diff --git a/.gitignore b/.gitignore
index e69de29..a1343b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,17 @@
+/adcli-0.1.tar.gz
+/adcli-0.2.tar.gz
+/adcli-0.3.tar.gz
+/adcli-0.4.tar.gz
+/adcli-0.5.tar.gz
+/adcli-0.6.tar.gz
+/adcli-0.7.tar.gz
+/adcli-0.7.1.tar.gz
+/old
+/adcli-0.7.2.tar.gz
+/adcli-0.7.3.tar.gz
+/adcli-0.7.4.tar.gz
+/adcli-0.7.5.tar.gz
+/adcli-0.7.6.tar.gz
+/adcli-0.8.0.tar.gz
+/adcli-0.8.2.tar.gz
+/adcli-0.9.0.tar.gz
diff --git a/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch b/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
new file mode 100644
index 0000000..15aaf07
--- /dev/null
+++ b/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
@@ -0,0 +1,32 @@
+From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 5 Jun 2020 17:06:58 +0200
+Subject: [PATCH] delete: do not exit if keytab cannot be read
+
+Reading the keytab is not required when deleting a host object in AD. It
+is only needed in the case where the host was added with a manual set
+NetBIOS name (--computer-name option) which does not match the short
+hostname and no computer name was given at the delete-computer command
+line.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
+---
+ tools/computer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 292c4d8..a90c4b2 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+- adcli_enroll_unref (enroll);
+- return -res;
+ }
+
+ res = adcli_conn_connect (conn);
+--
+2.26.2
+
diff --git a/0001-man-move-note-to-the-right-section.patch b/0001-man-move-note-to-the-right-section.patch
new file mode 100644
index 0000000..c128204
--- /dev/null
+++ b/0001-man-move-note-to-the-right-section.patch
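Review bot: Once the early return is gone, the `warnx ("couldn't lookup domain info from keytab: %s", ...)` kept above the removed lines still reads as a fatal error while adcli_tool_computer_delete now carries on with the computer name derived from the host name or --computer-name, so the operator cannot tell from the output whether the keytab mattered for this run. Rewording it to `warnx ("couldn't lookup domain info from keytab, continuing without it: %s", adcli_get_last_error ());` would make the best-effort nature explicit; the failed `res` is overwritten by the following `adcli_conn_connect` call, so no stale error code escapes. The body of adcli_tool_computer_delete starts and ends outside this hunk, so whether a later step still assumes keytab data was loaded cannot be verified here.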
@@ -0,0 +1,48 @@ +From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 27 Nov 2019 18:26:44 +0100 +Subject: [PATCH 1/6] man: move note to the right section + +Unfortunately the note about the password lifetime was added to the join +section. This patch move it to the update section where it belongs to. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573 + https://bugzilla.redhat.com/show_bug.cgi?id=1745931 + https://bugzilla.redhat.com/show_bug.cgi?id=1774622 +--- + doc/adcli.xml | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index 4f201e0..9faf96a 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -330,11 +330,7 @@ Password for Administrator: + important here is currently the + option, see + smb.conf5 +- for details. +- Note that if the machine account password is not +- older than 30 days, you have to pass +- to +- force the update. ++ for details. + + + +@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123 + important here is currently the + option, see + smb.conf5 +- for details. ++ for details. ++ Note that if the machine account password is not ++ older than 30 days, you have to pass ++ to ++ force the update. + + + +-- +2.25.1 + diff --git a/0001-tools-disable-SSSD-s-locator-plugin.patch b/0001-tools-disable-SSSD-s-locator-plugin.patch new file mode 100644 index 0000000..07d791e --- /dev/null +++ b/0001-tools-disable-SSSD-s-locator-plugin.patch 
@@ -0,0 +1,41 @@
+From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 5 Jun 2020 17:28:28 +0200
+Subject: [PATCH] tools: disable SSSD's locator plugin
+
+MIT's libkrb5 checks available locator plugins first before checking the
+config file. This might cause issues when the locator plugin returns a
+different DC than the one used for the LDAP connection if some data must
+be replicated.
+
+This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
+'true' to disable SSSD's locator plugin for adcli.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
+---
+ tools/tools.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 9d422f2..1b6d879 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
+ }
+
+ unsetenv ("KRB5_CONFIG");
++ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
+ }
+
+ static void
+@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ adcli_krb5_conf_filename = filename;
+ adcli_krb5_d_directory = snippets;
+ setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
++ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
+
+ } else {
+ free (filename);
+--
+2.26.2
+
diff --git a/0001-tools-fix-typo-in-show-password-help-output.patch b/0001-tools-fix-typo-in-show-password-help-output.patch
new file mode 100644
index 0000000..3e16726
--- /dev/null
+++ b/0001-tools-fix-typo-in-show-password-help-output.patch
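Review bot: The added `setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1)` in setup_krb5_conf_directory flips a process-wide libkrb5 knob without a comment saying why, and the paired `unsetenv` in cleanup_krb5_conf_directory drops the variable unconditionally rather than restoring a value the caller may already have had in its environment (the existing KRB5_CONFIG lines behave the same way, so this may be the accepted pattern). A comment would make the intent reviewable: `/* libkrb5 consults locator plugins before krb5.conf; disable SSSD's so KDC lookups stay on the DC pinned in the generated snippet */`. As with the KRB5_CONFIG line, the setenv return value is not checked; if a failed setenv is meant to abort the operation it should be tested here. Both cleanup_krb5_conf_directory and setup_krb5_conf_directory start outside the hunk.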
@@ -0,0 +1,26 @@
+From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 15 Jun 2020 15:41:53 +0200
+Subject: [PATCH 1/3] tools: fix typo in show-password help output
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
+---
+ tools/computer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index a90c4b2..24ea258 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
+ "accounts" },
+ { opt_show_details, "show information about joining the domain after\n"
+ "a successful join" },
+- { opt_show_password, "show computer account password after after a\n"
++ { opt_show_password, "show computer account password after a\n"
+ "successful join" },
+ { opt_add_samba_data, "add domain SID and computer account password\n"
+ "to the Samba specific configuration database" },
+--
+2.26.2
+
diff --git a/0002-man-explain-optional-parameter-of-login-ccache-bette.patch b/0002-man-explain-optional-parameter-of-login-ccache-bette.patch
new file mode 100644
index 0000000..a76cbb6
--- /dev/null
+++ b/0002-man-explain-optional-parameter-of-login-ccache-bette.patch
@@ -0,0 +1,44 @@ +From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 15 Jun 2020 15:57:47 +0200 +Subject: [PATCH 2/3] man: explain optional parameter of login-ccache better + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545 +--- + doc/adcli.xml | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index acced25..ecf8726 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa + + + Use the specified kerberos credential +- cache to authenticate with the domain. If no credential +- cache is specified, the default kerberos credential +- cache will be used. Credential caches of type FILE can +- be given with the path to the file. For other +- credential cache types, e.g. DIR, KEYRING or KCM, the +- type must be specified explicitly together with a +- suitable identifier. ++ cache to authenticate with the domain. If no credential ++ cache is specified, the default kerberos credential ++ cache will be used. Credential caches of type FILE can ++ be given with the path to the file. For other ++ credential cache types, e.g. DIR, KEYRING or KCM, the ++ type must be specified explicitly together with a ++ suitable identifier. ++ Please note that since the ++ ccache_name is optional the ++ =(equal) sign is mandatory. If = is missing the ++ parameter is treated as optionless extra argument. How ++ this is handled depends on the specific sub-command. ++ + + + +-- +2.26.2 + diff --git a/0002-tools-add-show-computer-command.patch b/0002-tools-add-show-computer-command.patch new file mode 100644 index 0000000..67684d1 --- /dev/null +++ b/0002-tools-add-show-computer-command.patch 
@@ -0,0 +1,338 @@
+From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 27 Nov 2019 12:34:45 +0100
+Subject: [PATCH 2/6] tools: add show-computer command
+
+The show-computer command prints the LDAP attributes of the related
+computer object from AD.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml | 28 ++++++++++++++
+ library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
+ library/adenroll.h | 5 +++
+ tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++
+ tools/tools.c | 1 +
+ tools/tools.h | 4 ++
+ 6 files changed, 191 insertions(+), 18 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 9faf96a..1f93186 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -93,6 +93,11 @@
+ --domain=domain.example.com
+ computer
+
++
++ adcli show-computer
++ --domain=domain.example.com
++ computer
++
+
+
+
+@@ -811,6 +816,29 @@ Password for Administrator:
+
+
+
++
++ Show Computer Account Attributes
++
++ adcli show-computer show the computer account
++ attributes stored in AD. The account must already exist.
++
++
++$ adcli show-computer --domain=domain.example.com host2
++Password for Administrator:
++
++
++ If the computer name contains a dot, then it is
++ treated as fully qualified host name, otherwise it is treated
++ as short computer name.
++
++ If no computer name is specified, then the host name of the
++ computer adcli is running on is used, as returned by
++ gethostname().
++
++ The various global options can be used.
++
++
++
+
+ Bugs
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 524663a..8d2adeb 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
+ 0
+ };
+
++static char *default_ad_ldap_attrs[] = {
++ "sAMAccountName",
++ "userPrincipalName",
++ "msDS-KeyVersionNumber",
++ "msDS-supportedEncryptionTypes",
++ "dNSHostName",
++ "servicePrincipalName",
++ "operatingSystem",
++ "operatingSystemVersion",
++ "operatingSystemServicePack",
++ "pwdLastSet",
++ "userAccountControl",
++ NULL,
++};
++
+ /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
+ * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
+ * for details. */
+@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
+ char *end;
+ int ret;
+
+- char *attrs[] = {
+- "msDS-KeyVersionNumber",
+- "msDS-supportedEncryptionTypes",
+- "dNSHostName",
+- "servicePrincipalName",
+- "operatingSystem",
+- "operatingSystemVersion",
+- "operatingSystemServicePack",
+- "pwdLastSet",
+- "userAccountControl",
+- NULL,
+- };
+-
+ assert (enroll->computer_dn != NULL);
+ assert (enroll->computer_attributes == NULL);
+
+@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ assert (ldap != NULL);
+
+ ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
+- "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
++ "(objectClass=*)", default_ad_ldap_attrs,
++ 0, NULL, NULL, NULL, -1,
+ &enroll->computer_attributes);
+
+ if (ret != LDAP_SUCCESS) {
+@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
+ }
+
+ adcli_result
+-adcli_enroll_update (adcli_enroll *enroll,
+- adcli_enroll_flags flags)
++adcli_enroll_read_computer_account (adcli_enroll *enroll,
++ adcli_enroll_flags flags)
+ {
+ adcli_result res = ADCLI_SUCCESS;
+ LDAP *ldap;
+- char *value;
+
+ return_unexpected_if_fail (enroll != NULL);
+
+@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
+ }
+
+ /* Get information about the computer account */
+- res = retrieve_computer_account (enroll);
++ return retrieve_computer_account (enroll);
++}
++
++adcli_result
++adcli_enroll_update (adcli_enroll *enroll,
++ adcli_enroll_flags flags)
++{
++ adcli_result res = ADCLI_SUCCESS;
++ LDAP *ldap;
++ char *value;
++
++ res = adcli_enroll_read_computer_account (enroll, flags);
+ if (res != ADCLI_SUCCESS)
+ return res;
+
+@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
+ return enroll_join_or_update_tasks (enroll, flags);
+ }
+
++adcli_result
++adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
++{
++ LDAP *ldap;
++ size_t c;
++ char **vals;
++ size_t v;
++
++ ldap = adcli_conn_get_ldap_connection (enroll->conn);
++ assert (ldap != NULL);
++
++ for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
++ vals = _adcli_ldap_parse_values (ldap,
++ enroll->computer_attributes,
++ default_ad_ldap_attrs[c]);
++ printf ("%s:\n", default_ad_ldap_attrs[c]);
++ if (vals == NULL) {
++ printf (" - not set -\n");
++ } else {
++ for (v = 0; vals[v] != NULL; v++) {
++ printf (" %s\n", vals[v]);
++ }
++ }
++ _adcli_strv_free (vals);
++ }
++
++ return ADCLI_SUCCESS;
++}
++
+ adcli_result
+ adcli_enroll_delete (adcli_enroll *enroll,
+ adcli_enroll_flags delete_flags)
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 1d5d00d..11eb517 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll,
+ adcli_result adcli_enroll_update (adcli_enroll *enroll,
+ adcli_enroll_flags flags);
+
++adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll,
++ adcli_enroll_flags flags);
++
++adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
++
+ adcli_result adcli_enroll_delete (adcli_enroll *enroll,
+ adcli_enroll_flags delete_flags);
+
+diff --git a/tools/computer.c b/tools/computer.c
+index ac8a203..c8b96a4 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ adcli_enroll_unref (enroll);
+ return 0;
+ }
++
++int
++adcli_tool_computer_show (adcli_conn *conn,
++ int argc,
++ char *argv[])
++{
++ adcli_enroll *enroll;
++ adcli_result res;
++ int opt;
++
++ struct option options[] = {
++ { "domain", required_argument, NULL, opt_domain },
++ { "domain-realm", required_argument, NULL, opt_domain_realm },
++ { "domain-controller", required_argument, NULL, opt_domain_controller },
++ { "login-user", required_argument, NULL, opt_login_user },
++ { "login-ccache", optional_argument, NULL, opt_login_ccache },
++ { "login-type", required_argument, NULL, opt_login_type },
++ { "no-password", no_argument, 0, opt_no_password },
++ { "stdin-password", no_argument, 0, opt_stdin_password },
++ { "prompt-password", no_argument, 0, opt_prompt_password },
++ { "verbose", no_argument, NULL, opt_verbose },
++ { "help", no_argument, NULL, 'h' },
++ { 0 },
++ };
++
++ static adcli_tool_desc usages[] = {
++ { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
++ { 0 },
++ };
++
++ enroll = adcli_enroll_new (conn);
++ if (enroll == NULL) {
++ warnx ("unexpected memory problems");
++ return -1;
++ }
++
++ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
++ switch (opt) {
++ case 'h':
++ case '?':
++ case ':':
++ adcli_tool_usage (options, usages);
++ adcli_tool_usage (options, common_usages);
++ adcli_enroll_unref (enroll);
++ return opt == 'h' ? 0 : 2;
++ default:
++ res = parse_option ((Option)opt, optarg, conn, enroll);
++ if (res != ADCLI_SUCCESS) {
++ adcli_enroll_unref (enroll);
++ return res;
++ }
++ break;
++ }
++ }
++
++ argc -= optind;
++ argv += optind;
++
++ res = adcli_conn_connect (conn);
++ if (res != ADCLI_SUCCESS) {
++ warnx ("couldn't connect to %s domain: %s",
++ adcli_conn_get_domain_name (conn),
++ adcli_get_last_error ());
++ adcli_enroll_unref (enroll);
++ return -res;
++ }
++
++ if (argc == 1) {
++ parse_fqdn_or_name (enroll, argv[0]);
++ }
++
++ res = adcli_enroll_read_computer_account (enroll, 0);
++ if (res != ADCLI_SUCCESS) {
++ warnx ("couldn't read data for %s: %s",
++ adcli_enroll_get_host_fqdn (enroll) != NULL
++ ? adcli_enroll_get_host_fqdn (enroll)
++ : adcli_enroll_get_computer_name (enroll),
++ adcli_get_last_error ());
++ adcli_enroll_unref (enroll);
++ return -res;
++ }
++
++ res = adcli_enroll_show_computer_attribute (enroll);
++ if (res != ADCLI_SUCCESS) {
++ warnx ("couldn't print data for %s: %s",
++ argv[0], adcli_get_last_error ());
++ adcli_enroll_unref (enroll);
++ return -res;
++ }
++
++ adcli_enroll_unref (enroll);
++ return 0;
++}
+diff --git a/tools/tools.c b/tools/tools.c
+index fc9fa9a..9d422f2 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -59,6 +59,7 @@ struct {
+ { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
+ { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
+ { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
++ { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
+ { "create-user", adcli_tool_user_create, "Create a user account", },
+ { "delete-user", adcli_tool_user_delete, "Delete a user account", },
+ { "create-group", adcli_tool_group_create, "Create a group", },
+diff --git a/tools/tools.h b/tools/tools.h
+index 8cebbf9..3702875 100644
+--- a/tools/tools.h
++++ b/tools/tools.h
+@@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
++int adcli_tool_computer_show (adcli_conn *conn,
++ int argc,
++ char *argv[]);
++
+ int adcli_tool_user_create (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+--
+2.25.1
+
diff --git a/0003-add-description-option-to-join-and-update.patch b/0003-add-description-option-to-join-and-update.patch
new file mode 100644
index 0000000..43e1633
--- /dev/null
+++ b/0003-add-description-option-to-join-and-update.patch
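Review bot: In adcli_tool_computer_show the final `warnx ("couldn't print data for %s: %s", argv[0], ...)` reads `argv[0]` even when no computer name was given, and after `argv += optind` with `argc == 0` that element is the NULL terminator of argv, so `%s` would receive a null pointer; the preceding warnx already uses `adcli_enroll_get_host_fqdn (enroll) != NULL ? adcli_enroll_get_host_fqdn (enroll) : adcli_enroll_get_computer_name (enroll)` and the same expression belongs here. The path is dead today because adcli_enroll_show_computer_attribute only ever returns ADCLI_SUCCESS, but the call site is written to handle failure, so it should be correct. Extra positional arguments are silently ignored since only `argc == 1` is handled, and adcli_enroll_show_computer_attribute writes directory-supplied values straight to stdout with `printf (" %s\n", vals[v])`, so a value containing control characters reaches the terminal unfiltered; that deserves at least a header comment on the function, which currently has none. The adcli_enroll_read_computer_account hunk starts mid-function, so the `flags` handling it inherits from the old adcli_enroll_update body is not visible here.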
@@ -0,0 +1,183 @@
+From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 27 Nov 2019 14:48:32 +0100
+Subject: [PATCH 3/6] add description option to join and update
+
+This new option allows to set the description LDAP attribute for the AD
+computer object.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml | 10 ++++++++++
+ library/adenroll.c | 29 +++++++++++++++++++++++++++++
+ library/adenroll.h | 4 ++++
+ tools/computer.c | 7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 1f93186..dd30435 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -275,6 +275,11 @@ Password for Administrator:
+ Set the operating system version on the computer
+ account. Not set by default.
+
++
++
++ Set the description attribute on the computer
++ account. Not set by default.
++
+
+
+ Additional service name for a kerberos
+@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ Set the operating system version on the computer
+ account. Not set by default.
+
++
++
++ Set the description attribute on the computer
++ account. Not set by default.
++
+
+
+ Additional service name for a Kerberos
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 8d2adeb..246f658 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] = {
+ "operatingSystemServicePack",
+ "pwdLastSet",
+ "userAccountControl",
++ "description",
+ NULL,
+ };
+
+@@ -143,6 +144,7 @@ struct _adcli_enroll {
+ char *samba_data_tool;
+ bool trusted_for_delegation;
+ int trusted_for_delegation_explicit;
++ char *description;
+ };
+
+ static adcli_result
+@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
+ char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+ LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+ LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
++ char *vals_description[] = { enroll->description, NULL };
++ LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
+
+ char *val = NULL;
+
+@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
+ &operatingSystemServicePack,
+ &userPrincipalName,
+ &servicePrincipalName,
++ &description,
+ NULL
+ };
+
+@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
+ res |= update_computer_attribute (enroll, ldap, mods);
+ }
+
++ if (res == ADCLI_SUCCESS && enroll->description != NULL) {
++ char *vals_description[] = { enroll->description, NULL };
++ LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
++ LDAPMod *mods[] = { &description, NULL, };
++
++ res |= update_computer_attribute (enroll, ldap, mods);
++ }
++
+ if (res != 0)
+ _adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
+ }
+@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+ enroll->trusted_for_delegation_explicit = 1;
+ }
+
++void
++adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
++{
++ return_if_fail (enroll != NULL);
++ if (value != NULL && value[0] != '\0') {
++ _adcli_str_set (&enroll->description, value);
++ }
++}
++
++const char *
++adcli_enroll_get_desciption (adcli_enroll *enroll)
++{
++ return_val_if_fail (enroll != NULL, NULL);
++ return enroll->description;
++}
++
+ const char **
+ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+ {
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 11eb517..0606169 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -126,6 +126,10 @@ bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
+ void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+ bool value);
+
++const char * adcli_enroll_get_desciption (adcli_enroll *enroll);
++void adcli_enroll_set_description (adcli_enroll *enroll,
++ const char *value);
++
+ krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll);
+
+ void adcli_enroll_set_kvno (adcli_enroll *enroll,
+diff --git a/tools/computer.c b/tools/computer.c
+index c8b96a4..840e334 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -112,6 +112,7 @@ typedef enum {
+ opt_trusted_for_delegation,
+ opt_add_service_principal,
+ opt_remove_service_principal,
++ opt_description,
+ } Option;
+
+ static adcli_tool_desc common_usages[] = {
+@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
+ "in the userAccountControl attribute", },
+ { opt_add_service_principal, "add the given service principal to the account\n" },
+ { opt_remove_service_principal, "remove the given service principal from the account\n" },
++ { opt_description, "add a description to the account\n" },
+ { opt_no_password, "don't prompt for or read a password" },
+ { opt_prompt_password, "prompt for a password if necessary" },
+ { opt_stdin_password, "read a password from stdin (until EOF) if\n"
+@@ -306,6 +308,9 @@ parse_option (Option opt,
+ case opt_remove_service_principal:
+ adcli_enroll_add_service_principal_to_remove (enroll, optarg);
+ return ADCLI_SUCCESS;
++ case opt_description:
++ adcli_enroll_set_description (enroll, optarg);
++ return ADCLI_SUCCESS;
+ case opt_verbose:
+ return ADCLI_SUCCESS;
+
+@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ { "os-name", required_argument, NULL, opt_os_name },
+ { "os-version", required_argument, NULL, opt_os_version },
+ { "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++ { "description", optional_argument, NULL, opt_description },
+ { "user-principal", optional_argument, NULL, opt_user_principal },
+ { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ { "add-service-principal", required_argument, NULL, opt_add_service_principal },
+@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ { "os-name", required_argument, NULL, opt_os_name },
+ { "os-version", required_argument, NULL, opt_os_version },
+ { "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++ { "description", optional_argument, NULL, opt_description },
+ { "user-principal", optional_argument, NULL, opt_user_principal },
+ { "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
+ { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+--
+2.25.1
+
diff --git a/0003-man-make-handling-of-optional-credential-cache-more-.patch b/0003-man-make-handling-of-optional-credential-cache-more-.patch
new file mode 100644
index 0000000..328cc5a
--- /dev/null
+++ b/0003-man-make-handling-of-optional-credential-cache-more-.patch
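Review bot: The new getter is spelled `adcli_enroll_get_desciption` in both library/adenroll.c and library/adenroll.h, so the typo becomes part of the exported library interface; rename it to `adcli_enroll_get_description` before it ships, since nothing on this page calls it yet. The `{ "description", optional_argument, NULL, opt_description }` entries in adcli_tool_computer_join and adcli_tool_computer_update look unintended: adcli_enroll_set_description ignores NULL and empty values, so a bare `--description` does nothing, while optional_argument makes `--description "text"` (with a space) leave "text" as a positional argument; `required_argument` matches the option's semantics unless a bare flag is meant to mean something. In create_computer_account the `description` LDAPMod is appended to the mods array even when enroll->description is NULL, giving a `{ NULL, NULL }` value list; presumably the same filtering that already copes with the other optional attributes covers it, but that loop lies outside the hunk and is worth confirming.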
@@ -0,0 +1,42 @@ +From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 13 Aug 2020 17:10:01 +0200 +Subject: [PATCH 3/3] man: make handling of optional credential cache more + clear + +The optional Kerberos credential cache can only be used with the long +option name --login-ccache and not with the short version -C. To make +this more clear each option get its own entry. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545 +--- + doc/adcli.xml | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index ecf8726..1437679 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa + + + +- +- Use the specified kerberos credential ++ ++ Use the default Kerberos credential ++ cache to authenticate with the domain. ++ ++ ++ ++ ++ Use the specified Kerberos credential + cache to authenticate with the domain. If no credential +- cache is specified, the default kerberos credential ++ cache is specified, the default Kerberos credential + cache will be used. Credential caches of type FILE can + be given with the path to the file. For other + credential cache types, e.g. DIR, KEYRING or KCM, the +-- +2.26.2 + diff --git a/0004-Use-GSS-SPNEGO-if-available.patch b/0004-Use-GSS-SPNEGO-if-available.patch new file mode 100644 index 0000000..dba4893 --- /dev/null +++ b/0004-Use-GSS-SPNEGO-if-available.patch 
@@ -0,0 +1,124 @@
+From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 11 Oct 2019 16:39:25 +0200
+Subject: [PATCH 4/6] Use GSS-SPNEGO if available
+
+Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
+and to establish encryption. While this works in general it does not
+handle some of the more advanced features which can be required by AD
+DCs.
+
+The GSS-SPNEGO mechanism can handle them and is used with this patch by
+adcli if the AD DC indicates that it supports it.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
+ library/adconn.h | 3 +++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index bcaced8..ffb54f9 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
+ char *default_naming_context;
+ char *configuration_naming_context;
+ char **supported_capabilities;
++ char **supported_sasl_mechs;
+
+ /* Connect state */
+ LDAP *ldap;
+@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
+ "defaultNamingContext",
+ "configurationNamingContext",
+ "supportedCapabilities",
++ "supportedSASLMechanisms",
+ NULL
+ };
+
+@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
+ "supportedCapabilities");
+ }
+
++ if (conn->supported_sasl_mechs == NULL) {
++ conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
++ "supportedSASLMechanisms");
++ }
++
+ ldap_msgfree (results);
+
+ if (conn->default_naming_context == NULL) {
+@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
+ OM_uint32 minor;
+ ber_len_t ssf;
+ int ret;
++ const char *mech = "GSSAPI";
+
+ if (conn->ldap_authenticated)
+ return ADCLI_SUCCESS;
+@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ return_unexpected_if_fail (ret == 0);
+
+- ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
++ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++ mech = "GSS-SPNEGO";
++ }
++
++ ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ LDAP_SASL_QUIET, sasl_interact, NULL);
+
+ /* Clear the credential cache GSSAPI to use (for this thread) */
+@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
+ free (conn->default_naming_context);
+ free (conn->configuration_naming_context);
+ _adcli_strv_free (conn->supported_capabilities);
++ _adcli_strv_free (conn->supported_sasl_mechs);
+
+ free (conn->computer_name);
+ free (conn->host_fqdn);
+@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
+ return 0;
+ }
+
++bool
++adcli_conn_server_has_sasl_mech (adcli_conn *conn,
++ const char *mech)
++{
++ int i;
++
++ return_val_if_fail (conn != NULL, false);
++ return_val_if_fail (mech != NULL, false);
++
++ if (!conn->supported_sasl_mechs)
++ return false;
++
++ for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
++ if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
++ return true;
++ }
++
++ return false;
++}
++
+ bool adcli_conn_is_writeable (adcli_conn *conn)
+ {
+ disco_dance_if_necessary (conn);
+diff --git a/library/adconn.h b/library/adconn.h
+index 1ad5715..37ebdd9 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -149,6 +149,9 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn,
+ int adcli_conn_server_has_capability (adcli_conn *conn,
+ const char *capability);
+
++bool adcli_conn_server_has_sasl_mech (adcli_conn *conn,
++ const char *mech);
++
+ bool adcli_conn_is_writeable (adcli_conn *conn);
+
+ #endif /* ADCONN_H_ */
+--
+2.25.1
+
diff --git a/0005-add-option-use-ldaps.patch b/0005-add-option-use-ldaps.patch
new file mode 100644
index 0000000..dba4893
--- /dev/null
+++ b/0005-add-option-use-ldaps.patch
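Review bot: authenticate_to_directory now picks between GSSAPI and GSS-SPNEGO but never records which one it used, so a bind failure on a DC that demands the features the commit message describes cannot be attributed from the logs; a line such as `_adcli_info ("Using SASL mechanism %s for LDAP bind", mech);` before `ldap_sasl_interactive_bind_s` would fix that. The `supportedSASLMechanisms` list is read from the rootDSE in connect_and_lookup_naming before any authentication, so a server or on-path party can make GSS-SPNEGO appear absent; the `LDAP_OPT_X_SASL_SSF_MIN` set just above still applies to the GSSAPI fallback, which is worth stating in a comment beside the mech selection since the choice is about feature coverage rather than protection strength. adcli_conn_server_has_sasl_mech relies on `strcasecmp`, which needs <strings.h>, and the include block of adconn.c is not in this hunk, so that should be checked; `int i` could also be `size_t` to match the other string-array walks in the file. connect_and_lookup_naming, authenticate_to_directory and conn_free all start outside the hunk.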
@@ -0,0 +1,378 @@ +From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 19 Dec 2019 07:22:33 +0100 +Subject: [PATCH 5/6] add option use-ldaps + +In general using the LDAP port with GSS-SPNEGO should satifiy all +requirements an AD DC should have for authentication on an encrypted +LDAP connection. + +But if e.g. the LDAP port is blocked by a firewall using the LDAPS port +with TLS encryption might be an alternative. For this use case the +--use-ldaps option is added. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420 +--- + doc/adcli.xml | 24 +++++++++++++++ + library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------ + library/adconn.h | 4 +++ + tools/computer.c | 10 ++++++ + tools/entry.c | 11 +++++++ + 5 files changed, 119 insertions(+), 9 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index dd30435..acced25 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -128,6 +128,30 @@ + If not specified, then an appropriate domain controller + is automatically discovered. + ++ ++ ++ Connect to the domain controller ++ with LDAPS. By default the LDAP port is used and SASL ++ GSS-SPNEGO or GSSAPI is used for authentication and to ++ establish encryption. This should satisfy all ++ requirements set on the server side and LDAPS should ++ only be used if the LDAP port is not accessible due to ++ firewalls or other reasons. ++ Please note that the place where CA certificates ++ can be found to validate the AD DC certificates ++ must be configured in the OpenLDAP configuration ++ file, e.g. /etc/openldap/ldap.conf. ++ As an alternative it can be specified with the help of ++ an environment variable, e.g. ++ ++$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com ++... ++ ++ Please see ++ ldap.conf ++ 5 for details. 
++ ++ + + + Use the specified kerberos credential +diff --git a/library/adconn.c b/library/adconn.c +index ffb54f9..7bab852 100644 +--- a/library/adconn.c ++++ b/library/adconn.c +@@ -70,6 +70,7 @@ struct _adcli_conn_ctx { + char *domain_name; + char *domain_realm; + char *domain_controller; ++ bool use_ldaps; + char *canonical_host; + char *domain_short; + char *domain_sid; +@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap + + static LDAP * + connect_to_address (const char *host, +- const char *canonical_host) ++ const char *canonical_host, ++ bool use_ldaps) + { + struct addrinfo *res = NULL; + struct addrinfo *ai; +@@ -783,6 +785,16 @@ connect_to_address (const char *host, + char *url; + int sock; + int rc; ++ int opt_rc; ++ const char *port = "389"; ++ const char *proto = "ldap"; ++ const char *errmsg = NULL; ++ ++ if (use_ldaps) { ++ port = "636"; ++ proto = "ldaps"; ++ _adcli_info ("Using LDAPS to connect to %s", host); ++ } + + memset (&hints, '\0', sizeof(hints)); + #ifdef AI_ADDRCONFIG +@@ -794,7 +806,7 @@ connect_to_address (const char *host, + if (!canonical_host) + canonical_host = host; + +- rc = getaddrinfo (host, "389", &hints, &res); ++ rc = getaddrinfo (host, port, &hints, &res); + if (rc != 0) { + _adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc)); + return NULL; +@@ -810,7 +822,7 @@ connect_to_address (const char *host, + close (sock); + } else { + error = 0; +- if (asprintf (&url, "ldap://%s", canonical_host) < 0) ++ if (asprintf (&url, "%s://%s", proto, canonical_host) < 0) + return_val_if_reached (NULL); + rc = ldap_init_fd (sock, 1, url, &ldap); + free (url); +@@ -820,6 +832,25 @@ connect_to_address (const char *host, + ldap_err2string (rc)); + break; + } ++ ++ if (use_ldaps) { ++ rc = ldap_install_tls (ldap); ++ if (rc != LDAP_SUCCESS) { ++ opt_rc = ldap_get_option (ldap, ++ LDAP_OPT_DIAGNOSTIC_MESSAGE, ++ (void *) &errmsg); ++ if (opt_rc != LDAP_SUCCESS) { ++ errmsg 
= NULL; ++ } ++ _adcli_err ("Couldn't initialize TLS [%s]: %s", ++ ldap_err2string (rc), ++ errmsg == NULL ? "- no details -" ++ : errmsg); ++ ldap_unbind_ext_s (ldap, NULL, NULL); ++ ldap = NULL; ++ break; ++ } ++ } + } + } + +@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn, + if (!canonical_host) + canonical_host = disco->host_addr; + +- ldap = connect_to_address (disco->host_addr, canonical_host); ++ ldap = connect_to_address (disco->host_addr, canonical_host, ++ adcli_conn_get_use_ldaps (conn)); + if (ldap == NULL) + return ADCLI_ERR_DIRECTORY; + +@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn) + status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL); + return_unexpected_if_fail (status == 0); + +- /* Clumsily tell ldap + cyrus-sasl that we want encryption */ +- ssf = 1; +- ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); +- return_unexpected_if_fail (ret == 0); ++ if (adcli_conn_get_use_ldaps (conn)) { ++ /* do not use SASL encryption on LDAPS connection */ ++ ssf = 0; ++ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); ++ return_unexpected_if_fail (ret == 0); ++ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf); ++ return_unexpected_if_fail (ret == 0); ++ } else { ++ /* Clumsily tell ldap + cyrus-sasl that we want encryption */ ++ ssf = 1; ++ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); ++ return_unexpected_if_fail (ret == 0); ++ } + +- if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) { ++ /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if ++ * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used ++ * without LDAPS. 
*/ ++ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO") ++ && !adcli_conn_get_use_ldaps (conn)) { + mech = "GSS-SPNEGO"; + } ++ _adcli_info ("Using %s for SASL bind", mech); + + ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL, + LDAP_SASL_QUIET, sasl_interact, NULL); +@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name) + conn->refs = 1; + conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT; + adcli_conn_set_domain_name (conn, domain_name); ++ adcli_conn_set_use_ldaps (conn, false); + return conn; + } + +@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn, + no_more_disco (conn); + } + ++bool ++adcli_conn_get_use_ldaps (adcli_conn *conn) ++{ ++ return_val_if_fail (conn != NULL, NULL); ++ return conn->use_ldaps; ++} ++ ++void ++adcli_conn_set_use_ldaps (adcli_conn *conn, bool value) ++{ ++ return_if_fail (conn != NULL); ++ conn->use_ldaps = value; ++} ++ + const char * + adcli_conn_get_domain_short (adcli_conn *conn) + { +diff --git a/library/adconn.h b/library/adconn.h +index 37ebdd9..1d5faa8 100644 +--- a/library/adconn.h ++++ b/library/adconn.h +@@ -89,6 +89,10 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn); + void adcli_conn_set_domain_controller (adcli_conn *conn, + const char *value); + ++bool adcli_conn_get_use_ldaps (adcli_conn *conn); ++void adcli_conn_set_use_ldaps (adcli_conn *conn, ++ bool value); ++ + const char * adcli_conn_get_domain_short (adcli_conn *conn); + + const char * adcli_conn_get_domain_sid (adcli_conn *conn); +diff --git a/tools/computer.c b/tools/computer.c +index 840e334..292c4d8 100644 +--- a/tools/computer.c ++++ b/tools/computer.c +@@ -113,12 +113,14 @@ typedef enum { + opt_add_service_principal, + opt_remove_service_principal, + opt_description, ++ opt_use_ldaps, + } Option; + + static adcli_tool_desc common_usages[] = { + { opt_domain, "active directory domain name" }, + { opt_domain_realm, "kerberos realm for the domain" }, 
+ { opt_domain_controller, "domain controller to connect to" }, ++ { opt_use_ldaps, "use LDAPS port for communication" }, + { opt_host_fqdn, "override the fully qualified domain name of the\n" + "local machine" }, + { opt_host_keytab, "filename for the host kerberos keytab" }, +@@ -311,6 +313,9 @@ parse_option (Option opt, + case opt_description: + adcli_enroll_set_description (enroll, optarg); + return ADCLI_SUCCESS; ++ case opt_use_ldaps: ++ adcli_conn_set_use_ldaps (conn, true); ++ return ADCLI_SUCCESS; + case opt_verbose: + return ADCLI_SUCCESS; + +@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, + { "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */ ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "user", required_argument, NULL, opt_login_user }, /* compat */ + { "login-ccache", optional_argument, NULL, opt_login_ccache }, +@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "domain-ou", required_argument, NULL, opt_domain_ou }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, +@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, 
NULL, opt_login_ccache }, + { "login-type", required_argument, NULL, opt_login_type }, +@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "login-type", required_argument, NULL, opt_login_type }, +diff --git a/tools/entry.c b/tools/entry.c +index f361845..05e4313 100644 +--- a/tools/entry.c ++++ b/tools/entry.c +@@ -53,6 +53,7 @@ typedef enum { + opt_unix_gid, + opt_unix_shell, + opt_nis_domain, ++ opt_use_ldaps, + } Option; + + static adcli_tool_desc common_usages[] = { +@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = { + { opt_domain, "active directory domain name" }, + { opt_domain_realm, "kerberos realm for the domain" }, + { opt_domain_controller, "domain directory server to connect to" }, ++ { opt_use_ldaps, "use LDAPS port for communication" }, + { opt_login_ccache, "kerberos credential cache file which contains\n" + "ticket to used to connect to the domain" }, + { opt_login_user, "user (usually administrative) login name of\n" +@@ -136,6 +138,9 @@ parse_option (Option opt, + stdin_password = 1; + } + return ADCLI_SUCCESS; ++ case opt_use_ldaps: ++ adcli_conn_set_use_ldaps (conn, true); 
++ return ADCLI_SUCCESS; + case opt_verbose: + return ADCLI_SUCCESS; + default: +@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "domain-ou", required_argument, NULL, opt_domain_ou }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, +@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", 
no_argument, 0, opt_no_password },
+@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-realm", required_argument, NULL, opt_domain_realm },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
++ { "use-ldaps", no_argument, 0, opt_use_ldaps },
+ { "login-user", required_argument, NULL, opt_login_user },
+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
+ { "no-password", no_argument, 0, opt_no_password },
+@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-realm", required_argument, NULL, opt_domain_realm },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
++ { "use-ldaps", no_argument, 0, opt_use_ldaps },
+ { "login-user", required_argument, NULL, opt_login_user },
+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
+ { "no-password", no_argument, 0, opt_no_password },
+--
+2.25.1
+
diff --git a/0006-discovery-fix.patch b/0006-discovery-fix.patch
new file mode 100644
index 0000000..04568ce
--- /dev/null
+++ b/0006-discovery-fix.patch
@@ -0,0 +1,27 @@
+From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 11 Feb 2020 17:42:03 +0100
+Subject: [PATCH 6/6] discovery fix
+
+Do not continue processing on closed connection.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
+---
+ library/addisco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 6e73ead..f3b3546 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
+ "Couldn't perform discovery search");
+ ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ ldap[i] = NULL;
++ continue;
+ }
+
+ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+--
+2.25.1
+
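Review bot: On the LDAPS path authenticate_to_directory forces the SASL SSF maximum to 0, so after the bind every LDAP operation is protected only by TLS, yet connect_to_address calls ldap_install_tls without asserting certificate verification — it inherits whatever TLS_REQCERT the OpenLDAP ldap.conf happens to set, and the URL handed to ldap_init_fd is built from canonical_host, which falls back to disco->host_addr, so name checking may end up against an address literal. Nothing in the patch ties the Kerberos bind to the TLS channel, so on a client with a permissive ldap.conf a relay could alter or inject operations after the bind; the man page should state that verification is mandatory and the code should enforce it on the handle before ldap_install_tls (LDAP_OPT_X_TLS_REQUIRE_CERT set to LDAP_OPT_X_TLS_DEMAND; whether a LDAP_OPT_X_TLS_NEWCTX is also needed depends on the OpenLDAP version, please verify). Two smaller points in the same patch: the errmsg obtained via LDAP_OPT_DIAGNOSTIC_MESSAGE is allocated by libldap and is leaked on the TLS failure path, so add `ldap_memfree ((char *) errmsg);` after the _adcli_err call, and adcli_conn_get_use_ldaps returns bool but uses `return_val_if_fail (conn != NULL, NULL);`, which should read `return_val_if_fail (conn != NULL, false);`. connect_to_address and authenticate_to_directory are only partially visible through the nested hunks.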
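Review bot: The added `continue` in ldap_disco is right for the failed-search branch, but the reason — ldap[i] has just been unbound and nulled, so the code below the closing brace must not touch it — is not stated; a comment such as `/* ldap[i] was closed above; skip the rest of this iteration */` would spare the next reader from re-deriving it. The commit title "discovery fix" says nothing about what was wrong; something like "discovery: do not use ldap[i] after the search failed and it was closed" would be more useful in the history. The enclosing loop in ldap_disco starts and ends outside the hunk, so any other early-error path in that loop which also unbinds ldap[i] is worth checking for the same omission.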
diff --git a/adcli.spec b/adcli.spec
new file mode 100644
index 0000000..f489b8c
--- /dev/null
+++ b/adcli.spec
@@ -0,0 +1,236 @@ +Name: adcli +Version: 0.9.0 +Release: 5%{?dist} +Summary: Active Directory enrollment +License: LGPLv2+ +URL: http://cgit.freedesktop.org/realmd/adcli +Source0: https://gitlab.freedesktop.org/realmd/adcli/uploads/02d8757266c24fdc10822306582287bf/adcli-%{version}.tar.gz + +Patch1: 0001-man-move-note-to-the-right-section.patch +Patch2: 0002-tools-add-show-computer-command.patch +Patch3: 0003-add-description-option-to-join-and-update.patch +Patch4: 0004-Use-GSS-SPNEGO-if-available.patch +Patch5: 0005-add-option-use-ldaps.patch +Patch6: 0006-discovery-fix.patch +Patch7: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch +Patch8: 0001-tools-disable-SSSD-s-locator-plugin.patch +Patch9: 0001-tools-fix-typo-in-show-password-help-output.patch +Patch10: 0002-man-explain-optional-parameter-of-login-ccache-bette.patch +Patch11: 0003-man-make-handling-of-optional-credential-cache-more-.patch + + +BuildRequires: gcc +BuildRequires: intltool pkgconfig +BuildRequires: libtool +BuildRequires: gettext-devel +BuildRequires: krb5-devel +BuildRequires: openldap-devel +BuildRequires: libxslt +BuildRequires: xmlto + +Requires: cyrus-sasl-gssapi + +# adcli no longer has a library of development files +# the adcli tool itself is to be used by callers +Obsoletes: adcli-devel < 0.5 + +%description +adcli is a tool for joining an Active Directory domain using +standard LDAP and Kerberos calls. 
+ +%define _hardened_build 1 + +%prep +%autosetup -p1 + +%build +autoreconf --force --install --verbose +%configure --disable-static --disable-silent-rules +make %{?_smp_mflags} + +%check +make check + +%install +make install DESTDIR=%{buildroot} +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' + +%ldconfig_scriptlets + +%files +%{_sbindir}/adcli +%doc AUTHORS COPYING ChangeLog NEWS README +%doc %{_mandir}/*/* + +%package doc +Summary: adcli documentation +BuildArch: noarch + +%description doc +adcli is a tool for joining an Active Directory domain using +standard LDAP and Kerberos calls. This package contains its +documentation. + +%files doc +%doc %{_datadir}/doc/adcli/* + +%changelog +* Thu Aug 13 2020 Sumit Bose - 0.9.0-5 +- man page and help output fixes + +* Fri Jul 31 2020 Fedora Release Engineering - 0.9.0-4 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.9.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jun 08 2020 Sumit Bose - 0.9.0-2 +- Include the latest upstream patches + +* Wed Mar 18 2020 Sumit Bose - 0.9.0-1 +- Update to upstream release 0.9.0 and latest patches + +* Tue Jan 28 2020 Fedora Release Engineering - 0.8.2-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Aug 26 2019 Sumit Bose - 0.8.2-8 +- various fixes and improvements + Resolves: rhbz#1683745, rhbz#1738573 + +* Wed Jul 24 2019 Fedora Release Engineering - 0.8.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jul 5 2019 Jakub Hrozek - 0.8.2-6 +- Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli + needs to backport patches to only use permitted + enctypes from upstream + +* Tue Apr 30 2019 Sumit Bose - 0.8.2-5 +- addition patch for rhbz#1630187 and new ones for rhbz#1588596 + Resolves: rhbz#1630187, rhbz#1588596 + +* Fri Mar 22 2019 Sumit Bose - 0.8.2-4 +- various fixes and 
improvements + Resolves: rhbz#1593240, rhbz#1608212, rhbz#1547014, rhbz#1547014, + rhbz#1649868, rhbz#1588596, rhbz#1642546, rhbz#1595911, + rhbz#1644311, rhbz#1337489, rhbz#1630187, rhbz#1622583 + +* Thu Jan 31 2019 Fedora Release Engineering - 0.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 0.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 05 2018 Sumit Bose - 0.8.0-1 +- Update to upstream release 0.8.2 +- various other fixes and improvements +- add option to enable "Trust this computer for delegation" + Resolves: rhbz#988349 +- fix typos in the adcli man page + Resolves: rhbz#1440533 + +* Wed Mar 07 2018 Sumit Bose - 0.8.0-7 +- Added BuildRequires gcc + +* Wed Feb 07 2018 Fedora Release Engineering - 0.8.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 0.8.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Feb 03 2016 Fedora Release Engineering - 0.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Dec 17 2015 Sumit Bose - 0.8.0-1 +- Update to upstream release 0.8.0 + +* Mon Oct 19 2015 Stef Walter - 0.7.6-1 +- Fix issue with keytab use with sshd +- Resolves: rhbz#1267319 +- Put documentation in a subpackage + +* Tue Jun 16 2015 Fedora Release Engineering - 0.7.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Aug 15 2014 Fedora Release Engineering - 0.7.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.7.5-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Jan 30 2014 Stef Walter - 0.7.5-2 +- Fix incorrect ownership of manual page directory + +* Fri Sep 13 2013 Stef Walter - 0.7.5-1 +- Update to upstream point release 0.7.5 +- Workaround for discovery via IPv6 address +- Correctly put IPv6 addresses in temporary krb5.conf + +* Mon Sep 09 2013 Stef Walter - 0.7.4-1 +- Update to upstream point release 0.7.4 +- Correctly handle truncating long host names +- Try to contact all available addresses for discovery +- Build fixes + +* Wed Aug 07 2013 Stef Walter - 0.7.3-1 +- Update to upstream point release 0.7.3 +- Don't try to set encryption types on Windows 2003 + +* Sat Aug 03 2013 Fedora Release Engineering - 0.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Stef Walter - 0.7.2-1 +- Update to upstream point release 0.7.2 +- Part of fix for bug [#961244] + +* Mon Jul 15 2013 Stef Walter - 0.7.1-4 +- Build with verbose output logging + +* Tue Jun 11 2013 Stef Walter - 0.7.1-3 +- Run 'make check' when building the package + +* Mon May 13 2013 Stef Walter - 0.7.1-2 +- Bump version to get around botched update + +* Mon May 13 2013 Stef Walter - 0.7.1-1 +- Update to upstream 0.7.1 release +- Fix problems with salt discovery [#961399] + +* Mon May 06 2013 Stef Walter - 0.7-1 +- Work around broken krb5 with empty passwords [#960001] +- Fix memory corruption issue [#959999] +- Update to 0.7, fixing various bugs + +* Mon Apr 29 2013 Stef Walter - 0.6-1 +- Update to 0.6, fixing various bugs + +* Wed Apr 10 2013 Stef walter - 0.5-2 +- Add appropriate Obsoletes line for libadcli removal + +* Wed Apr 10 2013 Stef Walter - 0.5-1 +- Update to upstream 0.5 version +- No more libadcli, and thus no adcli-devel +- Many new adcli commands +- Documentation + +* Wed Feb 13 2013 Fedora Release Engineering - 0.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Stef Walter - 0.4-1 +- Update for 
0.4 version, fixing various bugs
+
+* Sat Oct 20 2012 Stef Walter - 0.3-1
+- Update for 0.3 version
+
+* Tue Sep 4 2012 Stef Walter - 0.2-1
+- Update for 0.2 version
+
+* Wed Aug 15 2012 Stef Walter - 0.1-1
+- Initial 0.1 package
diff --git a/sources b/sources
new file mode 100644
index 0000000..4e3b7c0
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (adcli-0.9.0.tar.gz) = e9b210bf7a932750fc838d6f027ca1fbeca1bd6a0028b551c9a72c0fe3ee680d47031c614b74447613d06bd41462c489e8572d49e60b344d575ebb572c022344
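Review bot: `%ldconfig_scriptlets` is carried in the spec although `%files` ships only `%{_sbindir}/adcli` and the comment above `Obsoletes` says no library is built any more, so the scriptlet is dead weight and can be dropped. With the GSS-SPNEGO patch in the series, `Requires: cyrus-sasl-gssapi` should be confirmed to provide the GSS-SPNEGO SASL plugin as well as GSSAPI on the target releases, because the client selects the mechanism from the server's list without checking local availability and the bind will fail outright if the plugin is missing. `URL:` still points at the plain-http cgit mirror while `Source0:` already uses the https GitLab project; pointing `URL:` at the same origin avoids sending users to an unauthenticated page.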