From 6128cd4debc646dcf0da77a86ddf8cf669b9341b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 1 Feb 2018 11:06:10 +0100
Subject: [PATCH 1/4] winbindd: disable support for CROSS_ORGANIZATION domains

We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit afd97e72090aaf31b084646b5fcecaeb8cde653d)
---
 source3/winbindd/winbindd_util.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 73e6b76..b19c42f 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void)
 			trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
 		}
 
+		if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+			/*
+			 * We don't support selective authentication yet.
+			 */
+			DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+				    "domain[%s/%s]\n",
+				    domains[i]->netbios_name,
+				    domains[i]->domain_name);
+			continue;
+		}
+
 		status = add_trusted_domain(domains[i]->netbios_name,
 					    domains[i]->domain_name,
 					    &domains[i]->security_identifier,
-- 
1.9.1


From fb3a95ad2a924e579e49a73f92c173a37e6c9f85 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 1 Feb 2018 11:10:14 +0100
Subject: [PATCH 2/4] s4:kdc: make use of dsdb_trust_parse_tdo_info() in
 samba_kdc_trust_message2entry()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df)
---
 source4/kdc/db-glue.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 69c54b0..5ca2c06 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -57,14 +57,17 @@ enum trust_direction {
 };
 
 static const char *trust_attrs[] = {
+	"securityIdentifier",
+	"flatName",
 	"trustPartner",
+	"trustAttributes",
+	"trustDirection",
+	"trustType",
+	"msDS-TrustForestTrustInfo",
 	"trustAuthIncoming",
 	"trustAuthOutgoing",
 	"whenCreated",
 	"msDS-SupportedEncryptionTypes",
-	"trustAttributes",
-	"trustDirection",
-	"trustType",
 	NULL
 };
 
@@ -1167,7 +1170,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	const char *our_realm = lpcfg_realm(lp_ctx);
-	const char *dnsdomain = NULL;
 	char *partner_realm = NULL;
 	const char *realm = NULL;
 	const char *krbtgt_realm = NULL;
@@ -1183,7 +1185,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	uint32_t previous_kvno;
 	uint32_t num_keys = 0;
 	enum ndr_err_code ndr_err;
-	int ret, trust_direction_flags;
+	int ret;
 	unsigned int i;
 	struct AuthenticationInformationArray *auth_array;
 	struct timeval tv;
@@ -1191,6 +1193,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	uint32_t *auth_kvno;
 	bool preferr_current = false;
 	uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
+	struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+	NTSTATUS status;
 
 	if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
 		supported_enctypes = ldb_msg_find_attr_as_uint(msg,
@@ -1198,20 +1202,25 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 					supported_enctypes);
 	}
 
-	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
-	if (!(trust_direction_flags & direction)) {
+	status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
+	if (!NT_STATUS_IS_OK(status)) {
+		krb5_clear_error_message(context);
+		ret = ENOMEM;
+		goto out;
+	}
+
+	if (!(tdo->trust_direction & direction)) {
 		krb5_clear_error_message(context);
 		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
 
-	dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
-	if (dnsdomain == NULL) {
+	if (tdo->domain_name.string == NULL) {
 		krb5_clear_error_message(context);
 		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
-	partner_realm = strupper_talloc(mem_ctx, dnsdomain);
+	partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string);
 	if (partner_realm == NULL) {
 		krb5_clear_error_message(context);
 		ret = ENOMEM;
-- 
1.9.1


From caadf6313e720ff18554a0a7196b6b4b29b12509 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 1 Feb 2018 11:10:14 +0100
Subject: [PATCH 3/4] s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in
 samba_kdc_trust_message2entry()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d0a813a173be630c2def93cc55e4514204d265a2)
---
 source4/kdc/db-glue.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 5ca2c06..9d633a6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1215,6 +1215,16 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 		goto out;
 	}
 
+	if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+		/*
+		 * Only UPLEVEL domains support kerberos here,
+		 * as we don't support LSA_TRUST_TYPE_MIT.
+		 */
+		krb5_clear_error_message(context);
+		ret = SDB_ERR_NOENTRY;
+		goto out;
+	}
+
 	if (tdo->domain_name.string == NULL) {
 		krb5_clear_error_message(context);
 		ret = SDB_ERR_NOENTRY;
-- 
1.9.1


From 863eeaab64d93417264f3b5c99324c6edc2d0005 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 1 Feb 2018 11:06:10 +0100
Subject: [PATCH 4/4] s4:kdc: disable support for CROSS_ORGANIZATION domains

We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144

(cherry picked from commit 31b5328c46c5f510ba234f75688886987276ee9e)
---
 source4/kdc/db-glue.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 9d633a6..8ccc34c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1225,6 +1225,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 		goto out;
 	}
 
+	if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+		/*
+		 * We don't support selective authentication yet.
+		 */
+		krb5_clear_error_message(context);
+		ret = SDB_ERR_NOENTRY;
+		goto out;
+	}
+
 	if (tdo->domain_name.string == NULL) {
 		krb5_clear_error_message(context);
 		ret = SDB_ERR_NOENTRY;
-- 
1.9.1