diff options
author | Andrew Tridgell <tridge@samba.org> | 2009-09-15 19:26:33 -0700 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-09-15 19:52:25 -0700 |
commit | 5d2dfd12cf779c410e041a1815e5e3edf0ea38d8 (patch) | |
tree | 5f22b2c8eeb4159875f47055b50a2e5ee36e0143 /source4/rpc_server/drsuapi/updaterefs.c | |
parent | 7ded0741d9d5a4c2859769e4abfbc197aed0e5e1 (diff) | |
download | samba-5d2dfd12cf779c410e041a1815e5e3edf0ea38d8.tar.gz samba-5d2dfd12cf779c410e041a1815e5e3edf0ea38d8.tar.bz2 samba-5d2dfd12cf779c410e041a1815e5e3edf0ea38d8.zip |
s4-drs: lock down key DRS calls
The key DRS calls should only be allowed by administrators or domain
controllers
Diffstat (limited to 'source4/rpc_server/drsuapi/updaterefs.c')
-rw-r--r-- | source4/rpc_server/drsuapi/updaterefs.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index 45244c7801..34ff0caa14 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -29,6 +29,7 @@ #include "librpc/gen_ndr/ndr_drsblobs.h" #include "auth/auth.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" struct repsTo { uint32_t count; @@ -109,6 +110,12 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA WERROR werr; struct ldb_dn *dn; + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsReplicaUpdateRefs refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + if (r->in.level != 1) { DEBUG(0,("DrReplicUpdateRefs - unsupported level %u\n", r->in.level)); return WERR_DS_DRA_INVALID_PARAMETER; |