diff options
author | Anatoliy Atanasov <anatoliy.atanasov@postpath.com> | 2009-09-19 15:08:19 -0700 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-09-19 15:39:40 -0700 |
commit | 6e56261eb7d417b488da2d3b051fb8284abb3fbd (patch) | |
tree | 1321e372a625c703b02258e10299d856f4dfb329 /source4/rpc_server/drsuapi/drsutil.c | |
parent | 2b5d1dfe6be0ba586d4af54f4b5ccd478ff4db77 (diff) | |
download | samba-6e56261eb7d417b488da2d3b051fb8284abb3fbd.tar.gz samba-6e56261eb7d417b488da2d3b051fb8284abb3fbd.tar.bz2 samba-6e56261eb7d417b488da2d3b051fb8284abb3fbd.zip |
Add drs_security_level_check for dcesrv calls security checks
There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
Diffstat (limited to 'source4/rpc_server/drsuapi/drsutil.c')
-rw-r--r-- | source4/rpc_server/drsuapi/drsutil.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c index 305e298e00..f4155192d7 100644 --- a/source4/rpc_server/drsuapi/drsutil.c +++ b/source4/rpc_server/drsuapi/drsutil.c @@ -24,6 +24,7 @@ #include "dsdb/samdb/samdb.h" #include "libcli/security/dom_sid.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" /* format a drsuapi_DsReplicaObjectIdentifier naming context as a string @@ -101,3 +102,17 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb, return ret; } +WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call) +{ + if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) { + return WERR_OK; + } + + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsReplicaGetInfo refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + + return WERR_OK; +} |