From 57300bbf5e5fcb9cb32bd3462e8ed86400b68920 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 5 Jan 2015 16:01:16 +0100
Subject: s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is cleared
Signed-off-by: Stefan Metzmacher
Reviewed-by: Simo Sorce
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Tue Jan 6 22:50:23 CET 2015 on sn-devel-104
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f3d30477e9..cc2048da07 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1366,7 +1366,10 @@ static NTSTATUS get_tdo(struct ldb_context *sam, TALLOC_CTX *mem_ctx,
 "securityIdentifier", "trustDirection",
 "trustType", "trustAttributes",
 "trustPosixOffset",
- "msDs-supportedEncryptionTypes", NULL };
+ "msDs-supportedEncryptionTypes",
+ "msDS-TrustForestTrustInfo",
+ NULL
+ };
 char *dns = NULL;
 char *nbn = NULL;
 char *sidstr = NULL;
@@ -1621,6 +1624,7 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 bool add_incoming = false;
 bool del_outgoing = false;
 bool del_incoming = false;
+ bool del_forest_info = false;
 bool in_transaction = false;
 int ret;
 bool am_rodc;
@@ -1832,6 +1836,18 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 (unsigned)info_ex->trust_attributes));
 return NT_STATUS_INVALID_PARAMETER;
 }
+
+ if (!(info_ex->trust_attributes &
+ LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))
+ {
+ struct ldb_message_element *orig_forest_el = NULL;
+
+ orig_forest_el = ldb_msg_find_element(dom_msg,
+ "msDS-TrustForestTrustInfo");
+ if (orig_forest_el != NULL) {
+ del_forest_info = true;
+ }
+ }
 }
 
 if (enc_types) {
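Review bot: The new `if (!(info_ex->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))` in the third hunk puts its opening brace on a line of its own, unlike `if (orig_forest_el != NULL) {` two lines below and the K&R style of the rest of the function; move `{` up onto the condition line. The block also needs a why-comment, because nothing in it says why the element's presence matters: `/* msDS-TrustForestTrustInfo is only meaningful while FOREST_TRANSITIVE is set; drop it when the flag is cleared so stale forest-trust records do not survive the downgrade */`. Note that the check can only ever see the element if the search that produced dom_msg asked for "msDS-TrustForestTrustInfo" — presumably the get_tdo attribute list extended in the first hunk, worth confirming — otherwise del_forest_info silently stays false. setInfoTrustedDomain_base starts and ends outside the hunk.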
@@ -1872,6 +1888,13 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 }
 }
 }
+ if (del_forest_info) {
+ ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo",
+ LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
 /* start transaction */
 
 ret = ldb_transaction_start(p_state->sam_ldb);
-- cgit
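Review bot: `ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo", LDB_FLAG_MOD_REPLACE, NULL)` removes the attribute only because an LDB replace carrying zero values deletes it, and that is not visible from the call itself; add `/* a replace with no values deletes the attribute */` above the call so the intent of the otherwise odd-looking empty element is clear. Returning NT_STATUS_NO_MEMORY for any non-LDB_SUCCESS result is fine as far as I recall ldb_msg_add_empty can only fail on allocation, but a short comment saying so would spare the next reader the lookup. Since the element is queued on msg before the transaction starts, the deletion rides in the same modify as the trustAttributes change, which is what you want here — assuming msg is indeed the single modify applied later, which is outside the hunk. setInfoTrustedDomain_base continues beyond the hunk on both sides.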