From c7658589fa53a7905678361409341a916b0d41f5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 25 Jan 2023 16:01:48 +1300
Subject: s4-drsuapi: Clarify role of drs_security_access_check_nc_root()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 1838f349c94b878de1740af35351a2e8e0c8cffb)
---
 source4/rpc_server/drsuapi/getncchanges.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 57bd50b1268..ca805d9f958 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2830,7 +2830,11 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
- /* all clients must have GUID_DRS_GET_CHANGES */
+ /*
+ * all clients must have GUID_DRS_GET_CHANGES. This finds the
+ * actual NC root of the given value and checks that, allowing
+ * REPL_OBJ to work safely
+ */
 werr = drs_security_access_check_nc_root(sam_ctx, mem_ctx, session_info->security_token,
-- cgit v1.2.1
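Review bot: The new comment above the drs_security_access_check_nc_root() call says "the given value" without naming which request field is resolved to its NC root, and "work safely" does not say what the check protects against. Because this call is the authorization gate for DsGetNCChanges, the comment should state that GUID_DRS_GET_CHANGES is evaluated on the NC root and not on the DN the client supplied, for example `* The right is checked on the NC root of the requested DN, not on that DN itself, so a REPL_OBJ request for one object is still gated by the right on the partition root.` That reading is inferred from the comment's own wording, since the helper's body is not in this hunk. The call's remaining arguments also lie past the end of the hunk, so the field name should be confirmed there before it goes into the comment.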