From cd296bf24e7cc56fb8d00bad7e9a56c539894309 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 19 Mar 2019 20:44:36 +0100
Subject: [PATCH 1/2] join: always add service principals
If currently --service-name is given during the join only the service
names given by this option are added as service principal names. As a
result the default 'host' service principal name might be missing which
might cause issues e.g. with SSSD and sshd.
The patch makes sure the default service principals 'host' and
'RestrictedKrbHost' are always added during join.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1644311
---
 library/adenroll.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 58362c2..d1f746c 100644
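--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -288,16 +288,23 @@ ensure_computer_password (adcli_result res,
 }
 
 static adcli_result
-ensure_service_names (adcli_result res,
-                      adcli_enroll *enroll)
+ensure_default_service_names (adcli_enroll *enroll)
 {
 	int length = 0;
 
-	if (res != ADCLI_SUCCESS)
-		return res;
+	if (enroll->service_names != NULL) {
+		length = seq_count (enroll->service_names);
 
-	if (enroll->service_names || enroll->service_principals)
-		return ADCLI_SUCCESS;
+		/* Make sure there is no entry with an unexpected case. AD
+		 * would not care but since the client side is case-sensitive
+		 * we should make sure we use the expected spelling. */
+		seq_remove_unsorted (enroll->service_names,
+		                     &length, "host",
+		                     (seq_compar)strcasecmp, free);
+		seq_remove_unsorted (enroll->service_names,
+		                     &length, "RestrictedKrbHost",
+		                     (seq_compar)strcasecmp, free);
+	}
 
 	/* The default ones specified by MS */
 	enroll->service_names = _adcli_strv_add (enroll->service_names,
@@ -307,6 +314,19 @@ ensure_service_names (adcli_result res,
 	return ADCLI_SUCCESS;
 }
 
+static adcli_result
+ensure_service_names (adcli_result res,
+                      adcli_enroll *enroll)
+{
+	if (res != ADCLI_SUCCESS)
+		return res;
+
+	if (enroll->service_names || enroll->service_principals)
+		return ADCLI_SUCCESS;
+
+	return ensure_default_service_names (enroll);
+}
+
 static adcli_result
 add_service_names_to_service_principals (adcli_enroll *enroll)
 {
@@ -2039,6 +2059,10 @@ adcli_enroll_join (adcli_enroll *enroll,
 	if (res != ADCLI_SUCCESS)
 		return res;
 
+	res = ensure_default_service_names (enroll);
+	if (res != ADCLI_SUCCESS)
+		return res;
+
 	res = adcli_enroll_prepare (enroll, flags);
 	if (res != ADCLI_SUCCESS)
 		return res;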
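Review bot: The new `res` check after `ensure_default_service_names (enroll)` in adcli_enroll_join cannot catch a failure as far as these hunks show, because the helper's only visible return is `return ADCLI_SUCCESS;` and the result of `_adcli_strv_add` is assigned straight back to `enroll->service_names` without being tested. The lines between the first two hunks are not shown, so this is an inference, but if nothing there checks the result, a failed allocation would let the join continue without the 'host' and 'RestrictedKrbHost' names the commit is meant to guarantee; a guard such as `if (enroll->service_names == NULL) return ADCLI_ERR_UNEXPECTED;` before the final return would give the caller's check something to act on. The helper also deserves a short header comment stating its ownership contract, for example `/* Replaces any case variant of the default names; entries are released with free(), so they must be heap-allocated. */`. adcli_enroll_join starts and ends outside the last hunk.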
-- 
2.20.1