DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsAddEntry refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsAddEntry");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
switch (r->in.level) {
static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaSync *r)
{
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaSync refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
&ndr_table_drsuapi,
"dreplsrv", "DsReplicaSync");
+
return WERR_OK;
}
struct ldb_dn *ntds_dn;
int ret;
bool ok;
+ WERROR status;
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsRemoveDSServer refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
const char * const *attrs,
const char *format, ...) PRINTF_ATTRIBUTE(7,8);
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call);
#include "dsdb/samdb/samdb.h"
#include "libcli/security/dom_sid.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
/*
format a drsuapi_DsReplicaObjectIdentifier naming context as a string
return ret;
}
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+{
+ if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+ return WERR_OK;
+ }
+
+ if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsReplicaGetInfo refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ return WERR_OK;
+}
return WERR_DS_DRA_BAD_NC;
}
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("getncchanges refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsGetNCChanges");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
/*
WERROR werr;
struct ldb_dn *dn;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
if (r->in.level != 1) {