authorAndrew Tridgell <tridge@samba.org>2009-09-15 19:25:45 -0700
committerAndrew Tridgell <tridge@samba.org>2009-09-15 19:25:45 -0700
commit7ded0741d9d5a4c2859769e4abfbc197aed0e5e1 (patch)
tree9c9d10956c39f1262780aade62becfd791b567f6
parent10e25fc5e90e9eaabedc2f3477ac1e8947c88c77 (diff)
s4-security: added a new security level SECURITY_DOMAIN_CONTROLLER
This will be used as a simple way to lock down DRS replication to administrators and domain controllers
-rw-r--r--source4/libcli/security/security.h1
-rw-r--r--source4/libcli/security/security_token.c9
2 files changed, 10 insertions, 0 deletions
diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h
index 6dbbe014e7..3cfa484816 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -22,6 +22,7 @@
enum security_user_level {
SECURITY_ANONYMOUS,
SECURITY_USER,
+ SECURITY_DOMAIN_CONTROLLER,
SECURITY_ADMINISTRATOR,
SECURITY_SYSTEM
};
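Review bot: Inserting `SECURITY_DOMAIN_CONTROLLER` in the middle of `enum security_user_level` renumbers `SECURITY_ADMINISTRATOR` and `SECURITY_SYSTEM`, and it makes the enum's order part of the access policy without documenting it. Callers are not visible in this commit, so any that compare levels with `<` or `>=`, or that store or log the numeric value, should be re-checked. A `>= SECURITY_DOMAIN_CONTROLLER` test admits administrators and SYSTEM as well, and an `== SECURITY_USER` test would no longer match a domain controller account. I would add a comment above the enum such as `/* ordered from least to most privileged; level comparisons rely on this order, do not reorder */`.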
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index 0764dfeb8f..d3eff93ddb 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -142,6 +142,11 @@ bool security_token_has_nt_authenticated_users(const struct security_token *toke
return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
}
+bool security_token_has_enterprise_dcs(const struct security_token *token)
+{
+ return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS);
+}
+
enum security_user_level security_session_user_level(struct auth_session_info *session_info)
{
if (!session_info) {
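Review bot: `security_token_has_enterprise_dcs()` is added without a comment, although it now feeds an authorization decision. A one-line header would help, for example `/* true if the token carries the well-known Enterprise Domain Controllers SID (SID_NT_ENTERPRISE_DCS, S-1-5-9) */`. NULL-token handling is delegated to `security_token_has_sid_string()`, which is not visible here, so the comment should say whether a NULL `token` is allowed. The enclosing `security_session_user_level()` continues past the end of this hunk.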
@@ -160,6 +165,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
return SECURITY_ADMINISTRATOR;
}
+ if (security_token_has_enterprise_dcs(session_info->security_token)) {
+ return SECURITY_DOMAIN_CONTROLLER;
+ }
+
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return SECURITY_USER;
}
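Review bot: The new branch grants `SECURITY_DOMAIN_CONTROLLER` purely on the presence of `SID_NT_ENTERPRISE_DCS` in `session_info->security_token`, so the level is only as trustworthy as the code that builds the token, which this commit does not show. The commit message says this level is meant to gate DRS replication, so that assumption deserves a comment at the check, e.g. `/* relies on the auth layer adding SID_NT_ENTERPRISE_DCS only for authenticated DC accounts */`. The placement after the administrator test and before the authenticated-users test looks intentional, since a token with both SIDs still yields `SECURITY_ADMINISTRATOR`; saying so in the comment would stop a later reorder from silently changing who passes. The function starts and ends outside this hunk.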