s4-drs: lock down key DRS calls

The key DRS calls should only be allowed by administrators or domain
controllers

1 files changed, 7 insertions, 0 deletions

diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index ae478027a6..edf46aa5fb 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -30,6 +30,7 @@
 #include "librpc/gen_ndr/ndr_drsblobs.h"
 #include "auth/auth.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
 
 
 /*
@@ -149,6 +150,12 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 	b_state = h->data;
 
+	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+	    SECURITY_DOMAIN_CONTROLLER) {
+		DEBUG(0,("DsAddEntry refused for security token\n"));
+		return WERR_DS_DRA_ACCESS_DENIED;
+	}
+
 	switch (r->in.level) {
 	case 2:
 		ret = ldb_transaction_start(b_state->sam_ctx);