diff options
author | Andrew Tridgell <tridge@samba.org> | 2010-04-22 16:56:40 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-04-22 19:36:16 +1000 |
commit | e7262b51d1a8905ba3b874f5d48eab4292ebca4d (patch) | |
tree | f0ee713edc851370524f8c78b850d8d3de8e3f5c /source4/rpc_server | |
parent | bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e (diff) | |
download | samba-e7262b51d1a8905ba3b874f5d48eab4292ebca4d.tar.gz samba-e7262b51d1a8905ba3b874f5d48eab4292ebca4d.tar.bz2 samba-e7262b51d1a8905ba3b874f5d48eab4292ebca4d.zip |
s4-drs: validate RODC credentials via the user_sid
This checks whether a replication client is a RODC by inclusion of the
the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 39 |
1 files changed, 12 insertions, 27 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index 50de087662..6a8ab3b201 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -751,31 +751,21 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_SOURCE_DISABLED; } - /* for non-administrator replications, check that they have - given the correct source_dsa_invocation_id */ - security_level = security_session_user_level(dce_call->conn->auth_state.session_info); - - if (security_level < SECURITY_ADMINISTRATOR) { - /* validate their guid */ - ret = dsdb_validate_invocation_id(b_state->sam_ctx, - &req8->source_dsa_invocation_id, - dce_call->conn->auth_state.session_info->security_token->user_sid); - if (ret != LDB_SUCCESS) { - DEBUG(0,(__location__ ": Attempted replication with invalid invocationId %s\n", - GUID_string(mem_ctx, &req8->source_dsa_invocation_id))); - return WERR_DS_DRA_INVALID_PARAMETER; - } + werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER); + if (!W_ERROR_IS_OK(werr)) { + return werr; } - if (security_level < SECURITY_ADMINISTRATOR && + /* for non-administrator replications, check that they have + given the correct source_dsa_invocation_id */ + security_level = security_session_user_level(dce_call->conn->auth_state.session_info, + samdb_domain_sid(b_state->sam_ctx)); + if (security_level == SECURITY_RO_DOMAIN_CONTROLLER && (req8->replica_flags & DRSUAPI_DRS_WRIT_REP)) { - bool is_rodc; - ret = samdb_is_rodc(b_state->sam_ctx, &req8->source_dsa_invocation_id, &is_rodc); - if (ret != LDB_SUCCESS || is_rodc) { - DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n", - GUID_string(mem_ctx, &req8->source_dsa_invocation_id))); - return WERR_DS_DRA_INVALID_PARAMETER; - } + DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n", + dom_sid_string(mem_ctx, + dce_call->conn->auth_state.session_info->security_token->user_sid))); + return WERR_DS_DRA_INVALID_PARAMETER; } @@ -784,11 +774,6 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ req8->uptodateness_vector = NULL; } - werr = drs_security_level_check(dce_call, "DsGetNCChanges"); - if (!W_ERROR_IS_OK(werr)) { - return werr; - } - /* we don't yet support extended operations */ switch (req8->extended_op) { case DRSUAPI_EXOP_NONE: |