From 6e56261eb7d417b488da2d3b051fb8284abb3fbd Mon Sep 17 00:00:00 2001
From: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Date: Sat, 19 Sep 2009 15:08:19 -0700
Subject: Add drs_security_level_check for dcesrv calls security checks

There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
---
 source4/rpc_server/drsuapi/updaterefs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'source4/rpc_server/drsuapi/updaterefs.c')

diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 6e97024d77..e12be6f058 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -105,10 +105,9 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 	WERROR werr;
 	struct ldb_dn *dn;
 
-	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-	    SECURITY_DOMAIN_CONTROLLER) {
-		DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
-		return WERR_DS_DRA_ACCESS_DENIED;
+	werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
 	}
 
 	if (r->in.level != 1) {
-- 
cgit