summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-04-22 16:56:40 +1000
committerAndrew Tridgell <tridge@samba.org>2010-04-22 19:36:16 +1000
commite7262b51d1a8905ba3b874f5d48eab4292ebca4d (patch)
treef0ee713edc851370524f8c78b850d8d3de8e3f5c
parentbb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e (diff)
downloadsamba-e7262b51d1a8905ba3b874f5d48eab4292ebca4d.tar.gz
samba-e7262b51d1a8905ba3b874f5d48eab4292ebca4d.tar.bz2
samba-e7262b51d1a8905ba3b874f5d48eab4292ebca4d.zip
s4-drs: validate RODC credentials via the user_sid
This checks whether a replication client is a RODC by inclusion of the the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token Pair-Programmed-With: Rusty Russell <rusty@samba.org> Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c39
1 files changed, 12 insertions, 27 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 50de087662..6a8ab3b201 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -751,31 +751,21 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_SOURCE_DISABLED;
}
- /* for non-administrator replications, check that they have
- given the correct source_dsa_invocation_id */
- security_level = security_session_user_level(dce_call->conn->auth_state.session_info);
-
- if (security_level < SECURITY_ADMINISTRATOR) {
- /* validate their guid */
- ret = dsdb_validate_invocation_id(b_state->sam_ctx,
- &req8->source_dsa_invocation_id,
- dce_call->conn->auth_state.session_info->security_token->user_sid);
- if (ret != LDB_SUCCESS) {
- DEBUG(0,(__location__ ": Attempted replication with invalid invocationId %s\n",
- GUID_string(mem_ctx, &req8->source_dsa_invocation_id)));
- return WERR_DS_DRA_INVALID_PARAMETER;
- }
+ werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
- if (security_level < SECURITY_ADMINISTRATOR &&
+ /* for non-administrator replications, check that they have
+ given the correct source_dsa_invocation_id */
+ security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
+ samdb_domain_sid(b_state->sam_ctx));
+ if (security_level == SECURITY_RO_DOMAIN_CONTROLLER &&
(req8->replica_flags & DRSUAPI_DRS_WRIT_REP)) {
- bool is_rodc;
- ret = samdb_is_rodc(b_state->sam_ctx, &req8->source_dsa_invocation_id, &is_rodc);
- if (ret != LDB_SUCCESS || is_rodc) {
- DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n",
- GUID_string(mem_ctx, &req8->source_dsa_invocation_id)));
- return WERR_DS_DRA_INVALID_PARAMETER;
- }
+ DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n",
+ dom_sid_string(mem_ctx,
+ dce_call->conn->auth_state.session_info->security_token->user_sid)));
+ return WERR_DS_DRA_INVALID_PARAMETER;
}
@@ -784,11 +774,6 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
req8->uptodateness_vector = NULL;
}
- werr = drs_security_level_check(dce_call, "DsGetNCChanges");
- if (!W_ERROR_IS_OK(werr)) {
- return werr;
- }
-
/* we don't yet support extended operations */
switch (req8->extended_op) {
case DRSUAPI_EXOP_NONE: