From 45a2b408ba16ebabedc519a7235b05c104dede6b Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 17 Aug 2010 14:12:21 +1000
Subject: s4-drs: added domain_sid to DRS security checks

we need the domain_sid to determine if the account is a RODC for our domain

Pair-Programmed-With: Andrew Bartlett
---
 source4/rpc_server/drsuapi/addentry.c       | 2 +-
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 ++++----
 source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 3 ++-
 source4/rpc_server/drsuapi/drsutil.c        | 5 +++--
 source4/rpc_server/drsuapi/getncchanges.c   | 3 ++-
 source4/rpc_server/drsuapi/updaterefs.c     | 3 ++-
 6 files changed, 14 insertions(+), 10 deletions(-)
(limited to 'source4')

diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index ab75ff4005..bb254cb3ee 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -171,7 +171,7 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 	b_state = h->data;
-	status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER);
+	status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER, NULL);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
 	}
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index e4dd2f28a6..a46937b3ea 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
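Review bot: The DsAddEntry check on the `+` line passes `NULL` for the new domain_sid even though `b_state = h->data;` is in scope two lines above, so the domain-specific RODC determination the commit message describes is not applied to this DOMAIN_CONTROLLER-level call, while getncchanges.c and updaterefs.c pass `samdb_domain_sid(b_state->sam_ctx)`. Unless NULL is deliberate here, the call should read `status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER, samdb_domain_sid(b_state->sam_ctx));`, or carry a comment stating why the local domain SID is not needed for the write-DC check. The same NULL argument is passed in the DsReplicaSync, DsRemoveDSServer and DsExecuteKCC hunks of dcesrv_drsuapi.c, where the bind state is presumably reachable in the same way; DsBind is the one site where NULL looks intentional, since its sam_ctx may not exist yet at that point. dcesrv_drsuapi_DsAddEntry's body continues outside the hunk.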
@@ -65,7 +65,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 	W_ERROR_HAVE_NO_MEMORY(b_state);
 	/* if this is a DC connecting, give them system level access */
-	werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER);
+	werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER, NULL);
 	if (W_ERROR_IS_OK(werr)) {
 		DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
 		auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
@@ -247,7 +247,7 @@ static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, T
 {
 	WERROR status;
-	status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER);
+	status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER, NULL);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
 	}
@@ -400,7 +400,7 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
 	*r->out.level_out = 1;
-	status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER);
+	status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER, NULL);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
 	}
@@ -725,7 +725,7 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA
 				       struct drsuapi_DsExecuteKCC *r)
 {
 	WERROR status;
-	status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER);
+	status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER, NULL);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 3b733deec1..04bb3db984 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -63,7 +63,8 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 enum security_user_level;
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
-				const char* call, enum security_user_level minimum_level);
+				const char* call, enum security_user_level minimum_level,
+				const struct dom_sid *domain_sid);
 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
 				      struct drsuapi_DsReplicaMetaData *meta_data);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index e29c14dbc1..f20082f6bb 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -103,7 +103,8 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
 				const char* call,
-				enum security_user_level minimum_level)
+				enum security_user_level minimum_level,
+				const struct dom_sid *domain_sid)
 {
 	enum security_user_level level;
@@ -112,7 +113,7 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
 		return WERR_OK;
 	}
-	level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+	level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
 	if (level < minimum_level) {
 		if (call) {
 			DEBUG(0,("%s refused for security token (level=%u)\n",
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index cea5fc99c6..dcf1dbef5c 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
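Review bot: The new `domain_sid` parameter is undocumented at both the prototype in dcesrv_drsuapi.h and the definition in drsutil.c, and the refusal path only logs `level`, so a reader cannot tell whether a NULL argument means "no domain-specific check wanted" or is a caller bug. Since every caller except the two RO_DOMAIN_CONTROLLER sites now passes NULL, a comment above the definition is needed, e.g. `/* domain_sid: SID of the local domain, handed to security_session_user_level() so it can recognise an RODC of our domain; callers pass NULL when that distinction is not needed -- confirm the NULL behaviour against security_session_user_level() */`, mirrored on the prototype. drs_security_level_check's body continues past the second hunk.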
@@ -760,7 +760,8 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 		return WERR_DS_DRA_SOURCE_DISABLED;
 	}
-	werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER);
+	werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER,
+					samdb_domain_sid(b_state->sam_ctx));
 	if (!W_ERROR_IS_OK(werr)) {
 		return werr;
 	}
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index d52a77959a..daf057d6d6 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -197,7 +197,8 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 	b_state = h->data;
-	werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs", SECURITY_RO_DOMAIN_CONTROLLER);
+	werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs", SECURITY_RO_DOMAIN_CONTROLLER,
+					samdb_domain_sid(b_state->sam_ctx));
 	if (!W_ERROR_IS_OK(werr)) {
 		return werr;
 	}
-- 
cgit
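Review bot: The `+` lines in both getncchanges.c and updaterefs.c feed `samdb_domain_sid(b_state->sam_ctx)` straight into the check, so if that lookup fails and yields NULL the call silently degrades to the domain-unaware check instead of failing closed, and these two RO_DOMAIN_CONTROLLER sites are exactly where the commit says the domain SID matters. Fetch the SID first and refuse the request when it is missing, e.g. `const struct dom_sid *domain_sid = samdb_domain_sid(b_state->sam_ctx);` followed by `if (domain_sid == NULL) { return WERR_DS_DRA_INTERNAL_ERROR; }` and then `werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER, domain_sid);`, with the same pattern in DsReplicaUpdateRefs. That samdb_domain_sid() can return NULL is inferred from its role as a lookup and should be confirmed against its definition. Both enclosing functions start and end outside the hunks.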