int ret;
struct auth_session_info *auth_info;
WERROR werr;
+ bool connected_as_system = false;
r->out.bind_info = NULL;
ZERO_STRUCTP(r->out.bind_handle);
W_ERROR_HAVE_NO_MEMORY(b_state);
/* if this is a DC connecting, give them system level access */
- werr = drs_security_level_check(dce_call, NULL);
+ werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER, NULL);
if (W_ERROR_IS_OK(werr)) {
DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
+ connected_as_system = true;
} else {
auth_info = dce_call->conn->auth_state.session_info;
}
* connect to the samdb
*/
b_state->sam_ctx = samdb_connect(b_state, dce_call->event_ctx,
- dce_call->conn->dce_ctx->lp_ctx, auth_info);
+ dce_call->conn->dce_ctx->lp_ctx, auth_info);
if (!b_state->sam_ctx) {
return WERR_FOOBAR;
}
+ if (connected_as_system) {
+ b_state->sam_ctx_system = b_state->sam_ctx;
+ } else {
+ /* an RODC also needs system samdb access for secret
+ attribute replication */
+ werr = drs_security_level_check(dce_call, NULL, SECURITY_RO_DOMAIN_CONTROLLER,
+ samdb_domain_sid(b_state->sam_ctx));
+ if (W_ERROR_IS_OK(werr)) {
+ b_state->sam_ctx_system = samdb_connect(b_state, dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ system_session(dce_call->conn->dce_ctx->lp_ctx));
+ if (!b_state->sam_ctx_system) {
+ return WERR_FOOBAR;
+ }
+ }
+ }
+
/*
* find out the guid of our own site
*/
{
WERROR status;
- status = drs_security_level_check(dce_call, "DsReplicaSync");
+ status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
}
case 1: {
struct drsuapi_DsNameCtr1 *ctr1;
struct drsuapi_DsNameInfo1 *names;
- int count;
- int i;
+ uint32_t i, count;
ctr1 = talloc(mem_ctx, struct drsuapi_DsNameCtr1);
W_ERROR_HAVE_NO_MEMORY(ctr1);
*r->out.level_out = 1;
- status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
}
}
/* Obtain the site name from a server DN */
-static const char *result_site_name(struct ldb_dn *site_dn)
+static const char *result_site_name(struct ldb_dn *server_dn)
{
/* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */
- const struct ldb_val *val = ldb_dn_get_component_val(site_dn, 2);
- const char *name = ldb_dn_get_component_name(site_dn, 2);
+ const struct ldb_val *val = ldb_dn_get_component_val(server_dn, 2);
+ const char *name = ldb_dn_get_component_name(server_dn, 2);
if (!name || (ldb_attr_cmp(name, "cn") != 0)) {
/* Ensure this matches the format. This gives us a
struct drsuapi_DsExecuteKCC *r)
{
WERROR status;
- status = drs_security_level_check(dce_call, "DsExecuteKCC");
+ status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER, NULL);
if (!W_ERROR_IS_OK(status)) {
return status;
{
enum security_user_level level;
- if (!lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
"drs", "disable_sec_check", false)) {
- level = security_session_user_level(dce_call->conn->auth_state.session_info);
+ level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
if (level < SECURITY_ADMINISTRATOR) {
DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
git.samba.org / nivanova / samba.git / blobdiff