authorAnatoliy Atanasov <anatoliy.atanasov@postpath.com>2009-09-19 15:08:19 -0700
committerAndrew Tridgell <tridge@samba.org>2009-09-19 15:39:40 -0700
commit6e56261eb7d417b488da2d3b051fb8284abb3fbd (patch)
tree1321e372a625c703b02258e10299d856f4dfb329 /source4/rpc_server/drsuapi/dcesrv_drsuapi.c
parent2b5d1dfe6be0ba586d4af54f4b5ccd478ff4db77 (diff)
Add drs_security_level_check for dcesrv calls security checks
The security check can also be disabled by setting the following in the smb.conf file: drs:disable_sec_check = true
Diffstat (limited to 'source4/rpc_server/drsuapi/dcesrv_drsuapi.c')
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index f96c4c03da..9903f08746 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -228,15 +228,17 @@ static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC
static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaSync *r)
{
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaSync refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
&ndr_table_drsuapi,
"dreplsrv", "DsReplicaSync");
+
return WERR_OK;
}
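Review bot: The access decision for DsReplicaSync now rests entirely on drs_security_level_check(), which is defined outside this file's diff and, per the commit message, can be switched off with `drs:disable_sec_check = true`; nothing at the call site tells a reader that the gate is configurable. The same applies to the DsRemoveDSServer hunk below, whose body continues past the hunk and which, judging by its name, changes directory state once the check passes. I would add a comment above each call, for example `/* requires DC-level session unless drs:disable_sec_check is set in smb.conf */`. It is also worth confirming that the helper still logs the refused call name, as the removed `DEBUG(0, ...)` lines did, and logs prominently whenever the bypass is active, so that a server running with the check disabled shows up in the logs.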
@@ -453,14 +455,14 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
struct ldb_dn *ntds_dn;
int ret;
bool ok;
+ WERROR status;
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsRemoveDSServer refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);