s4-netlogon: added SEC_CHAN_RODC
authorAndrew Tridgell <tridge@samba.org>
Tue, 17 Aug 2010 08:24:29 +0000 (18:24 +1000)
committerAndrew Tridgell <tridge@samba.org>
Tue, 17 Aug 2010 11:21:51 +0000 (21:21 +1000)
This seems to be equivalent to SEC_CHAN_BDC, but for RODCs

librpc/idl/misc.idl
source4/rpc_server/netlogon/dcerpc_netlogon.c

index a60d30bef2c450e02c5ab008f45b07ebc74f0653..e92846043d58981cd7a714c38e6aee103cb59a9e 100644 (file)
@@ -40,7 +40,8 @@ interface misc
                SEC_CHAN_WKSTA       = 2,
                SEC_CHAN_DNS_DOMAIN  = 3,
                SEC_CHAN_DOMAIN      = 4,
-               SEC_CHAN_BDC         = 6
+               SEC_CHAN_BDC         = 6,
+               SEC_CHAN_RODC        = 7
        } netr_SchannelType;
 
        typedef [public] struct {
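Review bot: The new `SEC_CHAN_RODC = 7` member has no comment saying what it means, and the commit message itself only says it "seems" equivalent to SEC_CHAN_BDC. A short comment on the member would record the intent, for example `/* read-only DC; account carries UF_PARTIAL_SECRETS_ACCOUNT */`. Because the value is now part of netr_SchannelType, any other code that branches on this enum (not visible on this page) presumably needs to decide explicitly how to treat it rather than fall through a default case.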
index 9d8195aaad4afdca99e685103005394a4cd7309c..5893bd48219c74155fe299e358d8341136a9ef95 100644 (file)
@@ -217,6 +217,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
                        DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control));
                        return NT_STATUS_ACCESS_DENIED;
                }
+       } else if (r->in.secure_channel_type == SEC_CHAN_RODC) {
+               if (!(user_account_control & UF_PARTIAL_SECRETS_ACCOUNT)) {
+                       DEBUG(1, ("Client asked for a RODC secure channel, but is not a RODC: acb flags: 0x%x\n", user_account_control));
+                       return NT_STATUS_ACCESS_DENIED;
+               }
        } else {
                DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
                          r->in.secure_channel_type));
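Review bot: The new `SEC_CHAN_RODC` branch accepts the channel on a single bit, `UF_PARTIAL_SECRETS_ACCOUNT`, and does not itself check that the account is a machine trust account. Whether a non-computer account carrying that flag can reach this branch depends on the account lookup earlier in dcesrv_netr_ServerAuthenticate3, which starts outside the hunk. If RODC accounts are expected to be workstation-trust accounts with the partial-secrets flag set, testing both bits would make the check self-contained: `if ((user_account_control & (UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT)) != (UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT)) {`. A comment such as `/* RODC holds only partial secrets: later checks on the channel type must not grant it full BDC trust */` would also record the intended privilege level for code that consumes the negotiated channel type.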