CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control

Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index 586a3bfaf0ec0f347c21835d895740b4cf4f350b..6390258141efad3b626b729d7ec6e292dbd7f3ef 100644 (file)
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -182,6 +182,15 @@ struct dsdb_control_password_user_account_control {
 /* passed when we want to thoroughly delete linked attributes */
 #define DSDB_CONTROL_REPLMD_VANISH_LINKS "1.3.6.1.4.1.7165.4.3.29"
 
+/*
+ * Used to pass "user password change" vs "password reset" from the ACL to the
+ * password_hash module, ensuring both modules treat the request identical.
+ */
+#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
+struct dsdb_control_password_acl_validation {
+       bool pwd_reset;
+};
+
 #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
 struct dsdb_extended_replicated_object {
        struct ldb_message *msg;

diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 9df95c32a9d43d60263fe1815c4a2b6bcfe2d43f..7ecc9080cd1be417e6c6fc04ed42eda5c6d53d4c 100644 (file)
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1262,6 +1262,7 @@ static const struct ldap_control_handler ldap_known_controls[] = {
        { DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, NULL, NULL },
        { DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL },
        { DSDB_CONTROL_PASSWORD_CHANGE_OID, NULL, NULL },
+       { DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL },
        { DSDB_CONTROL_APPLY_LINKS, NULL, NULL },
        { LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL },
        { DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL },

diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
index 0189fb5934a4404fa5c41f79536caf05d8a852fc..0e8847afbb003d1660c335f2764496eab87d1769 100644 (file)
--- a/source4/setup/schema_samba4.ldif
+++ b/source4/setup/schema_samba4.ldif
@@ -222,6 +222,8 @@
 #Allocated: DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID 1.3.6.1.4.1.7165.4.3.28
 #Allocated: DSDB_CONTROL_REPLMD_VANISH_LINKS 1.3.6.1.4.1.7165.4.3.29
 #Allocated: LDB_CONTROL_RECALCULATE_RDN_OID 1.3.6.1.4.1.7165.4.3.30
+#Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33
+
 
 # Extended 1.3.6.1.4.1.7165.4.4.x
 #Allocated: DSDB_EXTENDED_REPLICATED_OBJECTS_OID 1.3.6.1.4.1.7165.4.4.1