From 4cfa1f5e1a0f63fad354f55f1f1b01f8179eff10 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 1 Feb 2018 11:06:10 +0100
Subject: [PATCH] s4:kdc: disable support for CROSS_ORGANIZATION domains

We don't support selective authentication yet, so we shouldn't silently allow domain wide authentication for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
(cherry picked from commit 31b5328c46c5f510ba234f75688886987276ee9e)
Autobuild-User(v4-8-test): Stefan Metzmacher
Autobuild-Date(v4-8-test): Thu Mar 1 06:08:56 CET 2018 on sn-devel-144
---
 source4/kdc/db-glue.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 9d633a6e528..8ccc34cd665 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1225,6 +1225,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 goto out;
 }
 
+ if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
+ krb5_clear_error_message(context);
+ ret = SDB_ERR_NOENTRY;
+ goto out;
+ }
+
 if (tdo->domain_name.string == NULL) {
 krb5_clear_error_message(context);
 ret = SDB_ERR_NOENTRY;
-- 
2.11.4.GIT
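Review bot: The new CROSS_ORGANIZATION branch in samba_kdc_trust_message2entry refuses the trust silently: it returns `SDB_ERR_NOENTRY` exactly like the neighbouring checks, so an administrator who enabled selective authentication on a trust sees only an unknown-principal failure with nothing in the logs to explain it. I would log the refusal before `goto out` with the debug macro this file already uses, e.g. `DBG_WARNING("refusing trust with CROSS_ORGANIZATION set: selective authentication is not supported\n");`, and keep `tdo->domain_name.string` out of the message because its NULL check only comes after this branch. The comment could also carry the reason for failing closed, e.g. `/* We don't support selective authentication yet; honouring the trust would silently grant domain-wide authentication. */`. The function starts and ends outside the hunk, so whether other authentication paths for such a trust get the same refusal cannot be judged from here.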