From 972f1a2f35829ed89f5353bd204683aa9ad6a2d2 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 22 Mar 2019 10:37:57 +0100
Subject: [PATCH 4/4] library: make sure server side SPNs are preserved

adcli should not delete service principal names (SPNs) unexpectedly. If a SPN was added on the server while presetting a host or updating an existing entry and upcoming adcli join or update should preserver this change.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
---
 library/adenroll.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/library/adenroll.c b/library/adenroll.c
index 48cb4cf..1cce86a 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1961,6 +1961,47 @@ adcli_enroll_prepare (adcli_enroll *enroll,
 return res;
 }
 
+static adcli_result
+add_server_side_service_principals (adcli_enroll *enroll)
+{
+ char **spn_list;
+ LDAP *ldap;
+ size_t c;
+ int length = 0;
+ adcli_result res;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ spn_list = _adcli_ldap_parse_values (ldap, enroll->computer_attributes,
+ "servicePrincipalName");
+ if (spn_list == NULL) {
+ return ADCLI_SUCCESS;
+ }
+
+ if (enroll->service_principals != NULL) {
+ length = seq_count (enroll->service_principals);
+ }
+
+ for (c = 0; spn_list[c] != NULL; c++) {
+ _adcli_info ("Checking %s", spn_list[c]);
+ if (!_adcli_strv_has_ex (enroll->service_principals_to_remove, spn_list[c], strcasecmp)) {
+ enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals,
+ spn_list[c], &length, false);
+ assert (enroll->service_principals != NULL);
+ _adcli_info (" Added %s", spn_list[c]);
+ }
+ }
+ _adcli_strv_free (spn_list);
+
+ res = ensure_keytab_principals (ADCLI_SUCCESS, enroll);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+
+ return ADCLI_SUCCESS;
+}
+
 static adcli_result
 enroll_join_or_update_tasks (adcli_enroll *enroll,
 adcli_enroll_flags flags)
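Review bot: The ownership of the strings handed to `_adcli_strv_add_unique` is not visible here, yet `_adcli_strv_free (spn_list)` right after the loop frees every element that was just added; if the helper stores the pointer rather than a copy, `enroll->service_principals` holds dangling entries by the time `ensure_keytab_principals` reads them, so either confirm that it duplicates the string or pass `strdup (spn_list[c])` and release only the array afterwards. Note also that the merged names come straight from the computer object's `servicePrincipalName` attribute, so any principal that someone with write access to the object placed there now gets a keytab entry with no further validation; that is the intended behaviour per the commit message, but it deserves a header comment so the next reader does not take it for a bug, e.g. `/* Merge SPNs found on the computer object into the local list (skipping those explicitly requested for removal) so a join/update does not drop them, then regenerate the keytab principals. */`. The trailing `false` passed to `_adcli_strv_add_unique` presumably selects case-insensitive matching to agree with the `strcasecmp` used two lines above — worth confirming, otherwise `HOST/x` and `host/x` can both end up in the list. The context lines after the new function belong to `enroll_join_or_update_tasks`, whose body continues outside the hunk.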
@@ -2019,6 +2060,11 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 update_and_calculate_enctypes (enroll);
 update_computer_account (enroll);
 
+ res = add_server_side_service_principals (enroll);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+
 /* service_names is only set from input on the command line, so no
 * additional check for explicit is needed here */
 if (enroll->service_names != NULL) {
-- 
2.20.1
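Review bot: The merge reads `enroll->computer_attributes`, which were presumably fetched when the computer object was looked up earlier, but the new call sits after `update_computer_account (enroll)` has already written to that object; confirm that nothing between the lookup and this point rewrites `servicePrincipalName` on the server, otherwise the list being merged is stale and a change just pushed could be dropped again on the next write. A one-line comment at the call site would make the intent clear, e.g. `/* Fold SPNs already set on the computer object into the local list before it is pushed back, so a join/update does not delete them (rhbz#1630187) */`. `res` must already be declared in this function for the added `return res;` to compile, which cannot be checked from here since `enroll_join_or_update_tasks` begins and ends outside the hunk.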