authorAndrew Tridgell <tridge@samba.org>2011-03-28 14:41:36 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-03-29 00:00:22 +0200
commitfdd9540187f019df0560eefe0805700df7d91138 (patch)
treed9302729882cdbd5ec67f0df283bd5d3c73ed379
parentf4d581468c467135553bba657a40ca1eb6ccc11c (diff)
s4-dsdb: only allow administrators to trigger FSMO role transfers
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/rootdse.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 516194d2b7..050cf5e062 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1173,6 +1173,14 @@ static int rootdse_become_master(struct ldb_module *module,
bool am_rodc;
struct dcerpc_binding_handle *irpc_handle;
int ret;
+ struct auth_session_info *session_info;
+ enum security_user_level level;
+
+ session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
+ level = security_session_user_level(session_info, NULL);
+ if (level < SECURITY_ADMINISTRATOR) {
+ return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
+ }
ret = samdb_rodc(ldb, &am_rodc);
if (ret != LDB_SUCCESS) {