rpms
/
adcli
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import adcli-0.8.2-5.el8

This commit is contained in:
CentOS Sources 2020-04-28 05:35:15 -04:00 committed by Andrew Lukoshko
parent fa9446a71a
commit 43c72bf250
9 changed files with 1221 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch Normal file
View File

@ -0,0 +1,63 @@
From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Apr 2019 10:55:39 +0200
Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
Since the arcfour-hmac-md5 encryption types does not use salts it cannot
be used to discover the right salt.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
---
library/adkrb5.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/library/adkrb5.c b/library/adkrb5.c
index da835d7..be3ede5 100644
--- a/library/adkrb5.c
+++ b/library/adkrb5.c
@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
krb5_keytab scratch;
krb5_error_code code;
int i;
+ krb5_enctype *salt_enctypes = NULL;
+ size_t c;
+ size_t s;
/* TODO: This should be a unique name */
code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
return_val_if_fail (code == 0, code);
+ for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
+ salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+ return_val_if_fail (salt_enctypes != NULL, ENOMEM);
+
+ /* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
+ * discover the right salt. */
+ s = 0;
+ for (c = 0; enctypes[c] != 0; c++) {
+ if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
+ continue;
+ }
+
+ salt_enctypes[s++] = enctypes[c];
+ }
+
for (i = 0; salts[i].data != NULL; i++) {
code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
- password, enctypes, &salts[i]);
+ password, salt_enctypes, &salts[i]);
if (code == 0) {
*discovered = i;
break;
@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
}
}
+ free (salt_enctypes);
krb5_kt_close (k5, scratch);
return code;
}
--
2.21.0

29
SOURCES/0001-Fix-for-issue-found-by-Coverity.patch Normal file
View File

@ -0,0 +1,29 @@
From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 12 Aug 2019 17:28:20 +0200
Subject: [PATCH] Fix for issue found by Coverity
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
library/adenroll.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 53cd812..524663a 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
for (c = 0; cur_enctypes[c] != 0; c++);
new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
- return_val_if_fail (new_enctypes != NULL, NULL);
+ if (new_enctypes == NULL) {
+ krb5_free_enctypes (k5, permitted_enctypes);
+ return NULL;
+ }
n = 0;
for (c = 0; cur_enctypes[c] != 0; c++) {
--
2.21.0

124
SOURCES/0001-Use-GSS-SPNEGO-if-available.patch Normal file
View File

@ -0,0 +1,124 @@
From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 11 Oct 2019 16:39:25 +0200
Subject: [PATCH 1/2] Use GSS-SPNEGO if available
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
---
library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
library/adconn.h | 3 +++
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/library/adconn.c b/library/adconn.c
index bcaced8..ffb54f9 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
char *default_naming_context;
char *configuration_naming_context;
char **supported_capabilities;
+ char **supported_sasl_mechs;
/* Connect state */
LDAP *ldap;
@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
"defaultNamingContext",
"configurationNamingContext",
"supportedCapabilities",
+ "supportedSASLMechanisms",
NULL
};
@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
"supportedCapabilities");
}
+ if (conn->supported_sasl_mechs == NULL) {
+ conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
+ "supportedSASLMechanisms");
+ }
+
ldap_msgfree (results);
if (conn->default_naming_context == NULL) {
@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
OM_uint32 minor;
ber_len_t ssf;
int ret;
+ const char *mech = "GSSAPI";
if (conn->ldap_authenticated)
return ADCLI_SUCCESS;
@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
return_unexpected_if_fail (ret == 0);
- ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+ mech = "GSS-SPNEGO";
+ }
+
+ ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
LDAP_SASL_QUIET, sasl_interact, NULL);
/* Clear the credential cache GSSAPI to use (for this thread) */
@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
free (conn->default_naming_context);
free (conn->configuration_naming_context);
_adcli_strv_free (conn->supported_capabilities);
+ _adcli_strv_free (conn->supported_sasl_mechs);
free (conn->computer_name);
free (conn->host_fqdn);
@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
return 0;
}
+bool
+adcli_conn_server_has_sasl_mech (adcli_conn *conn,
+ const char *mech)
+{
+ int i;
+
+ return_val_if_fail (conn != NULL, false);
+ return_val_if_fail (mech != NULL, false);
+
+ if (!conn->supported_sasl_mechs)
+ return false;
+
+ for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
+ if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
+ return true;
+ }
+
+ return false;
+}
+
bool adcli_conn_is_writeable (adcli_conn *conn)
{
disco_dance_if_necessary (conn);
diff --git a/library/adconn.h b/library/adconn.h
index 1ad5715..37ebdd9 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -149,6 +149,9 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn,
int adcli_conn_server_has_capability (adcli_conn *conn,
const char *capability);
+bool adcli_conn_server_has_sasl_mech (adcli_conn *conn,
+ const char *mech);
+
bool adcli_conn_is_writeable (adcli_conn *conn);
#endif /* ADCONN_H_ */
--
2.21.0

30
SOURCES/0001-doc-explain-how-to-force-password-reset.patch Normal file
View File

@ -0,0 +1,30 @@
From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 26 Aug 2019 13:33:24 +0200
Subject: [PATCH] doc: explain how to force password reset
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
---
doc/adcli.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 094f577..4f201e0 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -330,7 +330,11 @@ Password for Administrator:
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details.</para>
+ <para>Note that if the machine account password is not
+ older than 30 days, you have to pass
+ <option>--computer-password-lifetime=0</option> to
+ force the update.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
--
2.21.0

48
SOURCES/0001-man-move-note-to-the-right-section.patch Normal file
View File

@ -0,0 +1,48 @@
From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 18:26:44 +0100
Subject: [PATCH] man: move note to the right section
Unfortunately the note about the password lifetime was added to the join
section. This patch move it to the update section where it belongs to.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
https://bugzilla.redhat.com/show_bug.cgi?id=1745931
https://bugzilla.redhat.com/show_bug.cgi?id=1774622
---
doc/adcli.xml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 4f201e0..9faf96a 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -330,11 +330,7 @@ Password for Administrator:
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para>
- <para>Note that if the machine account password is not
- older than 30 days, you have to pass
- <option>--computer-password-lifetime=0</option> to
- force the update.</para></listitem>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details.</para>
+ <para>Note that if the machine account password is not
+ older than 30 days, you have to pass
+ <option>--computer-password-lifetime=0</option> to
+ force the update.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
--
2.21.0

338
SOURCES/0001-tools-add-show-computer-command.patch Normal file
View File

@ -0,0 +1,338 @@
From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 12:34:45 +0100
Subject: [PATCH 1/2] tools: add show-computer command
The show-computer command prints the LDAP attributes of the related
computer object from AD.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
---
doc/adcli.xml | 28 ++++++++++++++
library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
library/adenroll.h | 5 +++
tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++
tools/tools.c | 1 +
tools/tools.h | 4 ++
6 files changed, 191 insertions(+), 18 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 9faf96a..1f93186 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -93,6 +93,11 @@
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>adcli show-computer</command>
+ <arg choice="opt">--domain=domain.example.com</arg>
+ <arg choice="plain">computer</arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='general_overview'>
@@ -811,6 +816,29 @@ Password for Administrator:
</refsect1>
+<refsect1 id='show_computer_account'>
+ <title>Show Computer Account Attributes</title>
+
+ <para><command>adcli show-computer</command> show the computer account
+ attributes stored in AD. The account must already exist.</para>
+
+<programlisting>
+$ adcli show-computer --domain=domain.example.com host2
+Password for Administrator:
+</programlisting>
+
+ <para>If the computer name contains a dot, then it is
+ treated as fully qualified host name, otherwise it is treated
+ as short computer name.</para>
+
+ <para>If no computer name is specified, then the host name of the
+ computer adcli is running on is used, as returned by
+ <literal>gethostname()</literal>.</para>
+
+ <para>The various global options can be used.</para>
+
+</refsect1>
+
<refsect1 id='bugs'>
<title>Bugs</title>
<para>
diff --git a/library/adenroll.c b/library/adenroll.c
index 524663a..8d2adeb 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
0
};
+static char *default_ad_ldap_attrs[] = {
+ "sAMAccountName",
+ "userPrincipalName",
+ "msDS-KeyVersionNumber",
+ "msDS-supportedEncryptionTypes",
+ "dNSHostName",
+ "servicePrincipalName",
+ "operatingSystem",
+ "operatingSystemVersion",
+ "operatingSystemServicePack",
+ "pwdLastSet",
+ "userAccountControl",
+ NULL,
+};
+
/* Some constants for the userAccountControl AD LDAP attribute, see e.g.
* https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
* for details. */
@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
char *end;
int ret;
- char *attrs[] = {
- "msDS-KeyVersionNumber",
- "msDS-supportedEncryptionTypes",
- "dNSHostName",
- "servicePrincipalName",
- "operatingSystem",
- "operatingSystemVersion",
- "operatingSystemServicePack",
- "pwdLastSet",
- "userAccountControl",
- NULL,
- };
-
assert (enroll->computer_dn != NULL);
assert (enroll->computer_attributes == NULL);
@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
assert (ldap != NULL);
ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
- "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
+ "(objectClass=*)", default_ad_ldap_attrs,
+ 0, NULL, NULL, NULL, -1,
&enroll->computer_attributes);
if (ret != LDAP_SUCCESS) {
@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
}
adcli_result
-adcli_enroll_update (adcli_enroll *enroll,
- adcli_enroll_flags flags)
+adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
{
adcli_result res = ADCLI_SUCCESS;
LDAP *ldap;
- char *value;
return_unexpected_if_fail (enroll != NULL);
@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
}
/* Get information about the computer account */
- res = retrieve_computer_account (enroll);
+ return retrieve_computer_account (enroll);
+}
+
+adcli_result
+adcli_enroll_update (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
+{
+ adcli_result res = ADCLI_SUCCESS;
+ LDAP *ldap;
+ char *value;
+
+ res = adcli_enroll_read_computer_account (enroll, flags);
if (res != ADCLI_SUCCESS)
return res;
@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
return enroll_join_or_update_tasks (enroll, flags);
}
+adcli_result
+adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
+{
+ LDAP *ldap;
+ size_t c;
+ char **vals;
+ size_t v;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
+ vals = _adcli_ldap_parse_values (ldap,
+ enroll->computer_attributes,
+ default_ad_ldap_attrs[c]);
+ printf ("%s:\n", default_ad_ldap_attrs[c]);
+ if (vals == NULL) {
+ printf (" - not set -\n");
+ } else {
+ for (v = 0; vals[v] != NULL; v++) {
+ printf (" %s\n", vals[v]);
+ }
+ }
+ _adcli_strv_free (vals);
+ }
+
+ return ADCLI_SUCCESS;
+}
+
adcli_result
adcli_enroll_delete (adcli_enroll *enroll,
adcli_enroll_flags delete_flags)
diff --git a/library/adenroll.h b/library/adenroll.h
index 1d5d00d..11eb517 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll,
adcli_result adcli_enroll_update (adcli_enroll *enroll,
adcli_enroll_flags flags);
+adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ adcli_enroll_flags flags);
+
+adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
+
adcli_result adcli_enroll_delete (adcli_enroll *enroll,
adcli_enroll_flags delete_flags);
diff --git a/tools/computer.c b/tools/computer.c
index ac8a203..c8b96a4 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
adcli_enroll_unref (enroll);
return 0;
}
+
+int
+adcli_tool_computer_show (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-realm", required_argument, NULL, opt_domain_realm },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "login-user", required_argument, NULL, opt_login_user },
+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
+ { "login-type", required_argument, NULL, opt_login_type },
+ { "no-password", no_argument, 0, opt_no_password },
+ { "stdin-password", no_argument, 0, opt_stdin_password },
+ { "prompt-password", no_argument, 0, opt_prompt_password },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL) {
+ warnx ("unexpected memory problems");
+ return -1;
+ }
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ res = parse_option ((Option)opt, optarg, conn, enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ return res;
+ }
+ break;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ if (argc == 1) {
+ parse_fqdn_or_name (enroll, argv[0]);
+ }
+
+ res = adcli_enroll_read_computer_account (enroll, 0);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't read data for %s: %s",
+ adcli_enroll_get_host_fqdn (enroll) != NULL
+ ? adcli_enroll_get_host_fqdn (enroll)
+ : adcli_enroll_get_computer_name (enroll),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ res = adcli_enroll_show_computer_attribute (enroll);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't print data for %s: %s",
+ argv[0], adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ adcli_enroll_unref (enroll);
+ return 0;
+}
diff --git a/tools/tools.c b/tools/tools.c
index fc9fa9a..9d422f2 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -59,6 +59,7 @@ struct {
{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
+ { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
{ "create-user", adcli_tool_user_create, "Create a user account", },
{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
{ "create-group", adcli_tool_group_create, "Create a group", },
diff --git a/tools/tools.h b/tools/tools.h
index 8cebbf9..3702875 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn,
int argc,
char *argv[]);
+int adcli_tool_computer_show (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
int adcli_tool_user_create (adcli_conn *conn,
int argc,
char *argv[]);
--
2.21.0

183
SOURCES/0002-add-description-option-to-join-and-update.patch Normal file
View File

@ -0,0 +1,183 @@
From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 14:48:32 +0100
Subject: [PATCH 2/2] add description option to join and update
This new option allows to set the description LDAP attribute for the AD
computer object.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
---
doc/adcli.xml | 10 ++++++++++
library/adenroll.c | 29 +++++++++++++++++++++++++++++
library/adenroll.h | 4 ++++
tools/computer.c | 7 +++++++
4 files changed, 50 insertions(+)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 1f93186..dd30435 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -275,6 +275,11 @@ Password for Administrator:
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--description=<parameter>description</parameter></option></term>
+ <listitem><para>Set the description attribute on the computer
+ account. Not set by default.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a kerberos
@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--description=<parameter>description</parameter></option></term>
+ <listitem><para>Set the description attribute on the computer
+ account. Not set by default.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
diff --git a/library/adenroll.c b/library/adenroll.c
index 8d2adeb..246f658 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] = {
"operatingSystemServicePack",
"pwdLastSet",
"userAccountControl",
+ "description",
NULL,
};
@@ -143,6 +144,7 @@ struct _adcli_enroll {
char *samba_data_tool;
bool trusted_for_delegation;
int trusted_for_delegation_explicit;
+ char *description;
};
static adcli_result
@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
+ char *vals_description[] = { enroll->description, NULL };
+ LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
char *val = NULL;
@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
&operatingSystemServicePack,
&userPrincipalName,
&servicePrincipalName,
+ &description,
NULL
};
@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
res |= update_computer_attribute (enroll, ldap, mods);
}
+ if (res == ADCLI_SUCCESS && enroll->description != NULL) {
+ char *vals_description[] = { enroll->description, NULL };
+ LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
+ LDAPMod *mods[] = { &description, NULL, };
+
+ res |= update_computer_attribute (enroll, ldap, mods);
+ }
+
if (res != 0)
_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
}
@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
enroll->trusted_for_delegation_explicit = 1;
}
+void
+adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
+{
+ return_if_fail (enroll != NULL);
+ if (value != NULL && value[0] != '\0') {
+ _adcli_str_set (&enroll->description, value);
+ }
+}
+
+const char *
+adcli_enroll_get_desciption (adcli_enroll *enroll)
+{
+ return_val_if_fail (enroll != NULL, NULL);
+ return enroll->description;
+}
+
const char **
adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
{
diff --git a/library/adenroll.h b/library/adenroll.h
index 11eb517..0606169 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -126,6 +126,10 @@ bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
bool value);
+const char * adcli_enroll_get_desciption (adcli_enroll *enroll);
+void adcli_enroll_set_description (adcli_enroll *enroll,
+ const char *value);
+
krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll);
void adcli_enroll_set_kvno (adcli_enroll *enroll,
diff --git a/tools/computer.c b/tools/computer.c
index c8b96a4..840e334 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -112,6 +112,7 @@ typedef enum {
opt_trusted_for_delegation,
opt_add_service_principal,
opt_remove_service_principal,
+ opt_description,
} Option;
static adcli_tool_desc common_usages[] = {
@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
"in the userAccountControl attribute", },
{ opt_add_service_principal, "add the given service principal to the account\n" },
{ opt_remove_service_principal, "remove the given service principal from the account\n" },
+ { opt_description, "add a description to the account\n" },
{ opt_no_password, "don't prompt for or read a password" },
{ opt_prompt_password, "prompt for a password if necessary" },
{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
@@ -306,6 +308,9 @@ parse_option (Option opt,
case opt_remove_service_principal:
adcli_enroll_add_service_principal_to_remove (enroll, optarg);
return ADCLI_SUCCESS;
+ case opt_description:
+ adcli_enroll_set_description (enroll, optarg);
+ return ADCLI_SUCCESS;
case opt_verbose:
return ADCLI_SUCCESS;
@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
{ "os-name", required_argument, NULL, opt_os_name },
{ "os-version", required_argument, NULL, opt_os_version },
{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
+ { "description", optional_argument, NULL, opt_description },
{ "user-principal", optional_argument, NULL, opt_user_principal },
{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
{ "os-name", required_argument, NULL, opt_os_name },
{ "os-version", required_argument, NULL, opt_os_version },
{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
+ { "description", optional_argument, NULL, opt_description },
{ "user-principal", optional_argument, NULL, opt_user_principal },
{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
--
2.21.0

378
SOURCES/0002-add-option-use-ldaps.patch Normal file
View File

@ -0,0 +1,378 @@
From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 19 Dec 2019 07:22:33 +0100
Subject: [PATCH 2/2] add option use-ldaps
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
---
doc/adcli.xml | 24 +++++++++++++++
library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
library/adconn.h | 4 +++
tools/computer.c | 10 ++++++
tools/entry.c | 11 +++++++
5 files changed, 119 insertions(+), 9 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index dd30435..acced25 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -128,6 +128,30 @@
If not specified, then an appropriate domain controller
is automatically discovered.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>Connect to the domain controller
+ with LDAPS. By default the LDAP port is used and SASL
+ GSS-SPNEGO or GSSAPI is used for authentication and to
+ establish encryption. This should satisfy all
+ requirements set on the server side and LDAPS should
+ only be used if the LDAP port is not accessible due to
+ firewalls or other reasons.</para>
+ <para> Please note that the place where CA certificates
+ can be found to validate the AD DC certificates
+ must be configured in the OpenLDAP configuration
+ file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
+ As an alternative it can be specified with the help of
+ an environment variable, e.g.
+<programlisting>
+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
+...
+</programlisting>
+ Please see
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ </para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
<listitem><para>Use the specified kerberos credential
diff --git a/library/adconn.c b/library/adconn.c
index ffb54f9..7bab852 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
char *domain_name;
char *domain_realm;
char *domain_controller;
+ bool use_ldaps;
char *canonical_host;
char *domain_short;
char *domain_sid;
@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
static LDAP *
connect_to_address (const char *host,
- const char *canonical_host)
+ const char *canonical_host,
+ bool use_ldaps)
{
struct addrinfo *res = NULL;
struct addrinfo *ai;
@@ -783,6 +785,16 @@ connect_to_address (const char *host,
char *url;
int sock;
int rc;
+ int opt_rc;
+ const char *port = "389";
+ const char *proto = "ldap";
+ const char *errmsg = NULL;
+
+ if (use_ldaps) {
+ port = "636";
+ proto = "ldaps";
+ _adcli_info ("Using LDAPS to connect to %s", host);
+ }
memset (&hints, '\0', sizeof(hints));
#ifdef AI_ADDRCONFIG
@@ -794,7 +806,7 @@ connect_to_address (const char *host,
if (!canonical_host)
canonical_host = host;
- rc = getaddrinfo (host, "389", &hints, &res);
+ rc = getaddrinfo (host, port, &hints, &res);
if (rc != 0) {
_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
return NULL;
@@ -810,7 +822,7 @@ connect_to_address (const char *host,
close (sock);
} else {
error = 0;
- if (asprintf (&url, "ldap://%s", canonical_host) < 0)
+ if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
return_val_if_reached (NULL);
rc = ldap_init_fd (sock, 1, url, &ldap);
free (url);
@@ -820,6 +832,25 @@ connect_to_address (const char *host,
ldap_err2string (rc));
break;
}
+
+ if (use_ldaps) {
+ rc = ldap_install_tls (ldap);
+ if (rc != LDAP_SUCCESS) {
+ opt_rc = ldap_get_option (ldap,
+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
+ (void *) &errmsg);
+ if (opt_rc != LDAP_SUCCESS) {
+ errmsg = NULL;
+ }
+ _adcli_err ("Couldn't initialize TLS [%s]: %s",
+ ldap_err2string (rc),
+ errmsg == NULL ? "- no details -"
+ : errmsg);
+ ldap_unbind_ext_s (ldap, NULL, NULL);
+ ldap = NULL;
+ break;
+ }
+ }
}
}
@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
if (!canonical_host)
canonical_host = disco->host_addr;
- ldap = connect_to_address (disco->host_addr, canonical_host);
+ ldap = connect_to_address (disco->host_addr, canonical_host,
+ adcli_conn_get_use_ldaps (conn));
if (ldap == NULL)
return ADCLI_ERR_DIRECTORY;
@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
return_unexpected_if_fail (status == 0);
- /* Clumsily tell ldap + cyrus-sasl that we want encryption */
- ssf = 1;
- ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
- return_unexpected_if_fail (ret == 0);
+ if (adcli_conn_get_use_ldaps (conn)) {
+ /* do not use SASL encryption on LDAPS connection */
+ ssf = 0;
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ return_unexpected_if_fail (ret == 0);
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
+ return_unexpected_if_fail (ret == 0);
+ } else {
+ /* Clumsily tell ldap + cyrus-sasl that we want encryption */
+ ssf = 1;
+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ return_unexpected_if_fail (ret == 0);
+ }
- if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+ /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
+ * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
+ * without LDAPS. */
+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
+ && !adcli_conn_get_use_ldaps (conn)) {
mech = "GSS-SPNEGO";
}
+ _adcli_info ("Using %s for SASL bind", mech);
ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
LDAP_SASL_QUIET, sasl_interact, NULL);
@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
conn->refs = 1;
conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
adcli_conn_set_domain_name (conn, domain_name);
+ adcli_conn_set_use_ldaps (conn, false);
return conn;
}
@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
no_more_disco (conn);
}
+bool
+adcli_conn_get_use_ldaps (adcli_conn *conn)
+{
+ return_val_if_fail (conn != NULL, NULL);
+ return conn->use_ldaps;
+}
+
+void
+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
+{
+ return_if_fail (conn != NULL);
+ conn->use_ldaps = value;
+}
+
const char *
adcli_conn_get_domain_short (adcli_conn *conn)
{
diff --git a/library/adconn.h b/library/adconn.h
index 37ebdd9..1d5faa8 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -89,6 +89,10 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn);
void adcli_conn_set_domain_controller (adcli_conn *conn,
const char *value);
+bool adcli_conn_get_use_ldaps (adcli_conn *conn);
+void adcli_conn_set_use_ldaps (adcli_conn *conn,
+ bool value);
+
const char * adcli_conn_get_domain_short (adcli_conn *conn);
const char * adcli_conn_get_domain_sid (adcli_conn *conn);
diff --git a/tools/computer.c b/tools/computer.c
index 840e334..292c4d8 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -113,12 +113,14 @@ typedef enum {
opt_add_service_principal,
opt_remove_service_principal,
opt_description,
+ opt_use_ldaps,
} Option;
static adcli_tool_desc common_usages[] = {
{ opt_domain, "active directory domain name" },
{ opt_domain_realm, "kerberos realm for the domain" },
{ opt_domain_controller, "domain controller to connect to" },
+ { opt_use_ldaps, "use LDAPS port for communication" },
{ opt_host_fqdn, "override the fully qualified domain name of the\n"
"local machine" },
{ opt_host_keytab, "filename for the host kerberos keytab" },
@@ -311,6 +313,9 @@ parse_option (Option opt,
case opt_description:
adcli_enroll_set_description (enroll, optarg);
return ADCLI_SUCCESS;
+ case opt_use_ldaps:
+ adcli_conn_set_use_ldaps (conn, true);
+ return ADCLI_SUCCESS;
case opt_verbose:
return ADCLI_SUCCESS;
@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "user", required_argument, NULL, opt_login_user }, /* compat */
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "domain-ou", required_argument, NULL, opt_domain_ou },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "login-type", required_argument, NULL, opt_login_type },
@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "login-type", required_argument, NULL, opt_login_type },
diff --git a/tools/entry.c b/tools/entry.c
index f361845..05e4313 100644
--- a/tools/entry.c
+++ b/tools/entry.c
@@ -53,6 +53,7 @@ typedef enum {
opt_unix_gid,
opt_unix_shell,
opt_nis_domain,
+ opt_use_ldaps,
} Option;
static adcli_tool_desc common_usages[] = {
@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
{ opt_domain, "active directory domain name" },
{ opt_domain_realm, "kerberos realm for the domain" },
{ opt_domain_controller, "domain directory server to connect to" },
+ { opt_use_ldaps, "use LDAPS port for communication" },
{ opt_login_ccache, "kerberos credential cache file which contains\n"
"ticket to used to connect to the domain" },
{ opt_login_user, "user (usually administrative) login name of\n"
@@ -136,6 +138,9 @@ parse_option (Option opt,
stdin_password = 1;
}
return ADCLI_SUCCESS;
+ case opt_use_ldaps:
+ adcli_conn_set_use_ldaps (conn, true);
+ return ADCLI_SUCCESS;
case opt_verbose:
return ADCLI_SUCCESS;
default:
@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "domain-ou", required_argument, NULL, opt_domain_ou },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "login-user", required_argument, NULL, opt_login_user },
{ "login-ccache", optional_argument, NULL, opt_login_ccache },
{ "no-password", no_argument, 0, opt_no_password },
--
2.21.0

29
SPECS/adcli.spec
View File

@ -1,6 +1,6 @@
Name: adcli
Version: 0.8.2
Release: 3%{?dist}
Release: 5%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli
@ -90,6 +90,23 @@ Patch52: 0002-adconn-add-adcli_conn_set_krb5_context.patch
Patch53: 0003-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
Patch54: 0004-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch
# rhbz#1745931 - adcli update --add-samba-data does not work as expected
Patch55: 0001-doc-explain-how-to-force-password-reset.patch
Patch56: 0001-man-move-note-to-the-right-section.patch
# rhbz#1745932 - Issue is that with arcfour-hmac as first encryption type
Patch57: 0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
Patch58: 0001-Fix-for-issue-found-by-Coverity.patch
# rhbz#1737342 - [RFE] enhancement adcli to set description attribute and to
# show all AD attributes
Patch59: 0001-tools-add-show-computer-command.patch
Patch60: 0002-add-description-option-to-join-and-update.patch
Patch61: 0001-Use-GSS-SPNEGO-if-available.patch
Patch62: 0002-add-option-use-ldaps.patch
BuildRequires: gcc
BuildRequires: intltool pkgconfig
BuildRequires: libtool
@ -150,6 +167,16 @@ documentation.
%doc %{_datadir}/doc/adcli/*
%changelog
* Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
sssd [#1762420]
* Thu Nov 28 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
- adcli update --add-samba-data does not work as expected [#1745931]
- Issue is that with arcfour-hmac as first encryption type [#1745932]
- [RFE] enhancement adcli to set description attribute and to show all AD
attributes [#1737342]
* Fri Jun 14 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-3
- use autosetup macro to simplify patch handling
- fixed rpmlint warnings in the spec file