s4-drs: fixed check for SECURITY_RO_DOMAIN_CONTROLLER

check more than the user_sid, and also check for the right rid value

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index f105ed391f9df144ac7e0ef969c188a2a88499bf..7cfb566b91b05023aa35c1c1dd5240dca41743cf 100644 (file)
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -166,14 +166,14 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
                return SECURITY_ADMINISTRATOR;
        }
 
-       if (domain_sid &&
-           dom_sid_in_domain(domain_sid, session_info->security_token->user_sid)) {
-               uint32_t rid;
-               NTSTATUS status = dom_sid_split_rid(NULL, session_info->security_token->user_sid,
-                                                   NULL, &rid);
-               if (NT_STATUS_IS_OK(status) && rid == DOMAIN_RID_ENTERPRISE_READONLY_DCS) {
+       if (domain_sid) {
+               struct dom_sid *rodc_dcs;
+               rodc_dcs = dom_sid_add_rid(session_info, domain_sid, DOMAIN_RID_READONLY_DCS);
+               if (security_token_has_sid(session_info->security_token, rodc_dcs)) {
+                       talloc_free(rodc_dcs);
                        return SECURITY_RO_DOMAIN_CONTROLLER;
                }
+               talloc_free(rodc_dcs);
        }
 
        if (security_token_has_enterprise_dcs(session_info->security_token)) {