summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/rpc_server/drsuapi/addentry.c7
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.c18
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.h2
-rw-r--r--source4/rpc_server/drsuapi/drsutil.c15
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c7
-rw-r--r--source4/rpc_server/drsuapi/updaterefs.c7
6 files changed, 36 insertions, 20 deletions
diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index 25f2aaaa29..74de772f7a 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -151,10 +151,9 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsAddEntry refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsAddEntry");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
switch (r->in.level) {
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index f96c4c03da..9903f08746 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -228,15 +228,17 @@ static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC
static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaSync *r)
{
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaSync refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
&ndr_table_drsuapi,
"dreplsrv", "DsReplicaSync");
+
return WERR_OK;
}
@@ -453,14 +455,14 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
struct ldb_dn *ntds_dn;
int ret;
bool ok;
+ WERROR status;
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsRemoveDSServer refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 3f69a3fb52..685203360b 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -56,3 +56,5 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
const char * const *attrs,
const char *format, ...) PRINTF_ATTRIBUTE(7,8);
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 305e298e00..f4155192d7 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -24,6 +24,7 @@
#include "dsdb/samdb/samdb.h"
#include "libcli/security/dom_sid.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
/*
format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@@ -101,3 +102,17 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
return ret;
}
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+{
+ if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+ return WERR_OK;
+ }
+
+ if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsReplicaGetInfo refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ return WERR_OK;
+}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 52d751bcd7..f84ffda094 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -301,10 +301,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_BAD_NC;
}
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("getncchanges refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsGetNCChanges");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
/*
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 6e97024d77..e12be6f058 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -105,10 +105,9 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
WERROR werr;
struct ldb_dn *dn;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
if (r->in.level != 1) {