
From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 06/23] Handle kvno increment for RODCs
Since the actual password change does not happen on the read-only domain
controller (RODC) the kvno change has to be replicated back which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
 library/adenroll.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index 05885d0..bb970d1 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 		             adcli_enroll_flags flags)
 {
 	adcli_result res;
+	krb5_kvno old_kvno = -1;
 
 	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
+
+		/* Handle kvno changes for read-only domain controllers
+		 * (RODC). Since the actual password change does not happen on
+		 * the RODC the kvno change has to be replicated back which
+		 * might take some time. So we check the kvno before and after
+		 * the change if we are connected to a RODC and increment the
+		 * kvno if needed. */
+		if (!adcli_conn_is_writeable (enroll->conn)) {
+			if (enroll->computer_attributes == NULL) {
+				res = retrieve_computer_account (enroll);
+				if (res != ADCLI_SUCCESS)
+					return res;
+			}
+			old_kvno = adcli_enroll_get_kvno (enroll);
+			_adcli_info ("Found old kvno '%d'", old_kvno);
+
+			ldap_msgfree (enroll->computer_attributes);
+			enroll->computer_attributes = NULL;
+			adcli_enroll_set_kvno (enroll, 0);
+		}
+
 		res = set_computer_password (enroll);
 		if (res != ADCLI_SUCCESS)
 			return res;
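Review bot: The sentinel `krb5_kvno old_kvno = -1;` and the `_adcli_info ("Found old kvno '%d'", old_kvno);` line mix a signed sentinel and `%d` with a `krb5_kvno`, which in the MIT and Heimdal headers is an unsigned type (the typedef is not visible in this hunk, so confirm against the krb5 header the build uses). If it is unsigned, `-1` silently becomes the largest representable kvno and `%d` mismatches the argument; a separate `bool have_old_kvno` flag set next to the `adcli_enroll_get_kvno` call, with `%u` in the message, makes the "no previous value" state explicit instead of relying on a wrapped sentinel. Note also that the freshly read `computer_attributes` is freed immediately after the kvno is extracted, so nothing else in this function can use the pre-change attributes; a short comment saying the fetch exists only to capture `old_kvno` would save the next reader a search. enroll_join_or_update_tasks begins before this hunk and continues past it.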
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 			return res;
 	}
 
+	/* Handle kvno changes for read-only domain controllers (RODC) */
+	if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
+	    adcli_enroll_get_kvno (enroll) != 0 &&
+	    adcli_enroll_get_kvno (enroll) == old_kvno) {
+		enroll->kvno++;
+		_adcli_info ("No kvno change detected on read-only DC,  kvno "
+		             "will be incremented by 1 to '%d'", enroll->kvno);
+	}
+
 	/* We ignore failures of setting these fields */
 	update_and_calculate_enctypes (enroll);
 	update_computer_account (enroll);
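Review bot: The `enroll->kvno++` guess assumes the writable DC bumped the version exactly once and that the value returned by `adcli_enroll_get_kvno` here is the stale replicated one rather than a freshly fetched one, and neither assumption is checked; if the real kvno differs, the keytab entries written with this value will not match the service tickets the KDC issues and the host will fail to authenticate until the next password change. At minimum the comment above the block should state the assumption, e.g. `/* Assumes a single password change since the last replication; a stale guess here leaves the keytab kvno out of sync with the KDC. */`, and the message on the next lines is worth logging at a higher severity than the informational one used, since it records a guessed value. The second `adcli_conn_is_writeable (enroll->conn)` call on the condition line is redundant given `old_kvno` is only set on the read-only path in the earlier hunk, though that is a style point only. enroll_join_or_update_tasks continues outside this hunk.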
-- 
2.14.4