summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-08-17 14:12:21 +1000
committerAndrew Tridgell <tridge@samba.org>2010-08-17 21:21:50 +1000
commit45a2b408ba16ebabedc519a7235b05c104dede6b (patch)
tree2d19a5608d123252a2e21297ead88776f61fc611
parent84bedf4028a5c841f08c079bfd20b9111fe52777 (diff)
downloadsamba-45a2b408ba16ebabedc519a7235b05c104dede6b.tar.gz
samba-45a2b408ba16ebabedc519a7235b05c104dede6b.tar.bz2
samba-45a2b408ba16ebabedc519a7235b05c104dede6b.zip
s4-drs: added domain_sid to DRS security checks
we need the domain_sid to determine if the account is a RODC for our domain Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/rpc_server/drsuapi/addentry.c2
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.c8
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.h3
-rw-r--r--source4/rpc_server/drsuapi/drsutil.c5
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c3
-rw-r--r--source4/rpc_server/drsuapi/updaterefs.c3
6 files changed, 14 insertions, 10 deletions
diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index ab75ff4005..bb254cb3ee 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -171,7 +171,7 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
- status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER);
+ status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
}
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index e4dd2f28a6..a46937b3ea 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -65,7 +65,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
W_ERROR_HAVE_NO_MEMORY(b_state);
/* if this is a DC connecting, give them system level access */
- werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER);
+ werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER, NULL);
if (W_ERROR_IS_OK(werr)) {
DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
@@ -247,7 +247,7 @@ static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, T
{
WERROR status;
- status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER);
+ status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
}
@@ -400,7 +400,7 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
*r->out.level_out = 1;
- status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER);
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
}
@@ -725,7 +725,7 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA
struct drsuapi_DsExecuteKCC *r)
{
WERROR status;
- status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER);
+ status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 3b733deec1..04bb3db984 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -63,7 +63,8 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
enum security_user_level;
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
- const char* call, enum security_user_level minimum_level);
+ const char* call, enum security_user_level minimum_level,
+ const struct dom_sid *domain_sid);
void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
struct drsuapi_DsReplicaMetaData *meta_data);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index e29c14dbc1..f20082f6bb 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -103,7 +103,8 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
const char* call,
- enum security_user_level minimum_level)
+ enum security_user_level minimum_level,
+ const struct dom_sid *domain_sid)
{
enum security_user_level level;
@@ -112,7 +113,7 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
return WERR_OK;
}
- level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+ level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
if (level < minimum_level) {
if (call) {
DEBUG(0,("%s refused for security token (level=%u)\n",
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index cea5fc99c6..dcf1dbef5c 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -760,7 +760,8 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_SOURCE_DISABLED;
}
- werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER);
+ werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER,
+ samdb_domain_sid(b_state->sam_ctx));
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index d52a77959a..daf057d6d6 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -197,7 +197,8 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
- werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs", SECURITY_RO_DOMAIN_CONTROLLER);
+ werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs", SECURITY_RO_DOMAIN_CONTROLLER,
+ samdb_domain_sid(b_state->sam_ctx));
if (!W_ERROR_IS_OK(werr)) {
return werr;
}