| From 108d3fd58e16428316dae4a4c0601633d2903a4b Mon Sep 17 00:00:00 2001 |
| From: Sumit Bose <sbose@redhat.com> |
| Date: Wed, 1 Nov 2017 17:14:05 +0100 |
| Subject: [PATCH 4/4] Handle kvno increment for RODCs |
| |
| Since the actual password change does not happen on the read-only domain |
| controller (RODC) the kvno change has to be replicated back which might |
| take some time. So we check the kvno before and after the change if we |
| are connected to a RODC and increment the kvno if needed. |
| |
| library/adenroll.c | 31 +++++++++++++++++++++++++++++++ |
| 1 file changed, 31 insertions(+) |
| |
| diff --git a/library/adenroll.c b/library/adenroll.c |
| index a15e4be..40c3920 100644 |
| |
| |
| @@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll, |
| adcli_enroll_flags flags) |
| { |
| adcli_result res; |
| + krb5_kvno old_kvno = -1; |
| |
| if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) { |
| + |
| + /* Handle kvno changes for read-only domain controllers |
| + * (RODC). Since the actual password change does not happen on |
| + * the RODC the kvno change has to be replicated back which |
| + * might take some time. So we check the kvno before and after |
| + * the change if we are connected to a RODC and increment the |
| + * kvno if needed. */ |
| + if (!adcli_conn_is_writeable (enroll->conn)) { |
| + if (enroll->computer_attributes == NULL) { |
| + res = retrieve_computer_account (enroll); |
| + if (res != ADCLI_SUCCESS) |
| + return res; |
| + } |
| + old_kvno = adcli_enroll_get_kvno (enroll); |
| + _adcli_info ("Found old kvno '%d'", old_kvno); |
| + |
| + ldap_msgfree (enroll->computer_attributes); |
| + enroll->computer_attributes = NULL; |
| + adcli_enroll_set_kvno (enroll, 0); |
| + } |
| + |
| res = set_computer_password (enroll); |
| if (res != ADCLI_SUCCESS) |
| return res; |
| @@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll, |
| return res; |
| } |
| |
| + /* Handle kvno changes for read-only domain controllers (RODC) */ |
| + if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 && |
| + adcli_enroll_get_kvno (enroll) != 0 && |
| + adcli_enroll_get_kvno (enroll) == old_kvno) { |
| + enroll->kvno++; |
| + _adcli_info ("No kvno change detected on read-only DC, kvno " |
| + "will be incremented by 1 to '%d'", enroll->kvno); |
| + } |
| + |
| /* We ignore failures of setting these fields */ |
| update_and_calculate_enctypes (enroll); |
| update_computer_account (enroll); |
| -- |
| 2.13.6 |
| |