summaryrefslogtreecommitdiff
path: root/source4/libcli/security
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-04-22 16:48:01 +1000
committerAndrew Tridgell <tridge@samba.org>2010-04-22 19:36:16 +1000
commitbb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e (patch)
tree8fd3704eb6819063b1916c78bb1893ba16c7fe72 /source4/libcli/security
parentec0bb2f46b855d44cccb71a5511c2acb7d8eae09 (diff)
downloadsamba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.tar.gz
samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.tar.bz2
samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.zip
s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level
This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Diffstat (limited to 'source4/libcli/security')
-rw-r--r--source4/libcli/security/security.h11
-rw-r--r--source4/libcli/security/security_token.c13
2 files changed, 18 insertions, 6 deletions
diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h
index e3fdb0c794..585170ed61 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -23,11 +23,12 @@
#include "librpc/gen_ndr/security.h"
enum security_user_level {
- SECURITY_ANONYMOUS,
- SECURITY_USER,
- SECURITY_DOMAIN_CONTROLLER,
- SECURITY_ADMINISTRATOR,
- SECURITY_SYSTEM
+ SECURITY_ANONYMOUS = 0,
+ SECURITY_USER = 10,
+ SECURITY_RO_DOMAIN_CONTROLLER = 20,
+ SECURITY_DOMAIN_CONTROLLER = 30,
+ SECURITY_ADMINISTRATOR = 40,
+ SECURITY_SYSTEM = 50
};
struct auth_session_info;
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index d3eff93ddb..f105ed391f 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -147,7 +147,8 @@ bool security_token_has_enterprise_dcs(const struct security_token *token)
return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS);
}
-enum security_user_level security_session_user_level(struct auth_session_info *session_info)
+enum security_user_level security_session_user_level(struct auth_session_info *session_info,
+ const struct dom_sid *domain_sid)
{
if (!session_info) {
return SECURITY_ANONYMOUS;
@@ -165,6 +166,16 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
return SECURITY_ADMINISTRATOR;
}
+ if (domain_sid &&
+ dom_sid_in_domain(domain_sid, session_info->security_token->user_sid)) {
+ uint32_t rid;
+ NTSTATUS status = dom_sid_split_rid(NULL, session_info->security_token->user_sid,
+ NULL, &rid);
+ if (NT_STATUS_IS_OK(status) && rid == DOMAIN_RID_ENTERPRISE_READONLY_DCS) {
+ return SECURITY_RO_DOMAIN_CONTROLLER;
+ }
+ }
+
if (security_token_has_enterprise_dcs(session_info->security_token)) {
return SECURITY_DOMAIN_CONTROLLER;
}