From 84bedf4028a5c841f08c079bfd20b9111fe52777 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Tue, 17 Aug 2010 14:11:24 +1000
Subject: [PATCH] s4-drs: fixed check for SECURITY_RO_DOMAIN_CONTROLLER

check more than the user_sid, and also check for the right rid value

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/libcli/security/security_token.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index f105ed391f9..7cfb566b91b 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -166,14 +166,14 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_ADMINISTRATOR;
 	}
 
-	if (domain_sid &&
-	    dom_sid_in_domain(domain_sid, session_info->security_token->user_sid)) {
-		uint32_t rid;
-		NTSTATUS status = dom_sid_split_rid(NULL, session_info->security_token->user_sid,
-						    NULL, &rid);
-		if (NT_STATUS_IS_OK(status) && rid == DOMAIN_RID_ENTERPRISE_READONLY_DCS) {
+	if (domain_sid) {
+		struct dom_sid *rodc_dcs;
+		rodc_dcs = dom_sid_add_rid(session_info, domain_sid, DOMAIN_RID_READONLY_DCS);
+		if (security_token_has_sid(session_info->security_token, rodc_dcs)) {
+			talloc_free(rodc_dcs);
 			return SECURITY_RO_DOMAIN_CONTROLLER;
 		}
+		talloc_free(rodc_dcs);
 	}
 
 	if (security_token_has_enterprise_dcs(session_info->security_token)) {
-- 
2.34.1