author | Andrew Tridgell <tridge@samba.org> | 2011-03-28 14:41:36 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-03-29 00:00:22 +0200 |
commit | fdd9540187f019df0560eefe0805700df7d91138 (patch) | |
tree | d9302729882cdbd5ec67f0df283bd5d3c73ed379 | |
parent | f4d581468c467135553bba657a40ca1eb6ccc11c (diff) | |
s4-dsdb: only allow administrators to trigger FSMO role transfers
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/rootdse.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 516194d2b7..050cf5e062 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1173,6 +1173,14 @@ static int rootdse_become_master(struct ldb_module *module,
 bool am_rodc;
 struct dcerpc_binding_handle *irpc_handle;
 int ret;
+ struct auth_session_info *session_info;
+ enum security_user_level level;
+
+ session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
+ level = security_session_user_level(session_info, NULL);
+ if (level < SECURITY_ADMINISTRATOR) {
+ return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
+ }

 ret = samdb_rodc(ldb, &am_rodc);
 if (ret != LDB_SUCCESS) { |
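Review bot: The new access check in rootdse_become_master depends on the "sessionInfo" opaque being set, and the hunk does not show what security_session_user_level() does when ldb_get_opaque() returns NULL, so the denial is fail-closed only if a NULL session maps to a level below SECURITY_ADMINISTRATOR. I would state that assumption next to the lookup with a comment such as `/* a connection without sessionInfo must be treated as unprivileged and rejected here */`, or make it explicit by rejecting `session_info == NULL` with the same ldb_error() before the `level =` line. The lookup can also reuse the `ldb` variable that ldb_error() and samdb_rodc() already use, `ldb_get_opaque(ldb, "sessionInfo")`, instead of calling ldb_module_get_ctx(module) a second time. The function body starts and ends outside the hunk, so whether the early return skips cleanup of anything allocated above it cannot be confirmed from here.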