s4-drs: better debug info when security checks fail
authorAndrew Tridgell <tridge@samba.org>
Fri, 15 Jan 2010 23:36:40 +0000 (10:36 +1100)
committerAndrew Tridgell <tridge@samba.org>
Sat, 16 Jan 2010 03:10:42 +0000 (14:10 +1100)
show the security token of the user at debug level 2

source4/rpc_server/drsuapi/drsutil.c

index 0a8a576d60f81eb2ae7bf6592bc36c09060c1aa8..28ec7bb84889b62bd16dd427e550b3e4e090fe59 100644 (file)
@@ -24,6 +24,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "libcli/security/security.h"
 #include "param/param.h"
+#include "auth/session.h"
 
 /*
   format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@@ -102,15 +103,19 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
 {
+       enum security_user_level level;
+
        if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, 
                         "drs", "disable_sec_check", false)) {
                return WERR_OK;
        }
 
-       if (security_session_user_level(dce_call->conn->auth_state.session_info) <
-               SECURITY_DOMAIN_CONTROLLER) {
+       level = security_session_user_level(dce_call->conn->auth_state.session_info);
+       if (level < SECURITY_DOMAIN_CONTROLLER) {
                if (call) {
-                       DEBUG(0,("%s refused for security token\n", call));
+                       DEBUG(0,("%s refused for security token (level=%u)\n",
+                                call, (unsigned)level));
+                       security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
                }
                return WERR_DS_DRA_ACCESS_DENIED;
        }
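Review bot: The added `security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);` dereferences `session_info` on the denial path with no NULL check, although the same pointer is handed unchecked to `security_session_user_level()` just above. If that helper accepts a NULL `session_info` and reports a low level (its body is not visible here, so confirm this), a connection without session info would crash the server inside the logging call instead of receiving `WERR_DS_DRA_ACCESS_DENIED`. Guarding the dump keeps the refusal path safe: `if (dce_call->conn->auth_state.session_info != NULL) { security_token_debug(2, dce_call->conn->auth_state.session_info->security_token); }`. The body of `drs_security_level_check` continues past the end of this hunk.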