From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 27 Nov 2019 12:34:45 +0100 Subject: [PATCH 1/2] tools: add show-computer command The show-computer command prints the LDAP attributes of the related computer object from AD. Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342 --- doc/adcli.xml | 28 ++++++++++++++ library/adenroll.c | 78 +++++++++++++++++++++++++++++--------- library/adenroll.h | 5 +++ tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ tools/tools.c | 1 + tools/tools.h | 4 ++ 6 files changed, 191 insertions(+), 18 deletions(-) diff --git a/doc/adcli.xml b/doc/adcli.xml index 9faf96a..1f93186 100644 --- a/doc/adcli.xml +++ b/doc/adcli.xml @@ -93,6 +93,11 @@ --domain=domain.example.com computer + + adcli show-computer + --domain=domain.example.com + computer + @@ -811,6 +816,29 @@ Password for Administrator: + + Show Computer Account Attributes + + adcli show-computer show the computer account + attributes stored in AD. The account must already exist. + + +$ adcli show-computer --domain=domain.example.com host2 +Password for Administrator: + + + If the computer name contains a dot, then it is + treated as fully qualified host name, otherwise it is treated + as short computer name. + + If no computer name is specified, then the host name of the + computer adcli is running on is used, as returned by + gethostname(). + + The various global options can be used. + + + Bugs diff --git a/library/adenroll.c b/library/adenroll.c index 524663a..8d2adeb 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = { 0 }; +static char *default_ad_ldap_attrs[] = { + "sAMAccountName", + "userPrincipalName", + "msDS-KeyVersionNumber", + "msDS-supportedEncryptionTypes", + "dNSHostName", + "servicePrincipalName", + "operatingSystem", + "operatingSystemVersion", + "operatingSystemServicePack", + "pwdLastSet", + "userAccountControl", + NULL, +}; + /* Some constants for the userAccountControl AD LDAP attribute, see e.g. * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro * for details. */ @@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll) char *end; int ret; - char *attrs[] = { - "msDS-KeyVersionNumber", - "msDS-supportedEncryptionTypes", - "dNSHostName", - "servicePrincipalName", - "operatingSystem", - "operatingSystemVersion", - "operatingSystemServicePack", - "pwdLastSet", - "userAccountControl", - NULL, - }; - assert (enroll->computer_dn != NULL); assert (enroll->computer_attributes == NULL); @@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll) assert (ldap != NULL); ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE, - "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1, + "(objectClass=*)", default_ad_ldap_attrs, + 0, NULL, NULL, NULL, -1, &enroll->computer_attributes); if (ret != LDAP_SUCCESS) { @@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll) } adcli_result -adcli_enroll_update (adcli_enroll *enroll, - adcli_enroll_flags flags) +adcli_enroll_read_computer_account (adcli_enroll *enroll, + adcli_enroll_flags flags) { adcli_result res = ADCLI_SUCCESS; LDAP *ldap; - char *value; return_unexpected_if_fail (enroll != NULL); @@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll, } /* Get information about the computer account */ - res = retrieve_computer_account (enroll); + return retrieve_computer_account (enroll); +} + +adcli_result +adcli_enroll_update (adcli_enroll *enroll, + adcli_enroll_flags flags) +{ + adcli_result res = ADCLI_SUCCESS; + LDAP *ldap; + char *value; + + res = adcli_enroll_read_computer_account (enroll, flags); if (res != ADCLI_SUCCESS) return res; @@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll, return enroll_join_or_update_tasks (enroll, flags); } +adcli_result +adcli_enroll_show_computer_attribute (adcli_enroll *enroll) +{ + LDAP *ldap; + size_t c; + char **vals; + size_t v; + + ldap = adcli_conn_get_ldap_connection (enroll->conn); + assert (ldap != NULL); + + for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) { + vals = _adcli_ldap_parse_values (ldap, + enroll->computer_attributes, + default_ad_ldap_attrs[c]); + printf ("%s:\n", default_ad_ldap_attrs[c]); + if (vals == NULL) { + printf (" - not set -\n"); + } else { + for (v = 0; vals[v] != NULL; v++) { + printf (" %s\n", vals[v]); + } + } + _adcli_strv_free (vals); + } + + return ADCLI_SUCCESS; +} + adcli_result adcli_enroll_delete (adcli_enroll *enroll, adcli_enroll_flags delete_flags) diff --git a/library/adenroll.h b/library/adenroll.h index 1d5d00d..11eb517 100644 --- a/library/adenroll.h +++ b/library/adenroll.h @@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll, adcli_result adcli_enroll_update (adcli_enroll *enroll, adcli_enroll_flags flags); +adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll, + adcli_enroll_flags flags); + +adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll); + adcli_result adcli_enroll_delete (adcli_enroll *enroll, adcli_enroll_flags delete_flags); diff --git a/tools/computer.c b/tools/computer.c index ac8a203..c8b96a4 100644 --- a/tools/computer.c +++ b/tools/computer.c @@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn, adcli_enroll_unref (enroll); return 0; } + +int +adcli_tool_computer_show (adcli_conn *conn, + int argc, + char *argv[]) +{ + adcli_enroll *enroll; + adcli_result res; + int opt; + + struct option options[] = { + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "login-type", required_argument, NULL, opt_login_type }, + { "no-password", no_argument, 0, opt_no_password }, + { "stdin-password", no_argument, 0, opt_stdin_password }, + { "prompt-password", no_argument, 0, opt_prompt_password }, + { "verbose", no_argument, NULL, opt_verbose }, + { "help", no_argument, NULL, 'h' }, + { 0 }, + }; + + static adcli_tool_desc usages[] = { + { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" }, + { 0 }, + }; + + enroll = adcli_enroll_new (conn); + if (enroll == NULL) { + warnx ("unexpected memory problems"); + return -1; + } + + while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { + switch (opt) { + case 'h': + case '?': + case ':': + adcli_tool_usage (options, usages); + adcli_tool_usage (options, common_usages); + adcli_enroll_unref (enroll); + return opt == 'h' ? 0 : 2; + default: + res = parse_option ((Option)opt, optarg, conn, enroll); + if (res != ADCLI_SUCCESS) { + adcli_enroll_unref (enroll); + return res; + } + break; + } + } + + argc -= optind; + argv += optind; + + res = adcli_conn_connect (conn); + if (res != ADCLI_SUCCESS) { + warnx ("couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); + adcli_enroll_unref (enroll); + return -res; + } + + if (argc == 1) { + parse_fqdn_or_name (enroll, argv[0]); + } + + res = adcli_enroll_read_computer_account (enroll, 0); + if (res != ADCLI_SUCCESS) { + warnx ("couldn't read data for %s: %s", + adcli_enroll_get_host_fqdn (enroll) != NULL + ? adcli_enroll_get_host_fqdn (enroll) + : adcli_enroll_get_computer_name (enroll), + adcli_get_last_error ()); + adcli_enroll_unref (enroll); + return -res; + } + + res = adcli_enroll_show_computer_attribute (enroll); + if (res != ADCLI_SUCCESS) { + warnx ("couldn't print data for %s: %s", + argv[0], adcli_get_last_error ()); + adcli_enroll_unref (enroll); + return -res; + } + + adcli_enroll_unref (enroll); + return 0; +} diff --git a/tools/tools.c b/tools/tools.c index fc9fa9a..9d422f2 100644 --- a/tools/tools.c +++ b/tools/tools.c @@ -59,6 +59,7 @@ struct { { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", }, { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", }, { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", }, + { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", }, { "create-user", adcli_tool_user_create, "Create a user account", }, { "delete-user", adcli_tool_user_delete, "Delete a user account", }, { "create-group", adcli_tool_group_create, "Create a group", }, diff --git a/tools/tools.h b/tools/tools.h index 8cebbf9..3702875 100644 --- a/tools/tools.h +++ b/tools/tools.h @@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn, int argc, char *argv[]); +int adcli_tool_computer_show (adcli_conn *conn, + int argc, + char *argv[]); + int adcli_tool_user_create (adcli_conn *conn, int argc, char *argv[]); -- 2.21.0