
From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 06/23] Handle kvno increment for RODCs
Since the actual password change does not happen on the read-only domain
controller (RODC), the kvno change has to be replicated back, which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
 library/adenroll.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
48b328
index 05885d0..bb970d1 100644
48b328
--- a/library/adenroll.c
48b328
+++ b/library/adenroll.c
48b328
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
48b328
 		             adcli_enroll_flags flags)
48b328
 {
48b328
 	adcli_result res;
48b328
+	krb5_kvno old_kvno = -1;
48b328
 
48b328
 	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
48b328
+
48b328
+		/* Handle kvno changes for read-only domain controllers
48b328
+		 * (RODC). Since the actual password change does not happen on
48b328
+		 * the RODC the kvno change has to be replicated back which
48b328
+		 * might take some time. So we check the kvno before and after
48b328
+		 * the change if we are connected to a RODC and increment the
48b328
+		 * kvno if needed. */
48b328
+		if (!adcli_conn_is_writeable (enroll->conn)) {
48b328
+			if (enroll->computer_attributes == NULL) {
48b328
+				res = retrieve_computer_account (enroll);
48b328
+				if (res != ADCLI_SUCCESS)
48b328
+					return res;
48b328
+			}
48b328
+			old_kvno = adcli_enroll_get_kvno (enroll);
48b328
+			_adcli_info ("Found old kvno '%d'", old_kvno);
48b328
+
48b328
+			ldap_msgfree (enroll->computer_attributes);
48b328
+			enroll->computer_attributes = NULL;
48b328
+			adcli_enroll_set_kvno (enroll, 0);
48b328
+		}
48b328
+
48b328
 		res = set_computer_password (enroll);
48b328
 		if (res != ADCLI_SUCCESS)
48b328
 			return res;
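Review bot: `krb5_kvno old_kvno = -1;` stores a negative sentinel in what is an unsigned integer type in both MIT and Heimdal, so the later `old_kvno != -1` test only works through unsigned conversion, and `_adcli_info ("Found old kvno '%d'", old_kvno);` prints that unsigned value with `%d`. The format specifier should be `%u` — `_adcli_info ("Found old kvno '%u'", old_kvno);` — and the sentinel deserves a comment such as `/* (krb5_kvno) -1 marks "no RODC kvno captured"; never a valid kvno here */` so the wrap-around reads as intentional rather than accidental. Note also that when `enroll->computer_attributes` is already non-NULL the old kvno is taken from whatever was fetched earlier in the join, which could presumably be stale by now — worth confirming against the callers. enroll_join_or_update_tasks starts before and ends after this hunk.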
48b328
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
48b328
 			return res;
48b328
 	}
48b328
 
48b328
+	/* Handle kvno changes for read-only domain controllers (RODC) */
48b328
+	if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
48b328
+	    adcli_enroll_get_kvno (enroll) != 0 &&
48b328
+	    adcli_enroll_get_kvno (enroll) == old_kvno) {
48b328
+		enroll->kvno++;
48b328
+		_adcli_info ("No kvno change detected on read-only DC,  kvno "
48b328
+		             "will be incremented by 1 to '%d'", enroll->kvno);
48b328
+	}
48b328
+
48b328
 	/* We ignore failures of setting these fields */
48b328
 	update_and_calculate_enctypes (enroll);
48b328
 	update_computer_account (enroll);
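Review bot: `enroll->kvno++;` writes the field directly while the first hunk goes through `adcli_enroll_set_kvno (enroll, 0);`; for consistency, and so that any bookkeeping the setter does is not bypassed, this should be `adcli_enroll_set_kvno (enroll, old_kvno + 1);`. The comment above the block should also state that the increment is a guess made because the RODC has not yet received the replicated kvno: if the writeable DC ends up with a different value, the keytab entry written later will presumably not match the account's kvno and the host will need another update. Minor: the log message `"No kvno change detected on read-only DC,  kvno "` has a doubled space, and `adcli_enroll_get_kvno (enroll)` is evaluated twice in the condition where one local would do. The function continues outside the hunk.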
-- 
2.14.4