From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 27 Oct 2020 15:23:04 +0100
Subject: [PATCH 7/7] service-account: add random suffix to account name

Add a random component to the default managed service account name to avoid name collisions.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
 library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/library/adenroll.c b/library/adenroll.c
index 98cd5fa..f693e58 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
 return ADCLI_SUCCESS;
 }
 
+static adcli_result
+refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
+ const char *name)
+{
+ adcli_result res;
+
+ adcli_enroll_set_computer_name (enroll, name);
+ res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
+ res = ensure_keytab_principals (res, enroll);
+
+ return res;
+}
+
+static adcli_result
+calculate_random_service_account_name (adcli_enroll *enroll)
+{
+ char *suffix;
+ char *new_name;
+ int ret;
+ adcli_result res;
+
+ suffix = generate_host_password (enroll, 3, filter_sam_chars);
+ return_unexpected_if_fail (suffix != NULL);
+
+ ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
+ free (suffix);
+ return_unexpected_if_fail (ret > 0);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, new_name);
+ free (new_name);
+
+ return res;
+}
+
+static adcli_result
+get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
+{
+ LDAP *ldap;
+ char *cn;
+ adcli_result res;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ cn = _adcli_ldap_parse_value (ldap, results, "CN");
+ return_unexpected_if_fail (cn != NULL);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, cn);
+ free (cn);
+
+ return res;
+}
+
 static adcli_result
 locate_or_create_computer_account (adcli_enroll *enroll,
 int allow_overwrite)
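Review bot: In calculate_random_service_account_name the suffix length `3` handed to generate_host_password is a bare magic number, and nothing in the hunk bounds the length of the `"%s!%s"` result against the sAMAccountName limit the domain enforces; whether ensure_computer_sam, which refresh_service_account_name_sam_and_princ calls right after, re-derives computer_sam from the new name and validates its length is not visible here, so that should be confirmed. Suggest a named constant such as `#define SERVICE_ACCOUNT_SUFFIX_LEN 3` with the comment `/* Random suffix of three SAM-safe characters, only to avoid name collisions; not a secret */`, plus a short note on why `!` was chosen as the separator. The return value of adcli_enroll_set_computer_name is also discarded; if it can fail (it presumably copies the name), its result should feed ensure_computer_sam instead of the hard-coded ADCLI_SUCCESS. All three new functions are complete within the hunk.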
@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
 searched = 1;
 }
 
+ /* Try with fqdn for service accounts */
+ if (!enroll->computer_dn && enroll->is_service
+ && enroll->host_fqdn != NULL) {
+ res = locate_computer_account (enroll, ldap, true,
+ &results, &entry);
+ if (res != ADCLI_SUCCESS)
+ return res;
+ searched = 1;
+
+ if (results != NULL) {
+ res = get_service_account_name_from_ldap (enroll,
+ results);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
+ }
+
 /* Next try and come up with where we think it should be */
 if (enroll->computer_dn == NULL) {
+ if (enroll->is_service && !enroll->computer_name_explicit) {
+ res = calculate_random_service_account_name (enroll);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
 res = calculate_computer_account (enroll, ldap);
 if (res != ADCLI_SUCCESS)
 return res;
@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
 
 if (enroll->is_service) {
 /* Ensure basic params for service accounts */
+ res = ensure_host_fqdn (res, enroll);
+ res = ensure_computer_name (res, enroll);
 res = ensure_computer_sam (res, enroll);
 res = ensure_computer_password (res, enroll);
 res = ensure_host_keytab (res, enroll);
-- 
2.28.0
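Review bot: The new FQDN lookup branch in locate_or_create_computer_account replaces enroll->computer_name with the CN found in LDAP regardless of enroll->computer_name_explicit, while the random-suffix branch a few lines below explicitly honours that flag; a name supplied by the caller can therefore be silently swapped for a different existing account that merely shares the host FQDN. If that is intended (reuse the existing account for this host), it deserves a comment such as `/* An existing service account for this FQDN wins over a caller-supplied name */`; otherwise the `results != NULL` check should also require `!enroll->computer_name_explicit`. The `true` literal passed to locate_computer_account is opaque at the call site, so a comment naming that parameter would help. Note also that `results` may already hold the outcome of the name-based search above the hunk, and whether that result is released before this call overwrites the pointer is outside the hunk. locate_or_create_computer_account starts and ends outside the hunk.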