From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2019 12:34:45 +0100
Subject: [PATCH 1/2] tools: add show-computer command
The show-computer command prints the LDAP attributes of the related
computer object from AD.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
---
doc/adcli.xml | 28 ++++++++++++++
library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
library/adenroll.h | 5 +++
tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++
tools/tools.c | 1 +
tools/tools.h | 4 ++
6 files changed, 191 insertions(+), 18 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 9faf96a..1f93186 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -93,6 +93,11 @@
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>adcli show-computer</command>
+ <arg choice="opt">--domain=domain.example.com</arg>
+ <arg choice="plain">computer</arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='general_overview'>
@@ -811,6 +816,29 @@ Password for Administrator:
</refsect1>
+<refsect1 id='show_computer_account'>
+ <title>Show Computer Account Attributes</title>
+
+ <para><command>adcli show-computer</command> show the computer account
+ attributes stored in AD. The account must already exist.</para>
+
+<programlisting>
+$ adcli show-computer --domain=domain.example.com host2
+Password for Administrator:
+</programlisting>
+
+ <para>If the computer name contains a dot, then it is
+ treated as fully qualified host name, otherwise it is treated
+ as short computer name.</para>
+
+ <para>If no computer name is specified, then the host name of the
+ computer adcli is running on is used, as returned by
+ <literal>gethostname()</literal>.</para>
+
+ <para>The various global options can be used.</para>
+
+</refsect1>
+
<refsect1 id='bugs'>
<title>Bugs</title>
<para>
diff --git a/library/adenroll.c b/library/adenroll.c
index 524663a..8d2adeb 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
0
};
+static char *default_ad_ldap_attrs[] = {
+ "sAMAccountName",
+ "userPrincipalName",
+ "msDS-KeyVersionNumber",
+ "msDS-supportedEncryptionTypes",
+ "dNSHostName",
+ "servicePrincipalName",
+ "operatingSystem",
+ "operatingSystemVersion",
+ "operatingSystemServicePack",
+ "pwdLastSet",
+ "userAccountControl",
+ NULL,
+};
+
/* Some constants for the userAccountControl AD LDAP attribute, see e.g.
* https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
* for details. */
@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
char *end;
int ret;
- char *attrs[] = {
- "msDS-KeyVersionNumber",
- "msDS-supportedEncryptionTypes",
- "dNSHostName",
- "servicePrincipalName",
- "operatingSystem",
- "operatingSystemVersion",
- "operatingSystemServicePack",
- "pwdLastSet",
- "userAccountControl",
- NULL,
- };
-
assert (enroll->computer_dn != NULL);
assert (enroll->computer_attributes == NULL);
@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
assert (ldap != NULL);
ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
- "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
+ "(objectClass=*)", default_ad_ldap_attrs,
+ 0, NULL, NULL, NULL, -1,
&enroll->computer_attributes);
if (ret != LDAP_SUCCESS) {
@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
}
adcli_result
-adcli_enroll_update (adcli_enroll *enroll,
- adcli_enroll_flags flags)
+adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
{
adcli_result res = ADCLI_SUCCESS;
LDAP *ldap;
- char *value;
return_unexpected_if_fail (enroll != NULL);
@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
}
/* Get information about the computer account */
- res = retrieve_computer_account (enroll);
+ return retrieve_computer_account (enroll);
+}
+
+adcli_result
+adcli_enroll_update (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
+{
+ adcli_result res = ADCLI_SUCCESS;
+ LDAP *ldap;
+ char *value;
+
+ res = adcli_enroll_read_computer_account (enroll, flags);
if (res != ADCLI_SUCCESS)
return res;
@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
return enroll_join_or_update_tasks (enroll, flags);
}
+adcli_result
+adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
+{
+ LDAP *ldap;
+ size_t c;
+ char **vals;
+ size_t v;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
+ vals = _adcli_ldap_parse_values (ldap,
+ enroll->computer_attributes,
+ default_ad_ldap_attrs[c]);
+ printf ("%s:\n", default_ad_ldap_attrs[c]);
+ if (vals == NULL) {
+ printf (" - not set -\n");
+ } else {
+ for (v = 0; vals[v] != NULL; v++) {
+ printf (" %s\n", vals[v]);
+ }
+ }
+ _adcli_strv_free (vals);
+ }
+
+ return ADCLI_SUCCESS;
+}
+
adcli_result
adcli_enroll_delete (adcli_enroll *enroll,
adcli_enroll_flags delete_flags)
diff --git a/library/adenroll.h b/library/adenroll.h
index 1d5d00d..11eb517 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll,
adcli_result adcli_enroll_update (adcli_enroll *enroll,
adcli_enroll_flags flags);
+adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ adcli_enroll_flags flags);
+
+adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
+
adcli_result adcli_enroll_delete (adcli_enroll *enroll,
adcli_enroll_flags delete_flags);
diff --git a/tools/computer.c b/tools/computer.c
index ac8a203..c8b96a4 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
adcli_enroll_unref (enroll);
return 0;
}
+
+int
+adcli_tool_computer_show (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-realm", required_argument, NULL, opt_domain_realm },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "login-user", required_argument, NULL, opt_login_user },
+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
+ { "login-type", required_argument, NULL, opt_login_type },
+ { "no-password", no_argument, 0, opt_no_password },
+ { "stdin-password", no_argument, 0, opt_stdin_password },
+ { "prompt-password", no_argument, 0, opt_prompt_password },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL) {
+ warnx ("unexpected memory problems");
+ return -1;
+ }
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ res = parse_option ((Option)opt, optarg, conn, enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ return res;
+ }
+ break;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ if (argc == 1) {
+ parse_fqdn_or_name (enroll, argv[0]);
+ }
+
+ res = adcli_enroll_read_computer_account (enroll, 0);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't read data for %s: %s",
+ adcli_enroll_get_host_fqdn (enroll) != NULL
+ ? adcli_enroll_get_host_fqdn (enroll)
+ : adcli_enroll_get_computer_name (enroll),
+ adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ res = adcli_enroll_show_computer_attribute (enroll);
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't print data for %s: %s",
+ argv[0], adcli_get_last_error ());
+ adcli_enroll_unref (enroll);
+ return -res;
+ }
+
+ adcli_enroll_unref (enroll);
+ return 0;
+}
diff --git a/tools/tools.c b/tools/tools.c
index fc9fa9a..9d422f2 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -59,6 +59,7 @@ struct {
{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
+ { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
{ "create-user", adcli_tool_user_create, "Create a user account", },
{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
{ "create-group", adcli_tool_group_create, "Create a group", },
diff --git a/tools/tools.h b/tools/tools.h
index 8cebbf9..3702875 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn,
int argc,
char *argv[]);
+int adcli_tool_computer_show (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
int adcli_tool_user_create (adcli_conn *conn,
int argc,
char *argv[]);
--
2.21.0