author | Andrew Tridgell <tridge@samba.org> | 2010-08-18 14:27:17 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-08-20 20:34:11 +1000 |
commit | dc7cf47371e15a1bfe8c97341773076f00c67aa1 (patch) | |
tree | 1aefe4ad9f82747a6ee723590c418ca9f7256890 | |
parent | 34092c11b49a8bb16838be414cb71b0b5c2136bf (diff) | |
s4-drs: added sam_ctx_system on DRS bind state
The getncchanges call needs to be able to access the sam as the system
user for RODC clients. To do this it needs a sam_ctx connection with
system credentials.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 19 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 1 |
2 files changed, 20 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index a46937b3ea..95113dd18d 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -57,6 +57,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 int ret;
 struct auth_session_info *auth_info;
 WERROR werr;
+ bool connected_as_system = false;
 
 r->out.bind_info = NULL;
 ZERO_STRUCTP(r->out.bind_handle);
@@ -69,6 +70,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 if (W_ERROR_IS_OK(werr)) {
 DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
 auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
+ connected_as_system = true;
 } else {
 auth_info = dce_call->conn->auth_state.session_info;
 }
@@ -82,6 +84,23 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 return WERR_FOOBAR;
 }
 
+ if (connected_as_system) {
+ b_state->sam_ctx_system = b_state->sam_ctx;
+ } else {
+ /* an RODC also needs system samdb access for secret
+ attribute replication */
+ werr = drs_security_level_check(dce_call, NULL, SECURITY_RO_DOMAIN_CONTROLLER,
+ samdb_domain_sid(b_state->sam_ctx));
+ if (W_ERROR_IS_OK(werr)) {
+ b_state->sam_ctx_system = samdb_connect(b_state, dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ system_session(dce_call->conn->dce_ctx->lp_ctx));
+ if (!b_state->sam_ctx_system) {
+ return WERR_FOOBAR;
+ }
+ }
+ }
+
 /*
 * find out the guid of our own site
 */
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 04bb3db984..818813ed57 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
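Review bot: In the third hunk of dcesrv_drsuapi_DsBind, `b_state->sam_ctx_system` is assigned only on the system-session and RODC paths; for every other caller it keeps whatever value the allocation of `b_state` gave it, which is outside this hunk, so every consumer of the field (getncchanges per the commit message) has to treat it as possibly NULL. An explicit `b_state->sam_ctx_system = NULL;` before the `if (connected_as_system)` branch, or a comment stating that an unset field means the bound caller is not entitled to system-level samdb access, would make that contract visible at the point where the privilege decision is made. The non-OK result of `drs_security_level_check` is deliberately discarded here (`werr` is overwritten and not returned), which is appropriate for a capability probe but deserves a one-line comment such as `/* not an RODC: no system samdb access, leave sam_ctx_system unset */` next to the `if (W_ERROR_IS_OK(werr))` line so it is not mistaken for a dropped error. The function starts and ends outside the hunk.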
@@ -31,6 +31,7 @@ enum drsuapi_handle {
 */
 struct drsuapi_bind_state {
 struct ldb_context *sam_ctx;
+ struct ldb_context *sam_ctx_system;
 struct GUID remote_bind_guid;
 struct drsuapi_DsBindInfo28 remote_info28;
 struct drsuapi_DsBindInfo28 local_info28; |
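Review bot: The new `sam_ctx_system` member carries no comment, and it is the only field in this struct that points at a samdb connection opened with credentials other than the bound caller's, so a reader cannot tell it apart from `sam_ctx` without going back to DsBind. Suggest a comment above the member along the lines of `/* samdb connection with system credentials; set only for system or RODC binds, otherwise may be NULL - never use it for caller-scoped queries */`. The struct definition continues beyond the hunk.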