68 lines
2.4 KiB
Diff
68 lines
2.4 KiB
Diff
From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Wed, 1 Nov 2017 17:14:05 +0100
|
|
Subject: [PATCH 06/23] Handle kvno increment for RODCs
|
|
|
|
Since the actual password change does not happen on the read-only domain
|
|
controller (RODC) the kvno change has to be replicated back which might
|
|
take some time. So we check the kvno before and after the change if we
|
|
are connected to a RODC and increment the kvno if needed.
|
|
---
|
|
library/adenroll.c | 31 +++++++++++++++++++++++++++++++
|
|
1 file changed, 31 insertions(+)
|
|
|
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
index 05885d0..bb970d1 100644
|
|
--- a/library/adenroll.c
|
|
+++ b/library/adenroll.c
|
|
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
|
adcli_enroll_flags flags)
|
|
{
|
|
adcli_result res;
|
|
+ krb5_kvno old_kvno = -1;
|
|
|
|
if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
|
|
+
|
|
+ /* Handle kvno changes for read-only domain controllers
|
|
+ * (RODC). Since the actual password change does not happen on
|
|
+ * the RODC the kvno change has to be replicated back which
|
|
+ * might take some time. So we check the kvno before and after
|
|
+ * the change if we are connected to a RODC and increment the
|
|
+ * kvno if needed. */
|
|
+ if (!adcli_conn_is_writeable (enroll->conn)) {
|
|
+ if (enroll->computer_attributes == NULL) {
|
|
+ res = retrieve_computer_account (enroll);
|
|
+ if (res != ADCLI_SUCCESS)
|
|
+ return res;
|
|
+ }
|
|
+ old_kvno = adcli_enroll_get_kvno (enroll);
|
|
+ _adcli_info ("Found old kvno '%d'", old_kvno);
|
|
+
|
|
+ ldap_msgfree (enroll->computer_attributes);
|
|
+ enroll->computer_attributes = NULL;
|
|
+ adcli_enroll_set_kvno (enroll, 0);
|
|
+ }
|
|
+
|
|
res = set_computer_password (enroll);
|
|
if (res != ADCLI_SUCCESS)
|
|
return res;
|
|
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
|
return res;
|
|
}
|
|
|
|
+ /* Handle kvno changes for read-only domain controllers (RODC) */
|
|
+ if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
|
|
+ adcli_enroll_get_kvno (enroll) != 0 &&
|
|
+ adcli_enroll_get_kvno (enroll) == old_kvno) {
|
|
+ enroll->kvno++;
|
|
+ _adcli_info ("No kvno change detected on read-only DC, kvno "
|
|
+ "will be incremented by 1 to '%d'", enroll->kvno);
|
|
+ }
|
|
+
|
|
/* We ignore failures of setting these fields */
|
|
update_and_calculate_enctypes (enroll);
|
|
update_computer_account (enroll);
|
|
--
|
|
2.14.4
|
|
|