From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Wed, 27 Nov 2019 12:34:45 +0100

Subject: [PATCH 1/2] tools: add show-computer command

The show-computer command prints the LDAP attributes of the related

computer object from AD.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342

---

 doc/adcli.xml      | 28 ++++++++++++++

 library/adenroll.c | 78 +++++++++++++++++++++++++++++---------

 library/adenroll.h |  5 +++

 tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++

 tools/tools.c      |  1 +

 tools/tools.h      |  4 ++

 6 files changed, 191 insertions(+), 18 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml

index 9faf96a..1f93186 100644

--- a/doc/adcli.xml

+++ b/doc/adcli.xml

@@ -93,6 +93,11 @@

 		<arg choice="opt">--domain=domain.example.com</arg>

 		<arg choice="plain">computer</arg>

 	</cmdsynopsis>

+	<cmdsynopsis>

+		<command>adcli show-computer</command>

+		<arg choice="opt">--domain=domain.example.com</arg>

+		<arg choice="plain">computer</arg>

+	</cmdsynopsis>

 </refsynopsisdiv>

 <refsect1 id='general_overview'>

@@ -811,6 +816,29 @@ Password for Administrator:

 </refsect1>

+<refsect1 id='show_computer_account'>

+	<title>Show Computer Account Attributes</title>

+

+	<para><command>adcli show-computer</command> show the computer account

+	attributes stored in AD. The account must already exist.</para>

+

+<programlisting>

+$ adcli show-computer --domain=domain.example.com host2

+Password for Administrator:

+</programlisting>

+

+	<para>If the computer name contains a dot, then it is

+	treated as fully qualified host name, otherwise it is treated

+	as short computer name.</para>

+

+	<para>If no computer name is specified, then the host name of the

+	computer adcli is running on is used, as returned by

+	<literal>gethostname()</literal>.</para>

+

+	<para>The various global options can be used.</para>

+

+</refsect1>

+

 <refsect1 id='bugs'>

 	<title>Bugs</title>

 	<para>

diff --git a/library/adenroll.c b/library/adenroll.c

index 524663a..8d2adeb 100644

--- a/library/adenroll.c

+++ b/library/adenroll.c

@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {

 	0

 };

+static char *default_ad_ldap_attrs[] =  {

+	"sAMAccountName",

+	"userPrincipalName",

+	"msDS-KeyVersionNumber",

+	"msDS-supportedEncryptionTypes",

+	"dNSHostName",

+	"servicePrincipalName",

+	"operatingSystem",

+	"operatingSystemVersion",

+	"operatingSystemServicePack",

+	"pwdLastSet",

+	"userAccountControl",

+	NULL,

+};

+

 /* Some constants for the userAccountControl AD LDAP attribute, see e.g.

  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

  * for details. */

@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)

 	char *end;

 	int ret;

-	char *attrs[] =  {

-		"msDS-KeyVersionNumber",

-		"msDS-supportedEncryptionTypes",

-		"dNSHostName",

-		"servicePrincipalName",

-		"operatingSystem",

-		"operatingSystemVersion",

-		"operatingSystemServicePack",

-		"pwdLastSet",

-		"userAccountControl",

-		NULL,

-	};

-

 	assert (enroll->computer_dn != NULL);

 	assert (enroll->computer_attributes == NULL);

@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)

 	assert (ldap != NULL);

 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,

-	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,

+	                         "(objectClass=*)", default_ad_ldap_attrs,

+	                         0, NULL, NULL, NULL, -1,

 	                         &enroll->computer_attributes);

 	if (ret != LDAP_SUCCESS) {

@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)

 }

 adcli_result

-adcli_enroll_update (adcli_enroll *enroll,

-		     adcli_enroll_flags flags)

+adcli_enroll_read_computer_account (adcli_enroll *enroll,

+		                    adcli_enroll_flags flags)

 {

 	adcli_result res = ADCLI_SUCCESS;

 	LDAP *ldap;

-	char *value;

 	return_unexpected_if_fail (enroll != NULL);

@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,

 	}

 	/* Get information about the computer account */

-	res = retrieve_computer_account (enroll);

+	return retrieve_computer_account (enroll);

+}

+

+adcli_result

+adcli_enroll_update (adcli_enroll *enroll,

+		     adcli_enroll_flags flags)

+{

+	adcli_result res = ADCLI_SUCCESS;

+	LDAP *ldap;

+	char *value;

+

+	res = adcli_enroll_read_computer_account (enroll, flags);

 	if (res != ADCLI_SUCCESS)

 		return res;

@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,

 	return enroll_join_or_update_tasks (enroll, flags);

 }

+adcli_result

+adcli_enroll_show_computer_attribute (adcli_enroll *enroll)

+{

+	LDAP *ldap;

+	size_t c;

+	char **vals;

+	size_t v;

+

+	ldap = adcli_conn_get_ldap_connection (enroll->conn);

+	assert (ldap != NULL);

+

+	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {

+		vals = _adcli_ldap_parse_values (ldap,

+		                                 enroll->computer_attributes,

+		                                 default_ad_ldap_attrs[c]);

+		printf ("%s:\n", default_ad_ldap_attrs[c]);

+		if (vals == NULL) {

+			printf (" - not set -\n");

+		} else {

+			for (v = 0; vals[v] != NULL; v++) {

+				printf (" %s\n", vals[v]);

+			}

+		}

+		_adcli_strv_free (vals);

+	}

+

+	return ADCLI_SUCCESS;

+}

+

 adcli_result

 adcli_enroll_delete (adcli_enroll *enroll,

                      adcli_enroll_flags delete_flags)

diff --git a/library/adenroll.h b/library/adenroll.h

index 1d5d00d..11eb517 100644

--- a/library/adenroll.h

+++ b/library/adenroll.h

@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,

 adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,

 		                                         adcli_enroll_flags flags);

+adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,

+                                                         adcli_enroll_flags flags);

+

+adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);

+

 adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,

                                                          adcli_enroll_flags delete_flags);

diff --git a/tools/computer.c b/tools/computer.c

index ac8a203..c8b96a4 100644

--- a/tools/computer.c

+++ b/tools/computer.c

@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,

 	adcli_enroll_unref (enroll);

 	return 0;

 }

+

+int

+adcli_tool_computer_show (adcli_conn *conn,

+                          int argc,

+                          char *argv[])

+{

+	adcli_enroll *enroll;

+	adcli_result res;

+	int opt;

+

+	struct option options[] = {

+		{ "domain", required_argument, NULL, opt_domain },

+		{ "domain-realm", required_argument, NULL, opt_domain_realm },

+		{ "domain-controller", required_argument, NULL, opt_domain_controller },

+		{ "login-user", required_argument, NULL, opt_login_user },

+		{ "login-ccache", optional_argument, NULL, opt_login_ccache },

+		{ "login-type", required_argument, NULL, opt_login_type },

+		{ "no-password", no_argument, 0, opt_no_password },

+		{ "stdin-password", no_argument, 0, opt_stdin_password },

+		{ "prompt-password", no_argument, 0, opt_prompt_password },

+		{ "verbose", no_argument, NULL, opt_verbose },

+		{ "help", no_argument, NULL, 'h' },

+		{ 0 },

+	};

+

+	static adcli_tool_desc usages[] = {

+		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },

+		{ 0 },

+	};

+

+	enroll = adcli_enroll_new (conn);

+	if (enroll == NULL) {

+		warnx ("unexpected memory problems");

+		return -1;

+	}

+

+	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {

+		switch (opt) {

+		case 'h':

+		case '?':

+		case ':':

+			adcli_tool_usage (options, usages);

+			adcli_tool_usage (options, common_usages);

+			adcli_enroll_unref (enroll);

+			return opt == 'h' ? 0 : 2;

+		default:

+			res = parse_option ((Option)opt, optarg, conn, enroll);

+			if (res != ADCLI_SUCCESS) {

+				adcli_enroll_unref (enroll);

+				return res;

+			}

+			break;

+		}

+	}

+

+	argc -= optind;

+	argv += optind;

+

+	res = adcli_conn_connect (conn);

+	if (res != ADCLI_SUCCESS) {

+		warnx ("couldn't connect to %s domain: %s",

+		       adcli_conn_get_domain_name (conn),

+		       adcli_get_last_error ());

+		adcli_enroll_unref (enroll);

+		return -res;

+	}

+

+	if (argc == 1) {

+		parse_fqdn_or_name (enroll, argv[0]);

+	}

+

+	res = adcli_enroll_read_computer_account (enroll, 0);

+	if (res != ADCLI_SUCCESS) {

+		warnx ("couldn't read data for %s: %s",

+		       adcli_enroll_get_host_fqdn (enroll) != NULL

+		           ? adcli_enroll_get_host_fqdn (enroll)

+		           : adcli_enroll_get_computer_name (enroll),

+		       adcli_get_last_error ());

+		adcli_enroll_unref (enroll);

+		return -res;

+	}

+

+	res = adcli_enroll_show_computer_attribute (enroll);

+	if (res != ADCLI_SUCCESS) {

+		warnx ("couldn't print data for %s: %s",

+		       argv[0], adcli_get_last_error ());

+		adcli_enroll_unref (enroll);

+		return -res;

+	}

+

+	adcli_enroll_unref (enroll);

+	return 0;

+}

diff --git a/tools/tools.c b/tools/tools.c

index fc9fa9a..9d422f2 100644

--- a/tools/tools.c

+++ b/tools/tools.c

@@ -59,6 +59,7 @@ struct {

 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },

 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },

 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },

+	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },

 	{ "create-user", adcli_tool_user_create, "Create a user account", },

 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },

 	{ "create-group", adcli_tool_group_create, "Create a group", },

diff --git a/tools/tools.h b/tools/tools.h

index 8cebbf9..3702875 100644

--- a/tools/tools.h

+++ b/tools/tools.h

@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,

                                         int argc,

                                         char *argv[]);

+int       adcli_tool_computer_show     (adcli_conn *conn,

+                                        int argc,

+                                        char *argv[]);

+

 int       adcli_tool_user_create       (adcli_conn *conn,

                                         int argc,

                                         char *argv[]);

-- 

2.21.0