
No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

4 changed files with 289 additions and 58 deletions


@ -1 +1 @@
5aba9ae88ad5a75f8ce143372cb8678b96ca5773 SOURCES/adcli-0.9.2.tar.gz
14e715b5ef1b98230a71ab824336185b0495d4e6 SOURCES/adcli-0.9.3.1.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/adcli-0.9.2.tar.gz
SOURCES/adcli-0.9.3.1.tar.gz


@ -0,0 +1,117 @@
From 9c31bb06590f2d96a2d6d8ce87dc3273c283a671 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 19 Dec 2025 14:48:13 +0100
Subject: [PATCH] enroll: fix issues if default keytab is used
librkb5 returns the default keytab with a 'FILE:' prefix which must be
removed before calling libselinux functions to operate on the keytab
file.
Resolves: https://issues.redhat.com/browse/RHEL-78631
---
library/adenroll.c | 32 ++++++++++++++++++++------------
library/adenroll.h | 3 +--
tools/computer.c | 6 +++---
3 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 20ad198..9484cbf 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2116,30 +2116,38 @@ ensure_host_keytab (adcli_result res,
return ADCLI_SUCCESS;
}
-adcli_result
-ensure_host_keytab_selinux_context (adcli_result res,
- adcli_enroll *enroll)
+void
+restore_host_keytab_selinux_context (adcli_enroll *enroll)
{
#ifdef BUILD_SELINUX_POLICY
int ret;
-
- if (res != ADCLI_SUCCESS)
- return res;
+ krb5_context k5;
+ const char *name_start;
if (enroll->keytab_name == NULL) {
_adcli_info ("No keytab name available, skipping SELinux restorecon.");
- return ADCLI_SUCCESS;
+ return;
+ }
+
+ name_start = enroll->keytab_name;
+ if (strncmp (name_start, "FILE:", 5) == 0) {
+ name_start = enroll->keytab_name + 5;
}
- ret = selinux_restorecon (adcli_enroll_get_keytab_name (enroll), 0);
+ if (enroll->keytab != NULL) {
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ krb5_kt_close (k5, enroll->keytab);
+ enroll->keytab = NULL;
+ }
+
+ ret = selinux_restorecon (name_start, 0);
if (ret != 0) {
- _adcli_err ("Failed to set SELinux context for %s with error %d: %s",
- enroll->keytab_name, ret, strerror (ret));
- return ADCLI_ERR_FAIL;
+ _adcli_err ("Failed to set SELinux context for %s with error %d: %s, ignored",
+ name_start, ret, strerror (errno));
}
#endif
- return ADCLI_SUCCESS;
+ return;
}
diff --git a/library/adenroll.h b/library/adenroll.h
index 79eb7a8..5aba81b 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -192,6 +192,5 @@ void adcli_enroll_set_samba_data_tool (adcli_enroll *enroll,
const char * adcli_enroll_get_samba_data_tool (adcli_enroll *enroll);
-adcli_result ensure_host_keytab_selinux_context (adcli_result res,
- adcli_enroll *enroll);
+void restore_host_keytab_selinux_context (adcli_enroll *enroll);
#endif /* ADENROLL_H_ */
diff --git a/tools/computer.c b/tools/computer.c
index ee027dc..f056366 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -520,7 +520,7 @@ adcli_tool_computer_join (adcli_conn *conn,
else if (show_password)
dump_password (conn, enroll);
- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+ restore_host_keytab_selinux_context (enroll);
adcli_enroll_unref (enroll);
@@ -655,7 +655,7 @@ adcli_tool_computer_update (adcli_conn *conn,
else if (show_password)
dump_password (conn, enroll);
- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+ restore_host_keytab_selinux_context (enroll);
adcli_enroll_unref (enroll);
@@ -1275,7 +1275,7 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
else if (show_password)
dump_password (conn, enroll);
- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+ restore_host_keytab_selinux_context (enroll);
adcli_enroll_unref (enroll);
--
2.52.0
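Review bot: In `restore_host_keytab_selinux_context` (the library/adenroll.c hunk), only the `FILE:` prefix is stripped before `selinux_restorecon` is called, so a keytab name carrying any other type prefix (for example `WRFILE:`, or a non-file type such as `MEMORY:`) is still handed over as if it were a path. That call then fails, and since the function now returns `void` and only logs the error as "ignored", the keytab keeps whatever label it was created with and no caller can react to it. I would accept the other file-backed prefix as well, `else if (strncmp (name_start, "WRFILE:", 7) == 0) name_start += 7;`, and skip the restorecon with an `_adcli_info` message when the name has a type prefix that does not refer to a file. A short comment above the function stating that a labelling failure is deliberately non-fatal, and why `enroll->keytab` is closed before relabelling, would help the next reader; the reason for the close is not visible in this patch.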


@ -1,10 +1,16 @@
%global with_selinux 1
%global selinuxtype targeted
%global modulename adcli
Name: adcli
Version: 0.9.2
Release: 1%{?dist}
Version: 0.9.3.1
Release: 3%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
License: LGPL-2.1-or-later
URL: https://gitlab.freedesktop.org/realmd/adcli
Source0: https://gitlab.freedesktop.org/realmd/adcli/uploads/ea560656ac921b3fe0d455976aaae9be/adcli-%{version}.tar.gz
Source0: https://gitlab.freedesktop.org/-/project/1196/uploads/5a1c55410c0965835b81fbd28d820d46/adcli-%{version}.tar.gz
Patch1: 0001-enroll-fix-issues-if-default-keytab-is-used.patch
BuildRequires: gcc
BuildRequires: intltool pkgconfig
@ -15,6 +21,13 @@ BuildRequires: openldap-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: make
BuildRequires: libnetapi-devel
# Build dependencies for SELinux policy
%if %{with selinux}
BuildRequires: libselinux-devel
BuildRequires: selinux-policy-devel
%endif
Requires: cyrus-sasl-gssapi
Conflicts: adcli-doc < %{version}-%{release}
@ -23,10 +36,37 @@ Conflicts: adcli-doc < %{version}-%{release}
# the adcli tool itself is to be used by callers
Obsoletes: adcli-devel < 0.5
%if %{with selinux}
# This ensures that the *-selinux package and all its dependencies are not
# pulled into containers and other systems that do not use SELinux. The
# policy defines types and file contexts for client and server.
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%description
adcli is a tool for joining an Active Directory domain using
standard LDAP and Kerberos calls.
%if %{with selinux}
# SELinux subpackage
%package selinux
Summary: The adcli SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
Requires: selinux-policy >= %{_selinux_policy_version}
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
Requires(post): selinux-policy-base >= %{_selinux_policy_version}
Requires(post): libselinux-utils
Requires(post): policycoreutils
%description selinux
Custom SELinux policy module for adcli to make sure generated Kerberos keytab
files have the right SELinux context.
%endif
%define _hardened_build 1
%prep
@ -39,24 +79,43 @@ autoreconf --force --install --verbose
--with-vendor-error-message='Please check\n https://red.ht/support_rhel_ad \nto get help for common issues.' \
%endif
%{nil}
make %{?_smp_mflags}
%make_build
%check
make check
%install
make install DESTDIR=%{buildroot}
%make_install
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%ldconfig_scriptlets
%if %{with selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%endif
%files
%{_sbindir}/adcli
%doc AUTHORS COPYING ChangeLog NEWS README
%doc %{_mandir}/*/*
%package doc
Summary: adcli documentation
Summary: The adcli documentation package
BuildArch: noarch
Conflicts: adcli < %{version}-%{release}
@ -68,70 +127,125 @@ documentation.
%files doc
%doc %{_datadir}/doc/adcli/*
%if %{with selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%endif
%changelog
* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.9.2-1
* Tue Dec 23 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-3
- Fix issue with restoring SELinux file label
Resolves: RHEL-134944
* Tue Dec 23 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-2
- Add explicit selinux dependencies to avoid policycoreutils-python-utils dependency
Resolves: RHEL-134944
* Wed Dec 17 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-1
- Rebase to latest upstream version
Resolves: RHEL-134944
Resolves: RHEL-134945
Resolves: RHEL-134946
Resolves: RHEL-134947
Resolves: RHEL-134948
Resolves: RHEL-134950
Resolves: RHEL-134951
Resolves: RHEL-134952
* Wed Oct 12 2022 Sumit Bose <sbose@redhat.com> - 0.9.2-1
- Update to upstream release 0.9.2
Resolves: rhbz#1991619, rhbz#2111348, rhbz#2133838
Resolves: rhbz#2124030, rhbz#2133836
* Mon Jun 14 2021 Sumit Bose <sbose@redhat.com> - 0.8.2-12
- [RFE] Allow adcli to create AD user with password as well as set or reset
existing user password [#1952828]
- [RFE] add option to populate "managed by" computer attribute [#1690920]
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.1-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jun 03 2021 Sumit Bose <sbose@redhat.com> - 0.8.2-11
- Add missing patch for [#1769644]
* Wed Jul 28 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-6
- Add ns_get16() and ns_get32() to configure check
Resolves: rhbz#1984892
* Thu Jun 03 2021 Sumit Bose <sbose@redhat.com> - 0.8.2-10
- [RFE] Adcli and Realm Error Code Optimization Request [#1889386]
- [RFE] adcli should allow to modify DONT_EXPIRE_PASSWORD attribute [#1769644]
* Wed Jun 30 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-5
- Sync with upstream/Fedora/RHEL-8.5
Resolves: rhbz#1977168, rhbz#1977167, rhbz#1977165
* Fri Dec 11 2020 Sumit Bose <sbose@redhat,com> - 0.8.2-9
- Typo in CREATE A SERVICE ACCOUNT section of man page of adcli [#1906303]
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.1-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Nov 11 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-8
- Add --use-ldaps option to adcli update as well [#1883467]
- Cannot join a pre-staged Computer Account on AD in Custom OU using Delegated
user [#1734764]
- missing documentation for required AD rights for adcli join and net
join [#1852080]
- [RFE] Add new mode to just create an AD account to be able to connect to
LDAP [#1854112]
* Mon Mar 29 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-3
- Add vendor error message
Resolves: rhbz#1889386
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-7
- Improve "-C" option description in man page even more [#1791545]
* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-2
- Add Conflicts to avoid update/downgrade issues
* Mon Jun 15 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-6
- [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 [#1806260]
- No longer able to delete computer from AD using adcli [#1846882]
- adcli: presetting $computer in $domain domain failed: Cannot set computer
password: Authentication error [#1846878]
- Typo in adcli update --help option [#1791611]
- Manpage and help does not explain the use of "-C" option [#1791545]
* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-1
- Update to upstream release 0.9.1
* Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
sssd [#1762420]
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 28 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
- adcli update --add-samba-data does not work as expected [#1745931]
- Issue is that with arcfour-hmac as first encryption type [#1745932]
- [RFE] enhancement adcli to set description attribute and to show all AD
attributes [#1737342]
* Fri Nov 13 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-6
- Include the latest upstream patches with use-ldaps fixes, man page
improvements and a new sub-command to create managed service accounts
* Fri Jun 14 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-3
- use autosetup macro to simplify patch handling
- fixed rpmlint warnings in the spec file
- join failed if hostname is not FQDN [#1677194]
- adcli join fails in FIPS enabled environment [#1717355]
- forward port of RHEL-7.7 fixes and enhancements
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-5
- man page and help output fixes
* Tue Oct 09 2018 Sumit Bose <sbose@redhat.com> - 0.8.2-2
- Do not add service principals twice and related fixes
- Resolves: rhbz#1631734
* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jul 05 2018 Sumit Bose <sbose@redhat.com> - 0.8.2-1
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 08 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-2
- Include the latest upstream patches
* Wed Mar 18 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-1
- Update to upstream release 0.9.0 and latest patches
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Aug 26 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-8
- various fixes and improvements
Resolves: rhbz#1683745, rhbz#1738573
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jul 5 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.8.2-6
- Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli
needs to backport patches to only use permitted
enctypes from upstream
* Tue Apr 30 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- addition patch for rhbz#1630187 and new ones for rhbz#1588596
Resolves: rhbz#1630187, rhbz#1588596
* Fri Mar 22 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
- various fixes and improvements
Resolves: rhbz#1593240, rhbz#1608212, rhbz#1547014, rhbz#1547014,
rhbz#1649868, rhbz#1588596, rhbz#1642546, rhbz#1595911,
rhbz#1644311, rhbz#1337489, rhbz#1630187, rhbz#1622583
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jul 05 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-1
- Update to upstream release 0.8.2
- various other fixes and improvements from the latest Fedora update
- various other fixes and improvements
- add option to enable "Trust this computer for delegation"
Resolves: rhbz#988349
- fix typos in the adcli man page
Resolves: rhbz#1440533
* Wed Mar 07 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-7
- Added BuildRequires gcc
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild