|
|
48b328 |
From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
|
|
|
48b328 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
48b328 |
Date: Wed, 1 Nov 2017 17:14:05 +0100
|
|
|
48b328 |
Subject: [PATCH 06/23] Handle kvno increment for RODCs
|
|
|
48b328 |
|
|
|
48b328 |
Since the actual password change does not happen on the read-only domain
|
|
|
48b328 |
controller (RODC) the kvno change has to be replicated back which might
|
|
|
48b328 |
take some time. So we check the kvno before and after the change if we
|
|
|
48b328 |
are connected to a RODC and increment the kvno if needed.
|
|
|
48b328 |
---
|
|
|
48b328 |
library/adenroll.c | 31 +++++++++++++++++++++++++++++++
|
|
|
48b328 |
1 file changed, 31 insertions(+)
|
|
|
48b328 |
|
|
|
48b328 |
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
|
48b328 |
index 05885d0..bb970d1 100644
|
|
|
48b328 |
--- a/library/adenroll.c
|
|
|
48b328 |
+++ b/library/adenroll.c
|
|
|
48b328 |
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
|
|
48b328 |
adcli_enroll_flags flags)
|
|
|
48b328 |
{
|
|
|
48b328 |
adcli_result res;
|
|
|
48b328 |
+ krb5_kvno old_kvno = -1;
|
|
|
48b328 |
|
|
|
48b328 |
if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
|
|
|
48b328 |
+
|
|
|
48b328 |
+ /* Handle kvno changes for read-only domain controllers
|
|
|
48b328 |
+ * (RODC). Since the actual password change does not happen on
|
|
|
48b328 |
+ * the RODC the kvno change has to be replicated back which
|
|
|
48b328 |
+ * might take some time. So we check the kvno before and after
|
|
|
48b328 |
+ * the change if we are connected to a RODC and increment the
|
|
|
48b328 |
+ * kvno if needed. */
|
|
|
48b328 |
+ if (!adcli_conn_is_writeable (enroll->conn)) {
|
|
|
48b328 |
+ if (enroll->computer_attributes == NULL) {
|
|
|
48b328 |
+ res = retrieve_computer_account (enroll);
|
|
|
48b328 |
+ if (res != ADCLI_SUCCESS)
|
|
|
48b328 |
+ return res;
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+ old_kvno = adcli_enroll_get_kvno (enroll);
|
|
|
48b328 |
+ _adcli_info ("Found old kvno '%d'", old_kvno);
|
|
|
48b328 |
+
|
|
|
48b328 |
+ ldap_msgfree (enroll->computer_attributes);
|
|
|
48b328 |
+ enroll->computer_attributes = NULL;
|
|
|
48b328 |
+ adcli_enroll_set_kvno (enroll, 0);
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+
|
|
|
48b328 |
res = set_computer_password (enroll);
|
|
|
48b328 |
if (res != ADCLI_SUCCESS)
|
|
|
48b328 |
return res;
|
|
|
48b328 |
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
|
|
48b328 |
return res;
|
|
|
48b328 |
}
|
|
|
48b328 |
|
|
|
48b328 |
+ /* Handle kvno changes for read-only domain controllers (RODC) */
|
|
|
48b328 |
+ if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
|
|
|
48b328 |
+ adcli_enroll_get_kvno (enroll) != 0 &&
|
|
|
48b328 |
+ adcli_enroll_get_kvno (enroll) == old_kvno) {
|
|
|
48b328 |
+ enroll->kvno++;
|
|
|
48b328 |
+ _adcli_info ("No kvno change detected on read-only DC, kvno "
|
|
|
48b328 |
+ "will be incremented by 1 to '%d'", enroll->kvno);
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+
|
|
|
48b328 |
/* We ignore failures of setting these fields */
|
|
|
48b328 |
update_and_calculate_enctypes (enroll);
|
|
|
48b328 |
update_computer_account (enroll);
|
|
|
48b328 |
--
|
|
|
48b328 |
2.14.4
|
|
|
48b328 |
|