author | Andrew Tridgell <tridge@samba.org> | 2010-04-22 16:48:01 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-04-22 19:36:16 +1000 |
commit | bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e (patch) | |
tree | 8fd3704eb6819063b1916c78bb1893ba16c7fe72 /source4/rpc_server/drsuapi/drsutil.c | |
parent | ec0bb2f46b855d44cccb71a5511c2acb7d8eae09 (diff) | |
s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Diffstat (limited to 'source4/rpc_server/drsuapi/drsutil.c')
-rw-r--r-- | source4/rpc_server/drsuapi/drsutil.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 28ec7bb848..11eff25fab 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -101,7 +101,9 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 return ret;
 }
-WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call,
+ enum security_user_level minimum_level)
 {
 enum security_user_level level;
@@ -110,8 +112,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char*
 return WERR_OK;
 }
- level = security_session_user_level(dce_call->conn->auth_state.session_info);
- if (level < SECURITY_DOMAIN_CONTROLLER) {
+ level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+ if (level < minimum_level) {
 if (call) {
 DEBUG(0,("%s refused for security token (level=%u)\n", call, (unsigned)level)); |
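Review bot: The new `minimum_level` parameter of `drs_security_level_check()` has no comment stating its contract, and the check in the next hunk compares it with `<`, which is only correct if `enum security_user_level` is declared in ascending order of privilege with the new RODC level below `SECURITY_DOMAIN_CONTROLLER`. I would add above the signature: `/* refuse the call unless the session's level is at least minimum_level; relies on enum security_user_level being ordered by privilege */`. The enum declaration is not part of this file's diff, so the ordering should be confirmed where it is defined. Since every caller now picks its own floor, each call site should be checked to confirm it does not pass a lower level than the operation needs.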
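Review bot: Passing `NULL` as the new second argument of `security_session_user_level()` looks at odds with the commit message, which says the domain_sid argument was added for the RODC level. If the helper needs the domain SID to recognise an RODC (its body is not shown here), this check may never see `SECURITY_RO_DOMAIN_CONTROLLER`, so a caller passing that as `minimum_level` would presumably refuse RODCs. That fails closed, but it should either be fixed by passing the domain SID or explained with a comment such as `/* no domain_sid available here: RODC sessions are not recognised as such */`. The refusal log would also be more useful for audit if it recorded the floor, e.g. `DEBUG(0,("%s refused for security token (level=%u, required=%u)\n", call, (unsigned)level, (unsigned)minimum_level));`. The function body, including the early `return WERR_OK` path, starts before and continues after this hunk.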