
From cbe33b3e6d0d3415e4642d71942380d1793311f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 11 Jun 2018 09:44:49 +0200
Subject: [PATCH 20/23] join: add all attributes while creating computer object
It is possible to create special accounts which can only join a computer
to a domain but is not allowed to do any further operations with the
computer object. As a result if such an account is used during the join
only the ldapadd operation is permitted but not any later ldapmodify
operation. To create the computer object correctly in this case all
attributes must be added while the object is created and not later.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
---
 library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 47 insertions(+), 5 deletions(-)
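diff --git a/library/adenroll.c b/library/adenroll.c
index 75ac1e4..b508caf 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -573,7 +573,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
 
 	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
-	if (is_2008_or_later) {
+	if (is_2008_or_later && enroll->computer_attributes != NULL) {
 		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
 		                                 "msDS-supportedEncryptionTypes");
 
@@ -618,7 +618,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 	return ADCLI_SUCCESS;
 }
 
-
 static adcli_result
 create_computer_account (adcli_enroll *enroll,
                          LDAP *ldap)
@@ -628,22 +627,65 @@ create_computer_account (adcli_enroll *enroll,
 	char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
 	LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
 	char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
-	LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
+	LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };
+	char *vals_supportedEncryptionTypes[] = { NULL, NULL };
+	LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
+	char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
+	LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } };
+	char *vals_operatingSystem[] = { enroll->os_name, NULL };
+	LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } };
+	char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };
+	LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } };
+	char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
+	LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
+	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
+
+	char *val = NULL;
 
 	int ret;
+	size_t c;
+	size_t m;
 
-	LDAPMod *mods[] = {
+	LDAPMod *all_mods[] = {
 		&objectClass,
 		&sAMAccountName,
 		&userAccountControl,
-		NULL,
+		&encTypes,
+		&dNSHostName,
+		&operatingSystem,
+		&operatingSystemVersion,
+		&operatingSystemServicePack,
+		&userPrincipalName,
+		&servicePrincipalName,
+		NULL
 	};
 
+	size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *);
+	LDAPMod *mods[mods_count];
+
 	if (adcli_enroll_get_trusted_for_delegation (enroll)) {
 		vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
 	}
 
+	ret = calculate_enctypes (enroll, &val;;
+	if (ret != ADCLI_SUCCESS) {
+		return ret;
+	}
+	vals_supportedEncryptionTypes[0] = val;
+
+	m = 0;
+	for (c = 0; c < mods_count - 1; c++) {
+		/* Skip empty LDAP sttributes */
+		if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
+			mods[m++] = all_mods[c];
+		}
+	}
+	mods[m] = NULL;
+
 	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
+	free (val);
 
 	/*
 	 * Hand to head. This is really dumb... AD returns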
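Review bot: The filter loop in create_computer_account dereferences `all_mods[c]->mod_vals.modv_strvals[0]` without first checking that `modv_strvals` itself is non-NULL, and the servicePrincipalName entry points straight at `enroll->service_principals` instead of a local two-element array like the others; if that pointer can be NULL when this runs (it is populated somewhere I cannot see), the skip check becomes a null dereference before ldap_add_ext_s is reached, so a guard of `if (all_mods[c]->mod_vals.modv_strvals != NULL && all_mods[c]->mod_vals.modv_strvals[0] != NULL) {` is cheap insurance. Separately, `LDAPMod *mods[mods_count];` is a variable-length array because mods_count is a runtime variable; `LDAPMod *mods[sizeof (all_mods) / sizeof (all_mods[0])];` gives a fixed-size array, and the comment on the loop should read `/* Skip empty LDAP attributes */`. The line `ret = calculate_enctypes (enroll, &val;;` as shown would not compile, so it is presumably `&val);` mangled by rendering rather than a defect in the patch. create_computer_account's body continues past the end of the hunk, so the error path after ldap_add_ext_s is not visible here.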
-- 
2.14.4