From fdd9540187f019df0560eefe0805700df7d91138 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Mon, 28 Mar 2011 14:41:36 +1100
Subject: s4-dsdb: only allow administrators to trigger FSMO role transfers

Pair-Programmed-With: Andrew Bartlett
---
 source4/dsdb/samdb/ldb_modules/rootdse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'source4/dsdb/samdb')
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 516194d2b7..050cf5e062 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1173,6 +1173,14 @@ static int rootdse_become_master(struct ldb_module *module,
 	bool am_rodc;
 	struct dcerpc_binding_handle *irpc_handle;
 	int ret;
+	struct auth_session_info *session_info;
+	enum security_user_level level;
+
+	session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
+	level = security_session_user_level(session_info, NULL);
+	if (level < SECURITY_ADMINISTRATOR) {
+		return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
+	}
 
 	ret = samdb_rodc(ldb, &am_rodc);
 	if (ret != LDB_SUCCESS) {
--
cgit
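Review bot: The new authorization check trusts a bare C cast of the "sessionInfo" opaque, so a pointer registered under that name with a different type would be read as an auth_session_info and could produce an arbitrary user level; the rest of the Samba tree fetches this opaque through the talloc type check, which returns NULL on a name mismatch and therefore fails closed to the anonymous level here. I would write `session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);`, which also drops the redundant `ldb_module_get_ctx(module)` call since `ldb` is already in scope (it is used by `ldb_error` and `samdb_rodc` on the following lines). A one-line comment such as `/* FSMO role transfer is an admin-only operation; check before any RODC/IRPC work */` above the check would record why the guard sits ahead of the `samdb_rodc` call. The enclosing function rootdse_become_master begins and ends outside this hunk, so its `ldb` declaration and the error path after the RODC check are not visible here.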