various fixes and improvements
Resolves: rhbz#1593240, rhbz#1608212, rhbz#1547014, rhbz#1547014, rhbz#1649868, rhbz#1588596, rhbz#1642546, rhbz#1595911, rhbz#1644311, rhbz#1337489, rhbz#1630187, rhbz#1622583
This commit is contained in:
parent
8490450af9
commit
8fc58f61c3
181
0001-Implement-adcli-testjoin.patch
Normal file
181
0001-Implement-adcli-testjoin.patch
Normal file
@ -0,0 +1,181 @@
|
|||||||
|
From 6fd99ff6c5dd6ef0be8d942989b1c6dcee3102d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 22 Mar 2019 12:37:39 +0100
|
||||||
|
Subject: [PATCH] Implement 'adcli testjoin'
|
||||||
|
|
||||||
|
By calling adcli testjoin it will be checked if the host credentials
|
||||||
|
stored in the keytab are still valid.
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1622583
|
||||||
|
---
|
||||||
|
doc/adcli.xml | 34 +++++++++++++++++++++++
|
||||||
|
tools/computer.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tools/tools.c | 1 +
|
||||||
|
tools/tools.h | 4 +++
|
||||||
|
4 files changed, 111 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/doc/adcli.xml b/doc/adcli.xml
|
||||||
|
index af73433..9605b4a 100644
|
||||||
|
--- a/doc/adcli.xml
|
||||||
|
+++ b/doc/adcli.xml
|
||||||
|
@@ -43,6 +43,9 @@
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>adcli update</command>
|
||||||
|
</cmdsynopsis>
|
||||||
|
+ <cmdsynopsis>
|
||||||
|
+ <command>adcli testjoin</command>
|
||||||
|
+ </cmdsynopsis>
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>adcli create-user</command>
|
||||||
|
<arg choice="opt">--domain=domain.example.com</arg>
|
||||||
|
@@ -474,6 +477,37 @@ $ adcli update --login-ccache=/tmp/krbcc_123
|
||||||
|
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
+<refsect1 id='testjoin'>
|
||||||
|
+ <title>Testing if the machine account password is valid</title>
|
||||||
|
+
|
||||||
|
+ <para><command>adcli testjoin</command> uses the current credentials in
|
||||||
|
+ the keytab and tries to authenticate with the machine account to the AD
|
||||||
|
+ domain. If this works the machine account password and the join are
|
||||||
|
+ still valid. If it fails the machine account password or the whole
|
||||||
|
+ machine account have to be refreshed with
|
||||||
|
+ <command>adcli join</command> or <command>adcli update</command>.
|
||||||
|
+ </para>
|
||||||
|
+
|
||||||
|
+<programlisting>
|
||||||
|
+$ adcli testjoin
|
||||||
|
+</programlisting>
|
||||||
|
+
|
||||||
|
+ <para>Only the global options not related to authentication are
|
||||||
|
+ available, additionally you can specify the following options to
|
||||||
|
+ control how this operation is done.</para>
|
||||||
|
+
|
||||||
|
+ <variablelist>
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
|
||||||
|
+ <listitem><para>Specify the path to the host keytab where
|
||||||
|
+ current host credentials are stored and the new ones
|
||||||
|
+ will be written to. If not specified, the default
|
||||||
|
+ location will be used, usually
|
||||||
|
+ <filename>/etc/krb5.keytab</filename>.</para></listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+ </variablelist>
|
||||||
|
+</refsect1>
|
||||||
|
+
|
||||||
|
<refsect1 id='create_user'>
|
||||||
|
<title>Creating a User</title>
|
||||||
|
|
||||||
|
diff --git a/tools/computer.c b/tools/computer.c
|
||||||
|
index 112340e..610ed2b 100644
|
||||||
|
--- a/tools/computer.c
|
||||||
|
+++ b/tools/computer.c
|
||||||
|
@@ -566,6 +566,78 @@ adcli_tool_computer_update (adcli_conn *conn,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int
|
||||||
|
+adcli_tool_computer_testjoin (adcli_conn *conn,
|
||||||
|
+ int argc,
|
||||||
|
+ char *argv[])
|
||||||
|
+{
|
||||||
|
+ adcli_enroll *enroll;
|
||||||
|
+ adcli_result res;
|
||||||
|
+ const char *ktname;
|
||||||
|
+ int opt;
|
||||||
|
+
|
||||||
|
+ struct option options[] = {
|
||||||
|
+ { "domain", required_argument, NULL, opt_domain },
|
||||||
|
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
|
||||||
|
+ { "host-keytab", required_argument, 0, opt_host_keytab },
|
||||||
|
+ { "verbose", no_argument, NULL, opt_verbose },
|
||||||
|
+ { "help", no_argument, NULL, 'h' },
|
||||||
|
+ { 0 },
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ static adcli_tool_desc usages[] = {
|
||||||
|
+ { 0, "usage: adcli testjoin" },
|
||||||
|
+ { 0 },
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ enroll = adcli_enroll_new (conn);
|
||||||
|
+ if (enroll == NULL)
|
||||||
|
+ errx (-1, "unexpected memory problems");
|
||||||
|
+
|
||||||
|
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
|
||||||
|
+ switch (opt) {
|
||||||
|
+ case 'h':
|
||||||
|
+ case '?':
|
||||||
|
+ case ':':
|
||||||
|
+ adcli_tool_usage (options, usages);
|
||||||
|
+ adcli_tool_usage (options, common_usages);
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ return opt == 'h' ? 0 : 2;
|
||||||
|
+ default:
|
||||||
|
+ parse_option ((Option)opt, optarg, conn, enroll);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Force use of a keytab to test the join/machine account password */
|
||||||
|
+ adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT);
|
||||||
|
+ ktname = adcli_enroll_get_keytab_name (enroll);
|
||||||
|
+ adcli_conn_set_login_keytab_name (conn, ktname ? ktname : "");
|
||||||
|
+
|
||||||
|
+ res = adcli_enroll_load (enroll);
|
||||||
|
+ if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
+ errx (-res, "couldn't lookup domain info from keytab: %s",
|
||||||
|
+ adcli_get_last_error ());
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ res = adcli_conn_connect (conn);
|
||||||
|
+ if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
+ errx (-res, "couldn't connect to %s domain: %s",
|
||||||
|
+ adcli_conn_get_domain_name (conn),
|
||||||
|
+ adcli_get_last_error ());
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ printf ("Sucessfully validated join to domain %s\n",
|
||||||
|
+ adcli_conn_get_domain_name (conn));
|
||||||
|
+
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
|
||||||
|
int
|
||||||
|
adcli_tool_computer_preset (adcli_conn *conn,
|
||||||
|
diff --git a/tools/tools.c b/tools/tools.c
|
||||||
|
index 915130e..c4e2851 100644
|
||||||
|
--- a/tools/tools.c
|
||||||
|
+++ b/tools/tools.c
|
||||||
|
@@ -55,6 +55,7 @@ struct {
|
||||||
|
{ "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS },
|
||||||
|
{ "join", adcli_tool_computer_join, "Join this machine to a domain", },
|
||||||
|
{ "update", adcli_tool_computer_update, "Update machine membership in a domain", },
|
||||||
|
+ { "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", },
|
||||||
|
{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
|
||||||
|
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
|
||||||
|
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
|
||||||
|
diff --git a/tools/tools.h b/tools/tools.h
|
||||||
|
index 6c97ccf..8cebbf9 100644
|
||||||
|
--- a/tools/tools.h
|
||||||
|
+++ b/tools/tools.h
|
||||||
|
@@ -70,6 +70,10 @@ int adcli_tool_computer_update (adcli_conn *conn,
|
||||||
|
int argc,
|
||||||
|
char *argv[]);
|
||||||
|
|
||||||
|
+int adcli_tool_computer_testjoin (adcli_conn *conn,
|
||||||
|
+ int argc,
|
||||||
|
+ char *argv[]);
|
||||||
|
+
|
||||||
|
int adcli_tool_computer_delete (adcli_conn *conn,
|
||||||
|
int argc,
|
||||||
|
char *argv[]);
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,32 @@
|
|||||||
|
From 5cf1723c308e21cdbe9b98ed2aaa42cb997456fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 15 Mar 2019 14:31:12 +0100
|
||||||
|
Subject: [PATCH] Increment kvno after password change with user creds
|
||||||
|
|
||||||
|
Originally only the host credential part was fixed in the context of
|
||||||
|
https://bugs.freedesktop.org/show_bug.cgi?id=91185. This patch adds the
|
||||||
|
fix to the case when user credentials are used.
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1642546
|
||||||
|
---
|
||||||
|
library/adenroll.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index e02f403..58362c2 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -1057,6 +1057,10 @@ set_password_with_user_creds (adcli_enroll *enroll)
|
||||||
|
#endif
|
||||||
|
} else {
|
||||||
|
_adcli_info ("Set computer password");
|
||||||
|
+ if (enroll->kvno > 0) {
|
||||||
|
+ enroll->kvno++;
|
||||||
|
+ _adcli_info ("kvno incremented to %d", enroll->kvno);
|
||||||
|
+ }
|
||||||
|
res = ADCLI_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
134
0001-adutil-add-_adcli_strv_add_unique.patch
Normal file
134
0001-adutil-add-_adcli_strv_add_unique.patch
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
From 85d127fd52a8469f9f3ce0d1130fe17e756fdd75 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 16 Nov 2018 13:32:33 +0100
|
||||||
|
Subject: [PATCH 1/2] adutil: add _adcli_strv_add_unique
|
||||||
|
|
||||||
|
_adcli_strv_add_unique checks is the new value already exists in the
|
||||||
|
strv before adding it. Check can be done case-sensitive or not.
|
||||||
|
|
||||||
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/16
|
||||||
|
---
|
||||||
|
library/adprivate.h | 5 ++++
|
||||||
|
library/adutil.c | 65 ++++++++++++++++++++++++++++++++++++++-------
|
||||||
|
2 files changed, 61 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adprivate.h b/library/adprivate.h
|
||||||
|
index bc9df6d..0806430 100644
|
||||||
|
--- a/library/adprivate.h
|
||||||
|
+++ b/library/adprivate.h
|
||||||
|
@@ -111,6 +111,11 @@ char ** _adcli_strv_add (char **strv,
|
||||||
|
char *string,
|
||||||
|
int *length) GNUC_WARN_UNUSED;
|
||||||
|
|
||||||
|
+char ** _adcli_strv_add_unique (char **strv,
|
||||||
|
+ char *string,
|
||||||
|
+ int *length,
|
||||||
|
+ bool case_sensitive) GNUC_WARN_UNUSED;
|
||||||
|
+
|
||||||
|
void _adcli_strv_remove_unsorted (char **strv,
|
||||||
|
const char *string,
|
||||||
|
int *length);
|
||||||
|
diff --git a/library/adutil.c b/library/adutil.c
|
||||||
|
index 17d2caa..76ea158 100644
|
||||||
|
--- a/library/adutil.c
|
||||||
|
+++ b/library/adutil.c
|
||||||
|
@@ -221,6 +221,34 @@ _adcli_strv_add (char **strv,
|
||||||
|
return seq_push (strv, length, string);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+_adcli_strv_has_ex (char **strv,
|
||||||
|
+ const char *str,
|
||||||
|
+ int (* compare) (const char *match, const char*value))
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; strv && strv[i] != NULL; i++) {
|
||||||
|
+ if (compare (strv[i], str) == 0)
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+char **
|
||||||
|
+_adcli_strv_add_unique (char **strv,
|
||||||
|
+ char *string,
|
||||||
|
+ int *length,
|
||||||
|
+ bool case_sensitive)
|
||||||
|
+{
|
||||||
|
+ if (_adcli_strv_has_ex (strv, string, case_sensitive ? strcmp : strcasecmp) == 1) {
|
||||||
|
+ return strv;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return _adcli_strv_add (strv, string, length);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -241,19 +269,11 @@ _adcli_strv_remove_unsorted (char **strv,
|
||||||
|
(seq_compar)strcasecmp, free);
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
int
|
||||||
|
_adcli_strv_has (char **strv,
|
||||||
|
const char *str)
|
||||||
|
{
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- for (i = 0; strv && strv[i] != NULL; i++) {
|
||||||
|
- if (strcmp (strv[i], str) == 0)
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return 0;
|
||||||
|
+ return _adcli_strv_has_ex (strv, str, strcmp);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -704,6 +724,32 @@ test_strv_add_free (void)
|
||||||
|
_adcli_strv_free (strv);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+test_strv_add_unique_free (void)
|
||||||
|
+{
|
||||||
|
+ char **strv = NULL;
|
||||||
|
+
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("one"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("one"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("two"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("two"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("tWo"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("three"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("three"), NULL, false);
|
||||||
|
+ strv = _adcli_strv_add_unique (strv, strdup ("TWO"), NULL, true);
|
||||||
|
+
|
||||||
|
+ assert_num_eq (_adcli_strv_len (strv), 4);
|
||||||
|
+
|
||||||
|
+ assert_str_eq (strv[0], "one");
|
||||||
|
+ assert_str_eq (strv[1], "two");
|
||||||
|
+ assert_str_eq (strv[2], "three");
|
||||||
|
+ assert_str_eq (strv[3], "TWO");
|
||||||
|
+ assert (strv[4] == NULL);
|
||||||
|
+
|
||||||
|
+ _adcli_strv_free (strv);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
static void
|
||||||
|
test_strv_dup (void)
|
||||||
|
{
|
||||||
|
@@ -856,6 +902,7 @@ main (int argc,
|
||||||
|
char *argv[])
|
||||||
|
{
|
||||||
|
test_func (test_strv_add_free, "/util/strv_add_free");
|
||||||
|
+ test_func (test_strv_add_unique_free, "/util/strv_add_unique_free");
|
||||||
|
test_func (test_strv_dup, "/util/strv_dup");
|
||||||
|
test_func (test_strv_count, "/util/strv_count");
|
||||||
|
test_func (test_check_nt_time_string_lifetime, "/util/check_nt_time_string_lifetime");
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
71
0001-create-user-add-nis-domain-option.patch
Normal file
71
0001-create-user-add-nis-domain-option.patch
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
From 1457b4a7623a8ae58fb8d6a652d1cc44904b8863 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 18 Mar 2019 11:02:57 +0100
|
||||||
|
Subject: [PATCH 1/2] create-user: add nis-domain option
|
||||||
|
|
||||||
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/2
|
||||||
|
---
|
||||||
|
doc/adcli.xml | 8 ++++++++
|
||||||
|
tools/entry.c | 6 ++++++
|
||||||
|
2 files changed, 14 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/doc/adcli.xml b/doc/adcli.xml
|
||||||
|
index 4722c3a..18620c0 100644
|
||||||
|
--- a/doc/adcli.xml
|
||||||
|
+++ b/doc/adcli.xml
|
||||||
|
@@ -531,6 +531,14 @@ $ adcli create-user Fry --domain=domain.example.com \
|
||||||
|
the new created user account, which should be the user's
|
||||||
|
numeric primary user id.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term><option>--nis-domain=<parameter>nis_domain</parameter></option></term>
|
||||||
|
+ <listitem><para>Set the <code>msSFU30NisDomain</code> attribute of
|
||||||
|
+ the new created user account, which should be the user's
|
||||||
|
+ NIS domain is the NIS/YP service of Active Directory's Services for Unix (SFU)
|
||||||
|
+ are used. This is needed to let the 'UNIX attributes' tab of older Active
|
||||||
|
+ Directoy versions show the set UNIX specific attributes.</para></listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
</refsect1>
|
||||||
|
diff --git a/tools/entry.c b/tools/entry.c
|
||||||
|
index 7b6a200..69ce62c 100644
|
||||||
|
--- a/tools/entry.c
|
||||||
|
+++ b/tools/entry.c
|
||||||
|
@@ -52,6 +52,7 @@ typedef enum {
|
||||||
|
opt_unix_uid,
|
||||||
|
opt_unix_gid,
|
||||||
|
opt_unix_shell,
|
||||||
|
+ opt_nis_domain,
|
||||||
|
} Option;
|
||||||
|
|
||||||
|
static adcli_tool_desc common_usages[] = {
|
||||||
|
@@ -62,6 +63,7 @@ static adcli_tool_desc common_usages[] = {
|
||||||
|
{ opt_unix_uid, "unix uid number" },
|
||||||
|
{ opt_unix_gid, "unix gid number" },
|
||||||
|
{ opt_unix_shell, "unix shell" },
|
||||||
|
+ { opt_nis_domain, "NIS domain" },
|
||||||
|
{ opt_domain, "active directory domain name" },
|
||||||
|
{ opt_domain_realm, "kerberos realm for the domain" },
|
||||||
|
{ opt_domain_controller, "domain directory server to connect to" },
|
||||||
|
@@ -159,6 +161,7 @@ adcli_tool_user_create (adcli_conn *conn,
|
||||||
|
{ "unix-uid", required_argument, NULL, opt_unix_uid },
|
||||||
|
{ "unix-gid", required_argument, NULL, opt_unix_gid },
|
||||||
|
{ "unix-shell", required_argument, NULL, opt_unix_shell },
|
||||||
|
+ { "nis-domain", required_argument, NULL, opt_nis_domain },
|
||||||
|
{ "domain-ou", required_argument, NULL, opt_domain_ou },
|
||||||
|
{ "domain", required_argument, NULL, opt_domain },
|
||||||
|
{ "domain-realm", required_argument, NULL, opt_domain_realm },
|
||||||
|
@@ -200,6 +203,9 @@ adcli_tool_user_create (adcli_conn *conn,
|
||||||
|
case opt_unix_shell:
|
||||||
|
adcli_attrs_add (attrs, "loginShell", optarg, NULL);
|
||||||
|
break;
|
||||||
|
+ case opt_nis_domain:
|
||||||
|
+ adcli_attrs_add (attrs, "msSFU30NisDomain", optarg, NULL);
|
||||||
|
+ break;
|
||||||
|
case opt_domain_ou:
|
||||||
|
ou = optarg;
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,72 @@
|
|||||||
|
From 3a84c2469c31967bc22c0490456f07723ef5fc86 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 20 Mar 2019 11:01:50 +0100
|
||||||
|
Subject: [PATCH 1/4] ensure_keytab_principals: do not leak memory when called
|
||||||
|
twice
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
||||||
|
---
|
||||||
|
library/adenroll.c | 32 +++++++++++++++++++++-----------
|
||||||
|
1 file changed, 21 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index d1f746c..48cb4cf 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -413,6 +413,25 @@ ensure_service_principals (adcli_result res,
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void enroll_clear_keytab_principals (adcli_enroll *enroll)
|
||||||
|
+{
|
||||||
|
+ krb5_context k5;
|
||||||
|
+ size_t c;
|
||||||
|
+
|
||||||
|
+ if (enroll->keytab_principals) {
|
||||||
|
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
|
||||||
|
+ return_if_fail (k5 != NULL);
|
||||||
|
+
|
||||||
|
+ for (c = 0; enroll->keytab_principals[c] != NULL; c++)
|
||||||
|
+ krb5_free_principal (k5, enroll->keytab_principals[c]);
|
||||||
|
+
|
||||||
|
+ free (enroll->keytab_principals);
|
||||||
|
+ enroll->keytab_principals = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static adcli_result
|
||||||
|
ensure_keytab_principals (adcli_result res,
|
||||||
|
adcli_enroll *enroll)
|
||||||
|
@@ -430,6 +449,7 @@ ensure_keytab_principals (adcli_result res,
|
||||||
|
k5 = adcli_conn_get_krb5_context (enroll->conn);
|
||||||
|
return_unexpected_if_fail (k5 != NULL);
|
||||||
|
|
||||||
|
+ enroll_clear_keytab_principals (enroll);
|
||||||
|
enroll->keytab_principals = calloc (count + 3, sizeof (krb5_principal));
|
||||||
|
return_unexpected_if_fail (enroll->keytab_principals != NULL);
|
||||||
|
at = 0;
|
||||||
|
@@ -1860,18 +1880,8 @@ static void
|
||||||
|
enroll_clear_state (adcli_enroll *enroll)
|
||||||
|
{
|
||||||
|
krb5_context k5;
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- if (enroll->keytab_principals) {
|
||||||
|
- k5 = adcli_conn_get_krb5_context (enroll->conn);
|
||||||
|
- return_if_fail (k5 != NULL);
|
||||||
|
-
|
||||||
|
- for (i = 0; enroll->keytab_principals[i] != NULL; i++)
|
||||||
|
- krb5_free_principal (k5, enroll->keytab_principals[i]);
|
||||||
|
|
||||||
|
- free (enroll->keytab_principals);
|
||||||
|
- enroll->keytab_principals = NULL;
|
||||||
|
- }
|
||||||
|
+ enroll_clear_keytab_principals (enroll);
|
||||||
|
|
||||||
|
if (enroll->keytab) {
|
||||||
|
k5 = adcli_conn_get_krb5_context (enroll->conn);
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
25
0001-fix-typo-in-flag-value.patch
Normal file
25
0001-fix-typo-in-flag-value.patch
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
From 870ecd8f982ebb97092a93d730ad4006bd78505c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 8 Aug 2018 12:03:01 +0200
|
||||||
|
Subject: [PATCH 1/4] fix typo in flag value
|
||||||
|
|
||||||
|
---
|
||||||
|
library/adenroll.h | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.h b/library/adenroll.h
|
||||||
|
index f87dffa..abbbfd4 100644
|
||||||
|
--- a/library/adenroll.h
|
||||||
|
+++ b/library/adenroll.h
|
||||||
|
@@ -30,7 +30,7 @@ typedef enum {
|
||||||
|
ADCLI_ENROLL_NO_KEYTAB = 1 << 1,
|
||||||
|
ADCLI_ENROLL_ALLOW_OVERWRITE = 1 << 2,
|
||||||
|
ADCLI_ENROLL_PASSWORD_VALID = 1 << 3,
|
||||||
|
- ADCLI_ENROLL_ADD_SAMBA_DATA = 1 << 3,
|
||||||
|
+ ADCLI_ENROLL_ADD_SAMBA_DATA = 1 << 4,
|
||||||
|
} adcli_enroll_flags;
|
||||||
|
|
||||||
|
typedef struct _adcli_enroll adcli_enroll;
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
86
0001-join-always-add-service-principals.patch
Normal file
86
0001-join-always-add-service-principals.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
From cd296bf24e7cc56fb8d00bad7e9a56c539894309 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Tue, 19 Mar 2019 20:44:36 +0100
|
||||||
|
Subject: [PATCH 1/2] join: always add service principals
|
||||||
|
|
||||||
|
If currently --service-name is given during the join only the service
|
||||||
|
names given by this option are added as service principal names. As a
|
||||||
|
result the default 'host' service principal name might be missing which
|
||||||
|
might cause issues e.g. with SSSD and sshd.
|
||||||
|
|
||||||
|
The patch makes sure the default service principals 'host' and
|
||||||
|
'RestrictedKrbHost' are always added during join.
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1644311
|
||||||
|
---
|
||||||
|
library/adenroll.c | 36 ++++++++++++++++++++++++++++++------
|
||||||
|
1 file changed, 30 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index 58362c2..d1f746c 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -288,16 +288,23 @@ ensure_computer_password (adcli_result res,
|
||||||
|
}
|
||||||
|
|
||||||
|
static adcli_result
|
||||||
|
-ensure_service_names (adcli_result res,
|
||||||
|
- adcli_enroll *enroll)
|
||||||
|
+ensure_default_service_names (adcli_enroll *enroll)
|
||||||
|
{
|
||||||
|
int length = 0;
|
||||||
|
|
||||||
|
- if (res != ADCLI_SUCCESS)
|
||||||
|
- return res;
|
||||||
|
+ if (enroll->service_names != NULL) {
|
||||||
|
+ length = seq_count (enroll->service_names);
|
||||||
|
|
||||||
|
- if (enroll->service_names || enroll->service_principals)
|
||||||
|
- return ADCLI_SUCCESS;
|
||||||
|
+ /* Make sure there is no entry with an unexpected case. AD
|
||||||
|
+ * would not care but since the client side is case-sensitive
|
||||||
|
+ * we should make sure we use the expected spelling. */
|
||||||
|
+ seq_remove_unsorted (enroll->service_names,
|
||||||
|
+ &length, "host",
|
||||||
|
+ (seq_compar)strcasecmp, free);
|
||||||
|
+ seq_remove_unsorted (enroll->service_names,
|
||||||
|
+ &length, "RestrictedKrbHost",
|
||||||
|
+ (seq_compar)strcasecmp, free);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* The default ones specified by MS */
|
||||||
|
enroll->service_names = _adcli_strv_add (enroll->service_names,
|
||||||
|
@@ -307,6 +314,19 @@ ensure_service_names (adcli_result res,
|
||||||
|
return ADCLI_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static adcli_result
|
||||||
|
+ensure_service_names (adcli_result res,
|
||||||
|
+ adcli_enroll *enroll)
|
||||||
|
+{
|
||||||
|
+ if (res != ADCLI_SUCCESS)
|
||||||
|
+ return res;
|
||||||
|
+
|
||||||
|
+ if (enroll->service_names || enroll->service_principals)
|
||||||
|
+ return ADCLI_SUCCESS;
|
||||||
|
+
|
||||||
|
+ return ensure_default_service_names (enroll);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static adcli_result
|
||||||
|
add_service_names_to_service_principals (adcli_enroll *enroll)
|
||||||
|
{
|
||||||
|
@@ -2039,6 +2059,10 @@ adcli_enroll_join (adcli_enroll *enroll,
|
||||||
|
if (res != ADCLI_SUCCESS)
|
||||||
|
return res;
|
||||||
|
|
||||||
|
+ res = ensure_default_service_names (enroll);
|
||||||
|
+ if (res != ADCLI_SUCCESS)
|
||||||
|
+ return res;
|
||||||
|
+
|
||||||
|
res = adcli_enroll_prepare (enroll, flags);
|
||||||
|
if (res != ADCLI_SUCCESS)
|
||||||
|
return res;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,92 @@
|
|||||||
|
From 85b835f8258a57e3b23de47a255dddd822d5bfb3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 15 Mar 2019 17:33:44 +0100
|
||||||
|
Subject: [PATCH] library: use getaddrinfo with AI_CANONNAME to find a FQDN
|
||||||
|
|
||||||
|
Currently adcli creates service principals only with a short name if the
|
||||||
|
hostname of the client is a short name. This would fail is
|
||||||
|
Kerberos/GSSAPI clients will use the fully-qualified domain name (FQDN)
|
||||||
|
to access the host.
|
||||||
|
|
||||||
|
With this patch adcli tries to expand the short name by calling
|
||||||
|
getaddrinfo with the AI_CANONNAME hint.
|
||||||
|
|
||||||
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/1
|
||||||
|
---
|
||||||
|
doc/adcli.xml | 6 +++++-
|
||||||
|
library/adconn.c | 30 +++++++++++++++++++++++++++++-
|
||||||
|
2 files changed, 34 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/adcli.xml b/doc/adcli.xml
|
||||||
|
index 97dec08..4722c3a 100644
|
||||||
|
--- a/doc/adcli.xml
|
||||||
|
+++ b/doc/adcli.xml
|
||||||
|
@@ -228,7 +228,11 @@ Password for Administrator:
|
||||||
|
<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
|
||||||
|
<listitem><para>Override the local machine's fully qualified
|
||||||
|
domain name. If not specified, the local machine's hostname
|
||||||
|
- will be retrieved via <function>gethostname()</function>.</para></listitem>
|
||||||
|
+ will be retrieved via <function>gethostname()</function>.
|
||||||
|
+ If <function>gethostname()</function> only returns a short name
|
||||||
|
+ <function>getaddrinfo()</function> with the AI_CANONNAME hint
|
||||||
|
+ is called to expand the name to a fully qualified domain
|
||||||
|
+ name.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
|
||||||
|
diff --git a/library/adconn.c b/library/adconn.c
|
||||||
|
index e2250e3..f6c23d3 100644
|
||||||
|
--- a/library/adconn.c
|
||||||
|
+++ b/library/adconn.c
|
||||||
|
@@ -86,11 +86,36 @@ struct _adcli_conn_ctx {
|
||||||
|
krb5_keytab keytab;
|
||||||
|
};
|
||||||
|
|
||||||
|
+static char *try_to_get_fqdn (const char *host_name)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ char *fqdn = NULL;
|
||||||
|
+ struct addrinfo *res;
|
||||||
|
+ struct addrinfo hints;
|
||||||
|
+
|
||||||
|
+ memset (&hints, 0, sizeof (struct addrinfo));
|
||||||
|
+ hints.ai_socktype = SOCK_DGRAM;
|
||||||
|
+ hints.ai_flags = AI_CANONNAME;
|
||||||
|
+
|
||||||
|
+ ret = getaddrinfo (host_name, NULL, &hints, &res);
|
||||||
|
+ if (ret != 0) {
|
||||||
|
+ _adcli_err ("Failed to find FQDN: %s", gai_strerror (ret));
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ fqdn = strdup (res->ai_canonname);
|
||||||
|
+
|
||||||
|
+ freeaddrinfo (res);
|
||||||
|
+
|
||||||
|
+ return fqdn;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static adcli_result
|
||||||
|
ensure_host_fqdn (adcli_result res,
|
||||||
|
adcli_conn *conn)
|
||||||
|
{
|
||||||
|
char hostname[HOST_NAME_MAX + 1];
|
||||||
|
+ char *fqdn = NULL;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if (res != ADCLI_SUCCESS)
|
||||||
|
@@ -107,7 +132,10 @@ ensure_host_fqdn (adcli_result res,
|
||||||
|
return ADCLI_ERR_UNEXPECTED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- conn->host_fqdn = strdup (hostname);
|
||||||
|
+ if (strchr (hostname, '.') == NULL) {
|
||||||
|
+ fqdn = try_to_get_fqdn (hostname);
|
||||||
|
+ }
|
||||||
|
+ conn->host_fqdn = fqdn != NULL ? fqdn : strdup (hostname);
|
||||||
|
return_unexpected_if_fail (conn->host_fqdn != NULL);
|
||||||
|
return ADCLI_SUCCESS;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
152
0001-tools-properly-release-internal-data-on-error.patch
Normal file
152
0001-tools-properly-release-internal-data-on-error.patch
Normal file
@ -0,0 +1,152 @@
|
|||||||
|
From 41fdcb1af885d99a91e27406e9343b322f67756a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 28 Jun 2018 20:13:26 +0200
|
||||||
|
Subject: [PATCH] tools: properly release internal data on error
|
||||||
|
|
||||||
|
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1588596
|
||||||
|
---
|
||||||
|
tools/computer.c | 39 ++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 36 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/computer.c b/tools/computer.c
|
||||||
|
index 3813f0a..112340e 100644
|
||||||
|
--- a/tools/computer.c
|
||||||
|
+++ b/tools/computer.c
|
||||||
|
@@ -415,11 +415,16 @@ adcli_tool_computer_join (adcli_conn *conn,
|
||||||
|
|
||||||
|
if (argc == 1)
|
||||||
|
adcli_conn_set_domain_name (conn, argv[0]);
|
||||||
|
- else if (argc > 1)
|
||||||
|
+ else if (argc > 1) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (2, "extra arguments specified");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
res = adcli_conn_connect (conn);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't connect to %s domain: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -427,6 +432,8 @@ adcli_tool_computer_join (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_enroll_join (enroll, flags);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "joining domain %s failed: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -525,12 +532,16 @@ adcli_tool_computer_update (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_enroll_load (enroll);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't lookup domain info from keytab: %s",
|
||||||
|
adcli_get_last_error ());
|
||||||
|
}
|
||||||
|
|
||||||
|
res = adcli_conn_connect (conn);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't connect to %s domain: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -538,6 +549,8 @@ adcli_tool_computer_update (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_enroll_update (enroll, flags);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "updating membership with domain %s failed: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -630,6 +643,8 @@ adcli_tool_computer_preset (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_conn_connect (conn);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't connect to %s domain: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -643,6 +658,8 @@ adcli_tool_computer_preset (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_enroll_join (enroll, flags);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "presetting %s in %s domain failed: %s", argv[i],
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -707,11 +724,16 @@ adcli_tool_computer_reset (adcli_conn *conn,
|
||||||
|
argc -= optind;
|
||||||
|
argv += optind;
|
||||||
|
|
||||||
|
- if (argc != 1)
|
||||||
|
+ if (argc != 1) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (EUSAGE, "specify one host name of computer account to reset");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
res = adcli_conn_connect (conn);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't connect to %s domain: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -722,6 +744,8 @@ adcli_tool_computer_reset (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_enroll_password (enroll, 0);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "resetting %s in %s domain failed: %s", argv[0],
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -781,19 +805,26 @@ adcli_tool_computer_delete (adcli_conn *conn,
|
||||||
|
argc -= optind;
|
||||||
|
argv += optind;
|
||||||
|
|
||||||
|
- if (argc > 1)
|
||||||
|
+ if (argc > 1) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (EUSAGE, "specify one host name of computer account to delete");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);
|
||||||
|
|
||||||
|
res = adcli_enroll_load (enroll);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't lookup domain info from keytab: %s",
|
||||||
|
adcli_get_last_error ());
|
||||||
|
}
|
||||||
|
|
||||||
|
res = adcli_conn_connect (conn);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "couldn't connect to %s domain: %s",
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
@@ -804,6 +835,8 @@ adcli_tool_computer_delete (adcli_conn *conn,
|
||||||
|
|
||||||
|
res = adcli_enroll_delete (enroll, 0);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_enroll_unref (enroll);
|
||||||
|
+ adcli_conn_unref (conn);
|
||||||
|
errx (-res, "deleting %s in %s domain failed: %s", argv[0],
|
||||||
|
adcli_conn_get_domain_name (conn),
|
||||||
|
adcli_get_last_error ());
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,25 @@
|
|||||||
|
From 8cc4ef1cae7d4d753f2cf9aeb8021dd96cb75d36 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 8 Aug 2018 12:17:18 +0200
|
||||||
|
Subject: [PATCH 2/4] _adcli_call_external_program: silence noisy debug message
|
||||||
|
|
||||||
|
---
|
||||||
|
library/adutil.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/library/adutil.c b/library/adutil.c
|
||||||
|
index 6334b52..17d2caa 100644
|
||||||
|
--- a/library/adutil.c
|
||||||
|
+++ b/library/adutil.c
|
||||||
|
@@ -672,7 +672,7 @@ done:
|
||||||
|
if (wret == -1) {
|
||||||
|
_adcli_err ("No sure what happend to net command.");
|
||||||
|
} else {
|
||||||
|
- if (WIFEXITED (status)) {
|
||||||
|
+ if (WIFEXITED (status) && WEXITSTATUS (status) != 0) {
|
||||||
|
_adcli_err ("net command failed with %d.",
|
||||||
|
WEXITSTATUS (status));
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -0,0 +1,83 @@
|
|||||||
|
From 0c027538f398b3823bedbfbf5f388ad97784a0ec Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 16 Nov 2018 13:32:59 +0100
|
||||||
|
Subject: [PATCH 2/2] adenroll: use _adcli_strv_add_unique for service
|
||||||
|
principals
|
||||||
|
|
||||||
|
Check if service principals is already in the list before adding it.
|
||||||
|
|
||||||
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/16
|
||||||
|
---
|
||||||
|
library/adenroll.c | 31 ++++++++-----------------------
|
||||||
|
1 file changed, 8 insertions(+), 23 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index de2242a..e02f403 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -313,7 +313,6 @@ add_service_names_to_service_principals (adcli_enroll *enroll)
|
||||||
|
char *name;
|
||||||
|
int length = 0;
|
||||||
|
int i;
|
||||||
|
- size_t c;
|
||||||
|
|
||||||
|
if (enroll->service_principals != NULL) {
|
||||||
|
length = seq_count (enroll->service_principals);
|
||||||
|
@@ -322,28 +321,14 @@ add_service_names_to_service_principals (adcli_enroll *enroll)
|
||||||
|
for (i = 0; enroll->service_names[i] != NULL; i++) {
|
||||||
|
if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->computer_name) < 0)
|
||||||
|
return_unexpected_if_reached ();
|
||||||
|
- for (c = 0; enroll->service_principals != NULL && enroll->service_principals[c] != NULL; c++) {
|
||||||
|
- if (strcmp (name, enroll->service_principals[c]) == 0) {
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- if (enroll->service_principals == NULL || enroll->service_principals[c] == NULL) {
|
||||||
|
- enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
- name, &length);
|
||||||
|
- }
|
||||||
|
+ enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals,
|
||||||
|
+ name, &length, false);
|
||||||
|
|
||||||
|
if (enroll->host_fqdn) {
|
||||||
|
if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->host_fqdn) < 0)
|
||||||
|
return_unexpected_if_reached ();
|
||||||
|
- for (c = 0; enroll->service_principals != NULL && enroll->service_principals[c] != NULL; c++) {
|
||||||
|
- if (strcmp (name, enroll->service_principals[c]) == 0) {
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- if (enroll->service_principals == NULL || enroll->service_principals[c] == NULL) {
|
||||||
|
- enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
- name, &length);
|
||||||
|
- }
|
||||||
|
+ enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals,
|
||||||
|
+ name, &length, false);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -364,9 +349,9 @@ add_and_remove_service_principals (adcli_enroll *enroll)
|
||||||
|
list = adcli_enroll_get_service_principals_to_add (enroll);
|
||||||
|
if (list != NULL) {
|
||||||
|
for (c = 0; list[c] != NULL; c++) {
|
||||||
|
- enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
- strdup (list[c]),
|
||||||
|
- &length);
|
||||||
|
+ enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals,
|
||||||
|
+ strdup (list[c]),
|
||||||
|
+ &length, false);
|
||||||
|
if (enroll->service_principals == NULL) {
|
||||||
|
return ADCLI_ERR_UNEXPECTED;
|
||||||
|
}
|
||||||
|
@@ -1525,7 +1510,7 @@ load_keytab_entry (krb5_context k5,
|
||||||
|
value = strdup (name);
|
||||||
|
return_val_if_fail (value != NULL, FALSE);
|
||||||
|
_adcli_info ("Found service principal in keytab: %s", value);
|
||||||
|
- enroll->service_principals = _adcli_strv_add (enroll->service_principals, value, NULL);
|
||||||
|
+ enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals, value, NULL, false);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
147
0002-create-user-try-to-find-NIS-domain-if-needed.patch
Normal file
147
0002-create-user-try-to-find-NIS-domain-if-needed.patch
Normal file
@ -0,0 +1,147 @@
|
|||||||
|
From 408880a11879b1a57a450e25c77ef2e310bdffd5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 18 Mar 2019 16:45:54 +0100
|
||||||
|
Subject: [PATCH 2/2] create-user: try to find NIS domain if needed
|
||||||
|
|
||||||
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/2
|
||||||
|
---
|
||||||
|
doc/adcli.xml | 4 +++-
|
||||||
|
library/adentry.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
library/adentry.h | 2 ++
|
||||||
|
tools/entry.c | 16 ++++++++++++++++
|
||||||
|
4 files changed, 65 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/doc/adcli.xml b/doc/adcli.xml
|
||||||
|
index 18620c0..af73433 100644
|
||||||
|
--- a/doc/adcli.xml
|
||||||
|
+++ b/doc/adcli.xml
|
||||||
|
@@ -537,7 +537,9 @@ $ adcli create-user Fry --domain=domain.example.com \
|
||||||
|
the new created user account, which should be the user's
|
||||||
|
NIS domain is the NIS/YP service of Active Directory's Services for Unix (SFU)
|
||||||
|
are used. This is needed to let the 'UNIX attributes' tab of older Active
|
||||||
|
- Directoy versions show the set UNIX specific attributes.</para></listitem>
|
||||||
|
+ Directoy versions show the set UNIX specific attributes. If not specified
|
||||||
|
+ adcli will try to determine the NIS domain automatically if needed.
|
||||||
|
+ </para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
diff --git a/library/adentry.c b/library/adentry.c
|
||||||
|
index 9b9e1c6..1cc0518 100644
|
||||||
|
--- a/library/adentry.c
|
||||||
|
+++ b/library/adentry.c
|
||||||
|
@@ -484,3 +484,47 @@ adcli_entry_new_group (adcli_conn *conn,
|
||||||
|
return_val_if_fail (sam_name != NULL, NULL);
|
||||||
|
return entry_new (conn, "group", group_entry_builder, sam_name);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+adcli_result
|
||||||
|
+adcli_get_nis_domain (adcli_entry *entry,
|
||||||
|
+ adcli_attrs *attrs)
|
||||||
|
+{
|
||||||
|
+ LDAP *ldap;
|
||||||
|
+ const char *ldap_attrs[] = { "cn", NULL };
|
||||||
|
+ LDAPMessage *results;
|
||||||
|
+ LDAPMessage *ldap_entry;
|
||||||
|
+ char *base;
|
||||||
|
+ const char *filter = "objectClass=msSFU30DomainInfo";
|
||||||
|
+ char *cn;
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ ldap = adcli_conn_get_ldap_connection (entry->conn);
|
||||||
|
+ return_unexpected_if_fail (ldap != NULL);
|
||||||
|
+
|
||||||
|
+ if (asprintf (&base, "CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s",
|
||||||
|
+ adcli_conn_get_default_naming_context (entry->conn)) < 0) {
|
||||||
|
+ return_unexpected_if_reached ();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_SUB, filter, (char **)ldap_attrs,
|
||||||
|
+ 0, NULL, NULL, NULL, -1, &results);
|
||||||
|
+
|
||||||
|
+ free (base);
|
||||||
|
+
|
||||||
|
+ if (ret != LDAP_SUCCESS) {
|
||||||
|
+ /* No NIS domain available */
|
||||||
|
+ ldap_msgfree (results);
|
||||||
|
+ return ADCLI_SUCCESS;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ldap_entry = ldap_first_entry (ldap, results);
|
||||||
|
+ if (ldap_entry != NULL) {
|
||||||
|
+ cn = _adcli_ldap_parse_value (ldap, ldap_entry, "cn");
|
||||||
|
+ return_unexpected_if_fail (cn != NULL);
|
||||||
|
+
|
||||||
|
+ adcli_attrs_add (attrs, "msSFU30NisDomain", cn, NULL);
|
||||||
|
+ }
|
||||||
|
+ ldap_msgfree (results);
|
||||||
|
+
|
||||||
|
+ return ADCLI_SUCCESS;
|
||||||
|
+}
|
||||||
|
diff --git a/library/adentry.h b/library/adentry.h
|
||||||
|
index eb8bc00..ae90689 100644
|
||||||
|
--- a/library/adentry.h
|
||||||
|
+++ b/library/adentry.h
|
||||||
|
@@ -58,4 +58,6 @@ const char * adcli_entry_get_sam_name (adcli_entry *entry);
|
||||||
|
|
||||||
|
const char * adcli_entry_get_dn (adcli_entry *entry);
|
||||||
|
|
||||||
|
+adcli_result adcli_get_nis_domain (adcli_entry *entry,
|
||||||
|
+ adcli_attrs *attrs);
|
||||||
|
#endif /* ADENTRY_H_ */
|
||||||
|
diff --git a/tools/entry.c b/tools/entry.c
|
||||||
|
index 69ce62c..de56586 100644
|
||||||
|
--- a/tools/entry.c
|
||||||
|
+++ b/tools/entry.c
|
||||||
|
@@ -153,6 +153,8 @@ adcli_tool_user_create (adcli_conn *conn,
|
||||||
|
adcli_attrs *attrs;
|
||||||
|
const char *ou = NULL;
|
||||||
|
int opt;
|
||||||
|
+ bool has_unix_attr = false;
|
||||||
|
+ bool has_nis_domain = false;
|
||||||
|
|
||||||
|
struct option options[] = {
|
||||||
|
{ "display-name", required_argument, NULL, opt_display_name },
|
||||||
|
@@ -193,18 +195,23 @@ adcli_tool_user_create (adcli_conn *conn,
|
||||||
|
break;
|
||||||
|
case opt_unix_home:
|
||||||
|
adcli_attrs_add (attrs, "unixHomeDirectory", optarg, NULL);
|
||||||
|
+ has_unix_attr = true;
|
||||||
|
break;
|
||||||
|
case opt_unix_uid:
|
||||||
|
adcli_attrs_add (attrs, "uidNumber", optarg, NULL);
|
||||||
|
+ has_unix_attr = true;
|
||||||
|
break;
|
||||||
|
case opt_unix_gid:
|
||||||
|
adcli_attrs_add (attrs, "gidNumber", optarg, NULL);
|
||||||
|
+ has_unix_attr = true;
|
||||||
|
break;
|
||||||
|
case opt_unix_shell:
|
||||||
|
adcli_attrs_add (attrs, "loginShell", optarg, NULL);
|
||||||
|
+ has_unix_attr = true;
|
||||||
|
break;
|
||||||
|
case opt_nis_domain:
|
||||||
|
adcli_attrs_add (attrs, "msSFU30NisDomain", optarg, NULL);
|
||||||
|
+ has_nis_domain = true;
|
||||||
|
break;
|
||||||
|
case opt_domain_ou:
|
||||||
|
ou = optarg;
|
||||||
|
@@ -242,6 +249,15 @@ adcli_tool_user_create (adcli_conn *conn,
|
||||||
|
adcli_get_last_error ());
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (has_unix_attr && !has_nis_domain) {
|
||||||
|
+ res = adcli_get_nis_domain (entry, attrs);
|
||||||
|
+ if (res != ADCLI_SUCCESS) {
|
||||||
|
+ adcli_entry_unref (entry);
|
||||||
|
+ adcli_attrs_free (attrs);
|
||||||
|
+ errx (-res, "couldn't get NIS domain");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
res = adcli_entry_create (entry, attrs);
|
||||||
|
if (res != ADCLI_SUCCESS) {
|
||||||
|
errx (-res, "creating user %s in domain %s failed: %s",
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
42
0002-library-make-_adcli_strv_has_ex-public.patch
Normal file
42
0002-library-make-_adcli_strv_has_ex-public.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
From e1b45e66bc185f5db4c252e1f3fb1b4400b4538e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 22 Mar 2019 10:36:38 +0100
|
||||||
|
Subject: [PATCH 2/4] library: make _adcli_strv_has_ex public
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
||||||
|
---
|
||||||
|
library/adprivate.h | 4 ++++
|
||||||
|
library/adutil.c | 2 +-
|
||||||
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/library/adprivate.h b/library/adprivate.h
|
||||||
|
index 0806430..55e6234 100644
|
||||||
|
--- a/library/adprivate.h
|
||||||
|
+++ b/library/adprivate.h
|
||||||
|
@@ -125,6 +125,10 @@ void _adcli_strv_free (char **strv);
|
||||||
|
int _adcli_strv_has (char **strv,
|
||||||
|
const char *str);
|
||||||
|
|
||||||
|
+int _adcli_strv_has_ex (char **strv,
|
||||||
|
+ const char *str,
|
||||||
|
+ int (* compare) (const char *match, const char*value));
|
||||||
|
+
|
||||||
|
char ** _adcli_strv_dup (char **strv) GNUC_WARN_UNUSED;
|
||||||
|
|
||||||
|
char * _adcli_strv_join (char **strv,
|
||||||
|
diff --git a/library/adutil.c b/library/adutil.c
|
||||||
|
index 76ea158..9b0c47f 100644
|
||||||
|
--- a/library/adutil.c
|
||||||
|
+++ b/library/adutil.c
|
||||||
|
@@ -221,7 +221,7 @@ _adcli_strv_add (char **strv,
|
||||||
|
return seq_push (strv, length, string);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int
|
||||||
|
+int
|
||||||
|
_adcli_strv_has_ex (char **strv,
|
||||||
|
const char *str,
|
||||||
|
int (* compare) (const char *match, const char*value))
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
35
0002-library-return-error-if-no-matching-key-was-found.patch
Normal file
35
0002-library-return-error-if-no-matching-key-was-found.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From 4987a21f4839ab7ea50e932c72df05075efb89b3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 21 Mar 2019 15:05:33 +0100
|
||||||
|
Subject: [PATCH 2/2] library: return error if no matching key was found
|
||||||
|
|
||||||
|
To avoid a misleading debug message indicating success a proper erro
|
||||||
|
code should be returned the no matching key was found when trying to
|
||||||
|
copy an keytab entry for a new principal.
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1644311
|
||||||
|
---
|
||||||
|
library/adkrb5.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adkrb5.c b/library/adkrb5.c
|
||||||
|
index 033c181..7f77373 100644
|
||||||
|
--- a/library/adkrb5.c
|
||||||
|
+++ b/library/adkrb5.c
|
||||||
|
@@ -298,11 +298,10 @@ _adcli_krb5_keytab_copy_entries (krb5_context k5,
|
||||||
|
|
||||||
|
code = _adcli_krb5_get_keyblock (k5, keytab, &entry.key,
|
||||||
|
match_enctype_and_kvno, &closure);
|
||||||
|
- if (code != 0) {
|
||||||
|
- return code;
|
||||||
|
+ if (code != 0 || closure.matched == 0) {
|
||||||
|
+ return code != 0 ? code : ENOKEY;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
entry.principal = principal;
|
||||||
|
entry.vno = kvno;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
57
0003-Do-not-add-service-principals-twice.patch
Normal file
57
0003-Do-not-add-service-principals-twice.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
From f05adc23d5cc9f1dfa5638e31949dcd81d632df9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 13 Aug 2018 17:32:24 +0200
|
||||||
|
Subject: [PATCH 3/4] Do not add service principals twice
|
||||||
|
|
||||||
|
---
|
||||||
|
library/adenroll.c | 23 +++++++++++++++++++----
|
||||||
|
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index c4ba537..bb50365 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -313,6 +313,7 @@ add_service_names_to_service_principals (adcli_enroll *enroll)
|
||||||
|
char *name;
|
||||||
|
int length = 0;
|
||||||
|
int i;
|
||||||
|
+ size_t c;
|
||||||
|
|
||||||
|
if (enroll->service_principals != NULL) {
|
||||||
|
length = seq_count (enroll->service_principals);
|
||||||
|
@@ -321,14 +322,28 @@ add_service_names_to_service_principals (adcli_enroll *enroll)
|
||||||
|
for (i = 0; enroll->service_names[i] != NULL; i++) {
|
||||||
|
if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->computer_name) < 0)
|
||||||
|
return_unexpected_if_reached ();
|
||||||
|
- enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
- name, &length);
|
||||||
|
+ for (c = 0; enroll->service_principals != NULL && enroll->service_principals[c] != NULL; c++) {
|
||||||
|
+ if (strcmp (name, enroll->service_principals[c]) == 0) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (enroll->service_principals == NULL || enroll->service_principals[c] == NULL) {
|
||||||
|
+ enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
+ name, &length);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (enroll->host_fqdn) {
|
||||||
|
if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->host_fqdn) < 0)
|
||||||
|
return_unexpected_if_reached ();
|
||||||
|
- enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
- name, &length);
|
||||||
|
+ for (c = 0; enroll->service_principals != NULL && enroll->service_principals[c] != NULL; c++) {
|
||||||
|
+ if (strcmp (name, enroll->service_principals[c]) == 0) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (enroll->service_principals == NULL || enroll->service_principals[c] == NULL) {
|
||||||
|
+ enroll->service_principals = _adcli_strv_add (enroll->service_principals,
|
||||||
|
+ name, &length);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From 10a4dbb5978b6f05cf75f820d97da908e735ace8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 22 Mar 2019 10:37:11 +0100
|
||||||
|
Subject: [PATCH 3/4] library: _adcli_krb5_build_principal allow principals as
|
||||||
|
names
|
||||||
|
|
||||||
|
Make _adcli_krb5_build_principal a bit more robust by checking if the
|
||||||
|
given name already contains a realm suffix.
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
||||||
|
---
|
||||||
|
library/adkrb5.c | 12 ++++++++----
|
||||||
|
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/library/adkrb5.c b/library/adkrb5.c
|
||||||
|
index 7f77373..da835d7 100644
|
||||||
|
--- a/library/adkrb5.c
|
||||||
|
+++ b/library/adkrb5.c
|
||||||
|
@@ -41,12 +41,16 @@ _adcli_krb5_build_principal (krb5_context k5,
|
||||||
|
krb5_principal *principal)
|
||||||
|
{
|
||||||
|
krb5_error_code code;
|
||||||
|
- char *name;
|
||||||
|
+ char *name = NULL;
|
||||||
|
|
||||||
|
- if (asprintf (&name, "%s@%s", user, realm) < 0)
|
||||||
|
- return_val_if_reached (ENOMEM);
|
||||||
|
+ /* Use user if user contains a @-character and add @realm otherwise */
|
||||||
|
+ if (strchr (user, '@') == NULL) {
|
||||||
|
+ if (asprintf (&name, "%s@%s", user, realm) < 0) {
|
||||||
|
+ return_val_if_reached (ENOMEM);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- code = krb5_parse_name (k5, name, principal);
|
||||||
|
+ code = krb5_parse_name (k5, name != NULL ? name : user, principal);
|
||||||
|
return_val_if_fail (code == 0, code);
|
||||||
|
|
||||||
|
free (name);
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
27
0004-Do-not-depend-on-default_realm-in-krb5.conf.patch
Normal file
27
0004-Do-not-depend-on-default_realm-in-krb5.conf.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From 8f726817b9ff643a382fa12ea9ff489cd5ab9068 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 13 Aug 2018 18:24:58 +0200
|
||||||
|
Subject: [PATCH 4/4] Do not depend on default_realm in krb5.conf
|
||||||
|
|
||||||
|
---
|
||||||
|
library/adenroll.c | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index bb50365..02bd9e3 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -1661,7 +1661,9 @@ remove_principal_from_keytab (adcli_enroll *enroll,
|
||||||
|
krb5_principal principal;
|
||||||
|
match_principal_kvno closure;
|
||||||
|
|
||||||
|
- code = krb5_parse_name (k5, principal_name, &principal);
|
||||||
|
+ code = _adcli_krb5_build_principal (k5, principal_name,
|
||||||
|
+ adcli_conn_get_domain_realm (enroll->conn),
|
||||||
|
+ &principal);
|
||||||
|
if (code != 0) {
|
||||||
|
_adcli_err ("Couldn't parse principal: %s: %s",
|
||||||
|
principal_name, krb5_get_error_message (k5, code));
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
82
0004-library-make-sure-server-side-SPNs-are-preserved.patch
Normal file
82
0004-library-make-sure-server-side-SPNs-are-preserved.patch
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
From 972f1a2f35829ed89f5353bd204683aa9ad6a2d2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 22 Mar 2019 10:37:57 +0100
|
||||||
|
Subject: [PATCH 4/4] library: make sure server side SPNs are preserved
|
||||||
|
|
||||||
|
adcli should not delete service principal names (SPNs) unexpectedly. If
|
||||||
|
a SPN was added on the server while presetting a host or updating an
|
||||||
|
existing entry and upcoming adcli join or update should preserver this
|
||||||
|
change.
|
||||||
|
|
||||||
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
||||||
|
---
|
||||||
|
library/adenroll.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 46 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
||||||
|
index 48cb4cf..1cce86a 100644
|
||||||
|
--- a/library/adenroll.c
|
||||||
|
+++ b/library/adenroll.c
|
||||||
|
@@ -1961,6 +1961,47 @@ adcli_enroll_prepare (adcli_enroll *enroll,
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static adcli_result
|
||||||
|
+add_server_side_service_principals (adcli_enroll *enroll)
|
||||||
|
+{
|
||||||
|
+ char **spn_list;
|
||||||
|
+ LDAP *ldap;
|
||||||
|
+ size_t c;
|
||||||
|
+ int length = 0;
|
||||||
|
+ adcli_result res;
|
||||||
|
+
|
||||||
|
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
|
||||||
|
+ assert (ldap != NULL);
|
||||||
|
+
|
||||||
|
+ spn_list = _adcli_ldap_parse_values (ldap, enroll->computer_attributes,
|
||||||
|
+ "servicePrincipalName");
|
||||||
|
+ if (spn_list == NULL) {
|
||||||
|
+ return ADCLI_SUCCESS;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (enroll->service_principals != NULL) {
|
||||||
|
+ length = seq_count (enroll->service_principals);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (c = 0; spn_list[c] != NULL; c++) {
|
||||||
|
+ _adcli_info ("Checking %s", spn_list[c]);
|
||||||
|
+ if (!_adcli_strv_has_ex (enroll->service_principals_to_remove, spn_list[c], strcasecmp)) {
|
||||||
|
+ enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals,
|
||||||
|
+ spn_list[c], &length, false);
|
||||||
|
+ assert (enroll->service_principals != NULL);
|
||||||
|
+ _adcli_info (" Added %s", spn_list[c]);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ _adcli_strv_free (spn_list);
|
||||||
|
+
|
||||||
|
+ res = ensure_keytab_principals (ADCLI_SUCCESS, enroll);
|
||||||
|
+ if (res != ADCLI_SUCCESS) {
|
||||||
|
+ return res;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ADCLI_SUCCESS;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static adcli_result
|
||||||
|
enroll_join_or_update_tasks (adcli_enroll *enroll,
|
||||||
|
adcli_enroll_flags flags)
|
||||||
|
@@ -2019,6 +2060,11 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
||||||
|
update_and_calculate_enctypes (enroll);
|
||||||
|
update_computer_account (enroll);
|
||||||
|
|
||||||
|
+ res = add_server_side_service_principals (enroll);
|
||||||
|
+ if (res != ADCLI_SUCCESS) {
|
||||||
|
+ return res;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* service_names is only set from input on the command line, so no
|
||||||
|
* additional check for explicit is needed here */
|
||||||
|
if (enroll->service_names != NULL) {
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
76
adcli.spec
76
adcli.spec
@ -1,6 +1,6 @@
|
|||||||
Name: adcli
|
Name: adcli
|
||||||
Version: 0.8.2
|
Version: 0.8.2
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: Active Directory enrollment
|
Summary: Active Directory enrollment
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://cgit.freedesktop.org/realmd/adcli
|
URL: http://cgit.freedesktop.org/realmd/adcli
|
||||||
@ -31,6 +31,48 @@ Patch22: 0022-Add-add-service-principal-and-remove-service-princip.patch
|
|||||||
Patch23: 0023-adcli_conn_is_writeable-do-not-crash-id-domain_disco.patch
|
Patch23: 0023-adcli_conn_is_writeable-do-not-crash-id-domain_disco.patch
|
||||||
Patch24: 0024-doc-fix-typos-in-the-adcli-man-page.patch
|
Patch24: 0024-doc-fix-typos-in-the-adcli-man-page.patch
|
||||||
|
|
||||||
|
# Additional fixes for rhbz#1593240
|
||||||
|
Patch25: 0001-fix-typo-in-flag-value.patch
|
||||||
|
Patch26: 0002-_adcli_call_external_program-silence-noisy-debug-mes.patch
|
||||||
|
|
||||||
|
# rhbz#1608212
|
||||||
|
Patch27: 0003-Do-not-add-service-principals-twice.patch
|
||||||
|
|
||||||
|
# Additional fixed for rhbz#1547014
|
||||||
|
Patch28: 0004-Do-not-depend-on-default_realm-in-krb5.conf.patch
|
||||||
|
|
||||||
|
# rhbz#1649868
|
||||||
|
Patch29: 0001-adutil-add-_adcli_strv_add_unique.patch
|
||||||
|
Patch30: 0002-adenroll-use-_adcli_strv_add_unique-for-service-prin.patch
|
||||||
|
|
||||||
|
# rhbz#1588596 - many adcli-krb5-????? directories are created /tmp
|
||||||
|
Patch31: 0001-tools-properly-release-internal-data-on-error.patch
|
||||||
|
|
||||||
|
# rhbz#1642546 - adcli exports kerberos ticket with old kvno
|
||||||
|
Patch32: 0001-Increment-kvno-after-password-change-with-user-creds.patch
|
||||||
|
|
||||||
|
# rhbz#1595911 - [RFE] Have `adcli join` work without FQDN in `hostname` output
|
||||||
|
# with some additional man page fixes from rhbz#1440533
|
||||||
|
Patch33: 0001-library-use-getaddrinfo-with-AI_CANONNAME-to-find-a-.patch
|
||||||
|
|
||||||
|
# rhbz#1644311 - Improve handling of service principals
|
||||||
|
Patch34: 0001-join-always-add-service-principals.patch
|
||||||
|
Patch35: 0002-library-return-error-if-no-matching-key-was-found.patch
|
||||||
|
|
||||||
|
# rhbz#1337489 - [RFE] adcli command with --unix-* options doesn't update
|
||||||
|
# values in UnixAttributes Tab for user
|
||||||
|
Patch36: 0001-create-user-add-nis-domain-option.patch
|
||||||
|
Patch37: 0002-create-user-try-to-find-NIS-domain-if-needed.patch
|
||||||
|
|
||||||
|
# rhbz#1630187 - [RFE] adcli join should preserve SPN added by adcli preset-computer
|
||||||
|
Patch38: 0001-ensure_keytab_principals-do-not-leak-memory-when-cal.patch
|
||||||
|
Patch39: 0002-library-make-_adcli_strv_has_ex-public.patch
|
||||||
|
Patch40: 0003-library-_adcli_krb5_build_principal-allow-principals.patch
|
||||||
|
Patch41: 0004-library-make-sure-server-side-SPNs-are-preserved.patch
|
||||||
|
|
||||||
|
# rhbz#1622583 - [RFE] Need an option for adcli command which will show domain join status.
|
||||||
|
Patch42: 0001-Implement-adcli-testjoin.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: intltool pkgconfig
|
BuildRequires: intltool pkgconfig
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
@ -53,31 +95,7 @@ standard LDAP and Kerberos calls.
|
|||||||
%define _hardened_build 1
|
%define _hardened_build 1
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%autosetup -p1
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
|
||||||
%patch8 -p1
|
|
||||||
%patch9 -p1
|
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
|
||||||
%patch13 -p1
|
|
||||||
%patch14 -p1
|
|
||||||
%patch15 -p1
|
|
||||||
%patch16 -p1
|
|
||||||
%patch17 -p1
|
|
||||||
%patch18 -p1
|
|
||||||
%patch19 -p1
|
|
||||||
%patch20 -p1
|
|
||||||
%patch21 -p1
|
|
||||||
%patch22 -p1
|
|
||||||
%patch23 -p1
|
|
||||||
%patch24 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf --force --install --verbose
|
autoreconf --force --install --verbose
|
||||||
@ -111,6 +129,12 @@ documentation.
|
|||||||
%doc %{_datadir}/doc/adcli/*
|
%doc %{_datadir}/doc/adcli/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 22 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
|
||||||
|
- various fixes and improvements
|
||||||
|
Resolves: rhbz#1593240, rhbz#1608212, rhbz#1547014, rhbz#1547014,
|
||||||
|
rhbz#1649868, rhbz#1588596, rhbz#1642546, rhbz#1595911,
|
||||||
|
rhbz#1644311, rhbz#1337489, rhbz#1630187, rhbz#1622583
|
||||||
|
|
||||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-3
|
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user