diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c index eac96a3aa12..9796da405f7 100644 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c +++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c @@ -90,7 +90,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx); connected_as_system = true; } else { - auth_info = dce_call->conn->auth_state.session_info; + auth_info = dcesrv_call_session_info(dce_call); } /* @@ -1011,15 +1011,17 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct drsuapi_DsReplicaGetInfo *r) { + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); enum security_user_level level; if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", false)) { - level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL); + level = security_session_user_level(session_info, NULL); if (level < SECURITY_DOMAIN_CONTROLLER) { DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n")); security_token_debug(DBGC_DRS_REPL, 2, - dce_call->conn->auth_state.session_info->security_token); + session_info->security_token); return WERR_DS_DRA_ACCESS_DENIED; } } diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c index 6fe254ac96c..7897c35d2e9 100644 --- a/source4/rpc_server/drsuapi/drsutil.c +++ b/source4/rpc_server/drsuapi/drsutil.c @@ -95,6 +95,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, enum security_user_level minimum_level, const struct dom_sid *domain_sid) { + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); enum security_user_level level; if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, @@ -102,12 +104,12 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, return WERR_OK; } - level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid); + level = security_session_user_level(session_info, domain_sid); if (level < minimum_level) { if (call) { DEBUG(0,("%s refused for security token (level=%u)\n", call, (unsigned)level)); - security_token_debug(DBGC_DRS_REPL, 2, dce_call->conn->auth_state.session_info->security_token); + security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token); } return WERR_DS_DRA_ACCESS_DENIED; } diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index b48e9c7234d..f3f819a410e 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -2698,6 +2698,8 @@ static struct getncchanges_repl_chunk * getncchanges_chunk_new(TALLOC_CTX *mem_c WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct drsuapi_DsGetNCChanges *r) { + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); struct drsuapi_DsReplicaObjectIdentifier *ncRoot; int ret; uint32_t i, k; @@ -2799,12 +2801,12 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_SOURCE_DISABLED; } - user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; /* all clients must have GUID_DRS_GET_CHANGES */ werr = drs_security_access_check_nc_root(sam_ctx, mem_ctx, - dce_call->conn->auth_state.session_info->security_token, + session_info->security_token, req10->naming_context, GUID_DRS_GET_CHANGES); if (!W_ERROR_IS_OK(werr)) { @@ -2846,7 +2848,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ if (is_gc_pas_request) { werr = drs_security_access_check_nc_root(sam_ctx, mem_ctx, - dce_call->conn->auth_state.session_info->security_token, + session_info->security_token, req10->naming_context, GUID_DRS_GET_FILTERED_ATTRIBUTES); if (W_ERROR_IS_OK(werr)) { @@ -2863,7 +2865,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ if (is_secret_request) { werr = drs_security_access_check_nc_root(sam_ctx, mem_ctx, - dce_call->conn->auth_state.session_info->security_token, + session_info->security_token, req10->naming_context, GUID_DRS_GET_ALL_CHANGES); if (!W_ERROR_IS_OK(werr)) { @@ -2879,7 +2881,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ allowed: /* for non-administrator replications, check that they have given the correct source_dsa_invocation_id */ - security_level = security_session_user_level(dce_call->conn->auth_state.session_info, + security_level = security_session_user_level(session_info, samdb_domain_sid(sam_ctx)); if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) { if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) { diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index c92add744ec..0d3b47a9505 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -336,6 +336,8 @@ failed: WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct drsuapi_DsReplicaUpdateRefs *r) { + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); struct dcesrv_handle *h; struct drsuapi_bind_state *b_state; struct drsuapi_DsReplicaUpdateRefsRequest1 *req; @@ -353,7 +355,7 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA req = &r->in.req.req1; werr = drs_security_access_check(b_state->sam_ctx, mem_ctx, - dce_call->conn->auth_state.session_info->security_token, + session_info->security_token, req->naming_context, GUID_DRS_MANAGE_TOPOLOGY); @@ -361,16 +363,16 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA return werr; } - security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL); + security_level = security_session_user_level(session_info, NULL); if (security_level < SECURITY_ADMINISTRATOR) { /* check that they are using an DSA objectGUID that they own */ ret = dsdb_validate_dsa_guid(b_state->sam_ctx, &req->dest_dsa_guid, - &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n", dom_sid_string(mem_ctx, - &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), GUID_string(mem_ctx, &req->dest_dsa_guid))); return WERR_DS_DRA_ACCESS_DENIED; } diff --git a/source4/rpc_server/drsuapi/writespn.c b/source4/rpc_server/drsuapi/writespn.c index 991efccae38..9a289897f3e 100644 --- a/source4/rpc_server/drsuapi/writespn.c +++ b/source4/rpc_server/drsuapi/writespn.c @@ -53,6 +53,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state, * 1) they are on the clients own account object * 2) they are of the form SERVICE/dnshostname */ + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); struct dom_sid *user_sid, *sid; TALLOC_CTX *tmp_ctx = talloc_new(dce_call); struct ldb_result *res; @@ -82,7 +84,7 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state, return false; } - user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid"); if (sid == NULL) { talloc_free(tmp_ctx);