adcli/0001-Implement-adcli-testjoin.patch

182 lines
5.8 KiB
Diff

From 6fd99ff6c5dd6ef0be8d942989b1c6dcee3102d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Mar 2019 12:37:39 +0100
Subject: [PATCH] Implement 'adcli testjoin'
By calling adcli testjoin it will be checked if the host credentials
stored in the keytab are still valid.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1622583
---
doc/adcli.xml | 34 +++++++++++++++++++++++
tools/computer.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
tools/tools.c | 1 +
tools/tools.h | 4 +++
4 files changed, 111 insertions(+)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index af73433..9605b4a 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -43,6 +43,9 @@
<cmdsynopsis>
<command>adcli update</command>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>adcli testjoin</command>
+ </cmdsynopsis>
<cmdsynopsis>
<command>adcli create-user</command>
<arg choice="opt">--domain=domain.example.com</arg>
@@ -474,6 +477,37 @@ $ adcli update --login-ccache=/tmp/krbcc_123
</refsect1>
+<refsect1 id='testjoin'>
+ <title>Testing if the machine account password is valid</title>
+
+ <para><command>adcli testjoin</command> uses the current credentials in
+ the keytab and tries to authenticate with the machine account to the AD
+ domain. If this works the machine account password and the join are
+ still valid. If it fails the machine account password or the whole
+ machine account have to be refreshed with
+ <command>adcli join</command> or <command>adcli update</command>.
+ </para>
+
+<programlisting>
+$ adcli testjoin
+</programlisting>
+
+ <para>Only the global options not related to authentication are
+ available, additionally you can specify the following options to
+ control how this operation is done.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
+ <listitem><para>Specify the path to the host keytab where
+ current host credentials are stored and the new ones
+ will be written to. If not specified, the default
+ location will be used, usually
+ <filename>/etc/krb5.keytab</filename>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id='create_user'>
<title>Creating a User</title>
diff --git a/tools/computer.c b/tools/computer.c
index 112340e..610ed2b 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -566,6 +566,78 @@ adcli_tool_computer_update (adcli_conn *conn,
return 0;
}
+int
+adcli_tool_computer_testjoin (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ const char *ktname;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "host-keytab", required_argument, 0, opt_host_keytab },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli testjoin" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL)
+ errx (-1, "unexpected memory problems");
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ parse_option ((Option)opt, optarg, conn, enroll);
+ break;
+ }
+ }
+
+ /* Force use of a keytab to test the join/machine account password */
+ adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT);
+ ktname = adcli_enroll_get_keytab_name (enroll);
+ adcli_conn_set_login_keytab_name (conn, ktname ? ktname : "");
+
+ res = adcli_enroll_load (enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+ errx (-res, "couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+ }
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+ errx (-res, "couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ }
+
+ printf ("Sucessfully validated join to domain %s\n",
+ adcli_conn_get_domain_name (conn));
+
+ adcli_enroll_unref (enroll);
+
+ return 0;
+}
int
adcli_tool_computer_preset (adcli_conn *conn,
diff --git a/tools/tools.c b/tools/tools.c
index 915130e..c4e2851 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -55,6 +55,7 @@ struct {
{ "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS },
{ "join", adcli_tool_computer_join, "Join this machine to a domain", },
{ "update", adcli_tool_computer_update, "Update machine membership in a domain", },
+ { "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", },
{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
diff --git a/tools/tools.h b/tools/tools.h
index 6c97ccf..8cebbf9 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -70,6 +70,10 @@ int adcli_tool_computer_update (adcli_conn *conn,
int argc,
char *argv[]);
+int adcli_tool_computer_testjoin (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
int adcli_tool_computer_delete (adcli_conn *conn,
int argc,
char *argv[]);
--
2.20.1