From bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 22 Apr 2010 16:48:01 +1000
Subject: s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level

This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC

This required a new domain_sid argument to
security_session_user_level()

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
---
 source4/libcli/security/security.h       | 11 ++++++-----
 source4/libcli/security/security_token.c | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 6 deletions(-)

(limited to 'source4/libcli/security')

diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h
index e3fdb0c794..585170ed61 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -23,11 +23,12 @@
 #include "librpc/gen_ndr/security.h"
 
 enum security_user_level {
-	SECURITY_ANONYMOUS,
-	SECURITY_USER,
-	SECURITY_DOMAIN_CONTROLLER,
-	SECURITY_ADMINISTRATOR,
-	SECURITY_SYSTEM
+	SECURITY_ANONYMOUS            = 0,
+	SECURITY_USER                 = 10,
+	SECURITY_RO_DOMAIN_CONTROLLER = 20,
+	SECURITY_DOMAIN_CONTROLLER    = 30,
+	SECURITY_ADMINISTRATOR        = 40,
+	SECURITY_SYSTEM               = 50
 };
 
 struct auth_session_info;
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index d3eff93ddb..f105ed391f 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -147,7 +147,8 @@ bool security_token_has_enterprise_dcs(const struct security_token *token)
 	return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS);
 }
 
-enum security_user_level security_session_user_level(struct auth_session_info *session_info) 
+enum security_user_level security_session_user_level(struct auth_session_info *session_info,
+						     const struct dom_sid *domain_sid)
 {
 	if (!session_info) {
 		return SECURITY_ANONYMOUS;
@@ -165,6 +166,16 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_ADMINISTRATOR;
 	}
 
+	if (domain_sid &&
+	    dom_sid_in_domain(domain_sid, session_info->security_token->user_sid)) {
+		uint32_t rid;
+		NTSTATUS status = dom_sid_split_rid(NULL, session_info->security_token->user_sid,
+						    NULL, &rid);
+		if (NT_STATUS_IS_OK(status) && rid == DOMAIN_RID_ENTERPRISE_READONLY_DCS) {
+			return SECURITY_RO_DOMAIN_CONTROLLER;
+		}
+	}
+
 	if (security_token_has_enterprise_dcs(session_info->security_token)) {
 		return SECURITY_DOMAIN_CONTROLLER;
 	}
-- 
cgit