From 180245fce0f0d73d924ca6a25db3fc78934c40d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 4 Dec 2008 15:09:21 +0100
Subject: s4:kdc: allow a trusted domain to get kerberos tickets

metze
---
 source4/auth/sam.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'source4/auth/sam.c')

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f6a998ae0f..4b848cffe0 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -144,7 +144,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    struct ldb_message *msg,
 			    struct ldb_message *msg_domain_ref,
 			    const char *logon_workstation,
-			    const char *name_for_logs)
+			    const char *name_for_logs,
+			    bool allow_domain_trust)
 {
 	uint16_t acct_flags;
 	const char *workstation_list;
@@ -231,11 +232,12 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_LOGON_HOURS;
 	}
 	
-	if (acct_flags & ACB_DOMTRUST) {
-		DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
-		return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+	if (!allow_domain_trust) {
+		if (acct_flags & ACB_DOMTRUST) {
+			DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
+			return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+		}
 	}
-	
 	if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
 		if (acct_flags & ACB_SVRTRUST) {
 			DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
-- 
cgit