7f6164b3c3
- use-ldaps fixes - man page improvements - new sub-command to create managed service accounts
From beb7abfacc0010987d2cd8ab70f7c373d309eed9 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Thu, 15 Oct 2020 18:01:12 +0200
|
|
Subject: [PATCH 02/10] join/update: set dNSHostName if not set
|
|
|
|
If, during a join or update, an existing AD computer object does not have
|
|
the dNSHostName attribute set, it will be set to the current hostname.
|
|
This is important for cases where the user doing the join or update only
|
|
has "Validated write to service principal name" for the computer object.
|
|
The validated write with fully-qualified names can only be successful if
|
|
dNSHostName is set, see [MS-ADTS] section 3.1.1.5.3.1.1.4 "Validated
|
|
Writes - servicePrincipalName" for details.
|
|
|
|
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1734764
|
|
---
|
|
library/adenroll.c | 16 ++++++++++++----
|
|
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
index 246f658..e745295 100644
|
|
--- a/library/adenroll.c
|
|
+++ b/library/adenroll.c
|
|
@@ -1403,21 +1403,29 @@ update_computer_account (adcli_enroll *enroll)
|
|
{
|
|
int res = 0;
|
|
LDAP *ldap;
|
|
+ char *value = NULL;
|
|
|
|
ldap = adcli_conn_get_ldap_connection (enroll->conn);
|
|
return_if_fail (ldap != NULL);
|
|
|
|
/* Only update attributes which are explicitly given on the command
|
|
- * line. Otherwise 'adcli update' must be always called with the same
|
|
- * set of options to make sure existing attributes are not deleted or
|
|
- * overwritten with different values. */
|
|
- if (enroll->host_fqdn_explicit) {
|
|
+ * line or not set in the existing AD object. Otherwise 'adcli update'
|
|
+ * must be always called with the same set of options to make sure
|
|
+ * existing attributes are not deleted or overwritten with different
|
|
+ * values. */
|
|
+ if (enroll->computer_attributes != NULL) {
|
|
+ value = _adcli_ldap_parse_value (ldap,
|
|
+ enroll->computer_attributes,
|
|
+ "dNSHostName");
|
|
+ }
|
|
+ if (enroll->host_fqdn_explicit || value == NULL ) {
|
|
char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
|
|
LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
|
|
LDAPMod *mods[] = { &dNSHostName, NULL };
|
|
|
|
res |= update_computer_attribute (enroll, ldap, mods);
|
|
}
|
|
+ free (value);
|
|
|
|
if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
|
|
char *vals_userAccountControl[] = { NULL , NULL };
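Review bot: The fallback `value == NULL` in the new condition cannot tell "dNSHostName is absent from the AD object" apart from "no object attributes were available": when `enroll->computer_attributes` is NULL, `value` stays NULL and the LDAP_MOD_REPLACE a few lines below overwrites whatever dNSHostName the object already carries with the local hostname, which is the very thing the comment above says 'adcli update' must avoid. The same happens if `_adcli_ldap_parse_value` returns NULL for a reason other than a missing attribute (an allocation failure, for instance), which I cannot confirm from this hunk. I would tie the fallback to the lookup actually having run, `if (enroll->host_fqdn_explicit || (enroll->computer_attributes != NULL && value == NULL)) {`, and extend the comment with "an object whose attributes could not be read is left untouched". It may also be worth a one-line comment that, if I read [MS-ADTS] correctly, the validated write to dNSHostName only succeeds when the value matches the object's sAMAccountName and the domain's DNS suffix, so a mismatched local hostname will fail here with no obvious cause. update_computer_account's signature sits just before the hunk and its body continues past it.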
|
|
--
|
|
2.28.0
|
|
|