From 7ded0741d9d5a4c2859769e4abfbc197aed0e5e1 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 15 Sep 2009 19:25:45 -0700
Subject: s4-security: added a new security level SECURITY_DOMAIN_CONTROLLER

This will be used as a simple way to lock down DRS replication to administrators and domain controllers
---
 source4/libcli/security/security.h | 1 +
 source4/libcli/security/security_token.c | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h
index 6dbbe014e7..3cfa484816 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -22,6 +22,7 @@
 enum security_user_level {
 SECURITY_ANONYMOUS,
 SECURITY_USER,
+ SECURITY_DOMAIN_CONTROLLER,
 SECURITY_ADMINISTRATOR,
 SECURITY_SYSTEM
 };
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index 0764dfeb8f..d3eff93ddb 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -142,6 +142,11 @@ bool security_token_has_nt_authenticated_users(const struct security_token *toke
 return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
 }

+bool security_token_has_enterprise_dcs(const struct security_token *token)
+{
+ return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS);
+}
+
 enum security_user_level security_session_user_level(struct auth_session_info *session_info)
 {
 if (!session_info) {
@@ -160,6 +165,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 return SECURITY_ADMINISTRATOR;
 }

+ if (security_token_has_enterprise_dcs(session_info->security_token)) {
+ return SECURITY_DOMAIN_CONTROLLER;
+ }
+
 if (security_token_has_nt_authenticated_users(session_info->security_token)) {
 return SECURITY_USER;
 }
-- cgit
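Review bot: Inserting SECURITY_DOMAIN_CONTROLLER between SECURITY_USER and SECURITY_ADMINISTRATOR renumbers the two higher levels, because the enumerators carry no explicit values, and it makes the declaration order part of the authorization contract without saying so. Callers are not visible in this diff, but any that compares levels ordinally (for instance `level > SECURITY_USER`) would now admit domain-controller sessions, and any numeric level that is stored or passed between separately built components changes meaning. I would add a comment above the enum such as `/* Ordered by increasing privilege; access checks compare levels with < and >=, so new levels must be placed deliberately. */` and audit the existing comparisons against SECURITY_USER and SECURITY_ADMINISTRATOR.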
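Review bot: security_token_has_enterprise_dcs() is added without a comment even though it becomes the sole test behind an elevated security level, so what it guarantees is left to the reader. It is a pure membership test on the token's SID list and says nothing about how that SID got there. I would document it with `/* True if the token lists the well-known Enterprise Domain Controllers SID (SID_NT_ENTERPRISE_DCS); membership only, the token's origin is trusted as-is. */`. How a NULL token is handled depends on security_token_has_sid_string(), which is outside this hunk.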
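Review bot: A session whose token holds both the Enterprise DCs SID and Authenticated Users is now reported as SECURITY_DOMAIN_CONTROLLER where it was previously SECURITY_USER. Existing callers that test `== SECURITY_USER`, or that switch on the level without a case for the new value, will therefore treat DC sessions differently; those callers are outside this diff and need checking. The new branch also grants the higher level from SID membership alone, so a comment such as `/* DC level is derived only from SID_NT_ENTERPRISE_DCS in the token; callers gating replication on it rely on the token coming from a trusted authentication path */` would make that assumption explicit. security_session_user_level() begins in the previous hunk and continues past the end of this one.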