rpms
/
adcli
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import adcli-0.8.2-9.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:38:06 -04:00 committed by Andrew Lukoshko
parent 8cb0a07f2f
commit b6ed9c2c22
13 changed files with 1925 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
SOURCES/0001-doc-add-missing-samba_data_tool_path.xml-.in-to-EXTR.patch Normal file
View File

@ -0,0 +1,25 @@
From 2edc26afda17db1a92703deb16658e9de9f79e14 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Sep 2019 14:39:37 +0200
Subject: [PATCH] doc: add missing samba_data_tool_path.xml(.in) to EXTRA_DIST
---
doc/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 3a53843..4490688 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -31,6 +31,8 @@ EXTRA_DIST = \
static \
version.xml.in \
version.xml \
+ samba_data_tool_path.xml.in \
+ samba_data_tool_path.xml \
$(NULL)
CLEANFILES = \
--
2.28.0

242
SOURCES/0001-doc-explain-required-AD-permissions.patch Normal file
View File

@ -0,0 +1,242 @@
From fa5c5fb4f8e7bcadf3e5a3798bd060720fd35eaa Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 20 Oct 2020 13:34:41 +0200
Subject: [PATCH] doc: explain required AD permissions
When using a restricted account with adcli some operations might fail
because the account might not have all required permissions. The man
page is extended and now explains which permissions are needed under
given circumstances.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1852080
Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/20
---
doc/Makefile.am | 10 ++++
doc/adcli.xml | 132 +++++++++++++++++++++++++++++++++++++++++++++
library/adenroll.c | 30 ++++++-----
3 files changed, 160 insertions(+), 12 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 4490688..50fb777 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -33,14 +33,17 @@ EXTRA_DIST = \
version.xml \
samba_data_tool_path.xml.in \
samba_data_tool_path.xml \
+ permissions.xml \
$(NULL)
CLEANFILES = \
$(man8_MANS) \
+ permissions.xml \
$(NULL)
XSLTPROC_FLAGS = \
--nonet \
+ --xinclude \
--stringparam man.output.quietly 1 \
--stringparam funcsynopsis.style ansi \
--stringparam man.th.extra1.suppress 1 \
@@ -50,6 +53,13 @@ XSLTPROC_FLAGS = \
XSLTPROC_MAN = \
$(XSLTPROC) $(XSLTPROC_FLAGS) http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
+permissions.xml: ../library/adenroll.c adcli.xml
+ echo "<itemizedlist>" > $@
+ grep '".*".*/\* :ADPermissions: ' $< | sed -e 's#.*"\(.*\)".*/\* :ADPermissions: \(.*\)\*/$$#<listitem><para>\1</para><itemizedlist><listitem><para>\2</para></listitem></itemizedlist></listitem>#' | sed -e 's#\*#</para></listitem><listitem><para>#g' >> $@
+ echo "</itemizedlist>" >> $@
+
+$(man8_MANS): permissions.xml
+
.xml.8:
$(AM_V_GEN) $(XSLTPROC_MAN) $<
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 1437679..cc44fd8 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -885,6 +885,138 @@ Password for Administrator:
</refsect1>
+<refsect1 id='delegation'>
+ <title>Delegated Permissions</title>
+ <para>It is common practice in AD to not use an account from the Domain
+ Administrators group to join a machine to a domain but use a dedicated
+ account which only has permissions to join a machine to one or more OUs
+ in the Active Directory tree. Giving the needed permissions to a single
+ account or a group in Active Directory is called Delegation. A typical
+ example on how to configured Delegation can be found in the Delegation
+ section of the blog post
+ <ulink url="https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain">Who can add workstation to the domain</ulink>.
+ </para>
+
+ <para>When using an account with delegated permissions with adcli
+ basically the same applies as well. However some aspects are explained
+ here in a bit more details to better illustrate different concepts of
+ Active Directory and to make it more easy to debug permissions issues
+ during the join. Please note that the following is not specific to
+ adcli but applies to all applications which would like to modify
+ certain properties or objects in Active Directory with an account with
+ limited permissions.</para>
+
+ <para>First, as said in the blog post it is sufficient to have
+ <literal>"Create computer object"</literal> permissions to join a
+ computer to a domain. But this would only work as expected if the
+ computer object does not exist in Active Directory before the join.
+ Because only when a new object is created Active Directory does not
+ apply additional permission checks on the attributes of the new
+ computer object. This means the delegated user can add any kind of
+ attribute with any value to a new computer object also long as they
+ meet general constraints like e.g. that the attribute must be defined
+ in the schema and is allowed in a objectclass of the object, the value
+ must match the syntax defined in the schema or that the
+ <option>sAMAccountName</option> must be unique in the domain.</para>
+
+ <para>If you want to use the account with delegated permission to
+ remove computer objects in Active Directory (adcli delete-computer) you
+ should of course make sure that the account has
+ <literal>"Delete computer object"</literal> permissions.</para>
+
+ <para>If the computer object already exists the
+ <literal>"Create computer object"</literal> permission does not apply
+ anymore since now an existing object must be modified. Now permissions
+ on the individual attributes are needed. e.g.
+ <literal>"Read and write Account Restrictions"</literal> or
+ <literal>"Reset Password"</literal>. For some attributes Active
+ Directory has two types of permissions the plain
+ <literal>"Read and Write"</literal> permissions and the
+ <literal>"Validated Write"</literal> permissions. For the latter case
+ there are two specific permissions relevant for adcli, namely
+ <itemizedlist>
+ <listitem><para>Validated write to DNS host name</para></listitem>
+ <listitem><para>Validated write to service principal name</para></listitem>
+ </itemizedlist>
+ Details about the validation of the values can be found in the
+ <literal>"Validated Writes"</literal> section of
+ <literal>[MS-ADTS]</literal>, especially
+ <ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1">dNSHostName</ulink>
+ and
+ <ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada">servicePrincipalName</ulink>.
+ To cut it short for <literal>"Validated write to DNS host name"</literal>
+ the domain part of the fully-qualified hostname must either match the
+ domain name of the domain you want to join to or must be listed in the
+ <option>msDS-AllowedDNSSuffixes</option> attribute. And for
+ <literal>"Validated write to service principal name"</literal> the
+ hostname part of the service principal name must match the name stored
+ in <option>dNSHostName</option> or some other attributes which are
+ not handled by adcli. This also means that
+ <option>dNSHostName</option> cannot be empty or only contain a short
+ name if the service principal name should contain a fully-qualified
+ name.</para>
+
+ <para>To summarize, if you only have validated write permissions you
+ should make sure the domain part of the hostname matches the domain you
+ want to join or use the <option>--host-fqdn</option> with a matching
+ name.</para>
+
+ <para>The plain read write permissions do not run additional
+ validations but the attribute values must still be in agreement with
+ the general constraints mentioned above. If the computer object already
+ exists adcli might need the following permissions which are also needed
+ by Windows clients to modify existing attributes:
+ <itemizedlist>
+ <listitem><para>Reset Password</para></listitem>
+ <listitem><para>Read and write Account Restrictions</para></listitem>
+ <listitem><para>Read and (validated) write to DNS host name</para></listitem>
+ <listitem><para>Read and (validated) write to service principal name</para></listitem>
+ </itemizedlist>
+ additionally adcli needs
+ <itemizedlist>
+ <listitem><para>Read and write msDS-supportedEncryptionTypes</para></listitem>
+ </itemizedlist>
+ This is added for security reasons to avoid that Active Directory
+ stores Kerberos keys with (potentially weaker) encryption types than
+ the client supports since Active Directory is often configured to still
+ support older (weaker) encryption types for compatibility reasons.
+ </para>
+
+ <para>All other attributes are only set or modified on demand, i.e.
+ adcli must be called with an option the would set or modify the given
+ attribute. In the following the attributes adcli can modify together
+ with the required permissions are listed:
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="permissions.xml" />
+ </para>
+
+ <para>For the management of users and groups (adcli create-user,
+ adcli delete-user, adcli create-group, adcli delete-group) the same
+ applies only for different types of objects, i.e. users and groups.
+ Since currently adcli only supports the creation and the removal of
+ user and group objects it is sufficient to have the
+ <literal>"Create/Delete User objects"</literal> and
+ <literal>"Create/Delete Group objects"</literal> permissions.</para>
+
+ <para>If you want to manage group members as well (adcli add-member,
+ adcli remove-member) <literal>"Read/Write Members"</literal> permissions
+ are needed as well.</para>
+
+ <para>Depending on the version of Active Directory the
+ <literal>"Delegation of Control Wizard"</literal> might offer some
+ shortcuts for common task like e.g.
+ <itemizedlist>
+ <listitem><para>Create, delete and manage user accounts</para></listitem>
+ <listitem><para>Create, delete and manage groups</para></listitem>
+ <listitem><para>Modify the membership of a group</para></listitem>
+ </itemizedlist>
+ The first 2 shortcuts will provided full access to user and group
+ objects which, as explained above, is more than currently is needed.
+ After using those shortcut it is a good idea to verify in the
+ <literal>"Security"</literal> tab in the <literal>"Properties"</literal>
+ of the related Active Directory container that the assigned permissions
+ meet the expectations.</para>
+</refsect1>
+
<refsect1 id='bugs'>
<title>Bugs</title>
<para>
diff --git a/library/adenroll.c b/library/adenroll.c
index e745295..98e9786 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -71,19 +71,25 @@ static krb5_enctype v51_earlier_enctypes[] = {
0
};
+/* The following list containst all attributes handled by adcli, some are
+ * read-only and the others can be written as well. To properly document the
+ * required permissions each attribute which adcli tries to modify should have
+ * a comment starting with ':ADPermissions:' and the related permissions in AD
+ * on the same line. Multiple permissions can be seperated with a '*'. For all
+ * other attribute a suitable comment is very welcome. */
static char *default_ad_ldap_attrs[] = {
- "sAMAccountName",
- "userPrincipalName",
- "msDS-KeyVersionNumber",
- "msDS-supportedEncryptionTypes",
- "dNSHostName",
- "servicePrincipalName",
- "operatingSystem",
- "operatingSystemVersion",
- "operatingSystemServicePack",
- "pwdLastSet",
- "userAccountControl",
- "description",
+ "sAMAccountName", /* Only set during creation */
+ "userPrincipalName", /* :ADPermissions: Read/Write userPrincipal Name */
+ "msDS-KeyVersionNumber", /* Manages by AD */
+ "msDS-supportedEncryptionTypes", /* :ADPermissions: Read/Write msDS-SupportedEncryptionTypes */
+ "dNSHostName", /* :ADPermissions: Read/Write dNSHostName * Read and write DNS host name attributes * Validated write to DNS host name */
+ "servicePrincipalName", /* :ADPermissions: Read/Write servicePrincipalName * Validated write to service principal name */
+ "operatingSystem", /* :ADPermissions: Read/Write Operating System */
+ "operatingSystemVersion", /* :ADPermissions: Read/Write Operating System Version */
+ "operatingSystemServicePack", /* :ADPermissions: Read/Write operatingSystemServicePack */
+ "pwdLastSet", /* Managed by AD */
+ "userAccountControl", /* :ADPermissions: Read/Write userAccountControl */
+ "description", /* :ADPermissions: Read/Write Description */
NULL,
};
--
2.28.0

66
SOURCES/0001-enroll-add-is_service-member.patch Normal file
View File

@ -0,0 +1,66 @@
From 4e4dbf8d2b437808863f8be85e7f30865d88c7fc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 23 Oct 2020 16:46:43 +0200
Subject: [PATCH 1/7] enroll: add is_service member
Add helpers to indicate a managed service account.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 17 +++++++++++++++++
library/adenroll.h | 4 ++++
2 files changed, 21 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index 98e9786..5ae1f7b 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -103,6 +103,8 @@ static char *default_ad_ldap_attrs[] = {
struct _adcli_enroll {
int refs;
adcli_conn *conn;
+ bool is_service;
+ bool is_service_explicit;
char *host_fqdn;
int host_fqdn_explicit;
@@ -2942,6 +2944,21 @@ adcli_enroll_get_desciption (adcli_enroll *enroll)
return enroll->description;
}
+void
+adcli_enroll_set_is_service (adcli_enroll *enroll, bool value)
+{
+ return_if_fail (enroll != NULL);
+
+ enroll->is_service = value;
+ enroll->is_service_explicit = true;
+}
+
+bool
+adcli_enroll_get_is_service (adcli_enroll *enroll)
+{
+ return enroll->is_service;
+}
+
const char **
adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
{
diff --git a/library/adenroll.h b/library/adenroll.h
index 0606169..7765ed4 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -130,6 +130,10 @@ const char * adcli_enroll_get_desciption (adcli_enroll *enroll);
void adcli_enroll_set_description (adcli_enroll *enroll,
const char *value);
+bool adcli_enroll_get_is_service (adcli_enroll *enroll);
+void adcli_enroll_set_is_service (adcli_enroll *enroll,
+ bool value);
+
krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll);
void adcli_enroll_set_kvno (adcli_enroll *enroll,
--
2.28.0

59
SOURCES/0001-join-update-set-dNSHostName-if-not-set.patch Normal file
View File

@ -0,0 +1,59 @@
From beb7abfacc0010987d2cd8ab70f7c373d309eed9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 15 Oct 2020 18:01:12 +0200
Subject: [PATCH] join/update: set dNSHostName if not set
If during a join or update an existing AD computer object does not have
the dNSHostName attribute set it will be set with the current hostname.
This is important for cases where the user doing the join or update only
has "Validated write to service principal name" for the computer object.
The validated write with fully-qualified names can only be successful if
dNSHostName is set, see [MS-ADTS] section 3.1.1.5.3.1.1.4 "Validated
Writes - servicePrincipalName" for details.
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1734764
---
library/adenroll.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 246f658..e745295 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1403,21 +1403,29 @@ update_computer_account (adcli_enroll *enroll)
{
int res = 0;
LDAP *ldap;
+ char *value = NULL;
ldap = adcli_conn_get_ldap_connection (enroll->conn);
return_if_fail (ldap != NULL);
/* Only update attributes which are explicitly given on the command
- * line. Otherwise 'adcli update' must be always called with the same
- * set of options to make sure existing attributes are not deleted or
- * overwritten with different values. */
- if (enroll->host_fqdn_explicit) {
+ * line or not set in the existing AD object. Otherwise 'adcli update'
+ * must be always called with the same set of options to make sure
+ * existing attributes are not deleted or overwritten with different
+ * values. */
+ if (enroll->computer_attributes != NULL) {
+ value = _adcli_ldap_parse_value (ldap,
+ enroll->computer_attributes,
+ "dNSHostName");
+ }
+ if (enroll->host_fqdn_explicit || value == NULL ) {
char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
LDAPMod *mods[] = { &dNSHostName, NULL };
res |= update_computer_attribute (enroll, ldap, mods);
}
+ free (value);
if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
char *vals_userAccountControl[] = { NULL , NULL };
--
2.28.0

35
SOURCES/0001-service-account-fix-typo-in-the-man-page-entry.patch Normal file
View File

@ -0,0 +1,35 @@
From 637cc53953ef61c90530ae5eaf26eb4911336465 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 10 Dec 2020 18:29:18 +0100
Subject: [PATCH] service-account: fix typo in the man page entry
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1906303
---
doc/adcli.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 14921f9..a64687a 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -943,7 +943,7 @@ Password for Administrator:
of the managed service account as a suffix. On most systems it would be
<filename>/etc/krb5.keytab</filename> with a suffix of
'domain.example.com', e.g.
- <filename>/etc/krb5.keytad.domain.example.com</filename>.</para>
+ <filename>/etc/krb5.keytab.domain.example.com</filename>.</para>
<para><command>adcli create-msa</command> can be called multiple
times to reset the password of the managed service account. To identify
@@ -955,7 +955,7 @@ Password for Administrator:
<para>The managed service account password can be updated with
<programlisting>
-$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytad.domain.example.com
+$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
</programlisting>
and the managed service account can be deleted with
<programlisting>
--
2.29.2

36
SOURCES/0001-tools-add-missing-use-ldaps-option-to-update-and-tes.patch Normal file
View File

@ -0,0 +1,36 @@
From 76ca1e6737742208d83e016d43a3379e378f8d90 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 14 Oct 2020 17:44:10 +0200
Subject: [PATCH] tools: add missing use-ldaps option to update and testjoin
When adding the use-ldaps option the update and testjoin sub-commands
were forgotten.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1883467
---
tools/computer.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/computer.c b/tools/computer.c
index 24ea258..5a97d8b 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -491,6 +491,7 @@ adcli_tool_computer_update (adcli_conn *conn,
struct option options[] = {
{ "domain", required_argument, NULL, opt_domain },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "host-fqdn", required_argument, 0, opt_host_fqdn },
{ "computer-name", required_argument, 0, opt_computer_name },
{ "host-keytab", required_argument, 0, opt_host_keytab },
@@ -612,6 +613,7 @@ adcli_tool_computer_testjoin (adcli_conn *conn,
struct option options[] = {
{ "domain", required_argument, NULL, opt_domain },
{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
{ "host-keytab", required_argument, 0, opt_host_keytab },
{ "verbose", no_argument, NULL, opt_verbose },
{ "help", no_argument, NULL, 'h' },
--
2.28.0

646
SOURCES/0002-computer-add-create-msa-sub-command.patch Normal file
View File

@ -0,0 +1,646 @@
From 41379f7ad6a9442dd55cc43d832427911e86db31 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 23 Oct 2020 16:53:43 +0200
Subject: [PATCH 2/7] computer: add create-msa sub-command
Add new sub-command to create a managed service account in AD. This can
be used if LDAP access to AD is needed but the host is already joined to
a different domain.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
doc/adcli.xml | 140 ++++++++++++++++++++++++++++++++++++++
library/adenroll.c | 164 ++++++++++++++++++++++++++++++++++++++-------
tools/computer.c | 125 ++++++++++++++++++++++++++++++++++
tools/tools.c | 1 +
tools/tools.h | 4 ++
5 files changed, 409 insertions(+), 25 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index cc44fd8..14921f9 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -98,6 +98,10 @@
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>adcli create-msa</command>
+ <arg choice="opt">--domain=domain.example.com</arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='general_overview'>
@@ -885,6 +889,142 @@ Password for Administrator:
</refsect1>
+<refsect1 id='managed_service_account'>
+ <title>Create a managed service account</title>
+
+ <para><command>adcli create-msa</command> creates a managed service
+ account (MSA) in the given Active Directory domain. This is useful if a
+ computer should not fully join the Active Directory domain but LDAP
+ access is needed. A typical use case is that the computer is already
+ joined an Active Directory domain and needs access to another Active
+ Directory domain in the same or a trusted forest where the host
+ credentials from the joined Active Directory domain are
+ not valid, e.g. there is only a one-way trust.</para>
+
+<programlisting>
+$ adcli create-msa --domain=domain.example.com
+Password for Administrator:
+</programlisting>
+
+ <para>The managed service account, as maintained by adcli, cannot have
+ additional service principals names (SPNs) associated with it. An SPN
+ is defined within the context of a Kerberos service which is tied to a
+ machine account in Active Directory. Since a machine can be joined to a
+ single Active Directory domain, managed service account in a different
+ Active Directory domain will not have the SPNs that otherwise are part
+ of another Active Directory domain's machine.</para>
+
+ <para>Since it is expected that a client will most probably join to the
+ Active Directory domain matching its DNS domain the managed service
+ account will be needed for a different Active directory domain and as a
+ result the Active Directory domain name is a mandatory option. If
+ called with no other options <command>adcli create-msa</command>
+ will use the short hostname with an additional random suffix as
+ computer name to avoid name collisions.</para>
+
+ <para>LDAP attribute sAMAccountName has a limit of 20 characters.
+ However, machine account's NetBIOS name must be at most 16 characters
+ long, including a trailing '$' sign. Since it is not expected that the
+ managed service accounts created by adcli will be used on the NetBIOS
+ level the remaining 4 characters can be used to add uniqueness. Managed
+ service account names will have a suffix of 3 random characters from
+ number and upper- and lowercase ASCII ranges appended to the chosen
+ short host name, using '!' as a separator. For a host with the
+ shortname 'myhost', a managed service account will have a common name
+ (CN attribute) 'myhost!A2c' and a NetBIOS name
+ (sAMAccountName attribute) will be 'myhost!A2c$'. A corresponding
+ Kerberos principal in the Active Directory domain where the managed
+ service account was created would be
+ 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.</para>
+
+ <para>A keytab for the managed service account is stored into a file
+ specified with -K option. If it is not specified, the file is named
+ after the default keytab file, with lowercase Active Directory domain
+ of the managed service account as a suffix. On most systems it would be
+ <filename>/etc/krb5.keytab</filename> with a suffix of
+ 'domain.example.com', e.g.
+ <filename>/etc/krb5.keytad.domain.example.com</filename>.</para>
+
+ <para><command>adcli create-msa</command> can be called multiple
+ times to reset the password of the managed service account. To identify
+ the right account with the random component in the name the
+ corresponding principal is read from the keytab. If the keytab got
+ deleted <command>adcli</command> will try to identify an existing
+ managed service account with the help of the fully-qualified name, if
+ this fails a new managed service account will be created.</para>
+
+ <para>The managed service account password can be updated with
+<programlisting>
+$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytad.domain.example.com
+</programlisting>
+ and the managed service account can be deleted with
+<programlisting>
+$ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
+</programlisting>
+ </para>
+
+ <para>In addition to the global options, you can specify the following
+ options to control how this operation is done.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
+ <listitem><para>The short non-dotted name of the managed
+ service account that will be created in the Active
+ Directory domain. The long option name
+ <option>--computer-name</option> is
+ kept to underline the similarity with the same option
+ of the other sub-commands. If not specified,
+ then the first portion of the <option>--host-fqdn</option>
+ or its default is used with a random suffix.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
+ <listitem><para>The full distinguished name of the OU in
+ which to create the managed service account. If not
+ specified, then the managed service account will be
+ created in a default location.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
+ <listitem><para>Override the local machine's fully
+ qualified DNS domain name. If not specified, the local
+ machine's hostname will be retrieved via
+ <function>gethostname()</function>.
+ If <function>gethostname()</function> only returns a short name
+ <function>getaddrinfo()</function> with the AI_CANONNAME hint
+ is called to expand the name to a fully qualified DNS
+ domain name.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
+ <listitem><para>Specify the path to the host keytab where
+ credentials of the managed service account will be
+ written after a successful creation. If not specified,
+ the default location will be used, usually
+ <filename>/etc/krb5.keytab</filename> with
+ the lower-cased Active Directory domain name added as a
+ suffix e.g.
+ <filename>/etc/krb5.keytab.domain.example.com</filename>.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--show-details</option></term>
+ <listitem><para>After a successful creation print out
+ information about the created object. This is output in
+ a format that should be both human and machine
+ readable.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--show-password</option></term>
+ <listitem><para>After a successful creation print out
+ the managed service account password. This is output in
+ a format that should be both human and machine
+ readable.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id='delegation'>
<title>Delegated Permissions</title>
<para>It is common practice in AD to not use an account from the Domain
diff --git a/library/adenroll.c b/library/adenroll.c
index 5ae1f7b..dbfda36 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -155,6 +155,20 @@ struct _adcli_enroll {
char *description;
};
+static void
+check_if_service (adcli_enroll *enroll,
+ LDAP *ldap,
+ LDAPMessage *results)
+{
+ char **objectclasses = NULL;
+
+ objectclasses = _adcli_ldap_parse_values (ldap, results, "objectClass");
+ enroll->is_service = _adcli_strv_has_ex (objectclasses,
+ "msDS-ManagedServiceAccount",
+ strcasecmp) == 1 ? true : false;
+ _adcli_strv_free (objectclasses);
+}
+
static adcli_result
ensure_host_fqdn (adcli_result res,
adcli_enroll *enroll)
@@ -471,13 +485,15 @@ ensure_keytab_principals (adcli_result res,
{
krb5_context k5;
krb5_error_code code;
- int count;
+ int count = 0;
int at, i;
/* Prepare the principals we're going to add to the keytab */
- return_unexpected_if_fail (enroll->service_principals);
- count = _adcli_strv_len (enroll->service_principals);
+ if (!enroll->is_service) {
+ return_unexpected_if_fail (enroll->service_principals);
+ count = _adcli_strv_len (enroll->service_principals);
+ }
k5 = adcli_conn_get_krb5_context (enroll->conn);
return_unexpected_if_fail (k5 != NULL);
@@ -556,8 +572,12 @@ static adcli_result
lookup_computer_container (adcli_enroll *enroll,
LDAP *ldap)
{
- char *attrs[] = { "wellKnownObjects", NULL };
- char *prefix = "B:32:AA312825768811D1ADED00C04FD8D5CD:";
+ char *attrs[] = { enroll->is_service ? "otherWellKnownObjects"
+ : "wellKnownObjects", NULL };
+ const char *prefix = enroll->is_service ? "B:32:1EB93889E40C45DF9F0C64D23BBB6237:"
+ : "B:32:AA312825768811D1ADED00C04FD8D5CD:";
+ const char *filter = enroll->is_service ? "(&(objectClass=container)(cn=Managed Service Accounts))"
+ : "(&(objectClass=container)(cn=Computers))";
int prefix_len;
LDAPMessage *results;
const char *base;
@@ -586,7 +606,7 @@ lookup_computer_container (adcli_enroll *enroll,
"Couldn't lookup computer container: %s", base);
}
- values = _adcli_ldap_parse_values (ldap, results, "wellKnownObjects");
+ values = _adcli_ldap_parse_values (ldap, results, attrs[0]);
ldap_msgfree (results);
prefix_len = strlen (prefix);
@@ -604,8 +624,7 @@ lookup_computer_container (adcli_enroll *enroll,
/* Try harder */
if (!enroll->computer_container) {
- ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_BASE,
- "(&(objectClass=container)(cn=Computers))",
+ ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_BASE, filter,
attrs, 0, NULL, NULL, NULL, -1, &results);
if (ret == LDAP_SUCCESS) {
enroll->computer_container = _adcli_ldap_parse_dn (ldap, results);
@@ -747,7 +766,7 @@ static adcli_result
create_computer_account (adcli_enroll *enroll,
LDAP *ldap)
{
- char *vals_objectClass[] = { "computer", NULL };
+ char *vals_objectClass[] = { enroll->is_service ? "msDS-ManagedServiceAccount" : "computer", NULL };
LDAPMod objectClass = { LDAP_MOD_ADD, "objectClass", { vals_objectClass, } };
char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
@@ -806,7 +825,7 @@ create_computer_account (adcli_enroll *enroll,
m = 0;
for (c = 0; c < mods_count - 1; c++) {
/* Skip empty LDAP sttributes */
- if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
+ if (all_mods[c]->mod_vals.modv_strvals != NULL && all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
mods[m++] = all_mods[c];
}
}
@@ -936,7 +955,7 @@ locate_computer_account (adcli_enroll *enroll,
LDAPMessage **rresults,
LDAPMessage **rentry)
{
- char *attrs[] = { "1.1", NULL };
+ char *attrs[] = { "objectClass", NULL };
LDAPMessage *results = NULL;
LDAPMessage *entry = NULL;
const char *base;
@@ -948,7 +967,9 @@ locate_computer_account (adcli_enroll *enroll,
/* If we don't yet know our computer dn, then try and find it */
value = _adcli_ldap_escape_filter (enroll->computer_sam);
return_unexpected_if_fail (value != NULL);
- if (asprintf (&filter, "(&(objectClass=computer)(sAMAccountName=%s))", value) < 0)
+ if (asprintf (&filter, "(&(objectClass=%s)(sAMAccountName=%s))",
+ enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
+ value) < 0)
return_unexpected_if_reached ();
free (value);
@@ -962,8 +983,11 @@ locate_computer_account (adcli_enroll *enroll,
if (ret == LDAP_SUCCESS) {
entry = ldap_first_entry (ldap, results);
- /* If we found a computer account, make note of dn */
+ /* If we found a computer/service account, make note of dn */
if (entry) {
+ if (!enroll->is_service_explicit) {
+ check_if_service ( enroll, ldap, results);
+ }
dn = ldap_get_dn (ldap, entry);
free (enroll->computer_dn);
enroll->computer_dn = strdup (dn);
@@ -1003,7 +1027,7 @@ load_computer_account (adcli_enroll *enroll,
LDAPMessage **rresults,
LDAPMessage **rentry)
{
- char *attrs[] = { "1.1", NULL };
+ char *attrs[] = { "objectClass", NULL };
LDAPMessage *results = NULL;
LDAPMessage *entry = NULL;
int ret;
@@ -1081,6 +1105,12 @@ locate_or_create_computer_account (adcli_enroll *enroll,
if (res == ADCLI_SUCCESS && entry == NULL)
res = create_computer_account (enroll, ldap);
+ /* Service account already exists, just continue and update the
+ * password */
+ if (enroll->is_service && entry != NULL) {
+ res = ADCLI_SUCCESS;
+ }
+
if (results)
ldap_msgfree (results);
@@ -1413,6 +1443,11 @@ update_computer_account (adcli_enroll *enroll)
LDAP *ldap;
char *value = NULL;
+ /* No updates for service accounts */
+ if (enroll->is_service) {
+ return;
+ }
+
ldap = adcli_conn_get_ldap_connection (enroll->conn);
return_if_fail (ldap != NULL);
@@ -1501,6 +1536,11 @@ update_service_principals (adcli_enroll *enroll)
LDAP *ldap;
int ret;
+ /* No updates for service accounts */
+ if (enroll->is_service) {
+ return ADCLI_SUCCESS;
+ }
+
ldap = adcli_conn_get_ldap_connection (enroll->conn);
return_unexpected_if_fail (ldap != NULL);
@@ -1614,6 +1654,8 @@ load_keytab_entry (krb5_context k5,
enroll->computer_name = name;
name[len - 1] = '\0';
_adcli_info ("Found computer name in keytab: %s", name);
+ adcli_conn_set_computer_name (enroll->conn,
+ enroll->computer_name);
name = NULL;
} else if (!enroll->host_fqdn && _adcli_str_has_prefix (name, "host/") && strchr (name, '.')) {
@@ -2002,17 +2044,25 @@ adcli_enroll_prepare (adcli_enroll *enroll,
adcli_clear_last_error ();
- /* Basic discovery and figuring out enroll params */
- res = ensure_host_fqdn (res, enroll);
- res = ensure_computer_name (res, enroll);
- res = ensure_computer_sam (res, enroll);
- res = ensure_user_principal (res, enroll);
- res = ensure_computer_password (res, enroll);
- if (!(flags & ADCLI_ENROLL_NO_KEYTAB))
+ if (enroll->is_service) {
+ /* Ensure basic params for service accounts */
+ res = ensure_computer_sam (res, enroll);
+ res = ensure_computer_password (res, enroll);
res = ensure_host_keytab (res, enroll);
- res = ensure_service_names (res, enroll);
- res = ensure_service_principals (res, enroll);
- res = ensure_keytab_principals (res, enroll);
+ res = ensure_keytab_principals (res, enroll);
+ } else {
+ /* Basic discovery and figuring out enroll params */
+ res = ensure_host_fqdn (res, enroll);
+ res = ensure_computer_name (res, enroll);
+ res = ensure_computer_sam (res, enroll);
+ res = ensure_user_principal (res, enroll);
+ res = ensure_computer_password (res, enroll);
+ if (!(flags & ADCLI_ENROLL_NO_KEYTAB))
+ res = ensure_host_keytab (res, enroll);
+ res = ensure_service_names (res, enroll);
+ res = ensure_service_principals (res, enroll);
+ res = ensure_keytab_principals (res, enroll);
+ }
return res;
}
@@ -2157,6 +2207,58 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
return update_keytab_for_principals (enroll, flags);
}
+static adcli_result
+adcli_enroll_add_description_for_service_account (adcli_enroll *enroll)
+{
+ const char *fqdn;
+ char *desc;
+
+ fqdn = adcli_conn_get_host_fqdn (enroll->conn);
+ return_unexpected_if_fail (fqdn != NULL);
+ if (asprintf (&desc, "Please do not edit, Service account for %s, "
+ "managed by adcli.", fqdn) < 0) {
+ return_unexpected_if_reached ();
+ }
+
+ adcli_enroll_set_description (enroll, desc);
+ free (desc);
+
+ return ADCLI_SUCCESS;
+}
+
+static adcli_result
+adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll)
+{
+ krb5_context k5;
+ krb5_error_code code;
+ char def_keytab_name[MAX_KEYTAB_NAME_LEN];
+ char *lc_dom_name;
+ int ret;
+
+ if (adcli_enroll_get_keytab_name (enroll) == NULL) {
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ return_unexpected_if_fail (k5 != NULL);
+
+ code = krb5_kt_default_name (k5, def_keytab_name,
+ sizeof (def_keytab_name));
+ return_unexpected_if_fail (code == 0);
+
+ lc_dom_name = strdup (adcli_conn_get_domain_name (enroll->conn));
+ return_unexpected_if_fail (lc_dom_name != NULL);
+ _adcli_str_down (lc_dom_name);
+
+
+ ret = asprintf (&enroll->keytab_name, "%s.%s", def_keytab_name,
+ lc_dom_name);
+ free (lc_dom_name);
+ return_unexpected_if_fail (ret > 0);
+ }
+
+ _adcli_info ("Using service account keytab: %s", enroll->keytab_name);
+
+ return ADCLI_SUCCESS;
+}
+
adcli_result
adcli_enroll_join (adcli_enroll *enroll,
adcli_enroll_flags flags)
@@ -2172,7 +2274,14 @@ adcli_enroll_join (adcli_enroll *enroll,
if (res != ADCLI_SUCCESS)
return res;
- res = ensure_default_service_names (enroll);
+ if (enroll->is_service) {
+ res = adcli_enroll_add_description_for_service_account (enroll);
+ if (res == ADCLI_SUCCESS) {
+ res = adcli_enroll_add_keytab_for_service_account (enroll);
+ }
+ } else {
+ res = ensure_default_service_names (enroll);
+ }
if (res != ADCLI_SUCCESS)
return res;
@@ -2281,6 +2390,11 @@ adcli_enroll_update (adcli_enroll *enroll,
}
free (value);
+ /* We only support password changes for service accounts */
+ if (enroll->is_service && (flags & ADCLI_ENROLL_PASSWORD_VALID)) {
+ return ADCLI_SUCCESS;
+ }
+
return enroll_join_or_update_tasks (enroll, flags);
}
diff --git a/tools/computer.c b/tools/computer.c
index 5a97d8b..63fd374 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -1074,3 +1074,128 @@ adcli_tool_computer_show (adcli_conn *conn,
adcli_enroll_unref (enroll);
return 0;
}
+
+int
+adcli_tool_computer_managed_service_account (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ int show_password = 0;
+ int details = 0;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-realm", required_argument, NULL, opt_domain_realm },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
+ { "login-user", required_argument, NULL, opt_login_user },
+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
+ { "host-fqdn", required_argument, 0, opt_host_fqdn },
+ { "computer-name", required_argument, 0, opt_computer_name },
+ { "host-keytab", required_argument, 0, opt_host_keytab },
+ { "no-password", no_argument, 0, opt_no_password },
+ { "stdin-password", no_argument, 0, opt_stdin_password },
+ { "prompt-password", no_argument, 0, opt_prompt_password },
+ { "domain-ou", required_argument, NULL, opt_domain_ou },
+ { "show-details", no_argument, NULL, opt_show_details },
+ { "show-password", no_argument, NULL, opt_show_password },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli create-msa --domain=xxxx" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL) {
+ warnx ("unexpected memory problems");
+ return -1;
+ }
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case opt_one_time_password:
+ adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT);
+ adcli_conn_set_computer_password (conn, optarg);
+ break;
+ case opt_show_details:
+ details = 1;
+ break;
+ case opt_show_password:
+ show_password = 1;
+ break;
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ res = parse_option ((Option)opt, optarg, conn, enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ return res;
+ }
+ break;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc == 1)
+ adcli_conn_set_domain_name (conn, argv[0]);
+ else if (argc > 1) {
+ warnx ("extra arguments specified");
+ adcli_enroll_unref (enroll);
+ return 2;
+ }
+
+ if (adcli_conn_get_domain_name (conn) == NULL) {
+ warnx ("domain name is required");
+ adcli_enroll_unref (enroll);
+ return 2;
+ }
+
+ adcli_enroll_set_is_service (enroll, true);
+ adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);
+
+ res = adcli_enroll_load (enroll);
+ if (res != ADCLI_SUCCESS) {
+ /* ignored */
+ }
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ res = adcli_enroll_join (enroll, 0);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("Adding service account for %s failed: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ if (details)
+ dump_details (conn, enroll, show_password);
+ else if (show_password)
+ dump_password (conn, enroll);
+
+ adcli_enroll_unref (enroll);
+
+ return 0;
+}
diff --git a/tools/tools.c b/tools/tools.c
index 1b6d879..d0dcf98 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -60,6 +60,7 @@ struct {
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
+ { "create-msa", adcli_tool_computer_managed_service_account, "Create a managed service account in the given AD domain", },
{ "create-user", adcli_tool_user_create, "Create a user account", },
{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
{ "create-group", adcli_tool_group_create, "Create a group", },
diff --git a/tools/tools.h b/tools/tools.h
index 3702875..82d5e4e 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -82,6 +82,10 @@ int adcli_tool_computer_show (adcli_conn *conn,
int argc,
char *argv[]);
+int adcli_tool_computer_managed_service_account (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
int adcli_tool_user_create (adcli_conn *conn,
int argc,
char *argv[]);
--
2.28.0

358
SOURCES/0003-enroll-use-computer-or-service-in-debug-messages.patch Normal file
View File

@ -0,0 +1,358 @@
From eea6a8071b5e5df74808903bb15b30acf820ce3f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 23 Oct 2020 16:55:11 +0200
Subject: [PATCH 3/7] enroll: use 'computer' or 'service' in debug messages
Use proper account type in debug messages.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 115 ++++++++++++++++++++++++++++-----------------
1 file changed, 72 insertions(+), 43 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index dbfda36..9cdc79b 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -155,6 +155,12 @@ struct _adcli_enroll {
char *description;
};
+static const char *
+s_or_c (adcli_enroll *enroll)
+{
+ return enroll->is_service ? "service" : "computer";
+}
+
static void
check_if_service (adcli_enroll *enroll,
LDAP *ldap,
@@ -203,13 +209,15 @@ ensure_computer_name (adcli_result res,
return res;
if (enroll->computer_name) {
- _adcli_info ("Enrolling computer name: %s",
+ _adcli_info ("Enrolling %s name: %s",
+ s_or_c (enroll),
enroll->computer_name);
return ADCLI_SUCCESS;
}
if (!enroll->host_fqdn) {
- _adcli_err ("No host name from which to determine the computer name");
+ _adcli_err ("No host name from which to determine the %s name",
+ s_or_c (enroll));
return ADCLI_ERR_CONFIG;
}
@@ -603,7 +611,8 @@ lookup_computer_container (adcli_enroll *enroll,
} else if (ret != LDAP_SUCCESS) {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
- "Couldn't lookup computer container: %s", base);
+ "Couldn't lookup %s container: %s",
+ s_or_c (enroll), base);
}
values = _adcli_ldap_parse_values (ldap, results, attrs[0]);
@@ -614,8 +623,8 @@ lookup_computer_container (adcli_enroll *enroll,
if (strncmp (values[i], prefix, prefix_len) == 0) {
enroll->computer_container = strdup (values[i] + prefix_len);
return_unexpected_if_fail (enroll->computer_container != NULL);
- _adcli_info ("Found well known computer container at: %s",
- enroll->computer_container);
+ _adcli_info ("Found well known %s container at: %s",
+ s_or_c (enroll), enroll->computer_container);
break;
}
}
@@ -629,8 +638,9 @@ lookup_computer_container (adcli_enroll *enroll,
if (ret == LDAP_SUCCESS) {
enroll->computer_container = _adcli_ldap_parse_dn (ldap, results);
if (enroll->computer_container) {
- _adcli_info ("Well known computer container not "
+ _adcli_info ("Well known %s container not "
"found, but found suitable one at: %s",
+ s_or_c (enroll),
enroll->computer_container);
}
}
@@ -646,7 +656,8 @@ lookup_computer_container (adcli_enroll *enroll,
}
if (!enroll->computer_container) {
- _adcli_err ("Couldn't find location to create computer accounts");
+ _adcli_err ("Couldn't find location to create %s accounts",
+ s_or_c (enroll));
return ADCLI_ERR_DIRECTORY;
}
@@ -674,7 +685,8 @@ calculate_computer_account (adcli_enroll *enroll,
if (asprintf (&enroll->computer_dn, "CN=%s,%s", enroll->computer_name, enroll->computer_container) < 0)
return_unexpected_if_reached ();
- _adcli_info ("Calculated computer account: %s", enroll->computer_dn);
+ _adcli_info ("Calculated %s account: %s",
+ s_or_c (enroll), enroll->computer_dn);
return ADCLI_SUCCESS;
}
@@ -861,7 +873,8 @@ create_computer_account (adcli_enroll *enroll,
enroll->computer_dn);
}
- _adcli_info ("Created computer account: %s", enroll->computer_dn);
+ _adcli_info ("Created %s account: %s", s_or_c (enroll),
+ enroll->computer_dn);
return ADCLI_SUCCESS;
}
@@ -908,17 +921,17 @@ validate_computer_account (adcli_enroll *enroll,
assert (enroll->computer_dn != NULL);
if (already_exists && !allow_overwrite) {
- _adcli_err ("The computer account %s already exists",
- enroll->computer_name);
+ _adcli_err ("The %s account %s already exists",
+ s_or_c (enroll), enroll->computer_name);
return ADCLI_ERR_CONFIG;
}
/* Do we have an explicitly requested ou? */
if (enroll->domain_ou && enroll->domain_ou_explicit && already_exists) {
if (!_adcli_ldap_dn_has_ancestor (enroll->computer_dn, enroll->domain_ou)) {
- _adcli_err ("The computer account %s already exists, "
+ _adcli_err ("The %s account %s already exists, "
"but is not in the desired organizational unit.",
- enroll->computer_name);
+ s_or_c (enroll), enroll->computer_name);
return ADCLI_ERR_CONFIG;
}
}
@@ -943,7 +956,8 @@ delete_computer_account (adcli_enroll *enroll,
"Couldn't delete computer account: %s",
enroll->computer_dn);
} else {
- _adcli_info ("Deleted computer account at: %s", enroll->computer_dn);
+ _adcli_info ("Deleted %s account at: %s", s_or_c (enroll),
+ enroll->computer_dn);
}
return ADCLI_SUCCESS;
@@ -992,20 +1006,21 @@ locate_computer_account (adcli_enroll *enroll,
free (enroll->computer_dn);
enroll->computer_dn = strdup (dn);
return_unexpected_if_fail (enroll->computer_dn != NULL);
- _adcli_info ("Found computer account for %s at: %s",
- enroll->computer_sam, dn);
+ _adcli_info ("Found %s account for %s at: %s",
+ s_or_c (enroll), enroll->computer_sam, dn);
ldap_memfree (dn);
} else {
ldap_msgfree (results);
results = NULL;
- _adcli_info ("Computer account for %s does not exist",
- enroll->computer_sam);
+ _adcli_info ("A %s account for %s does not exist",
+ s_or_c (enroll), enroll->computer_sam);
}
} else {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
- "Couldn't lookup computer account: %s",
+ "Couldn't lookup %s account: %s",
+ s_or_c (enroll),
enroll->computer_sam);
}
@@ -1039,7 +1054,9 @@ load_computer_account (adcli_enroll *enroll,
if (ret == LDAP_SUCCESS) {
entry = ldap_first_entry (ldap, results);
if (entry) {
- _adcli_info ("Found computer account for %s at: %s",
+ check_if_service (enroll, ldap, results);
+ _adcli_info ("Found %s account for %s at: %s",
+ s_or_c (enroll),
enroll->computer_sam, enroll->computer_dn);
}
@@ -1146,7 +1163,8 @@ set_password_with_user_creds (adcli_enroll *enroll)
&result_code_string, &result_string);
if (code != 0) {
- _adcli_err ("Couldn't set password for computer account: %s: %s",
+ _adcli_err ("Couldn't set password for %s account: %s: %s",
+ s_or_c (enroll),
enroll->computer_sam, krb5_get_error_message (k5, code));
/* TODO: Parse out these values */
res = ADCLI_ERR_DIRECTORY;
@@ -1160,7 +1178,8 @@ set_password_with_user_creds (adcli_enroll *enroll)
if (result_string.length)
message = _adcli_str_dupn (result_string.data, result_string.length);
#endif
- _adcli_err ("Cannot set computer password: %.*s%s%s",
+ _adcli_err ("Cannot set %s password: %.*s%s%s",
+ s_or_c (enroll),
(int)result_code_string.length, result_code_string.data,
message ? ": " : "", message ? message : "");
res = ADCLI_ERR_CREDENTIALS;
@@ -1170,7 +1189,7 @@ set_password_with_user_creds (adcli_enroll *enroll)
free (message);
#endif
} else {
- _adcli_info ("Set computer password");
+ _adcli_info ("Set %s password", s_or_c (enroll));
if (enroll->kvno > 0) {
enroll->kvno++;
_adcli_info ("kvno incremented to %d", enroll->kvno);
@@ -1203,7 +1222,8 @@ set_password_with_computer_creds (adcli_enroll *enroll)
code = _adcli_kinit_computer_creds (enroll->conn, "kadmin/changepw", NULL, &creds);
if (code != 0) {
- _adcli_err ("Couldn't get change password ticket for computer account: %s: %s",
+ _adcli_err ("Couldn't get change password ticket for %s account: %s: %s",
+ s_or_c (enroll),
enroll->computer_sam, krb5_get_error_message (k5, code));
return ADCLI_ERR_DIRECTORY;
}
@@ -1214,7 +1234,8 @@ set_password_with_computer_creds (adcli_enroll *enroll)
krb5_free_cred_contents (k5, &creds);
if (code != 0) {
- _adcli_err ("Couldn't change password for computer account: %s: %s",
+ _adcli_err ("Couldn't change password for %s account: %s: %s",
+ s_or_c (enroll),
enroll->computer_sam, krb5_get_error_message (k5, code));
/* TODO: Parse out these values */
res = ADCLI_ERR_DIRECTORY;
@@ -1284,7 +1305,8 @@ retrieve_computer_account (adcli_enroll *enroll)
if (ret != LDAP_SUCCESS) {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
- "Couldn't retrieve computer account info: %s",
+ "Couldn't retrieve %s account info: %s",
+ s_or_c (enroll),
enroll->computer_dn);
}
@@ -1294,15 +1316,15 @@ retrieve_computer_account (adcli_enroll *enroll)
if (value != NULL) {
kvno = strtoul (value, &end, 10);
if (end == NULL || *end != '\0') {
- _adcli_err ("Invalid kvno '%s' for computer account in directory: %s",
- value, enroll->computer_dn);
+ _adcli_err ("Invalid kvno '%s' for %s account in directory: %s",
+ value, s_or_c (enroll), enroll->computer_dn);
res = ADCLI_ERR_DIRECTORY;
} else {
enroll->kvno = kvno;
- _adcli_info ("Retrieved kvno '%s' for computer account in directory: %s",
- value, enroll->computer_dn);
+ _adcli_info ("Retrieved kvno '%s' for %s account in directory: %s",
+ value, s_or_c (enroll), enroll->computer_dn);
}
free (value);
@@ -1311,8 +1333,8 @@ retrieve_computer_account (adcli_enroll *enroll)
/* Apparently old AD didn't have this attribute, use zero */
enroll->kvno = 0;
- _adcli_info ("No kvno found for computer account in directory: %s",
- enroll->computer_dn);
+ _adcli_info ("No kvno found for %s account in directory: %s",
+ s_or_c (enroll), enroll->computer_dn);
}
}
@@ -1353,12 +1375,14 @@ update_and_calculate_enctypes (adcli_enroll *enroll)
if (ret == LDAP_INSUFFICIENT_ACCESS) {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
- "Insufficient permissions to set encryption types on computer account: %s",
+ "Insufficient permissions to set encryption types on %s account: %s",
+ s_or_c (enroll),
enroll->computer_dn);
} else if (ret != LDAP_SUCCESS) {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
- "Couldn't set encryption types on computer account: %s",
+ "Couldn't set encryption types on %s account: %s",
+ s_or_c (enroll),
enroll->computer_dn);
}
@@ -1381,13 +1405,14 @@ update_computer_attribute (adcli_enroll *enroll,
string = _adcli_ldap_mods_to_string (mods);
return_unexpected_if_fail (string != NULL);
- _adcli_info ("Modifying computer account: %s", string);
+ _adcli_info ("Modifying %s account: %s", s_or_c (enroll), string);
ret = ldap_modify_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
if (ret != LDAP_SUCCESS) {
- _adcli_warn ("Couldn't set %s on computer account: %s: %s",
- string, enroll->computer_dn, ldap_err2string (ret));
+ _adcli_warn ("Couldn't set %s on %s account: %s: %s",
+ string, s_or_c (enroll), enroll->computer_dn,
+ ldap_err2string (ret));
res = ADCLI_ERR_DIRECTORY;
}
@@ -1411,8 +1436,8 @@ static char *get_user_account_control (adcli_enroll *enroll)
attr_val = strtoul (uac_str, &end, 10);
if (*end != '\0' || attr_val > UINT32_MAX) {
- _adcli_warn ("Invalid userAccountControl '%s' for computer account in directory: %s, assuming 0",
- uac_str, enroll->computer_dn);
+ _adcli_warn ("Invalid userAccountControl '%s' for %s account in directory: %s, assuming 0",
+ uac_str, s_or_c (enroll), enroll->computer_dn);
} else {
uac = attr_val;
}
@@ -1653,7 +1678,8 @@ load_keytab_entry (krb5_context k5,
_adcli_str_has_suffix (name, "$") && !strchr (name, '/')) {
enroll->computer_name = name;
name[len - 1] = '\0';
- _adcli_info ("Found computer name in keytab: %s", name);
+ _adcli_info ("Found %s name in keytab: %s",
+ s_or_c (enroll), name);
adcli_conn_set_computer_name (enroll->conn,
enroll->computer_name);
name = NULL;
@@ -2348,7 +2374,8 @@ adcli_enroll_read_computer_account (adcli_enroll *enroll,
if (res != ADCLI_SUCCESS)
return res;
if (!enroll->computer_dn) {
- _adcli_err ("No computer account for %s exists", enroll->computer_sam);
+ _adcli_err ("No %s account for %s exists",
+ s_or_c (enroll), enroll->computer_sam);
return ADCLI_ERR_CONFIG;
}
}
@@ -2460,7 +2487,8 @@ adcli_enroll_delete (adcli_enroll *enroll,
if (res != ADCLI_SUCCESS)
return res;
if (!enroll->computer_dn) {
- _adcli_err ("No computer account for %s exists",
+ _adcli_err ("No %s account for %s exists",
+ s_or_c (enroll),
enroll->computer_sam);
return ADCLI_ERR_CONFIG;
}
@@ -2503,7 +2531,8 @@ adcli_enroll_password (adcli_enroll *enroll,
if (res != ADCLI_SUCCESS)
return res;
if (!enroll->computer_dn) {
- _adcli_err ("No computer account for %s exists",
+ _adcli_err ("No %s account for %s exists",
+ s_or_c (enroll),
enroll->computer_sam);
return ADCLI_ERR_CONFIG;
}
--
2.28.0

77
SOURCES/0004-enroll-more-filters-for-random-characters.patch Normal file
View File

@ -0,0 +1,77 @@
From 2750f536ac6746756335eec8332060d2365a4126 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 14:44:07 +0100
Subject: [PATCH 4/7] enroll: more filters for random characters
Make handling of random strings more flexible.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 9cdc79b..44383cc 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -259,6 +259,29 @@ ensure_computer_sam (adcli_result res,
return ADCLI_SUCCESS;
}
+typedef int (rand_filter) (char *password, int length);
+
+static int
+filter_sam_chars (char *password,
+ int length)
+{
+ int i, j;
+
+ /*
+ * There are a couple of restrictions for characters in the
+ * sAMAccountName attribute value, for our purpose (random suffix)
+ * letters and numbers are sufficient.
+ */
+ for (i = 0, j = 0; i < length; i++) {
+ if (password[i] >= 48 && password[i] <= 122 &&
+ isalnum (password[i]))
+ password[j++] = password[i];
+ }
+
+ /* return the number of valid characters remaining */
+ return j;
+}
+
static int
filter_password_chars (char *password,
int length)
@@ -283,7 +306,8 @@ filter_password_chars (char *password,
static char *
generate_host_password (adcli_enroll *enroll,
- size_t length)
+ size_t length,
+ rand_filter *filter)
{
char *password;
krb5_context k5;
@@ -305,7 +329,7 @@ generate_host_password (adcli_enroll *enroll,
code = krb5_c_random_make_octets (k5, &buffer);
return_val_if_fail (code == 0, NULL);
- at += filter_password_chars (buffer.data, buffer.length);
+ at += filter (buffer.data, buffer.length);
assert (at <= length);
}
@@ -333,7 +357,7 @@ ensure_computer_password (adcli_result res,
_adcli_info ("Using default reset computer password");
} else {
- enroll->computer_password = generate_host_password (enroll, length);
+ enroll->computer_password = generate_host_password (enroll, length, filter_password_chars);
return_unexpected_if_fail (enroll->computer_password != NULL);
_adcli_info ("Generated %d character computer password", length);
}
--
2.28.0

91
SOURCES/0005-enroll-make-adcli_enroll_add_keytab_for_service_acco.patch Normal file
View File

@ -0,0 +1,91 @@
From 81c98e367ba4bc8d77668acd31e462ad31cf12be Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 14:47:31 +0100
Subject: [PATCH 5/7] enroll: make adcli_enroll_add_keytab_for_service_account
public
Determine keytab name more early to catch errors more early.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 13 +++++++------
library/adenroll.h | 2 ++
tools/computer.c | 6 ++++++
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 44383cc..05bb085 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2276,9 +2276,10 @@ adcli_enroll_add_description_for_service_account (adcli_enroll *enroll)
return ADCLI_SUCCESS;
}
-static adcli_result
+adcli_result
adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll)
{
+ adcli_result res;
krb5_context k5;
krb5_error_code code;
char def_keytab_name[MAX_KEYTAB_NAME_LEN];
@@ -2286,11 +2287,14 @@ adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll)
int ret;
if (adcli_enroll_get_keytab_name (enroll) == NULL) {
- k5 = adcli_conn_get_krb5_context (enroll->conn);
- return_unexpected_if_fail (k5 != NULL);
+ res = _adcli_krb5_init_context (&k5);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
code = krb5_kt_default_name (k5, def_keytab_name,
sizeof (def_keytab_name));
+ krb5_free_context (k5);
return_unexpected_if_fail (code == 0);
lc_dom_name = strdup (adcli_conn_get_domain_name (enroll->conn));
@@ -2326,9 +2330,6 @@ adcli_enroll_join (adcli_enroll *enroll,
if (enroll->is_service) {
res = adcli_enroll_add_description_for_service_account (enroll);
- if (res == ADCLI_SUCCESS) {
- res = adcli_enroll_add_keytab_for_service_account (enroll);
- }
} else {
res = ensure_default_service_names (enroll);
}
diff --git a/library/adenroll.h b/library/adenroll.h
index 7765ed4..11a30c8 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -146,6 +146,8 @@ const char * adcli_enroll_get_keytab_name (adcli_enroll *enroll);
void adcli_enroll_set_keytab_name (adcli_enroll *enroll,
const char *value);
+adcli_result adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll);
+
krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll);
void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
diff --git a/tools/computer.c b/tools/computer.c
index 63fd374..98a0472 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -1166,6 +1166,12 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
adcli_enroll_set_is_service (enroll, true);
adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);
+ res = adcli_enroll_add_keytab_for_service_account (enroll);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("Failed to set domain specific keytab name");
+ adcli_enroll_unref (enroll);
+ return 2;
+ }
res = adcli_enroll_load (enroll);
if (res != ADCLI_SUCCESS) {
--
2.28.0

129
SOURCES/0006-enroll-allow-fqdn-for-locate_computer_account.patch Normal file
View File

@ -0,0 +1,129 @@
From 2a695dfe09cafeee3a648d3b969c364f8d3f494f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 14:49:55 +0100
Subject: [PATCH 6/7] enroll: allow fqdn for locate_computer_account
Make it possible to find existing manages service account by the
fully-qualified name.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 45 +++++++++++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 14 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 05bb085..98cd5fa 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -990,10 +990,11 @@ delete_computer_account (adcli_enroll *enroll,
static adcli_result
locate_computer_account (adcli_enroll *enroll,
LDAP *ldap,
+ bool use_fqdn,
LDAPMessage **rresults,
LDAPMessage **rentry)
{
- char *attrs[] = { "objectClass", NULL };
+ char *attrs[] = { "objectClass", "CN", NULL };
LDAPMessage *results = NULL;
LDAPMessage *entry = NULL;
const char *base;
@@ -1003,12 +1004,22 @@ locate_computer_account (adcli_enroll *enroll,
int ret = 0;
/* If we don't yet know our computer dn, then try and find it */
- value = _adcli_ldap_escape_filter (enroll->computer_sam);
- return_unexpected_if_fail (value != NULL);
- if (asprintf (&filter, "(&(objectClass=%s)(sAMAccountName=%s))",
- enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
- value) < 0)
- return_unexpected_if_reached ();
+ if (use_fqdn) {
+ return_unexpected_if_fail (enroll->host_fqdn != NULL);
+ value = _adcli_ldap_escape_filter (enroll->host_fqdn);
+ return_unexpected_if_fail (value != NULL);
+ if (asprintf (&filter, "(&(objectClass=%s)(dNSHostName=%s))",
+ enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
+ value) < 0)
+ return_unexpected_if_reached ();
+ } else {
+ value = _adcli_ldap_escape_filter (enroll->computer_sam);
+ return_unexpected_if_fail (value != NULL);
+ if (asprintf (&filter, "(&(objectClass=%s)(sAMAccountName=%s))",
+ enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
+ value) < 0)
+ return_unexpected_if_reached ();
+ }
free (value);
base = adcli_conn_get_default_naming_context (enroll->conn);
@@ -1031,21 +1042,26 @@ locate_computer_account (adcli_enroll *enroll,
enroll->computer_dn = strdup (dn);
return_unexpected_if_fail (enroll->computer_dn != NULL);
_adcli_info ("Found %s account for %s at: %s",
- s_or_c (enroll), enroll->computer_sam, dn);
+ s_or_c (enroll),
+ use_fqdn ? enroll->host_fqdn
+ : enroll->computer_sam, dn);
ldap_memfree (dn);
} else {
ldap_msgfree (results);
results = NULL;
_adcli_info ("A %s account for %s does not exist",
- s_or_c (enroll), enroll->computer_sam);
+ s_or_c (enroll),
+ use_fqdn ? enroll->host_fqdn
+ : enroll->computer_sam);
}
} else {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
"Couldn't lookup %s account: %s",
s_or_c (enroll),
- enroll->computer_sam);
+ use_fqdn ? enroll->host_fqdn
+ :enroll->computer_sam);
}
if (rresults)
@@ -1120,7 +1136,8 @@ locate_or_create_computer_account (adcli_enroll *enroll,
/* Try to find the computer account */
if (!enroll->computer_dn) {
- res = locate_computer_account (enroll, ldap, &results, &entry);
+ res = locate_computer_account (enroll, ldap, false,
+ &results, &entry);
if (res != ADCLI_SUCCESS)
return res;
searched = 1;
@@ -2395,7 +2412,7 @@ adcli_enroll_read_computer_account (adcli_enroll *enroll,
/* Find the computer dn */
if (!enroll->computer_dn) {
- res = locate_computer_account (enroll, ldap, NULL, NULL);
+ res = locate_computer_account (enroll, ldap, false, NULL, NULL);
if (res != ADCLI_SUCCESS)
return res;
if (!enroll->computer_dn) {
@@ -2508,7 +2525,7 @@ adcli_enroll_delete (adcli_enroll *enroll,
/* Find the computer dn */
if (!enroll->computer_dn) {
- res = locate_computer_account (enroll, ldap, NULL, NULL);
+ res = locate_computer_account (enroll, ldap, false, NULL, NULL);
if (res != ADCLI_SUCCESS)
return res;
if (!enroll->computer_dn) {
@@ -2552,7 +2569,7 @@ adcli_enroll_password (adcli_enroll *enroll,
/* Find the computer dn */
if (!enroll->computer_dn) {
- res = locate_computer_account (enroll, ldap, NULL, NULL);
+ res = locate_computer_account (enroll, ldap, false, NULL, NULL);
if (res != ADCLI_SUCCESS)
return res;
if (!enroll->computer_dn) {
--
2.28.0

122
SOURCES/0007-service-account-add-random-suffix-to-account-name.patch Normal file
View File

@ -0,0 +1,122 @@
From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 15:23:04 +0100
Subject: [PATCH 7/7] service-account: add random suffix to account name
Add a random component to the default managed service account name to
avoid name collisions.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index 98cd5fa..f693e58 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
return ADCLI_SUCCESS;
}
+static adcli_result
+refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
+ const char *name)
+{
+ adcli_result res;
+
+ adcli_enroll_set_computer_name (enroll, name);
+ res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
+ res = ensure_keytab_principals (res, enroll);
+
+ return res;
+}
+
+static adcli_result
+calculate_random_service_account_name (adcli_enroll *enroll)
+{
+ char *suffix;
+ char *new_name;
+ int ret;
+ adcli_result res;
+
+ suffix = generate_host_password (enroll, 3, filter_sam_chars);
+ return_unexpected_if_fail (suffix != NULL);
+
+ ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
+ free (suffix);
+ return_unexpected_if_fail (ret > 0);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, new_name);
+ free (new_name);
+
+ return res;
+}
+
+static adcli_result
+get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
+{
+ LDAP *ldap;
+ char *cn;
+ adcli_result res;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ cn = _adcli_ldap_parse_value (ldap, results, "CN");
+ return_unexpected_if_fail (cn != NULL);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, cn);
+ free (cn);
+
+ return res;
+}
+
static adcli_result
locate_or_create_computer_account (adcli_enroll *enroll,
int allow_overwrite)
@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
searched = 1;
}
+ /* Try with fqdn for service accounts */
+ if (!enroll->computer_dn && enroll->is_service
+ && enroll->host_fqdn != NULL) {
+ res = locate_computer_account (enroll, ldap, true,
+ &results, &entry);
+ if (res != ADCLI_SUCCESS)
+ return res;
+ searched = 1;
+
+ if (results != NULL) {
+ res = get_service_account_name_from_ldap (enroll,
+ results);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
+ }
+
/* Next try and come up with where we think it should be */
if (enroll->computer_dn == NULL) {
+ if (enroll->is_service && !enroll->computer_name_explicit) {
+ res = calculate_random_service_account_name (enroll);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
res = calculate_computer_account (enroll, ldap);
if (res != ADCLI_SUCCESS)
return res;
@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
if (enroll->is_service) {
/* Ensure basic params for service accounts */
+ res = ensure_host_fqdn (res, enroll);
+ res = ensure_computer_name (res, enroll);
res = ensure_computer_sam (res, enroll);
res = ensure_computer_password (res, enroll);
res = ensure_host_keytab (res, enroll);
--
2.28.0

41
SPECS/adcli.spec
View File

@ -1,6 +1,6 @@
Name: adcli
Version: 0.8.2
Release: 7%{?dist}
Release: 9%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli
@ -115,7 +115,7 @@ Patch64: 0001-discovery-fix.patch
Patch65: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
# rhbz#1846878 - adcli: presetting $computer in $domain domain failed: Cannot
# set computer password: Authentication error
# set computer password: Authentication error
Patch66: 0001-tools-disable-SSSD-s-locator-plugin.patch
# rhbz#1791611 - Typo in adcli update --help option
@ -125,6 +125,31 @@ Patch67: 0001-tools-fix-typo-in-show-password-help-output.patch
Patch68: 0001-man-explain-optional-parameter-of-login-ccache-bette.patch
Patch69: 0001-man-make-handling-of-optional-credential-cache-more-.patch
# rhbz#1883467 - Add --use-ldaps option to adcli update as well
Patch70: 0001-tools-add-missing-use-ldaps-option-to-update-and-tes.patch
# rhbz#1734764 - Cannot join a pre-staged Computer Account on AD in Custom OU
# using Delegated user
Patch71: 0001-join-update-set-dNSHostName-if-not-set.patch
# rhbz#1852080 - missing documentation for required AD rights for adcli join
# and net join
Patch72: 0001-doc-add-missing-samba_data_tool_path.xml-.in-to-EXTR.patch
Patch73: 0001-doc-explain-required-AD-permissions.patch
# rhbz#1854112 - [RFE] Add new mode to just create an AD account to be able to
# connect to LDAP
Patch74: 0001-enroll-add-is_service-member.patch
Patch75: 0002-computer-add-create-msa-sub-command.patch
Patch76: 0003-enroll-use-computer-or-service-in-debug-messages.patch
Patch77: 0004-enroll-more-filters-for-random-characters.patch
Patch78: 0005-enroll-make-adcli_enroll_add_keytab_for_service_acco.patch
Patch79: 0006-enroll-allow-fqdn-for-locate_computer_account.patch
Patch80: 0007-service-account-add-random-suffix-to-account-name.patch
# rhbz#1906303 - Typo in CREATE A SERVICE ACCOUNT section of man page of adcli
Patch81: 0001-service-account-fix-typo-in-the-man-page-entry.patch
BuildRequires: gcc
BuildRequires: intltool pkgconfig
BuildRequires: libtool
@ -185,6 +210,18 @@ documentation.
%doc %{_datadir}/doc/adcli/*
%changelog
* Fri Dec 11 2020 Sumit Bose <sbose@redhat,com> - 0.8.2-9
- Typo in CREATE A SERVICE ACCOUNT section of man page of adcli [#1906303]
* Wed Nov 11 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-8
- Add --use-ldaps option to adcli update as well [#1883467]
- Cannot join a pre-staged Computer Account on AD in Custom OU using Delegated
user [#1734764]
- missing documentation for required AD rights for adcli join and net
join [#1852080]
- [RFE] Add new mode to just create an AD account to be able to connect to
LDAP [#1854112]
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-7
- Improve "-C" option description in man page even more [#1791545]