CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control

Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

source4/dsdb/samdb/samdb.h

@@ -195,6 +195,15 @@ struct dsdb_control_password_user_account_control {
 
 #define DSDB_CONTROL_INVALID_NOT_IMPLEMENTED "1.3.6.1.4.1.7165.4.3.32"
 
+/*
+ * Used to pass "user password change" vs "password reset" from the ACL to the
+ * password_hash module, ensuring both modules treat the request identical.
+ */
+#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
+struct dsdb_control_password_acl_validation {
+	bool pwd_reset;
+};
+
 #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
 struct dsdb_extended_replicated_object {
 	struct ldb_message *msg;

source4/libcli/ldap/ldap_controls.c

@@ -1262,6 +1262,7 @@ static const struct ldap_control_handler ldap_known_controls[] = {
 	{ DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, NULL, NULL },
 	{ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL },
 	{ DSDB_CONTROL_PASSWORD_CHANGE_OID, NULL, NULL },
+	{ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL },
 	{ DSDB_CONTROL_APPLY_LINKS, NULL, NULL },
 	{ LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL },
 	{ DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL },

source4/setup/schema_samba4.ldif

@@ -226,6 +226,7 @@
 #Allocated: LDB_CONTROL_RECALCULATE_RDN_OID 1.3.6.1.4.1.7165.4.3.30
 #Allocated: DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE 1.3.6.1.4.1.7165.4.3.31
 #Allocated: DSDB_CONTROL_INVALID_NOT_IMPLEMENTED 1.3.6.1.4.1.7165.4.3.32
+#Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33
 
 
 # Extended 1.3.6.1.4.1.7165.4.4.x