s4-netlogon: added SEC_CHAN_RODC

This seems to be equivalent to SEC_CHAN_BDC, but for RODCs

2 files changed, 7 insertions, 1 deletions

diff --git a/librpc/idl/misc.idl b/librpc/idl/misc.idl
index a60d30bef2..e92846043d 100644
--- a/librpc/idl/misc.idl
+++ b/librpc/idl/misc.idl
@@ -40,7 +40,8 @@ interface misc
 		SEC_CHAN_WKSTA       = 2,
 		SEC_CHAN_DNS_DOMAIN  = 3,
 		SEC_CHAN_DOMAIN      = 4,
-		SEC_CHAN_BDC         = 6
+		SEC_CHAN_BDC         = 6,
+		SEC_CHAN_RODC        = 7
 	} netr_SchannelType;
 
 	typedef [public] struct {
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 9d8195aaad..5893bd4821 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -217,6 +217,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 			DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control));
 			return NT_STATUS_ACCESS_DENIED;
 		}
+	} else if (r->in.secure_channel_type == SEC_CHAN_RODC) {
+		if (!(user_account_control & UF_PARTIAL_SECRETS_ACCOUNT)) {
+			DEBUG(1, ("Client asked for a RODC secure channel, but is not a RODC: acb flags: 0x%x\n", user_account_control));
+			return NT_STATUS_ACCESS_DENIED;
+		}
 	} else {
 		DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
 			  r->in.secure_channel_type));