
DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3f1c1fc63e..74bec85d02 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -270,13 +270,14 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
}
}
+ /* we allow all kinds of trusts here */
nt_status = authsam_account_ok(tmp_ctx,
private->samdb,
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
private->msg,
private->realm_ref_msg,
workstation,
- name);
+ name, true);
free(name);
if (NT_STATUS_IS_OK(nt_status))