From 5d2dfd12cf779c410e041a1815e5e3edf0ea38d8 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 15 Sep 2009 19:26:33 -0700 Subject: s4-drs: lock down key DRS calls The key DRS calls should only be allowed by administrators or domain controllers --- source4/rpc_server/drsuapi/addentry.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source4/rpc_server/drsuapi/addentry.c') diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c index ae478027a6..edf46aa5fb 100644 --- a/source4/rpc_server/drsuapi/addentry.c +++ b/source4/rpc_server/drsuapi/addentry.c @@ -30,6 +30,7 @@ #include "librpc/gen_ndr/ndr_drsblobs.h" #include "auth/auth.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" /* @@ -149,6 +150,12 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE); b_state = h->data; + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsAddEntry refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + switch (r->in.level) { case 2: ret = ldb_transaction_start(b_state->sam_ctx); -- cgit