various fixes and improvements

Resolves: rhbz#1683745, rhbz#1738573
Sumit Bose 2019-08-26 16:13:55 +02:00
parent 007aeec33f
commit aeef2617bc
4 changed files with 127 additions and 1 deletions


@ -0,0 +1,60 @@
From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Apr 2019 10:55:39 +0200
Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
Since the arcfour-hmac-md5 encryption types does not use salts it cannot
be used to discover the right salt.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
diff --git a/library/adkrb5.c b/library/adkrb5.c
index da835d7..be3ede5 100644
--- a/library/adkrb5.c
+++ b/library/adkrb5.c
@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
krb5_keytab scratch;
krb5_error_code code;
int i;
+ krb5_enctype *salt_enctypes = NULL;
+ size_t c;
+ size_t s;
/* TODO: This should be a unique name */
code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
return_val_if_fail (code == 0, code);
+ for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
+ salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+ return_val_if_fail (salt_enctypes != NULL, ENOMEM);
+
+ /* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
+ * discover the right salt. */
+ s = 0;
+ for (c = 0; enctypes[c] != 0; c++) {
+ if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
+ continue;
+ }
+
+ salt_enctypes[s++] = enctypes[c];
+ }
+
for (i = 0; salts[i].data != NULL; i++) {
code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
- password, enctypes, &salts[i]);
+ password, salt_enctypes, &salts[i]);
if (code == 0) {
*discovered = i;
break;
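Review bot: The allocation check `return_val_if_fail (salt_enctypes != NULL, ENOMEM);` sits after `krb5_kt_resolve` has already succeeded, so on that path `scratch` is never passed to `krb5_kt_close`. Handle the failure explicitly (close `scratch`, then return ENOMEM), as the Coverity patch in this same commit does for the same macro after a `calloc` in adenroll.c. Separately, when `enctypes` holds only ENCTYPE_ARCFOUR_HMAC the filtered list contains just the terminating 0, and what `_adcli_krb5_keytab_test_salt` returns for an empty list is not visible here; an explicit check for `s == 0`, or a comment stating the expected result, would make that case clear.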
@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
}
}
+ free (salt_enctypes);
krb5_kt_close (k5, scratch);
return code;
}
--
2.21.0


@ -0,0 +1,26 @@
From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 12 Aug 2019 17:28:20 +0200
Subject: [PATCH] Fix for issue found by Coverity
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
diff --git a/library/adenroll.c b/library/adenroll.c
index 53cd812..524663a 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
for (c = 0; cur_enctypes[c] != 0; c++);
new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
- return_val_if_fail (new_enctypes != NULL, NULL);
+ if (new_enctypes == NULL) {
+ krb5_free_enctypes (k5, permitted_enctypes);
+ return NULL;
+ }
n = 0;
for (c = 0; cur_enctypes[c] != 0; c++) {
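Review bot: The new `if (new_enctypes == NULL)` branch releases only `permitted_enctypes`, and the hunk does not show whether `cur_enctypes` is a separate allocation; if it is, it needs releasing on this path too. The branch also returns NULL with no diagnostic, so a caller cannot tell an allocation failure from any other NULL result. The subject line "Fix for issue found by Coverity" does not say what the issue was; naming it (the leak of `permitted_enctypes` on the early return) would make the patch self-explanatory.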
--
2.21.0


@ -0,0 +1,27 @@
From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 26 Aug 2019 13:33:24 +0200
Subject: [PATCH] doc: explain how to force password reset
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 094f577..4f201e0 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -330,7 +330,11 @@ Password for Administrator:
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details.</para>
+ <para>Note that if the machine account password is not
+ older than 30 days, you have to pass
+ <option>--computer-password-lifetime=0</option> to
+ force the update.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
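Review bot: In the added paragraph, "not older than 30 days" reads as a fixed threshold, while the option named in the same sentence, `--computer-password-lifetime`, implies the lifetime is configurable. Wording it as "not older than the configured password lifetime (30 days by default)" and cross-referencing the option's own entry would keep the note correct for hosts that use a different value. It would also help to state that the update being forced is a machine account password reset, so readers know what the flag changes.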
--
2.21.0


@ -1,6 +1,6 @@
Name: adcli
Version: 0.8.2
Release: 7%{?dist}
Release: 8%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli
@ -92,6 +92,15 @@ Patch53: 0003-adconn-add-adcli_conn_set_krb5_context.patch
Patch54: 0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
Patch55: 0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch
# Coverity fix related to fixes for rhbz#1727144
Patch56: 0001-Fix-for-issue-found-by-Coverity.patch
# rhbz#1683745 - Issue is that with arcfour-hmac as first encryption type
Patch57: 0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
# rhbz#1738573 - adcli update --add-samba-data does not work as expected
Patch58: 0001-doc-explain-how-to-force-password-reset.patch
BuildRequires: gcc
BuildRequires: intltool pkgconfig
BuildRequires: libtool
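Review bot: The comment above Patch57, "Issue is that with arcfour-hmac as first encryption type", stops mid-sentence and never says what goes wrong. Finish it with the consequence the patch addresses (arcfour-hmac-md5 does not use salts, so it cannot be used to discover the salt), so the spec explains the patch without a Bugzilla lookup.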
@ -148,6 +157,10 @@ documentation.
%doc %{_datadir}/doc/adcli/*
%changelog
* Mon Aug 26 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-8
- various fixes and improvements
Resolves: rhbz#1683745, rhbz#1738573
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
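Review bot: The changelog entry "various fixes and improvements" does not tell a package consumer what changed in 0.8.2-8. List the three additions by effect (arcfour-hmac-md5 excluded from salt discovery, cleanup on allocation failure in `adcli_enroll_get_permitted_keytab_enctypes`, documentation for `--computer-password-lifetime=0`) next to the `Resolves:` line.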