diff --git a/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch b/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
new file mode 100644
index 0000000..f37f2f1
--- /dev/null
+++ b/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
@@ -0,0 +1,216 @@
+From 0a0d0f66409eb83e06b7dc50543c2f6c15a36bc4 Mon Sep 17 00:00:00 2001
+From: Alexey A Nikitin
+Date: Mon, 29 Oct 2018 20:40:36 -0700
+Subject: [PATCH] Make 'adcli info' DC location mechanism more compliant with
+ [MS-ADTS] and [MS-NRPC]
+
+AD specifications say that DC locator must attempt to find a suitable DC for the client. That means going through all of the DCs in SRV RRs one by one until one of them answers.
+
+The problem with adcli's original behavior is that it queries only five DCs from SRV, ever. This becomes a problem if for any reason there is a large number of DCs in the domain from which the client cannot get a CLDAP response.
+---
+ library/addisco.c | 146 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 94 insertions(+), 52 deletions(-)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 8cc5bf0..6e73ead 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -41,8 +41,10 @@
+ #include
+ #include
+
+-/* Number of servers to do discovery against */
+-#define DISCO_COUNT 5
++/* Number of servers to do discovery against.
++ * For AD DS maximum number of DCs is 1200.
++ */
++#define DISCO_COUNT 1200
+
+ /* The time period in which to do rapid requests */
+ #define DISCO_FEVER 1
+@@ -453,6 +455,51 @@ parse_disco (LDAP *ldap,
+ return usability;
+ }
+
++static int
++ldap_disco_poller (LDAP **ldap,
++ LDAPMessage **message,
++ adcli_disco **results,
++ const char **addrs)
++{
++ int found = ADCLI_DISCO_UNUSABLE;
++ int close_ldap;
++ int parsed;
++ int ret = 0;
++ struct timeval tvpoll = { 0, 0 };
++
++ switch (ldap_result (*ldap, LDAP_RES_ANY, 1, &tvpoll, message)) {
++ case LDAP_RES_SEARCH_ENTRY:
++ case LDAP_RES_SEARCH_RESULT:
++ parsed = parse_disco (*ldap, *addrs, *message, results);
++ if (parsed > found)
++ found = parsed;
++ ldap_msgfree (*message);
++ close_ldap = 1;
++ break;
++ case -1:
++ ldap_get_option (*ldap, LDAP_OPT_RESULT_CODE, &ret);
++ close_ldap = 1;
++ break;
++ default:
++ ldap_msgfree (*message);
++ close_ldap = 0;
++ break;
++ }
++
++ if (ret != LDAP_SUCCESS) {
++ _adcli_ldap_handle_failure (*ldap, ADCLI_ERR_CONFIG,
++ "Couldn't perform discovery search");
++ }
++
++ /* Done with this connection */
++ if (close_ldap) {
++ ldap_unbind_ext_s (*ldap, NULL, NULL);
++ *ldap = NULL;
++ }
++
++ return found;
++}
++
+ static int
+ ldap_disco (const char *domain,
+ srvinfo *srv,
+@@ -477,6 +524,7 @@ ldap_disco (const char *domain,
+ int num, i;
+ int ret;
+ int have_any = 0;
++ struct timeval interval;
+
+ if (domain) {
+ value = _adcli_ldap_escape_filter (domain);
+@@ -540,7 +588,6 @@ ldap_disco (const char *domain,
+ version = LDAP_VERSION3;
+ ldap_set_option (ldap[num], LDAP_OPT_PROTOCOL_VERSION, &version);
+ ldap_set_option (ldap[num], LDAP_OPT_REFERRALS , 0);
+- _adcli_info ("Sending netlogon pings to domain controller: %s", url);
+ addrs[num] = srv->hostname;
+ have_any = 1;
+ num++;
+@@ -555,70 +602,65 @@ ldap_disco (const char *domain,
+ freeaddrinfo (res);
+ }
+
+- /* Wait for the first response. Poor mans fd watch */
+- for (started = now = time (NULL);
+- have_any && found != ADCLI_DISCO_USABLE && now < started + DISCO_TIME;
+- now = time (NULL)) {
++ /* Initial send and short time wait */
++ interval.tv_sec = 0;
++ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
++ int parsed;
++
++ if (NULL == ldap[i])
++ continue;
+
+- struct timeval tvpoll = { 0, 0 };
+- struct timeval interval;
++ have_any = 1;
++ _adcli_info ("Sending NetLogon ping to domain controller: %s", addrs[i]);
+
+- /* If in the initial period, send feverishly */
+- if (now < started + DISCO_FEVER) {
+- interval.tv_sec = 0;
+- interval.tv_usec = 100 * 1000;
++ ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
++ filter, attrs, 0, NULL, NULL, NULL,
++ -1, &msgidp);
++
++ if (ret != LDAP_SUCCESS) {
++ _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
++ "Couldn't perform discovery search");
++ ldap_unbind_ext_s (ldap[i], NULL, NULL);
++ ldap[i] = NULL;
++ }
++
++ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
++ * five DCs are given 0.4 seconds timeout, next five are given 0.2
++ * seconds, and the rest are given 0.1 seconds
++ */
++ if (i < 5) {
++ interval.tv_usec = 400000;
++ } else if (i < 10) {
++ interval.tv_usec = 200000;
+ } else {
+- interval.tv_sec = 1;
+- interval.tv_usec = 0;
++ interval.tv_usec = 100000;
+ }
++ select (0, NULL, NULL, NULL, &interval);
++
++ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
++ if (parsed > found)
++ found = parsed;
++ }
++
++ /* Wait some more until LDAP timeout (DISCO_TIME) */
++ for (started = now = time (NULL);
++ have_any && ADCLI_DISCO_UNUSABLE == found && now < started + DISCO_TIME;
++ now = time (NULL)) {
+
+ select (0, NULL, NULL, NULL, &interval);
+
+ have_any = 0;
+- for (i = 0; found != ADCLI_DISCO_USABLE && i < num; i++) {
+- int close_ldap;
++ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
+ int parsed;
+
+ if (ldap[i] == NULL)
+ continue;
+
+- ret = 0;
+ have_any = 1;
+- switch (ldap_result (ldap[i], LDAP_RES_ANY, 1, &tvpoll, &message)) {
+- case LDAP_RES_SEARCH_ENTRY:
+- case LDAP_RES_SEARCH_RESULT:
+- parsed = parse_disco (ldap[i], addrs[i], message, results);
+- if (parsed > found)
+- found = parsed;
+- ldap_msgfree (message);
+- close_ldap = 1;
+- break;
+- case 0:
+- ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
+- filter, attrs, 0, NULL, NULL, NULL,
+- -1, &msgidp);
+- close_ldap = (ret != 0);
+- break;
+- case -1:
+- ldap_get_option (ldap[i], LDAP_OPT_RESULT_CODE, &ret);
+- close_ldap = 1;
+- break;
+- default:
+- ldap_msgfree (message);
+- close_ldap = 0;
+- break;
+- }
+-
+- if (ret != LDAP_SUCCESS) {
+- _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
+- "Couldn't perform discovery search");
+- }
+
+- /* Done with this connection */
+- if (close_ldap) {
+- ldap_unbind_ext_s (ldap[i], NULL, NULL);
+- ldap[i] = NULL;
+- }
++ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
++ if (parsed > found)
++ found = parsed;
+ }
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
new file mode 100644
index 0000000..15aaf07
--- /dev/null
+++ b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
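Review bot: In the second wait loop of ldap_disco (the `for (started = now = time (NULL); ...)` block) `select (0, NULL, NULL, NULL, &interval)` now reuses whatever `interval` the first loop left behind, since the per-iteration assignment of `interval.tv_sec = 1; interval.tv_usec = 0;` was removed with the old fever logic. On Linux select() writes the time not slept back into its timeout argument, so once the first loop's select() has run to completion `interval` is typically {0, 0} and the second loop then polls all `num` connections back-to-back without pausing until DISCO_TIME expires. Restoring `interval.tv_sec = 1; interval.tv_usec = 0;` at the top of that loop body, before the `select` call, keeps the intended one-second cadence. Separately, the `default:` branch of ldap_disco_poller now also covers the 0 (timeout) return of ldap_result() and frees `*message`; unless ldap_result() resets `*message` on that path, this releases a pointer the LDAP_RES_SEARCH_* case already freed for an earlier DC, which is worth confirming against the libldap version in use. ldap_disco begins before this hunk.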
@@ -0,0 +1,32 @@
+From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 5 Jun 2020 17:06:58 +0200
+Subject: [PATCH] delete: do not exit if keytab cannot be read
+
+Reading the keytab is not required when deleting a host object in AD. It
+is only needed in the case where the host was added with a manual set
+NetBIOS name (--computer-name option) which does not match the short
+hostname and no computer name was given at the delete-computer command
+line.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
+---
+ tools/computer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 292c4d8..a90c4b2 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+- adcli_enroll_unref (enroll);
+- return -res;
+ }
+
+ res = adcli_conn_connect (conn);
+--
+2.26.2
+
diff --git a/SOURCES/0001-discovery-fix.patch b/SOURCES/0001-discovery-fix.patch
new file mode 100644
index 0000000..7c1018d
--- /dev/null
+++ b/SOURCES/0001-discovery-fix.patch
@@ -0,0 +1,27 @@
+From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 11 Feb 2020 17:42:03 +0100
+Subject: [PATCH] discovery fix
+
+Do not continue processing on closed connection.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
+---
+ library/addisco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 6e73ead..f3b3546 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
+ "Couldn't perform discovery search");
+ ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ ldap[i] = NULL;
++ continue;
+ }
+
+ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+--
+2.26.2
+
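Review bot: The `warnx ("couldn't lookup domain info from keytab: %s", ...)` kept in adcli_tool_computer_delete now fires on a path that continues, but its wording still reads like a fatal error, and nothing in the code records why continuing is acceptable; the rationale lives only in the commit message. A comment above the `if (res != ADCLI_SUCCESS)` such as `/* Not fatal: the keytab is only needed to recover a NetBIOS name set with --computer-name */` and a message like `warnx ("couldn't lookup domain info from keytab, continuing without it: %s", adcli_get_last_error ());` would make the behaviour clear to operators and future maintainers. Since `res` from the failed lookup is overwritten by `res = adcli_conn_connect (conn);` on the next kept line, no stale error code leaks out, but the caveat from the commit message — that a host joined under a custom NetBIOS name may not be found when no name is given on the command line — would be worth stating in the same comment. The function begins before this hunk.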
diff --git a/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
new file mode 100644
index 0000000..191fa3e
--- /dev/null
+++ b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
@@ -0,0 +1,44 @@
+From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 15 Jun 2020 15:57:47 +0200
+Subject: [PATCH] man: explain optional parameter of login-ccache better
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index acced25..ecf8726 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+
+
+ Use the specified kerberos credential
+- cache to authenticate with the domain. If no credential
+- cache is specified, the default kerberos credential
+- cache will be used. Credential caches of type FILE can
+- be given with the path to the file. For other
+- credential cache types, e.g. DIR, KEYRING or KCM, the
+- type must be specified explicitly together with a
+- suitable identifier.
++ cache to authenticate with the domain. If no credential
++ cache is specified, the default kerberos credential
++ cache will be used. Credential caches of type FILE can
++ be given with the path to the file. For other
++ credential cache types, e.g. DIR, KEYRING or KCM, the
++ type must be specified explicitly together with a
++ suitable identifier.
++ Please note that since the
++ ccache_name is optional the
++ =(equal) sign is mandatory. If = is missing the
++ parameter is treated as optionless extra argument. How
++ this is handled depends on the specific sub-command.
++
+
+
+
+--
+2.26.2
+
diff --git a/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch b/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch
new file mode 100644
index 0000000..3d5955a
--- /dev/null
+++ b/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch
@@ -0,0 +1,41 @@
+From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 13 Aug 2020 17:10:01 +0200
+Subject: [PATCH] man: make handling of optional credential cache more clear
+
+The optional Kerberos credential cache can only be used with the long
+option name --login-ccache and not with the short version -C. To make
+this more clear each option get its own entry.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index ecf8726..1437679 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+
+
+
+-
+- Use the specified kerberos credential
++
++ Use the default Kerberos credential
++ cache to authenticate with the domain.
++
++
++
++
++ Use the specified Kerberos credential
+ cache to authenticate with the domain. If no credential
+- cache is specified, the default kerberos credential
++ cache is specified, the default Kerberos credential
+ cache will be used. Credential caches of type FILE can
+ be given with the path to the file. For other
+ credential cache types, e.g. DIR, KEYRING or KCM, the
+--
+2.26.2
+
diff --git a/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
new file mode 100644
index 0000000..07d791e
--- /dev/null
+++ b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
@@ -0,0 +1,41 @@
+From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 5 Jun 2020 17:28:28 +0200
+Subject: [PATCH] tools: disable SSSD's locator plugin
+
+MIT's libkrb5 checks available locator plugins first before checking the
+config file. This might cause issues when the locator plugin returns a
+different DC than the one used for the LDAP connection if some data must
+be replicated.
+
+This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
+'true' to disable SSSD's locator plugin for adcli.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
+---
+ tools/tools.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 9d422f2..1b6d879 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
+ }
+
+ unsetenv ("KRB5_CONFIG");
++ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
+ }
+
+ static void
+@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ adcli_krb5_conf_filename = filename;
+ adcli_krb5_d_directory = snippets;
+ setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
++ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
+
+ } else {
+ free (filename);
+--
+2.26.2
+
diff --git a/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch b/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch
new file mode 100644
index 0000000..d82d49c
--- /dev/null
+++ b/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch
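Review bot: `setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1)` sits in the branch of setup_krb5_conf_directory that assigns adcli_krb5_conf_filename, so on the `} else { free (filename);` path the locator plugin stays enabled and the DC mismatch the commit message describes can still happen; disabling the plugin does not depend on the snippet directory, so the call could move above the branch. Both setup_krb5_conf_directory and cleanup_krb5_conf_directory begin outside the hunk, so an earlier exit that already covers this case is not visible here. The rationale currently exists only in the commit message; a comment next to the call such as `/* libkrb5 consults locator plugins before krb5.conf; keep SSSD's from steering KDC traffic to a DC other than the one our LDAP connection uses */` would preserve it in the code. Note also that `unsetenv` in the cleanup path discards any value the operator had exported before running adcli, which is acceptable for a short-lived tool but worth a one-line comment.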
@@ -0,0 +1,26 @@
+From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 15 Jun 2020 15:41:53 +0200
+Subject: [PATCH] tools: fix typo in show-password help output
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
+---
+ tools/computer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index a90c4b2..24ea258 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
+ "accounts" },
+ { opt_show_details, "show information about joining the domain after\n"
+ "a successful join" },
+- { opt_show_password, "show computer account password after after a\n"
++ { opt_show_password, "show computer account password after a\n"
+ "successful join" },
+ { opt_add_samba_data, "add domain SID and computer account password\n"
+ "to the Samba specific configuration database" },
+--
+2.26.2
+
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index 022476f..df51d54 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,6 +1,6 @@
 Name: adcli
 Version: 0.8.2
-Release: 5%{?dist}
+Release: 7%{?dist}
 Summary: Active Directory enrollment
 License: LGPLv2+
 URL: http://cgit.freedesktop.org/realmd/adcli
@@ -107,6 +107,24 @@ Patch60: 0002-add-description-option-to-join-and-update.patch
 Patch61: 0001-Use-GSS-SPNEGO-if-available.patch
 Patch62: 0002-add-option-use-ldaps.patch
+# rhbz#1806260 - [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6
+Patch63: 0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
+Patch64: 0001-discovery-fix.patch
+
+# rhbz#1846882 - No longer able to delete computer from AD using adcli
+Patch65: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
+
+# rhbz#1846878 - adcli: presetting $computer in $domain domain failed: Cannot
+# set computer password: Authentication error
+Patch66: 0001-tools-disable-SSSD-s-locator-plugin.patch
+
+# rhbz#1791611 - Typo in adcli update --help option
+Patch67: 0001-tools-fix-typo-in-show-password-help-output.patch
+
+# rhbz#1791545 - Manpage and help does not explain the use of "-C" option
+Patch68: 0001-man-explain-optional-parameter-of-login-ccache-bette.patch
+Patch69: 0001-man-make-handling-of-optional-credential-cache-more-.patch
+
 BuildRequires: gcc
 BuildRequires: intltool pkgconfig
 BuildRequires: libtool
@@ -167,6 +185,17 @@ documentation.
 %doc %{_datadir}/doc/adcli/*
 %changelog
+* Thu Aug 13 2020 Sumit Bose - 0.8.2-7
+- Improve "-C" option description in man page even more [#1791545]
+
+* Mon Jun 15 2020 Sumit Bose - 0.8.2-6
+- [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 [#1806260]
+- No longer able to delete computer from AD using adcli [#1846882]
+- adcli: presetting $computer in $domain domain failed: Cannot set computer
+ password: Authentication error [#1846878]
+- Typo in adcli update --help option [#1791611]
+- Manpage and help does not explain the use of "-C" option [#1791545]
+
 * Wed Jan 29 2020 Sumit Bose - 0.8.2-5
 - adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd [#1762420]