diff options
| author | Andrew Tridgell <tridge@samba.org> | 2010-04-22 16:48:01 +1000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2010-04-22 19:36:16 +1000 |
| commit | bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e (patch) | |
| tree | 8fd3704eb6819063b1916c78bb1893ba16c7fe72 /source4/libcli | |
| parent | ec0bb2f46b855d44cccb71a5511c2acb7d8eae09 (diff) | |
| download | samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.tar.gz samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.tar.xz samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.zip | |
s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Diffstat (limited to 'source4/libcli')
| -rw-r--r-- | source4/libcli/security/security.h | 11 | ||||
| -rw-r--r-- | source4/libcli/security/security_token.c | 13 |
2 files changed, 18 insertions, 6 deletions
diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h index e3fdb0c7948..585170ed61c 100644 --- a/source4/libcli/security/security.h +++ b/source4/libcli/security/security.h @@ -23,11 +23,12 @@ #include "librpc/gen_ndr/security.h" enum security_user_level { - SECURITY_ANONYMOUS, - SECURITY_USER, - SECURITY_DOMAIN_CONTROLLER, - SECURITY_ADMINISTRATOR, - SECURITY_SYSTEM + SECURITY_ANONYMOUS = 0, + SECURITY_USER = 10, + SECURITY_RO_DOMAIN_CONTROLLER = 20, + SECURITY_DOMAIN_CONTROLLER = 30, + SECURITY_ADMINISTRATOR = 40, + SECURITY_SYSTEM = 50 }; struct auth_session_info; diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index d3eff93ddb7..f105ed391f9 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -147,7 +147,8 @@ bool security_token_has_enterprise_dcs(const struct security_token *token) return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS); } -enum security_user_level security_session_user_level(struct auth_session_info *session_info) +enum security_user_level security_session_user_level(struct auth_session_info *session_info, + const struct dom_sid *domain_sid) { if (!session_info) { return SECURITY_ANONYMOUS; @@ -165,6 +166,16 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ADMINISTRATOR; } + if (domain_sid && + dom_sid_in_domain(domain_sid, session_info->security_token->user_sid)) { + uint32_t rid; + NTSTATUS status = dom_sid_split_rid(NULL, session_info->security_token->user_sid, + NULL, &rid); + if (NT_STATUS_IS_OK(status) && rid == DOMAIN_RID_ENTERPRISE_READONLY_DCS) { + return SECURITY_RO_DOMAIN_CONTROLLER; + } + } + if (security_token_has_enterprise_dcs(session_info->security_token)) { return SECURITY_DOMAIN_CONTROLLER; } |