Add drs_security_level_check for dcesrv calls security checks

There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true

6 files changed, 36 insertions, 20 deletions

diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index 25f2aaaa29..74de772f7a 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -151,10 +151,9 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 	b_state = h->data;
 
-	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-	    SECURITY_DOMAIN_CONTROLLER) {
-		DEBUG(0,("DsAddEntry refused for security token\n"));
-		return WERR_DS_DRA_ACCESS_DENIED;
+	status = drs_security_level_check(dce_call, "DsAddEntry");
+	if (!W_ERROR_IS_OK(status)) {
+		return status;
 	}
 
 	switch (r->in.level) {
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index f96c4c03da..9903f08746 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -228,15 +228,17 @@ static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC
 static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 					   struct drsuapi_DsReplicaSync *r)
 {
-	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-	    SECURITY_DOMAIN_CONTROLLER) {
-		DEBUG(0,("DsReplicaSync refused for security token\n"));
-		return WERR_DS_DRA_ACCESS_DENIED;
+	WERROR status;
+
+	status = drs_security_level_check(dce_call, "DsReplicaSync");
+	if (!W_ERROR_IS_OK(status)) {
+		return status;
 	}
 
 	dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
 				     &ndr_table_drsuapi,
 				     "dreplsrv", "DsReplicaSync");
+
 	return WERR_OK;
 }
 
@@ -453,14 +455,14 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
 	struct ldb_dn *ntds_dn;
 	int ret;
 	bool ok;
+	WERROR status;
 
 	ZERO_STRUCT(r->out.res);
 	*r->out.level_out = 1;
 
-	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-	    SECURITY_DOMAIN_CONTROLLER) {
-		DEBUG(0,("DsRemoveDSServer refused for security token\n"));
-		return WERR_DS_DRA_ACCESS_DENIED;
+	status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+	if (!W_ERROR_IS_OK(status)) {
+		return status;
 	}
 
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 3f69a3fb52..685203360b 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -56,3 +56,5 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 				    const char * const *attrs,
 				    const char *format, ...) PRINTF_ATTRIBUTE(7,8);
 
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+				const char* call);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 305e298e00..f4155192d7 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -24,6 +24,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/dom_sid.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
 
 /*
   format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@@ -101,3 +102,17 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 	return ret;
 }
 
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+{
+	if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+		return WERR_OK;
+	}
+
+	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+		SECURITY_DOMAIN_CONTROLLER) {
+		DEBUG(0,("DsReplicaGetInfo refused for security token\n"));
+		return WERR_DS_DRA_ACCESS_DENIED;
+	}
+
+	return WERR_OK;
+}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 52d751bcd7..f84ffda094 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -301,10 +301,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 		return WERR_DS_DRA_BAD_NC;
 	}
 
-	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-	    SECURITY_DOMAIN_CONTROLLER) {
-		DEBUG(0,("getncchanges refused for security token\n"));
-		return WERR_DS_DRA_ACCESS_DENIED;
+	werr = drs_security_level_check(dce_call, "DsGetNCChanges");
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
 	}
 
 	/*
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 6e97024d77..e12be6f058 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -105,10 +105,9 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 	WERROR werr;
 	struct ldb_dn *dn;
 
-	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-	    SECURITY_DOMAIN_CONTROLLER) {
-		DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
-		return WERR_DS_DRA_ACCESS_DENIED;
+	werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
 	}
 
 	if (r->in.level != 1) {