dsdb_have_system_access() takes into account the AS_SYSTEM control as
well as the result of dsdb_module_am_system().

This change means that we can reset the password of an account without
being SYSTEM by means of the AS_SYSTEM control. This is essential for
ldapsrv_SearchRequest() to be able to process the automatic password
changes of Group Managed Service Accounts.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* If the DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
* control is missing, we require system access!
*/
- ok = dsdb_module_am_system(ac->module);
+ ok = dsdb_have_system_access(
+ ac->module,
+ ac->req,
+ SYSTEM_CONTROL_KEEP_CRITICAL);
if (!ok) {
return ldb_module_operr(ac->module);
}
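
Review bot: The comment above the check still says only "we require system access!", but with the switch to dsdb_have_system_access() this branch also passes when the request carries the AS_SYSTEM control, so the comment should say that explicitly. Because this is the path taken when DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID is missing, and the commit message states it now allows a password reset without being SYSTEM, please also document (here or in the commit message) where the AS_SYSTEM control is guaranteed to originate only from trusted internal callers rather than from a client-supplied request, and why SYSTEM_CONTROL_KEEP_CRITICAL is the right mode at this call site. A test showing that a request with neither control still ends in ldb_module_operr() would pin the intended behaviour down.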