7f6164b3c3
- use-ldaps fixes - man page improvements - new sub-command to create managed service accounts
From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 15:23:04 +0100
Subject: [PATCH 10/10] service-account: add random suffix to account name
Add a random component to the default managed service account name to
avoid name collisions.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
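--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
 return ADCLI_SUCCESS;
 }
 
+static adcli_result
+refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
+ const char *name)
+{
+ adcli_result res;
+
+ adcli_enroll_set_computer_name (enroll, name);
+ res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
+ res = ensure_keytab_principals (res, enroll);
+
+ return res;
+}
+
+static adcli_result
+calculate_random_service_account_name (adcli_enroll *enroll)
+{
+ char *suffix;
+ char *new_name;
+ int ret;
+ adcli_result res;
+
+ suffix = generate_host_password (enroll, 3, filter_sam_chars);
+ return_unexpected_if_fail (suffix != NULL);
+
+ ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
+ free (suffix);
+ return_unexpected_if_fail (ret > 0);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, new_name);
+ free (new_name);
+
+ return res;
+}
+
+static adcli_result
+get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
+{
+ LDAP *ldap;
+ char *cn;
+ adcli_result res;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ cn = _adcli_ldap_parse_value (ldap, results, "CN");
+ return_unexpected_if_fail (cn != NULL);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, cn);
+ free (cn);
+
+ return res;
+}
+
 static adcli_result
 locate_or_create_computer_account (adcli_enroll *enroll,
 int allow_overwrite)
@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
 searched = 1;
 }
 
+ /* Try with fqdn for service accounts */
+ if (!enroll->computer_dn && enroll->is_service
+ && enroll->host_fqdn != NULL) {
+ res = locate_computer_account (enroll, ldap, true,
+ &results, &entry);
+ if (res != ADCLI_SUCCESS)
+ return res;
+ searched = 1;
+
+ if (results != NULL) {
+ res = get_service_account_name_from_ldap (enroll,
+ results);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
+ }
+
 /* Next try and come up with where we think it should be */
 if (enroll->computer_dn == NULL) {
+ if (enroll->is_service && !enroll->computer_name_explicit) {
+ res = calculate_random_service_account_name (enroll);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
 res = calculate_computer_account (enroll, ldap);
 if (res != ADCLI_SUCCESS)
 return res;
@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
 
 if (enroll->is_service) {
 /* Ensure basic params for service accounts */
+ res = ensure_host_fqdn (res, enroll);
+ res = ensure_computer_name (res, enroll);
 res = ensure_computer_sam (res, enroll);
 res = ensure_computer_password (res, enroll);
 res = ensure_host_keytab (res, enroll);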
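Review bot: In `calculate_random_service_account_name` the suffix comes from `generate_host_password (enroll, 3, filter_sam_chars)`, so only three SAM-safe characters distinguish one default service account name from another, and neither this function nor its caller in the second hunk checks the directory for an existing account with the generated `%s!%s` name before `calculate_computer_account` runs; collision avoidance is therefore probabilistic, and whether a later create step rejects a name that already exists is decided outside the hunk. The combined length of `enroll->computer_name`, `!` and the suffix is also not compared against the sAMAccountName limit here — presumably `ensure_computer_sam` applies its own bound, but if that bound truncates the tail, the random part is what gets dropped, which would defeat its purpose; worth confirming. A header comment would make the contract visible, e.g. `/* Default MSA name: <computer_name>!<3 random SAM-safe chars>; used only when no name was given explicitly and no account matching host_fqdn was found. */`.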
--
2.28.0