RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/adcli#9b162ca3df4c49322bfac940ba0efb6a38544003
This commit is contained in:
parent b5688f2cd4
commit 10bd2dc843
.gitignore (vendored, 17 lines)
@ -0,0 +1,17 @@
/adcli-0.1.tar.gz
/adcli-0.2.tar.gz
/adcli-0.3.tar.gz
/adcli-0.4.tar.gz
/adcli-0.5.tar.gz
/adcli-0.6.tar.gz
/adcli-0.7.tar.gz
/adcli-0.7.1.tar.gz
/old
/adcli-0.7.2.tar.gz
/adcli-0.7.3.tar.gz
/adcli-0.7.4.tar.gz
/adcli-0.7.5.tar.gz
/adcli-0.7.6.tar.gz
/adcli-0.8.0.tar.gz
/adcli-0.8.2.tar.gz
/adcli-0.9.0.tar.gz
0001-delete-do-not-exit-if-keytab-cannot-be-read.patch (Normal file, 32 lines)
@ -0,0 +1,32 @@
From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 5 Jun 2020 17:06:58 +0200
Subject: [PATCH] delete: do not exit if keytab cannot be read

Reading the keytab is not required when deleting a host object in AD. It
is only needed in the case where the host was added with a manually set
NetBIOS name (--computer-name option) which does not match the short
hostname and no computer name was given at the delete-computer command
line.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
---
tools/computer.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/tools/computer.c b/tools/computer.c
index 292c4d8..a90c4b2 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
if (res != ADCLI_SUCCESS) {
warnx ("couldn't lookup domain info from keytab: %s",
adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
}

res = adcli_conn_connect (conn);
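Review bot: with the early return removed, the `warnx ("couldn't lookup domain info from keytab: %s", ...)` left at the top of this hunk still reads like a fatal error, yet execution now falls through to `adcli_conn_connect (conn)` and the delete proceeds. Every `delete-computer` run with an unreadable keytab will print a failure-looking message and then succeed, and the one case the commit message says the keytab matters for (a `--computer-name` that differs from the short host name, with no name on the command line) gets no specific hint. Reword the message to say the keytab was skipped and the host name is taken from the command line or `gethostname()`, or move it to the verbose log.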
--
2.26.2

0001-man-move-note-to-the-right-section.patch (Normal file, 48 lines)
@ -0,0 +1,48 @@
From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 18:26:44 +0100
Subject: [PATCH 1/6] man: move note to the right section

Unfortunately the note about the password lifetime was added to the join
section. This patch moves it to the update section where it belongs.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
https://bugzilla.redhat.com/show_bug.cgi?id=1745931
https://bugzilla.redhat.com/show_bug.cgi?id=1774622
---
doc/adcli.xml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index 4f201e0..9faf96a 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -330,11 +330,7 @@ Password for Administrator:
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para>
- <para>Note that if the machine account password is not
- older than 30 days, you have to pass
- <option>--computer-password-lifetime=0</option> to
- force the update.</para></listitem>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details.</para>
+ <para>Note that if the machine account password is not
+ older than 30 days, you have to pass
+ <option>--computer-password-lifetime=0</option> to
+ force the update.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
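Review bot: the moved paragraph hard-codes "30 days" while the option it points at, `--computer-password-lifetime`, accepts an arbitrary lifetime, so the sentence becomes wrong as soon as a non-default value is in use; phrase it as "not older than the configured lifetime (30 days by default)". It should also say what `=0` forces: the machine account password change, not the other attribute updates that `adcli update` performs regardless (the `--os-version` and similar options documented in this same section).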
--
2.25.1

0001-tools-disable-SSSD-s-locator-plugin.patch (Normal file, 41 lines)
@ -0,0 +1,41 @@
From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 5 Jun 2020 17:28:28 +0200
Subject: [PATCH] tools: disable SSSD's locator plugin

MIT's libkrb5 checks available locator plugins first before checking the
config file. This might cause issues when the locator plugin returns a
different DC than the one used for the LDAP connection if some data must
be replicated.

This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
'true' to disable SSSD's locator plugin for adcli.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
---
tools/tools.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/tools/tools.c b/tools/tools.c
index 9d422f2..1b6d879 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
}

unsetenv ("KRB5_CONFIG");
+ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
}

static void
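Review bot: `unsetenv ("SSSD_KRB5_LOCATOR_DISABLE")` in cleanup discards whatever the caller's environment held, and the matching `setenv (..., "true", 1)` in the next hunk overwrites it unconditionally, so a caller that exported the variable on purpose (for example to pass it on to a child process) finds it gone after adcli returns. Record the previous value with `getenv` before the `setenv` and restore it here instead of unsetting; the existing `KRB5_CONFIG` pair one line above has the same problem and would benefit from the same treatment.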
@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
adcli_krb5_conf_filename = filename;
adcli_krb5_d_directory = snippets;
setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
+ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);

} else {
free (filename);
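Review bot: the new `setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1)` only runs in the branch where the private krb5.conf snippet directory was set up; on the `} else {` path that frees `filename`, the locator plugin stays active and libkrb5 can still be steered to a different DC than the LDAP connection uses, which is exactly the mismatch the commit message describes. Disabling the plugin does not depend on the snippet directory, so set the variable before this block (or at tool start-up) and check the `setenv` return value; the `KRB5_CONFIG` line just above shares both gaps.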
--
2.26.2

0001-tools-fix-typo-in-show-password-help-output.patch (Normal file, 26 lines)
@ -0,0 +1,26 @@
From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Jun 2020 15:41:53 +0200
Subject: [PATCH 1/3] tools: fix typo in show-password help output

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
---
tools/computer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/computer.c b/tools/computer.c
index a90c4b2..24ea258 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
"accounts" },
{ opt_show_details, "show information about joining the domain after\n"
"a successful join" },
- { opt_show_password, "show computer account password after after a\n"
+ { opt_show_password, "show computer account password after a\n"
"successful join" },
{ opt_add_samba_data, "add domain SID and computer account password\n"
"to the Samba specific configuration database" },
--
2.26.2

@ -0,0 +1,44 @@
From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Jun 2020 15:57:47 +0200
Subject: [PATCH 2/3] man: explain optional parameter of login-ccache better

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
---
doc/adcli.xml | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index acced25..ecf8726 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
<varlistentry>
<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
<listitem><para>Use the specified kerberos credential
- cache to authenticate with the domain. If no credential
- cache is specified, the default kerberos credential
- cache will be used. Credential caches of type FILE can
- be given with the path to the file. For other
- credential cache types, e.g. DIR, KEYRING or KCM, the
- type must be specified explicitly together with a
- suitable identifier.</para></listitem>
+ cache to authenticate with the domain. If no credential
+ cache is specified, the default kerberos credential
+ cache will be used. Credential caches of type FILE can
+ be given with the path to the file. For other
+ credential cache types, e.g. DIR, KEYRING or KCM, the
+ type must be specified explicitly together with a
+ suitable identifier.</para>
+ <para>Please note that since the
+ <parameter>ccache_name</parameter> is optional the
+ =(equal) sign is mandatory. If = is missing the
+ parameter is treated as optionless extra argument. How
+ this is handled depends on the specific sub-command.
+ </para></listitem>
</varlistentry>
<varlistentry>
<term><option>-U, --login-user=<parameter>User</parameter></option></term>
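Review bot: the added paragraph says `=` is mandatory but not that the optional `ccache_name` only works with the long form `--login-ccache=`; the `<term>` still presents `-C, --login-ccache=ccache_name` as a single entry, so readers will assume `-C /tmp/krb5cc_0` works, when in fact `-C` selects the default cache and the path becomes a positional argument (for the computer sub-commands that is the computer name, compare `parse_fqdn_or_name (enroll, argv[0])` in the `show-computer` code further down this page). The last patch on this page, "man: make handling of optional credential cache more clear", splits the entries for that reason; it belongs together with this change. Also replace "optionless extra argument" with "positional argument", and say plainly what "depends on the specific sub-command" means in practice: a dropped ccache path makes the command silently fall back to the default credential cache, i.e. whatever identity is currently logged in, while operating on the wrong computer name.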
--
2.26.2

0002-tools-add-show-computer-command.patch (Normal file, 338 lines)
@ -0,0 +1,338 @@
From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 12:34:45 +0100
Subject: [PATCH 2/6] tools: add show-computer command

The show-computer command prints the LDAP attributes of the related
computer object from AD.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
---
doc/adcli.xml | 28 ++++++++++++++
library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
library/adenroll.h | 5 +++
tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++
tools/tools.c | 1 +
tools/tools.h | 4 ++
6 files changed, 191 insertions(+), 18 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index 9faf96a..1f93186 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -93,6 +93,11 @@
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>adcli show-computer</command>
+ <arg choice="opt">--domain=domain.example.com</arg>
+ <arg choice="plain">computer</arg>
+ </cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='general_overview'>
@@ -811,6 +816,29 @@ Password for Administrator:

</refsect1>

+<refsect1 id='show_computer_account'>
+ <title>Show Computer Account Attributes</title>
+
+ <para><command>adcli show-computer</command> show the computer account
+ attributes stored in AD. The account must already exist.</para>
+
+<programlisting>
+$ adcli show-computer --domain=domain.example.com host2
+Password for Administrator:
+</programlisting>
+
+ <para>If the computer name contains a dot, then it is
+ treated as fully qualified host name, otherwise it is treated
+ as short computer name.</para>
+
+ <para>If no computer name is specified, then the host name of the
+ computer adcli is running on is used, as returned by
+ <literal>gethostname()</literal>.</para>
+
+ <para>The various global options can be used.</para>
+
+</refsect1>
+
<refsect1 id='bugs'>
<title>Bugs</title>
<para>
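Review bot: "`adcli show-computer` show the computer account attributes" needs "shows", and the `<programlisting>` example stops at the password prompt, so the reader never sees what the command prints or which attributes are covered. List them (they are the fixed `default_ad_ldap_attrs` set added in the library hunk: sAMAccountName, userPrincipalName, msDS-KeyVersionNumber, msDS-supportedEncryptionTypes, dNSHostName, servicePrincipalName, operatingSystem, operatingSystemVersion, operatingSystemServicePack, pwdLastSet, userAccountControl) and say that numeric ones such as `userAccountControl`, `msDS-supportedEncryptionTypes` and `pwdLastSet` are printed raw rather than decoded. "The various global options can be used" is not actionable; name them or cross-reference the options section.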
diff --git a/library/adenroll.c b/library/adenroll.c
index 524663a..8d2adeb 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
0
};

+static char *default_ad_ldap_attrs[] = {
+ "sAMAccountName",
+ "userPrincipalName",
+ "msDS-KeyVersionNumber",
+ "msDS-supportedEncryptionTypes",
+ "dNSHostName",
+ "servicePrincipalName",
+ "operatingSystem",
+ "operatingSystemVersion",
+ "operatingSystemServicePack",
+ "pwdLastSet",
+ "userAccountControl",
+ NULL,
+};
+
/* Some constants for the userAccountControl AD LDAP attribute, see e.g.
* https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
* for details. */
@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
char *end;
int ret;

- char *attrs[] = {
- "msDS-KeyVersionNumber",
- "msDS-supportedEncryptionTypes",
- "dNSHostName",
- "servicePrincipalName",
- "operatingSystem",
- "operatingSystemVersion",
- "operatingSystemServicePack",
- "pwdLastSet",
- "userAccountControl",
- NULL,
- };
-
assert (enroll->computer_dn != NULL);
assert (enroll->computer_attributes == NULL);

@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
assert (ldap != NULL);

ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
- "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
+ "(objectClass=*)", default_ad_ldap_attrs,
+ 0, NULL, NULL, NULL, -1,
&enroll->computer_attributes);

if (ret != LDAP_SUCCESS) {
@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
}

adcli_result
-adcli_enroll_update (adcli_enroll *enroll,
- adcli_enroll_flags flags)
+adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
{
adcli_result res = ADCLI_SUCCESS;
LDAP *ldap;
- char *value;

return_unexpected_if_fail (enroll != NULL);

@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
}

/* Get information about the computer account */
- res = retrieve_computer_account (enroll);
+ return retrieve_computer_account (enroll);
+}
+
+adcli_result
+adcli_enroll_update (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
+{
+ adcli_result res = ADCLI_SUCCESS;
+ LDAP *ldap;
+ char *value;
+
+ res = adcli_enroll_read_computer_account (enroll, flags);
if (res != ADCLI_SUCCESS)
return res;

@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
return enroll_join_or_update_tasks (enroll, flags);
}

+adcli_result
+adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
+{
+ LDAP *ldap;
+ size_t c;
+ char **vals;
+ size_t v;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
+ vals = _adcli_ldap_parse_values (ldap,
+ enroll->computer_attributes,
+ default_ad_ldap_attrs[c]);
+ printf ("%s:\n", default_ad_ldap_attrs[c]);
+ if (vals == NULL) {
+ printf (" - not set -\n");
+ } else {
+ for (v = 0; vals[v] != NULL; v++) {
+ printf (" %s\n", vals[v]);
+ }
+ }
+ _adcli_strv_free (vals);
+ }
+
+ return ADCLI_SUCCESS;
+}
+
adcli_result
adcli_enroll_delete (adcli_enroll *enroll,
adcli_enroll_flags delete_flags)
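Review bot: `adcli_enroll_show_computer_attribute` returns `ADCLI_SUCCESS` unconditionally, so the `if (res != ADCLI_SUCCESS)` branch in its caller in tools/computer.c (next hunk) is dead; either drop that check or make this function fail when `enroll->computer_attributes` is NULL instead of printing `- not set -` for every attribute. Second, every value goes out through `printf (" %s\n", vals[v])` unescaped. `servicePrincipalName`, `dNSHostName` and the `operatingSystem*` attributes are filled from client-supplied strings at join time, so an object whose attribute contains newlines or terminal control sequences is reproduced verbatim on the administrator's terminal and in any log that captures the output; escaping non-printable bytes before printing is cheap here. Third, `userAccountControl`, `msDS-supportedEncryptionTypes` and `pwdLastSet` are emitted as raw integers although the constants for decoding `userAccountControl` already live in this file (the comment block right after the new attribute array); a decoded flag list would make the output usable for an audit.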
diff --git a/library/adenroll.h b/library/adenroll.h
index 1d5d00d..11eb517 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll,
adcli_result adcli_enroll_update (adcli_enroll *enroll,
adcli_enroll_flags flags);

+adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ adcli_enroll_flags flags);
+
+adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
+
adcli_result adcli_enroll_delete (adcli_enroll *enroll,
adcli_enroll_flags delete_flags);

diff --git a/tools/computer.c b/tools/computer.c
index ac8a203..c8b96a4 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
adcli_enroll_unref (enroll);
return 0;
}
+
+int
+adcli_tool_computer_show (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-realm", required_argument, NULL, opt_domain_realm },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "login-user", required_argument, NULL, opt_login_user },
+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
+ { "login-type", required_argument, NULL, opt_login_type },
+ { "no-password", no_argument, 0, opt_no_password },
+ { "stdin-password", no_argument, 0, opt_stdin_password },
+ { "prompt-password", no_argument, 0, opt_prompt_password },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL) {
+ warnx ("unexpected memory problems");
+ return -1;
+ }
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ res = parse_option ((Option)opt, optarg, conn, enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ return res;
+ }
+ break;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ if (argc == 1) {
+ parse_fqdn_or_name (enroll, argv[0]);
+ }
+
+ res = adcli_enroll_read_computer_account (enroll, 0);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't read data for %s: %s",
+ adcli_enroll_get_host_fqdn (enroll) != NULL
+ ? adcli_enroll_get_host_fqdn (enroll)
+ : adcli_enroll_get_computer_name (enroll),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ res = adcli_enroll_show_computer_attribute (enroll);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't print data for %s: %s",
+ argv[0], adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ adcli_enroll_unref (enroll);
+ return 0;
+}
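Review bot: the error path after `adcli_enroll_show_computer_attribute` prints `argv[0]`, but when no computer name was given (`argc == 0`, the `gethostname()` default the man page documents) `argv` has already been advanced by `optind`, so `argv[0]` is the NULL terminator of the argument vector and `warnx` dereferences it. Reuse the `adcli_enroll_get_host_fqdn (enroll) != NULL ? ... : adcli_enroll_get_computer_name (enroll)` expression from the previous `warnx`; the branch is unreachable today only because the callee never fails (see the library hunk above). Two smaller points: `if (argc == 1)` silently ignores extra positional arguments, so `adcli show-computer host1 host2` reports on host1 without complaint, and a `--login-ccache /path` typed without `=` becomes exactly such an ignored argument (the man-page paragraph added earlier on this page warns about this), so `argc > 1` should be a usage error. And the option table has no `use-ldaps` entry although `join` supports `--use-ldaps` (see the example in the `@@ -155` doc hunk above), so `show-computer` always reads the object without the LDAPS option the other sub-commands offer.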
diff --git a/tools/tools.c b/tools/tools.c
index fc9fa9a..9d422f2 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -59,6 +59,7 @@ struct {
{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
+ { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
{ "create-user", adcli_tool_user_create, "Create a user account", },
{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
{ "create-group", adcli_tool_group_create, "Create a group", },
diff --git a/tools/tools.h b/tools/tools.h
index 8cebbf9..3702875 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn,
int argc,
char *argv[]);

+int adcli_tool_computer_show (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
int adcli_tool_user_create (adcli_conn *conn,
int argc,
char *argv[]);
--
2.25.1

0003-add-description-option-to-join-and-update.patch (Normal file, 183 lines)
@ -0,0 +1,183 @@
From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 14:48:32 +0100
Subject: [PATCH 3/6] add description option to join and update

This new option allows setting the description LDAP attribute for the AD
computer object.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
---
doc/adcli.xml | 10 ++++++++++
library/adenroll.c | 29 +++++++++++++++++++++++++++++
library/adenroll.h | 4 ++++
tools/computer.c | 7 +++++++
4 files changed, 50 insertions(+)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index 1f93186..dd30435 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -275,6 +275,11 @@ Password for Administrator:
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--description=<parameter>description</parameter></option></term>
+ <listitem><para>Set the description attribute on the computer
+ account. Not set by default.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a kerberos
@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--description=<parameter>description</parameter></option></term>
+ <listitem><para>Set the description attribute on the computer
+ account. Not set by default.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
diff --git a/library/adenroll.c b/library/adenroll.c
index 8d2adeb..246f658 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] = {
"operatingSystemServicePack",
"pwdLastSet",
"userAccountControl",
+ "description",
NULL,
};

@@ -143,6 +144,7 @@ struct _adcli_enroll {
char *samba_data_tool;
bool trusted_for_delegation;
int trusted_for_delegation_explicit;
+ char *description;
};

static adcli_result
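Review bot: the new owned string `char *description` in `struct _adcli_enroll` is filled through `_adcli_str_set` in `adcli_enroll_set_description`, but nothing in this patch frees it. The diffstat lists 29 insertions in library/adenroll.c, and the attribute list (1), this member (1), the create mods (3), the update block (8) and the two accessors (16) account for all of them, so the destructor is untouched and the string leaks on every `adcli_enroll_unref`. Add the matching `free (enroll->description)` next to the other `char *` members such as `samba_data_tool`.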
@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
+ char *vals_description[] = { enroll->description, NULL };
+ LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };

char *val = NULL;

@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
&operatingSystemServicePack,
&userPrincipalName,
&servicePrincipalName,
+ &description,
NULL
};

@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
res |= update_computer_attribute (enroll, ldap, mods);
}

+ if (res == ADCLI_SUCCESS && enroll->description != NULL) {
+ char *vals_description[] = { enroll->description, NULL };
+ LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
+ LDAPMod *mods[] = { &description, NULL, };
+
+ res |= update_computer_attribute (enroll, ldap, mods);
+ }
+
if (res != 0)
_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
}
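Review bot: the new block and the existing code disagree about what `res` means. The guard `res == ADCLI_SUCCESS && ...` treats a non-zero `res` as "an earlier attribute update failed, skip the description", while the pre-existing context two lines below, `if (res != 0) _adcli_info ("Updated existing computer account: ...")`, treats non-zero `res` as "something was updated" and logs success. Only one reading can be right: if `update_computer_attribute` returns an `adcli_result`, the success log is printed exactly when an update failed and the new guard silently drops the description on any earlier error; if it returns a true/false "changed" flag, the guard skips the description whenever anything else was changed. Resolve the convention here, since this hunk is the one touching that path. Note also that with `LDAP_MOD_REPLACE` and a setter that ignores empty strings, `adcli update` cannot clear an existing description.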
@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
enroll->trusted_for_delegation_explicit = 1;
}

+void
+adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
+{
+ return_if_fail (enroll != NULL);
+ if (value != NULL && value[0] != '\0') {
+ _adcli_str_set (&enroll->description, value);
+ }
+}
+
+const char *
+adcli_enroll_get_desciption (adcli_enroll *enroll)
+{
+ return_val_if_fail (enroll != NULL, NULL);
+ return enroll->description;
+}
+
const char **
adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
{
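Review bot: `adcli_enroll_get_desciption` is misspelled (missing the `r`), here and in the `adenroll.h` hunk that follows; fix the name before it is referenced anywhere else, since renaming a library accessor later is churn for every caller. Separately, `adcli_enroll_set_description` silently ignores `NULL` and the empty string, so `--description=` is a no-op rather than a way to clear the attribute and the user gets no error; either say so in the man page or treat the empty string as "remove the attribute".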
diff --git a/library/adenroll.h b/library/adenroll.h
index 11eb517..0606169 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -126,6 +126,10 @@ bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
bool value);

+const char * adcli_enroll_get_desciption (adcli_enroll *enroll);
+void adcli_enroll_set_description (adcli_enroll *enroll,
+ const char *value);
+
krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll);

void adcli_enroll_set_kvno (adcli_enroll *enroll,
diff --git a/tools/computer.c b/tools/computer.c
index c8b96a4..840e334 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -112,6 +112,7 @@ typedef enum {
opt_trusted_for_delegation,
opt_add_service_principal,
opt_remove_service_principal,
+ opt_description,
} Option;

static adcli_tool_desc common_usages[] = {
@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
"in the userAccountControl attribute", },
{ opt_add_service_principal, "add the given service principal to the account\n" },
{ opt_remove_service_principal, "remove the given service principal from the account\n" },
+ { opt_description, "add a description to the account\n" },
{ opt_no_password, "don't prompt for or read a password" },
{ opt_prompt_password, "prompt for a password if necessary" },
{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
@@ -306,6 +308,9 @@ parse_option (Option opt,
case opt_remove_service_principal:
adcli_enroll_add_service_principal_to_remove (enroll, optarg);
return ADCLI_SUCCESS;
+ case opt_description:
+ adcli_enroll_set_description (enroll, optarg);
+ return ADCLI_SUCCESS;
case opt_verbose:
return ADCLI_SUCCESS;

@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
{ "os-name", required_argument, NULL, opt_os_name },
{ "os-version", required_argument, NULL, opt_os_version },
{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
+ { "description", optional_argument, NULL, opt_description },
{ "user-principal", optional_argument, NULL, opt_user_principal },
{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
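Review bot: `description` is registered with `optional_argument` although the man page entry added above documents `--description=<description>` as taking a value and the setter ignores a missing one. As a result `adcli join --description` is accepted and silently sets nothing, and `adcli join --description "web server"` (space instead of `=`) treats `web server` as a positional argument, the same pitfall this page documents for `--login-ccache`. `required_argument` matches the documented syntax and lets getopt report the mistake; the same applies to the `update` options table in the next hunk.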
@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
{ "os-name", required_argument, NULL, opt_os_name },
{ "os-version", required_argument, NULL, opt_os_version },
{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
+ { "description", optional_argument, NULL, opt_description },
{ "user-principal", optional_argument, NULL, opt_user_principal },
{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
--
2.25.1

@ -0,0 +1,42 @@
From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Aug 2020 17:10:01 +0200
Subject: [PATCH 3/3] man: make handling of optional credential cache more
clear

The optional Kerberos credential cache can only be used with the long
option name --login-ccache and not with the short version -C. To make
this more clear each option gets its own entry.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
---
doc/adcli.xml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index ecf8726..1437679 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
- <listitem><para>Use the specified kerberos credential
+ <term><option>-C</option></term>
+ <listitem><para>Use the default Kerberos credential
+ cache to authenticate with the domain.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
+ <listitem><para>Use the specified Kerberos credential
cache to authenticate with the domain. If no credential
- cache is specified, the default kerberos credential
+ cache is specified, the default Kerberos credential
cache will be used. Credential caches of type FILE can
be given with the path to the file. For other
credential cache types, e.g. DIR, KEYRING or KCM, the
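Review bot: after the split the new `<term><option>-C</option></term>` entry no longer says that `-C` is the short form of `--login-ccache`, so a reader now sees two seemingly unrelated options; add a sentence to the `-C` paragraph such as "Equivalent to --login-ccache without an argument." Also, putting the `=` inside `<parameter>[=ccache_name]</parameter>` departs from the `--option=<parameter>name</parameter>` markup the removed line and the other entries use; `--login-ccache[=<parameter>ccache_name</parameter>]` keeps the rendering consistent.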
--
2.26.2

124
0004-Use-GSS-SPNEGO-if-available.patch
Normal file
@ -0,0 +1,124 @@
From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 11 Oct 2019 16:39:25 +0200
Subject: [PATCH 4/6] Use GSS-SPNEGO if available

Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.

The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
---
library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
library/adconn.h | 3 +++
2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/library/adconn.c b/library/adconn.c
index bcaced8..ffb54f9 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
char *default_naming_context;
char *configuration_naming_context;
char **supported_capabilities;
+ char **supported_sasl_mechs;

/* Connect state */
LDAP *ldap;
@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
"defaultNamingContext",
"configurationNamingContext",
"supportedCapabilities",
+ "supportedSASLMechanisms",
NULL
};

@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
"supportedCapabilities");
}

+ if (conn->supported_sasl_mechs == NULL) {
+ conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
+ "supportedSASLMechanisms");
+ }
+
ldap_msgfree (results);

if (conn->default_naming_context == NULL) {
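Review bot: the `if (conn->supported_sasl_mechs == NULL)` guard mirrors the `supportedCapabilities` handling, so the mechanism list is parsed once and kept for the lifetime of the connection object; if `connect_and_lookup_naming` later runs against a different domain controller, the mechanism choice is still based on the first server's rootDSE. Either clear the list wherever the LDAP handle is reopened or state in a comment that it is intentionally sticky. A comment should also say that rootDSE is read before any authentication, so this list is unauthenticated input and must only ever steer the choice between mechanisms that are acceptable anyway.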
@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
OM_uint32 minor;
ber_len_t ssf;
int ret;
+ const char *mech = "GSSAPI";

if (conn->ldap_authenticated)
return ADCLI_SUCCESS;
@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
return_unexpected_if_fail (ret == 0);

- ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+ mech = "GSS-SPNEGO";
+ }
+
+ ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
LDAP_SASL_QUIET, sasl_interact, NULL);

/* Clear the credential cache GSSAPI to use (for this thread) */
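Review bot: the mechanism is picked from an attribute read over the not-yet-authenticated connection, so an active attacker on the path can at most strip GSS-SPNEGO from the list and force GSSAPI, which was the only choice before this patch and still runs with `LDAP_OPT_X_SASL_SSF_MIN` set to 1; a one-line comment saying that the downgrade is harmless would save the next reader the analysis. Logging which mechanism was chosen (for example `_adcli_info ("Using %s for SASL bind", mech);`) would also help with bind failures against a particular DC, since the error path no longer reveals whether GSSAPI or GSS-SPNEGO was tried.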
@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
free (conn->default_naming_context);
free (conn->configuration_naming_context);
_adcli_strv_free (conn->supported_capabilities);
+ _adcli_strv_free (conn->supported_sasl_mechs);

free (conn->computer_name);
free (conn->host_fqdn);
@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
return 0;
}

+bool
+adcli_conn_server_has_sasl_mech (adcli_conn *conn,
+ const char *mech)
+{
+ int i;
+
+ return_val_if_fail (conn != NULL, false);
+ return_val_if_fail (mech != NULL, false);
+
+ if (!conn->supported_sasl_mechs)
+ return false;
+
+ for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
+ if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
+ return true;
+ }
+
+ return false;
+}
+
bool adcli_conn_is_writeable (adcli_conn *conn)
{
disco_dance_if_necessary (conn);
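Review bot: `adcli_conn_server_has_sasl_mech` returns `bool` while its sibling `adcli_conn_server_has_capability` directly above returns `int` (`return 0;`); pick one convention for both so callers do not mix `0` and `false`. The `strcasecmp` comparison is a sensible tolerance for servers that advertise names in a different case. Unlike `adcli_conn_is_writeable` below, which calls `disco_dance_if_necessary (conn)` first, this function silently answers `false` for any caller that asks before the rootDSE has been read; since it is exported in adconn.h, the header comment should say it is only meaningful once the connection is established.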
diff --git a/library/adconn.h b/library/adconn.h
index 1ad5715..37ebdd9 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -149,6 +149,9 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn,
int adcli_conn_server_has_capability (adcli_conn *conn,
const char *capability);

+bool adcli_conn_server_has_sasl_mech (adcli_conn *conn,
+ const char *mech);
+
bool adcli_conn_is_writeable (adcli_conn *conn);

#endif /* ADCONN_H_ */
--
2.25.1

378
0005-add-option-use-ldaps.patch
Normal file
@ -0,0 +1,378 @@
From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 19 Dec 2019 07:22:33 +0100
Subject: [PATCH 5/6] add option use-ldaps

In general using the LDAP port with GSS-SPNEGO should satisfy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.

But if e.g. the LDAP port is blocked by a firewall, using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
---
doc/adcli.xml | 24 +++++++++++++++
library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
library/adconn.h | 4 +++
tools/computer.c | 10 ++++++
tools/entry.c | 11 +++++++
5 files changed, 119 insertions(+), 9 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index dd30435..acced25 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -128,6 +128,30 @@
If not specified, then an appropriate domain controller
is automatically discovered.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>Connect to the domain controller
+ with LDAPS. By default the LDAP port is used and SASL
+ GSS-SPNEGO or GSSAPI is used for authentication and to
+ establish encryption. This should satisfy all
+ requirements set on the server side and LDAPS should
+ only be used if the LDAP port is not accessible due to
+ firewalls or other reasons.</para>
+ <para> Please note that the place where CA certificates
+ can be found to validate the AD DC certificates
+ must be configured in the OpenLDAP configuration
+ file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
+ As an alternative it can be specified with the help of
+ an environment variable, e.g.
+<programlisting>
+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
+...
+</programlisting>
+ Please see
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ </para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
<listitem><para>Use the specified kerberos credential
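Review bot: the `--use-ldaps` paragraph tells the user where the CA certificate comes from but not what happens when validation fails, and it does not mention that certificate checking itself is governed by the `TLS_REQCERT` setting in the same ldap.conf; with a relaxed value the DC's identity is not verified at all. That matters more on this path than on the default port, because the adconn.c part of this patch sets `ssf = 0` for `LDAP_OPT_X_SASL_SSF_MAX` on LDAPS connections, so TLS is the only protection the bind has. Add a sentence that the command fails if the server certificate cannot be validated and that `TLS_REQCERT` must be left at its default for the connection to be authenticated.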
diff --git a/library/adconn.c b/library/adconn.c
index ffb54f9..7bab852 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
char *domain_name;
char *domain_realm;
char *domain_controller;
+ bool use_ldaps;
char *canonical_host;
char *domain_short;
char *domain_sid;
@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap

static LDAP *
connect_to_address (const char *host,
- const char *canonical_host)
+ const char *canonical_host,
+ bool use_ldaps)
{
struct addrinfo *res = NULL;
struct addrinfo *ai;
@@ -783,6 +785,16 @@ connect_to_address (const char *host,
char *url;
int sock;
int rc;
+ int opt_rc;
+ const char *port = "389";
+ const char *proto = "ldap";
+ const char *errmsg = NULL;
+
+ if (use_ldaps) {
+ port = "636";
+ proto = "ldaps";
+ _adcli_info ("Using LDAPS to connect to %s", host);
+ }

memset (&hints, '\0', sizeof(hints));
#ifdef AI_ADDRCONFIG
@@ -794,7 +806,7 @@ connect_to_address (const char *host,
if (!canonical_host)
canonical_host = host;

- rc = getaddrinfo (host, "389", &hints, &res);
+ rc = getaddrinfo (host, port, &hints, &res);
if (rc != 0) {
_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
return NULL;
@@ -810,7 +822,7 @@ connect_to_address (const char *host,
close (sock);
} else {
error = 0;
- if (asprintf (&url, "ldap://%s", canonical_host) < 0)
+ if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
return_val_if_reached (NULL);
rc = ldap_init_fd (sock, 1, url, &ldap);
free (url);
@@ -820,6 +832,25 @@ connect_to_address (const char *host,
ldap_err2string (rc));
break;
}
+
+ if (use_ldaps) {
+ rc = ldap_install_tls (ldap);
+ if (rc != LDAP_SUCCESS) {
+ opt_rc = ldap_get_option (ldap,
+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
+ (void *) &errmsg);
+ if (opt_rc != LDAP_SUCCESS) {
+ errmsg = NULL;
+ }
+ _adcli_err ("Couldn't initialize TLS [%s]: %s",
+ ldap_err2string (rc),
+ errmsg == NULL ? "- no details -"
+ : errmsg);
+ ldap_unbind_ext_s (ldap, NULL, NULL);
+ ldap = NULL;
+ break;
+ }
+ }
}
}

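Review bot: the string returned through `ldap_get_option (ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void *) &errmsg);` is allocated by libldap and has to be released with `ldap_memfree` after the `_adcli_err` call; as written `errmsg` leaks on every TLS failure (and `const char *` should become `char *` so the free compiles cleanly). The `break;` after `ldap = NULL;` gives up on the remaining addresses from `getaddrinfo`, which matches the existing `ldap_init_fd` error path just above but means a DC whose first address presents a bad certificate is never retried on its other addresses; acceptable, but worth a comment. Nothing is sent on the socket before `ldap_install_tls`, so there is no plaintext leak, but note that hostname and chain validation are left entirely to libldap's ldap.conf settings; adcli checks nothing beyond the return code.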
@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
if (!canonical_host)
canonical_host = disco->host_addr;

- ldap = connect_to_address (disco->host_addr, canonical_host);
+ ldap = connect_to_address (disco->host_addr, canonical_host,
+ adcli_conn_get_use_ldaps (conn));
if (ldap == NULL)
return ADCLI_ERR_DIRECTORY;

@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
return_unexpected_if_fail (status == 0);

- /* Clumsily tell ldap + cyrus-sasl that we want encryption */
- ssf = 1;
- ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
- return_unexpected_if_fail (ret == 0);
+ if (adcli_conn_get_use_ldaps (conn)) {
+ /* do not use SASL encryption on LDAPS connection */
+ ssf = 0;
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ return_unexpected_if_fail (ret == 0);
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
+ return_unexpected_if_fail (ret == 0);
+ } else {
+ /* Clumsily tell ldap + cyrus-sasl that we want encryption */
+ ssf = 1;
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ return_unexpected_if_fail (ret == 0);
+ }

- if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+ /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
+ * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
+ * without LDAPS. */
+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
+ && !adcli_conn_get_use_ldaps (conn)) {
mech = "GSS-SPNEGO";
}
+ _adcli_info ("Using %s for SASL bind", mech);

ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
LDAP_SASL_QUIET, sasl_interact, NULL);
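Review bot: with `ssf = 0` applied to both `LDAP_OPT_X_SASL_SSF_MIN` and `LDAP_OPT_X_SASL_SSF_MAX`, the GSSAPI bind over LDAPS negotiates no SASL security layer, so confidentiality and integrity of everything after the bind rest solely on the TLS session; the comment `/* do not use SASL encryption on LDAPS connection */` should say that explicitly, so that nobody later relaxes certificate checking in ldap.conf believing SASL still protects the channel. Also, `cryrus-sasl` in the new comment is a typo for `cyrus-sasl`, and "there are issues" will not help whoever tries to lift the GSS-SPNEGO restriction later; a short description of what actually fails when GSS-SPNEGO is combined with TLS, or a bug reference, belongs in that comment.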
@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
conn->refs = 1;
conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
adcli_conn_set_domain_name (conn, domain_name);
+ adcli_conn_set_use_ldaps (conn, false);
return conn;
}

@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
no_more_disco (conn);
}

+bool
+adcli_conn_get_use_ldaps (adcli_conn *conn)
+{
+ return_val_if_fail (conn != NULL, NULL);
+ return conn->use_ldaps;
+}
+
+void
+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
+{
+ return_if_fail (conn != NULL);
+ conn->use_ldaps = value;
+}
+
const char *
adcli_conn_get_domain_short (adcli_conn *conn)
{
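Review bot: `return_val_if_fail (conn != NULL, NULL);` in `adcli_conn_get_use_ldaps` returns the pointer constant `NULL` from a function declared `bool`; use `false` here, as `adcli_conn_server_has_sasl_mech` does, to avoid a pointer-to-integer conversion warning and make the fallback obvious. Defaulting to plain LDAP when handed a NULL connection is the right failure direction only because the plain path still enforces a SASL security layer; a comment noting that would not hurt.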
diff --git a/library/adconn.h b/library/adconn.h
index 37ebdd9..1d5faa8 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -89,6 +89,10 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn);
void adcli_conn_set_domain_controller (adcli_conn *conn,
const char *value);

+bool adcli_conn_get_use_ldaps (adcli_conn *conn);
+void adcli_conn_set_use_ldaps (adcli_conn *conn,
+ bool value);
+
const char * adcli_conn_get_domain_short (adcli_conn *conn);

const char * adcli_conn_get_domain_sid (adcli_conn *conn);
diff --git a/tools/computer.c b/tools/computer.c
index 840e334..292c4d8 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -113,12 +113,14 @@ typedef enum {
opt_add_service_principal,
opt_remove_service_principal,
opt_description,
+ opt_use_ldaps,
} Option;

static adcli_tool_desc common_usages[] = {
{ opt_domain, "active directory domain name" },
{ opt_domain_realm, "kerberos realm for the domain" },
{ opt_domain_controller, "domain controller to connect to" },
+ { opt_use_ldaps, "use LDAPS port for communication" },
{ opt_host_fqdn, "override the fully qualified domain name of the\n"
"local machine" },
{ opt_host_keytab, "filename for the host kerberos keytab" },
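Review bot: the usage string `use LDAPS port for communication` is the only hint a user gets before the TLS step fails; something like `use LDAPS (port 636) instead of LDAP; the DC's CA certificate must be configured in ldap.conf` would save a trip to the man page. The same string is added to tools/entry.c further down, so change both together.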
@@ -311,6 +313,9 @@ parse_option (Option opt,
case opt_description:
adcli_enroll_set_description (enroll, optarg);
return ADCLI_SUCCESS;
+ case opt_use_ldaps:
+ adcli_conn_set_use_ldaps (conn, true);
+ return ADCLI_SUCCESS;
case opt_verbose:
return ADCLI_SUCCESS;

@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "user", required_argument, NULL, opt_login_user }, /* compat */
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "domain-ou", required_argument, NULL, opt_domain_ou },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "login-type", required_argument, NULL, opt_login_type },
@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, op_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "login-type", required_argument, NULL, opt_login_type },
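Review bot: `--use-ldaps` is added to the option tables of `join`, `preset`, `reset`, `delete` and `show`, but not to `adcli_tool_computer_update`, whose table (the `@@ -487,6 +493,7 @@ adcli_tool_computer_update` hunk in the 0003 patch above) also connects to a domain controller; an `update` run from a host where port 389 is firewalled has no way to select LDAPS and will fail in a way the operator cannot work around. Add the same `{ "use-ldaps", no_argument, 0, opt_use_ldaps },` line there.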
diff --git a/tools/entry.c b/tools/entry.c
index f361845..05e4313 100644
--- a/tools/entry.c
+++ b/tools/entry.c
@@ -53,6 +53,7 @@ typedef enum {
opt_unix_gid,
opt_unix_shell,
opt_nis_domain,
+ opt_use_ldaps,
} Option;

static adcli_tool_desc common_usages[] = {
@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
{ opt_domain, "active directory domain name" },
{ opt_domain_realm, "kerberos realm for the domain" },
{ opt_domain_controller, "domain directory server to connect to" },
+ { opt_use_ldaps, "use LDAPS port for communication" },
{ opt_login_ccache, "kerberos credential cache file which contains\n"
"ticket to used to connect to the domain" },
{ opt_login_user, "user (usually administrative) login name of\n"
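Review bot: while this table is being touched, the context line `"ticket to used to connect to the domain" },` carries a pre-existing typo (`to used` should be `used`); fixing it in the same patch is cheap. The new `{ opt_use_ldaps, "use LDAPS port for communication" },` entry should also match whatever wording is settled on for the identical string in tools/computer.c.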
@@ -136,6 +138,9 @@ parse_option (Option opt,
stdin_password = 1;
}
return ADCLI_SUCCESS;
+ case opt_use_ldaps:
+ adcli_conn_set_use_ldaps (conn, true);
+ return ADCLI_SUCCESS;
case opt_verbose:
return ADCLI_SUCCESS;
default:
@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "domain-ou", required_argument, NULL, opt_domain_ou },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
--
2.25.1

27
0006-discovery-fix.patch
Normal file
@ -0,0 +1,27 @@
From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 Feb 2020 17:42:03 +0100
Subject: [PATCH 6/6] discovery fix

Do not continue processing on closed connection.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
---
library/addisco.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/library/addisco.c b/library/addisco.c
index 6e73ead..f3b3546 100644
--- a/library/addisco.c
+++ b/library/addisco.c
@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
"Couldn't perform discovery search");
ldap_unbind_ext_s (ldap[i], NULL, NULL);
ldap[i] = NULL;
+ continue;
}

/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
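Review bot: the subject "discovery fix" undersells the change. Without the `continue;`, the loop fell through after `ldap_unbind_ext_s (ldap[i], NULL, NULL);` and `ldap[i] = NULL;` and went on with the processing for that same, now closed, connection, so any DC that fails the discovery search took the whole discovery down; say that in the subject and body, since this is exactly what distributions look for when triaging crash reports against the bug linked above. Also check the other error exits in the same loop for the same fall-through pattern.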
--
2.25.1

236
adcli.spec
Normal file
@ -0,0 +1,236 @@
Name: adcli
Version: 0.9.0
Release: 5%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli
Source0: https://gitlab.freedesktop.org/realmd/adcli/uploads/02d8757266c24fdc10822306582287bf/adcli-%{version}.tar.gz

Patch1: 0001-man-move-note-to-the-right-section.patch
Patch2: 0002-tools-add-show-computer-command.patch
Patch3: 0003-add-description-option-to-join-and-update.patch
Patch4: 0004-Use-GSS-SPNEGO-if-available.patch
Patch5: 0005-add-option-use-ldaps.patch
Patch6: 0006-discovery-fix.patch
Patch7: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
Patch8: 0001-tools-disable-SSSD-s-locator-plugin.patch
Patch9: 0001-tools-fix-typo-in-show-password-help-output.patch
Patch10: 0002-man-explain-optional-parameter-of-login-ccache-bette.patch
Patch11: 0003-man-make-handling-of-optional-credential-cache-more-.patch


BuildRequires: gcc
BuildRequires: intltool pkgconfig
BuildRequires: libtool
BuildRequires: gettext-devel
BuildRequires: krb5-devel
BuildRequires: openldap-devel
BuildRequires: libxslt
BuildRequires: xmlto

Requires: cyrus-sasl-gssapi

# adcli no longer has a library of development files
# the adcli tool itself is to be used by callers
Obsoletes: adcli-devel < 0.5

%description
adcli is a tool for joining an Active Directory domain using
standard LDAP and Kerberos calls.

%define _hardened_build 1

%prep
%autosetup -p1

%build
autoreconf --force --install --verbose
%configure --disable-static --disable-silent-rules
make %{?_smp_mflags}

%check
make check

%install
make install DESTDIR=%{buildroot}
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'

%ldconfig_scriptlets

%files
%{_sbindir}/adcli
%doc AUTHORS COPYING ChangeLog NEWS README
%doc %{_mandir}/*/*

%package doc
Summary: adcli documentation
BuildArch: noarch

%description doc
adcli is a tool for joining an Active Directory domain using
standard LDAP and Kerberos calls. This package contains its
documentation.

%files doc
%doc %{_datadir}/doc/adcli/*

%changelog
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-5
- man page and help output fixes

* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Mon Jun 08 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-2
- Include the latest upstream patches

* Wed Mar 18 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-1
- Update to upstream release 0.9.0 and latest patches

* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Mon Aug 26 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-8
- various fixes and improvements
Resolves: rhbz#1683745, rhbz#1738573

* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Fri Jul 5 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.8.2-6
- Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli
needs to backport patches to only use permitted
enctypes from upstream

* Tue Apr 30 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- addition patch for rhbz#1630187 and new ones for rhbz#1588596
Resolves: rhbz#1630187, rhbz#1588596

* Fri Mar 22 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
- various fixes and improvements
Resolves: rhbz#1593240, rhbz#1608212, rhbz#1547014, rhbz#1547014,
rhbz#1649868, rhbz#1588596, rhbz#1642546, rhbz#1595911,
rhbz#1644311, rhbz#1337489, rhbz#1630187, rhbz#1622583

* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Jul 05 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-1
- Update to upstream release 0.8.2
- various other fixes and improvements
- add option to enable "Trust this computer for delegation"
Resolves: rhbz#988349
- fix typos in the adcli man page
Resolves: rhbz#1440533

* Wed Mar 07 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-7
- Added BuildRequires gcc

* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Dec 17 2015 Sumit Bose <sbose@redhat.com> - 0.8.0-1
|
||||||
|
- Update to upstream release 0.8.0
|
||||||
|
|
||||||
|
* Mon Oct 19 2015 Stef Walter <stefw@redhat.com> - 0.7.6-1
|
||||||
|
- Fix issue with keytab use with sshd
|
||||||
|
- Resolves: rhbz#1267319
|
||||||
|
- Put documentation in a subpackage
|
||||||
|
|
||||||
|
* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.5-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.5-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.5-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 30 2014 Stef Walter <stefw@redhat.com> - 0.7.5-2
|
||||||
|
- Fix incorrect ownership of manual page directory
|
||||||
|
|
||||||
|
* Fri Sep 13 2013 Stef Walter <stefw@redhat.com> - 0.7.5-1
|
||||||
|
- Update to upstream point release 0.7.5
|
||||||
|
- Workaround for discovery via IPv6 address
|
||||||
|
- Correctly put IPv6 addresses in temporary krb5.conf
|
||||||
|
|
||||||
|
* Mon Sep 09 2013 Stef Walter <stefw@redhat.com> - 0.7.4-1
|
||||||
|
- Update to upstream point release 0.7.4
|
||||||
|
- Correctly handle truncating long host names
|
||||||
|
- Try to contact all available addresses for discovery
|
||||||
|
- Build fixes
|
||||||
|
|
||||||
|
* Wed Aug 07 2013 Stef Walter <stefw@redhat.com> - 0.7.3-1
|
||||||
|
- Update to upstream point release 0.7.3
|
||||||
|
- Don't try to set encryption types on Windows 2003
|
||||||
|
|
||||||
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 22 2013 Stef Walter <stefw@redhat.com> - 0.7.2-1
|
||||||
|
- Update to upstream point release 0.7.2
|
||||||
|
- Part of fix for bug [#961244]
|
||||||
|
|
||||||
|
* Mon Jul 15 2013 Stef Walter <stefw@redhat.com> - 0.7.1-4
|
||||||
|
- Build with verbose output logging
|
||||||
|
|
||||||
|
* Tue Jun 11 2013 Stef Walter <stefw@redhat.com> - 0.7.1-3
|
||||||
|
- Run 'make check' when building the package
|
||||||
|
|
||||||
|
* Mon May 13 2013 Stef Walter <stefw@redhat.com> - 0.7.1-2
|
||||||
|
- Bump version to get around botched update
|
||||||
|
|
||||||
|
* Mon May 13 2013 Stef Walter <stefw@redhat.com> - 0.7.1-1
|
||||||
|
- Update to upstream 0.7.1 release
|
||||||
|
- Fix problems with salt discovery [#961399]
|
||||||
|
|
||||||
|
* Mon May 06 2013 Stef Walter <stefw@redhat.com> - 0.7-1
|
||||||
|
- Work around broken krb5 with empty passwords [#960001]
|
||||||
|
- Fix memory corruption issue [#959999]
|
||||||
|
- Update to 0.7, fixing various bugs
|
||||||
|
|
||||||
|
* Mon Apr 29 2013 Stef Walter <stefw@redhat.com> - 0.6-1
|
||||||
|
- Update to 0.6, fixing various bugs
|
||||||
|
|
||||||
|
* Wed Apr 10 2013 Stef walter <stefw@redhat.com> - 0.5-2
|
||||||
|
- Add appropriate Obsoletes line for libadcli removal
|
||||||
|
|
||||||
|
* Wed Apr 10 2013 Stef Walter <stefw@redhat.com> - 0.5-1
|
||||||
|
- Update to upstream 0.5 version
|
||||||
|
- No more libadcli, and thus no adcli-devel
|
||||||
|
- Many new adcli commands
|
||||||
|
- Documentation
|
||||||
|
|
||||||
|
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Nov 12 2012 Stef Walter <stefw@redhat.com> - 0.4-1
|
||||||
|
- Update for 0.4 version, fixing various bugs
|
||||||
|
|
||||||
|
* Sat Oct 20 2012 Stef Walter <stefw@redhat.com> - 0.3-1
|
||||||
|
- Update for 0.3 version
|
||||||
|
|
||||||
|
* Tue Sep 4 2012 Stef Walter <stefw@redhat.com> - 0.2-1
|
||||||
|
- Update for 0.2 version
|
||||||
|
|
||||||
|
* Wed Aug 15 2012 Stef Walter <stefw@redhat.com> - 0.1-1
|
||||||
|
- Initial 0.1 package
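Review bot: in the %changelog, the entry `* Thu Jul 05 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-1` records "Update to upstream release 0.8.2" and sits between the 0.8.2-2 and 0.8.0-7 entries, so its version should read `0.8.2-1`; as written, `0.8.0-1` collides with the Thu Dec 17 2015 entry for the actual 0.8.0-1 release. Two smaller nits in the same section: the Fri Mar 22 2019 entry lists rhbz#1547014 twice in its Resolves line, and the Wed Apr 10 2013 entry for 0.5-2 spells the packager's name `Stef walter`. Since this branch is an automated import of the Fedora spec, these are best corrected upstream rather than patched here, but they should not be carried forward unnoticed.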