authorStefan Metzmacher <metze@samba.org>2015-03-30 12:31:01 +0200
committerStefan Metzmacher <metze@samba.org>2015-07-08 18:38:21 +0200
commit8a63dd8bbccfaf5537ddf37f1037566bd73ff28c (patch)
treef1d7bda45395822ff0ea6f25f8631ff418eb3cbb /source4/dsdb
parentdd23d8e1b2a512c6e59b44796ab86e0144128528 (diff)
downloadsamba-8a63dd8bbccfaf5537ddf37f1037566bd73ff28c.tar.gz
s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
Only the LSA and NETLOGON servers should be able to change this; otherwise the incoming passwords in the trust account and the trusted domain object get out of sync. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 5defc1df483..9ac3551ea3f 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -2260,6 +2260,22 @@ static int setup_io(struct ph_context *ac,
return LDB_ERR_CONSTRAINT_VIOLATION;
}
+ if (io->u.userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ struct ldb_control *permit_trust = ldb_request_get_control(ac->req,
+ DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID);
+
+ if (permit_trust == NULL) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ ldb_asprintf_errstring(ldb,
+ "%08X: %s - setup_io: changing the interdomain trust password "
+ "on %s not allowed via LDAP. Use LSA or NETLOGON",
+ W_ERROR_V(WERR_ACCESS_DENIED),
+ ldb_strerror(ret),
+ ldb_dn_get_linearized(searched_msg->dn));
+ return ret;
+ }
+ }
+
/* Only non-trust accounts have restrictions (possibly this test is the
* wrong way around, but we like to be restrictive if possible */
io->u.restrictions = !(io->u.userAccountControl