From dde836adbdb5c04cb43774c65fa1af713d9cdb7a Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Sun, 17 Jan 2010 06:52:14 +1100
Subject: [PATCH] s4-drs: allow for security bypass for DsReplicaGetInfo

Use --option=drs:disable_sec_check=true until the group membership bug
with the PAC is fixed.
---
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index ae70fbc18f7..b5088bb1d7a 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -28,6 +28,7 @@
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
 #include "libcli/security/security.h"
 #include "auth/auth.h"
+#include "param/param.h"
 
 #define DRSUAPI_UNSUPPORTED(fname) do { \
 	DEBUG(1,(__location__ ": Unsupported DRS call %s\n", #fname)); \
@@ -745,11 +746,14 @@ static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call
 {
 	enum security_user_level level;
 
-	level = security_session_user_level(dce_call->conn->auth_state.session_info);
-	if (level < SECURITY_ADMINISTRATOR) {
-		DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
-		security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
-		return WERR_DS_DRA_ACCESS_DENIED;
+	if (!lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+			 "drs", "disable_sec_check", false)) {
+		level = security_session_user_level(dce_call->conn->auth_state.session_info);
+		if (level < SECURITY_ADMINISTRATOR) {
+			DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
+			security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
+			return WERR_DS_DRA_ACCESS_DENIED;
+		}
 	}
 
 	dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICAGETINFO,
-- 
2.34.1