s4-drsuapi: Clarify role of drs_security_access_check_nc_root()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 1838f349c94b878de1740af35351a2e8e0c8cffb)
author: Andrew Bartlett <abartlet@samba.org> 2023-01-25 16:01:48 +1300
committer: Jule Anger <janger@samba.org> 2023-02-03 09:35:08 +0000
commit: c7658589fa53a7905678361409341a916b0d41f5 (patch)
tree: 29f9621dcdcdacd735a89392f907ae0a468cfc1c
parent: dee9067386531241846680e50dc892cc906b0a07 (diff)
download: samba-c7658589fa53a7905678361409341a916b0d41f5.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 57bd50b1268..ca805d9f958 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2830,7 +2830,11 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 
 	user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
 
-	/* all clients must have GUID_DRS_GET_CHANGES */
+	/*
+	 * all clients must have GUID_DRS_GET_CHANGES.  This finds the
+	 * actual NC root of the given value and checks that, allowing
+	 * REPL_OBJ to work safely
+	 */
 	werr = drs_security_access_check_nc_root(sam_ctx,
 						 mem_ctx,
 						 session_info->security_token,
author	Andrew Bartlett <abartlet@samba.org>	2023-01-25 16:01:48 +1300
committer	Jule Anger <janger@samba.org>	2023-02-03 09:35:08 +0000
commit	c7658589fa53a7905678361409341a916b0d41f5 (patch)
tree	29f9621dcdcdacd735a89392f907ae0a468cfc1c
parent	dee9067386531241846680e50dc892cc906b0a07 (diff)
download	samba-c7658589fa53a7905678361409341a916b0d41f5.tar.gz