various fixes and improvements

Resolves: rhbz#1683745, rhbz#1738573
2019-08-26 16:13:55 +02:00 · 2019-08-26 16:13:55 +02:00 · aeef2617bc
commit aeef2617bc
parent 007aeec33f
4 changed files with 127 additions and 1 deletions
--- a/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
+++ b/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
@ -0,0 +1,60 @@
+From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Apr 2019 10:55:39 +0200
+Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
+
+Since the arcfour-hmac-md5 encryption types does not use salts it cannot
+be used to discover the right salt.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
+
+diff --git a/library/adkrb5.c b/library/adkrb5.c
+index da835d7..be3ede5 100644
+--- a/library/adkrb5.c
+++ b/library/adkrb5.c
+@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 	krb5_keytab scratch;
+ 	krb5_error_code code;
+ 	int i;
+	krb5_enctype *salt_enctypes = NULL;
+	size_t c;
+	size_t s;
+ 
+ 	/* TODO: This should be a unique name */
+ 
+ 	code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
+ 	return_val_if_fail (code == 0, code);
+ 
+	for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
+	salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+	return_val_if_fail (salt_enctypes != NULL, ENOMEM);
+
+	/* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
+	 * discover the right salt. */
+	s = 0;
+	for (c = 0; enctypes[c] != 0; c++) {
+		if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
+			continue;
+		}
+
+		salt_enctypes[s++] = enctypes[c];
+	}
+
+ 	for (i = 0; salts[i].data != NULL; i++) {
+ 		code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
+-		                                     password, enctypes, &salts[i]);
+		                                     password, salt_enctypes, &salts[i]);
+ 		if (code == 0) {
+ 			*discovered = i;
+ 			break;
+@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 		}
+ 	}
+ 
+	free (salt_enctypes);
+ 	krb5_kt_close (k5, scratch);
+ 	return code;
+ }
+-- 
+2.21.0
+
--- a/0001-Fix-for-issue-found-by-Coverity.patch
+++ b/0001-Fix-for-issue-found-by-Coverity.patch
@ -0,0 +1,26 @@
+From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 12 Aug 2019 17:28:20 +0200
+Subject: [PATCH] Fix for issue found by Coverity
+
+Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 53cd812..524663a 100644
+--- a/library/adenroll.c
+++ b/library/adenroll.c
+@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+ 	for (c = 0; cur_enctypes[c] != 0; c++);
+ 
+ 	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+-	return_val_if_fail (new_enctypes != NULL, NULL);
+	if (new_enctypes == NULL) {
+		krb5_free_enctypes (k5, permitted_enctypes);
+		return NULL;
+	}
+ 
+ 	n = 0;
+ 	for (c = 0; cur_enctypes[c] != 0; c++) {
+-- 
+2.21.0
+
--- a/0001-doc-explain-how-to-force-password-reset.patch
+++ b/0001-doc-explain-how-to-force-password-reset.patch
@ -0,0 +1,27 @@
+From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 26 Aug 2019 13:33:24 +0200
+Subject: [PATCH] doc: explain how to force password reset
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 094f577..4f201e0 100644
+--- a/doc/adcli.xml
+++ b/doc/adcli.xml
+@@ -330,7 +330,11 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
+			for details.</para>
+			<para>Note that if the machine account password is not
+			older than 30 days, you have to pass
+			<option>--computer-password-lifetime=0</option> to
+			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+
--- a/adcli.spec
+++ b/adcli.spec
@ -1,6 +1,6 @@
 Name:		adcli
 Version:	0.8.2
-Release:	7%{?dist}
+Release:	8%{?dist}
 Summary:	Active Directory enrollment
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/adcli
@ -92,6 +92,15 @@ Patch53:        0003-adconn-add-adcli_conn_set_krb5_context.patch
 Patch54:        0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
 Patch55:        0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch

+# Coverity fix related to fixes for rhbz#1727144
+Patch56:        0001-Fix-for-issue-found-by-Coverity.patch
+
+# rhbz#1683745 - Issue is that with arcfour-hmac as first encryption type
+Patch57:        0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
+
+# rhbz#1738573 - adcli update --add-samba-data does not work as expected
+Patch58:        0001-doc-explain-how-to-force-password-reset.patch
+
 BuildRequires:	gcc
 BuildRequires:	intltool pkgconfig
 BuildRequires:	libtool
@ -148,6 +157,10 @@ documentation.
 %doc %{_datadir}/doc/adcli/*

 %changelog
+* Mon Aug 26 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-8
+- various fixes and improvements
+  Resolves: rhbz#1683745, rhbz#1738573
+
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild