From 3a9b33b4876349165e7e16777fa283b128d525be Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 16 Jan 2010 10:36:40 +1100
Subject: s4-drs: better debug info when security checks fail show the security token of the user at debug level 2
---
 source4/rpc_server/drsuapi/drsutil.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'source4/rpc_server')
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 0a8a576d60..28ec7bb848 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -24,6 +24,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/security.h"
 #include "param/param.h"
+#include "auth/session.h"
 /* format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@@ -102,15 +103,19 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call) {
+ enum security_user_level level;
+
 if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", false)) {
 return WERR_OK;
 }
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
+ level = security_session_user_level(dce_call->conn->auth_state.session_info);
+ if (level < SECURITY_DOMAIN_CONTROLLER) {
 if (call) {
- DEBUG(0,("%s refused for security token\n", call));
+ DEBUG(0,("%s refused for security token (level=%u)\n",
+ call, (unsigned)level));
+ security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
 }
 return WERR_DS_DRA_ACCESS_DENIED;
 }
-- cgit
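Review bot: The added `security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);` in the refusal branch of drs_security_level_check dereferences `session_info` unconditionally, whereas the level check above it only hands the pointer to `security_session_user_level()`. If that helper accepts a NULL session and reports it as the lowest level (its body is not visible here, so this needs confirming), a caller with no session would reach the dereference on the very path meant to reject it, and the denial would become a server crash. A guard keeps the debug aid without that risk: `if (dce_call->conn->auth_state.session_info != NULL) security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);`. The function's tail lies outside the hunk, so the remaining return path was not reviewed.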