This will be used as a simple way to lock down DRS replication to
administrators and domain controllers
enum security_user_level {
SECURITY_ANONYMOUS,
SECURITY_USER,
+ SECURITY_DOMAIN_CONTROLLER,
SECURITY_ADMINISTRATOR,
SECURITY_SYSTEM
};
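Review bot: Inserting `SECURITY_DOMAIN_CONTROLLER` between `SECURITY_USER` and `SECURITY_ADMINISTRATOR` renumbers the two higher levels and changes what existing comparisons mean. The enumerators carry no explicit values, so anything that stores or logs the numeric level shifts by one. A caller that tests `== SECURITY_USER` instead of `>= SECURITY_USER` would stop matching domain controller accounts once they are classified at the new level; no callers are visible here, so they need an audit before this is used to gate DRS replication. I would also add a comment above the enum, for example `/* Ordered from least to most privileged; compare with >=, never == */`, so the gate relies on a stated ordering.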
return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
}
+bool security_token_has_enterprise_dcs(const struct security_token *token)
+{
+ return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS);
+}
+
enum security_user_level security_session_user_level(struct auth_session_info *session_info)
{
if (!session_info) {
return SECURITY_ADMINISTRATOR;
}
+ if (security_token_has_enterprise_dcs(session_info->security_token)) {
+ return SECURITY_DOMAIN_CONTROLLER;
+ }
+
if (security_token_has_nt_authenticated_users(session_info->security_token)) {
return SECURITY_USER;
}
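Review bot: The new Enterprise DCs test in `security_session_user_level` returns early, so the result depends on check order, and the hunk shows no system or administrator test ahead of it. If those tests run later in the function (its body continues past the hunk), a token carrying both `SID_NT_ENTERPRISE_DCS` and an administrator SID would be reported as `SECURITY_DOMAIN_CONTROLLER`, lower than before this change. Ordering the tests from most to least privileged, with a comment such as `/* checks run highest level first; first match wins */`, would make the precedence explicit. Separately, the context lines show a NULL `session_info` returning `SECURITY_ADMINISTRATOR`, so a replication gate written as `>= SECURITY_DOMAIN_CONTROLLER` is passed by any caller with no session at all. It is worth confirming that only trusted internal paths reach the function that way.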