diff --git a/SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch b/SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch new file mode 100644 index 0000000..4c2323c --- /dev/null +++ b/SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch @@ -0,0 +1,63 @@ +From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 8 Apr 2019 10:55:39 +0200 +Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt + +Since the arcfour-hmac-md5 encryption types does not use salts it cannot +be used to discover the right salt. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745 +--- + library/adkrb5.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/library/adkrb5.c b/library/adkrb5.c +index da835d7..be3ede5 100644 +--- a/library/adkrb5.c ++++ b/library/adkrb5.c +@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5, + krb5_keytab scratch; + krb5_error_code code; + int i; ++ krb5_enctype *salt_enctypes = NULL; ++ size_t c; ++ size_t s; + + /* TODO: This should be a unique name */ + + code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch); + return_val_if_fail (code == 0, code); + ++ for (c = 0; enctypes[c] != 0; c++); /* count enctypes */ ++ salt_enctypes = calloc (c + 1, sizeof (krb5_enctype)); ++ return_val_if_fail (salt_enctypes != NULL, ENOMEM); ++ ++ /* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to ++ * discover the right salt. */ ++ s = 0; ++ for (c = 0; enctypes[c] != 0; c++) { ++ if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) { ++ continue; ++ } ++ ++ salt_enctypes[s++] = enctypes[c]; ++ } ++ + for (i = 0; salts[i].data != NULL; i++) { + code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno, +- password, enctypes, &salts[i]); ++ password, salt_enctypes, &salts[i]); + if (code == 0) { + *discovered = i; + break; +@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5, + } + } + ++ free (salt_enctypes); + krb5_kt_close (k5, scratch); + return code; + } +-- +2.21.0 + diff --git a/SOURCES/0001-Fix-for-issue-found-by-Coverity.patch b/SOURCES/0001-Fix-for-issue-found-by-Coverity.patch new file mode 100644 index 0000000..b5159c8 --- /dev/null +++ b/SOURCES/0001-Fix-for-issue-found-by-Coverity.patch @@ -0,0 +1,29 @@ +From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 12 Aug 2019 17:28:20 +0200 +Subject: [PATCH] Fix for issue found by Coverity + +Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3 +--- + library/adenroll.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/library/adenroll.c b/library/adenroll.c +index 53cd812..524663a 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll) + for (c = 0; cur_enctypes[c] != 0; c++); + + new_enctypes = calloc (c + 1, sizeof (krb5_enctype)); +- return_val_if_fail (new_enctypes != NULL, NULL); ++ if (new_enctypes == NULL) { ++ krb5_free_enctypes (k5, permitted_enctypes); ++ return NULL; ++ } + + n = 0; + for (c = 0; cur_enctypes[c] != 0; c++) { +-- +2.21.0 + diff --git a/SOURCES/0001-Use-GSS-SPNEGO-if-available.patch b/SOURCES/0001-Use-GSS-SPNEGO-if-available.patch new file mode 100644 index 0000000..bae8b22 --- /dev/null +++ b/SOURCES/0001-Use-GSS-SPNEGO-if-available.patch @@ -0,0 +1,124 @@ +From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 11 Oct 2019 16:39:25 +0200 +Subject: [PATCH 1/2] Use GSS-SPNEGO if available + +Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication +and to establish encryption. While this works in general it does not +handle some of the more advanced features which can be required by AD +DCs. + +The GSS-SPNEGO mechanism can handle them and is used with this patch by +adcli if the AD DC indicates that it supports it. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420 +--- + library/adconn.c | 35 ++++++++++++++++++++++++++++++++++- + library/adconn.h | 3 +++ + 2 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/library/adconn.c b/library/adconn.c +index bcaced8..ffb54f9 100644 +--- a/library/adconn.c ++++ b/library/adconn.c +@@ -77,6 +77,7 @@ struct _adcli_conn_ctx { + char *default_naming_context; + char *configuration_naming_context; + char **supported_capabilities; ++ char **supported_sasl_mechs; + + /* Connect state */ + LDAP *ldap; +@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn, + "defaultNamingContext", + "configurationNamingContext", + "supportedCapabilities", ++ "supportedSASLMechanisms", + NULL + }; + +@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn, + "supportedCapabilities"); + } + ++ if (conn->supported_sasl_mechs == NULL) { ++ conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results, ++ "supportedSASLMechanisms"); ++ } ++ + ldap_msgfree (results); + + if (conn->default_naming_context == NULL) { +@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn) + OM_uint32 minor; + ber_len_t ssf; + int ret; ++ const char *mech = "GSSAPI"; + + if (conn->ldap_authenticated) + return ADCLI_SUCCESS; +@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn) + ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); + return_unexpected_if_fail (ret == 0); + +- ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL, ++ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) { ++ mech = "GSS-SPNEGO"; ++ } ++ ++ ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL, + LDAP_SASL_QUIET, sasl_interact, NULL); + + /* Clear the credential cache GSSAPI to use (for this thread) */ +@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn) + free (conn->default_naming_context); + free (conn->configuration_naming_context); + _adcli_strv_free (conn->supported_capabilities); ++ _adcli_strv_free (conn->supported_sasl_mechs); + + free (conn->computer_name); + free (conn->host_fqdn); +@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn, + return 0; + } + ++bool ++adcli_conn_server_has_sasl_mech (adcli_conn *conn, ++ const char *mech) ++{ ++ int i; ++ ++ return_val_if_fail (conn != NULL, false); ++ return_val_if_fail (mech != NULL, false); ++ ++ if (!conn->supported_sasl_mechs) ++ return false; ++ ++ for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) { ++ if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0) ++ return true; ++ } ++ ++ return false; ++} ++ + bool adcli_conn_is_writeable (adcli_conn *conn) + { + disco_dance_if_necessary (conn); +diff --git a/library/adconn.h b/library/adconn.h +index 1ad5715..37ebdd9 100644 +--- a/library/adconn.h ++++ b/library/adconn.h +@@ -149,6 +149,9 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn, + int adcli_conn_server_has_capability (adcli_conn *conn, + const char *capability); + ++bool adcli_conn_server_has_sasl_mech (adcli_conn *conn, ++ const char *mech); ++ + bool adcli_conn_is_writeable (adcli_conn *conn); + + #endif /* ADCONN_H_ */ +-- +2.21.0 + diff --git a/SOURCES/0001-doc-explain-how-to-force-password-reset.patch b/SOURCES/0001-doc-explain-how-to-force-password-reset.patch new file mode 100644 index 0000000..f3d25f4 --- /dev/null +++ b/SOURCES/0001-doc-explain-how-to-force-password-reset.patch @@ -0,0 +1,30 @@ +From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 26 Aug 2019 13:33:24 +0200 +Subject: [PATCH] doc: explain how to force password reset + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573 +--- + doc/adcli.xml | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index 094f577..4f201e0 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -330,7 +330,11 @@ Password for Administrator: + important here is currently the + option, see + smb.conf5 +- for details. ++ for details. ++ Note that if the machine account password is not ++ older than 30 days, you have to pass ++ to ++ force the update. + + + +-- +2.21.0 + diff --git a/SOURCES/0001-man-move-note-to-the-right-section.patch b/SOURCES/0001-man-move-note-to-the-right-section.patch new file mode 100644 index 0000000..307dfc9 --- /dev/null +++ b/SOURCES/0001-man-move-note-to-the-right-section.patch @@ -0,0 +1,48 @@ +From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 27 Nov 2019 18:26:44 +0100 +Subject: [PATCH] man: move note to the right section + +Unfortunately the note about the password lifetime was added to the join +section. This patch move it to the update section where it belongs to. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573 + https://bugzilla.redhat.com/show_bug.cgi?id=1745931 + https://bugzilla.redhat.com/show_bug.cgi?id=1774622 +--- + doc/adcli.xml | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index 4f201e0..9faf96a 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -330,11 +330,7 @@ Password for Administrator: + important here is currently the + option, see + smb.conf5 +- for details. +- Note that if the machine account password is not +- older than 30 days, you have to pass +- to +- force the update. ++ for details. + + + +@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123 + important here is currently the + option, see + smb.conf5 +- for details. ++ for details. ++ Note that if the machine account password is not ++ older than 30 days, you have to pass ++ to ++ force the update. + + + +-- +2.21.0 + diff --git a/SOURCES/0001-tools-add-show-computer-command.patch b/SOURCES/0001-tools-add-show-computer-command.patch new file mode 100644 index 0000000..1decaf6 --- /dev/null +++ b/SOURCES/0001-tools-add-show-computer-command.patch @@ -0,0 +1,338 @@ +From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 27 Nov 2019 12:34:45 +0100 +Subject: [PATCH 1/2] tools: add show-computer command + +The show-computer command prints the LDAP attributes of the related +computer object from AD. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342 +--- + doc/adcli.xml | 28 ++++++++++++++ + library/adenroll.c | 78 +++++++++++++++++++++++++++++--------- + library/adenroll.h | 5 +++ + tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++ + tools/tools.c | 1 + + tools/tools.h | 4 ++ + 6 files changed, 191 insertions(+), 18 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index 9faf96a..1f93186 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -93,6 +93,11 @@ + --domain=domain.example.com + computer + ++ ++ adcli show-computer ++ --domain=domain.example.com ++ computer ++ + + + +@@ -811,6 +816,29 @@ Password for Administrator: + + + ++ ++ Show Computer Account Attributes ++ ++ adcli show-computer show the computer account ++ attributes stored in AD. The account must already exist. ++ ++ ++$ adcli show-computer --domain=domain.example.com host2 ++Password for Administrator: ++ ++ ++ If the computer name contains a dot, then it is ++ treated as fully qualified host name, otherwise it is treated ++ as short computer name. ++ ++ If no computer name is specified, then the host name of the ++ computer adcli is running on is used, as returned by ++ gethostname(). ++ ++ The various global options can be used. ++ ++ ++ + + Bugs + +diff --git a/library/adenroll.c b/library/adenroll.c +index 524663a..8d2adeb 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = { + 0 + }; + ++static char *default_ad_ldap_attrs[] = { ++ "sAMAccountName", ++ "userPrincipalName", ++ "msDS-KeyVersionNumber", ++ "msDS-supportedEncryptionTypes", ++ "dNSHostName", ++ "servicePrincipalName", ++ "operatingSystem", ++ "operatingSystemVersion", ++ "operatingSystemServicePack", ++ "pwdLastSet", ++ "userAccountControl", ++ NULL, ++}; ++ + /* Some constants for the userAccountControl AD LDAP attribute, see e.g. + * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro + * for details. */ +@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll) + char *end; + int ret; + +- char *attrs[] = { +- "msDS-KeyVersionNumber", +- "msDS-supportedEncryptionTypes", +- "dNSHostName", +- "servicePrincipalName", +- "operatingSystem", +- "operatingSystemVersion", +- "operatingSystemServicePack", +- "pwdLastSet", +- "userAccountControl", +- NULL, +- }; +- + assert (enroll->computer_dn != NULL); + assert (enroll->computer_attributes == NULL); + +@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll) + assert (ldap != NULL); + + ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE, +- "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1, ++ "(objectClass=*)", default_ad_ldap_attrs, ++ 0, NULL, NULL, NULL, -1, + &enroll->computer_attributes); + + if (ret != LDAP_SUCCESS) { +@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll) + } + + adcli_result +-adcli_enroll_update (adcli_enroll *enroll, +- adcli_enroll_flags flags) ++adcli_enroll_read_computer_account (adcli_enroll *enroll, ++ adcli_enroll_flags flags) + { + adcli_result res = ADCLI_SUCCESS; + LDAP *ldap; +- char *value; + + return_unexpected_if_fail (enroll != NULL); + +@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll, + } + + /* Get information about the computer account */ +- res = retrieve_computer_account (enroll); ++ return retrieve_computer_account (enroll); ++} ++ ++adcli_result ++adcli_enroll_update (adcli_enroll *enroll, ++ adcli_enroll_flags flags) ++{ ++ adcli_result res = ADCLI_SUCCESS; ++ LDAP *ldap; ++ char *value; ++ ++ res = adcli_enroll_read_computer_account (enroll, flags); + if (res != ADCLI_SUCCESS) + return res; + +@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll, + return enroll_join_or_update_tasks (enroll, flags); + } + ++adcli_result ++adcli_enroll_show_computer_attribute (adcli_enroll *enroll) ++{ ++ LDAP *ldap; ++ size_t c; ++ char **vals; ++ size_t v; ++ ++ ldap = adcli_conn_get_ldap_connection (enroll->conn); ++ assert (ldap != NULL); ++ ++ for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) { ++ vals = _adcli_ldap_parse_values (ldap, ++ enroll->computer_attributes, ++ default_ad_ldap_attrs[c]); ++ printf ("%s:\n", default_ad_ldap_attrs[c]); ++ if (vals == NULL) { ++ printf (" - not set -\n"); ++ } else { ++ for (v = 0; vals[v] != NULL; v++) { ++ printf (" %s\n", vals[v]); ++ } ++ } ++ _adcli_strv_free (vals); ++ } ++ ++ return ADCLI_SUCCESS; ++} ++ + adcli_result + adcli_enroll_delete (adcli_enroll *enroll, + adcli_enroll_flags delete_flags) +diff --git a/library/adenroll.h b/library/adenroll.h +index 1d5d00d..11eb517 100644 +--- a/library/adenroll.h ++++ b/library/adenroll.h +@@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll, + adcli_result adcli_enroll_update (adcli_enroll *enroll, + adcli_enroll_flags flags); + ++adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll, ++ adcli_enroll_flags flags); ++ ++adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll); ++ + adcli_result adcli_enroll_delete (adcli_enroll *enroll, + adcli_enroll_flags delete_flags); + +diff --git a/tools/computer.c b/tools/computer.c +index ac8a203..c8b96a4 100644 +--- a/tools/computer.c ++++ b/tools/computer.c +@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn, + adcli_enroll_unref (enroll); + return 0; + } ++ ++int ++adcli_tool_computer_show (adcli_conn *conn, ++ int argc, ++ char *argv[]) ++{ ++ adcli_enroll *enroll; ++ adcli_result res; ++ int opt; ++ ++ struct option options[] = { ++ { "domain", required_argument, NULL, opt_domain }, ++ { "domain-realm", required_argument, NULL, opt_domain_realm }, ++ { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "login-user", required_argument, NULL, opt_login_user }, ++ { "login-ccache", optional_argument, NULL, opt_login_ccache }, ++ { "login-type", required_argument, NULL, opt_login_type }, ++ { "no-password", no_argument, 0, opt_no_password }, ++ { "stdin-password", no_argument, 0, opt_stdin_password }, ++ { "prompt-password", no_argument, 0, opt_prompt_password }, ++ { "verbose", no_argument, NULL, opt_verbose }, ++ { "help", no_argument, NULL, 'h' }, ++ { 0 }, ++ }; ++ ++ static adcli_tool_desc usages[] = { ++ { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" }, ++ { 0 }, ++ }; ++ ++ enroll = adcli_enroll_new (conn); ++ if (enroll == NULL) { ++ warnx ("unexpected memory problems"); ++ return -1; ++ } ++ ++ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { ++ switch (opt) { ++ case 'h': ++ case '?': ++ case ':': ++ adcli_tool_usage (options, usages); ++ adcli_tool_usage (options, common_usages); ++ adcli_enroll_unref (enroll); ++ return opt == 'h' ? 0 : 2; ++ default: ++ res = parse_option ((Option)opt, optarg, conn, enroll); ++ if (res != ADCLI_SUCCESS) { ++ adcli_enroll_unref (enroll); ++ return res; ++ } ++ break; ++ } ++ } ++ ++ argc -= optind; ++ argv += optind; ++ ++ res = adcli_conn_connect (conn); ++ if (res != ADCLI_SUCCESS) { ++ warnx ("couldn't connect to %s domain: %s", ++ adcli_conn_get_domain_name (conn), ++ adcli_get_last_error ()); ++ adcli_enroll_unref (enroll); ++ return -res; ++ } ++ ++ if (argc == 1) { ++ parse_fqdn_or_name (enroll, argv[0]); ++ } ++ ++ res = adcli_enroll_read_computer_account (enroll, 0); ++ if (res != ADCLI_SUCCESS) { ++ warnx ("couldn't read data for %s: %s", ++ adcli_enroll_get_host_fqdn (enroll) != NULL ++ ? adcli_enroll_get_host_fqdn (enroll) ++ : adcli_enroll_get_computer_name (enroll), ++ adcli_get_last_error ()); ++ adcli_enroll_unref (enroll); ++ return -res; ++ } ++ ++ res = adcli_enroll_show_computer_attribute (enroll); ++ if (res != ADCLI_SUCCESS) { ++ warnx ("couldn't print data for %s: %s", ++ argv[0], adcli_get_last_error ()); ++ adcli_enroll_unref (enroll); ++ return -res; ++ } ++ ++ adcli_enroll_unref (enroll); ++ return 0; ++} +diff --git a/tools/tools.c b/tools/tools.c +index fc9fa9a..9d422f2 100644 +--- a/tools/tools.c ++++ b/tools/tools.c +@@ -59,6 +59,7 @@ struct { + { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", }, + { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", }, + { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", }, ++ { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", }, + { "create-user", adcli_tool_user_create, "Create a user account", }, + { "delete-user", adcli_tool_user_delete, "Delete a user account", }, + { "create-group", adcli_tool_group_create, "Create a group", }, +diff --git a/tools/tools.h b/tools/tools.h +index 8cebbf9..3702875 100644 +--- a/tools/tools.h ++++ b/tools/tools.h +@@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn, + int argc, + char *argv[]); + ++int adcli_tool_computer_show (adcli_conn *conn, ++ int argc, ++ char *argv[]); ++ + int adcli_tool_user_create (adcli_conn *conn, + int argc, + char *argv[]); +-- +2.21.0 + diff --git a/SOURCES/0002-add-description-option-to-join-and-update.patch b/SOURCES/0002-add-description-option-to-join-and-update.patch new file mode 100644 index 0000000..a36dfc9 --- /dev/null +++ b/SOURCES/0002-add-description-option-to-join-and-update.patch @@ -0,0 +1,183 @@ +From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 27 Nov 2019 14:48:32 +0100 +Subject: [PATCH 2/2] add description option to join and update + +This new option allows to set the description LDAP attribute for the AD +computer object. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342 +--- + doc/adcli.xml | 10 ++++++++++ + library/adenroll.c | 29 +++++++++++++++++++++++++++++ + library/adenroll.h | 4 ++++ + tools/computer.c | 7 +++++++ + 4 files changed, 50 insertions(+) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index 1f93186..dd30435 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -275,6 +275,11 @@ Password for Administrator: + Set the operating system version on the computer + account. Not set by default. + ++ ++ ++ Set the description attribute on the computer ++ account. Not set by default. ++ + + + Additional service name for a kerberos +@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123 + Set the operating system version on the computer + account. Not set by default. + ++ ++ ++ Set the description attribute on the computer ++ account. Not set by default. ++ + + + Additional service name for a Kerberos +diff --git a/library/adenroll.c b/library/adenroll.c +index 8d2adeb..246f658 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] = { + "operatingSystemServicePack", + "pwdLastSet", + "userAccountControl", ++ "description", + NULL, + }; + +@@ -143,6 +144,7 @@ struct _adcli_enroll { + char *samba_data_tool; + bool trusted_for_delegation; + int trusted_for_delegation_explicit; ++ char *description; + }; + + static adcli_result +@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll, + char *vals_userPrincipalName[] = { enroll->user_principal, NULL }; + LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, }; + LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } }; ++ char *vals_description[] = { enroll->description, NULL }; ++ LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, }; + + char *val = NULL; + +@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll, + &operatingSystemServicePack, + &userPrincipalName, + &servicePrincipalName, ++ &description, + NULL + }; + +@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll) + res |= update_computer_attribute (enroll, ldap, mods); + } + ++ if (res == ADCLI_SUCCESS && enroll->description != NULL) { ++ char *vals_description[] = { enroll->description, NULL }; ++ LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, }; ++ LDAPMod *mods[] = { &description, NULL, }; ++ ++ res |= update_computer_attribute (enroll, ldap, mods); ++ } ++ + if (res != 0) + _adcli_info ("Updated existing computer account: %s", enroll->computer_dn); + } +@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll, + enroll->trusted_for_delegation_explicit = 1; + } + ++void ++adcli_enroll_set_description (adcli_enroll *enroll, const char *value) ++{ ++ return_if_fail (enroll != NULL); ++ if (value != NULL && value[0] != '\0') { ++ _adcli_str_set (&enroll->description, value); ++ } ++} ++ ++const char * ++adcli_enroll_get_desciption (adcli_enroll *enroll) ++{ ++ return_val_if_fail (enroll != NULL, NULL); ++ return enroll->description; ++} ++ + const char ** + adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll) + { +diff --git a/library/adenroll.h b/library/adenroll.h +index 11eb517..0606169 100644 +--- a/library/adenroll.h ++++ b/library/adenroll.h +@@ -126,6 +126,10 @@ bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll + void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll, + bool value); + ++const char * adcli_enroll_get_desciption (adcli_enroll *enroll); ++void adcli_enroll_set_description (adcli_enroll *enroll, ++ const char *value); ++ + krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll); + + void adcli_enroll_set_kvno (adcli_enroll *enroll, +diff --git a/tools/computer.c b/tools/computer.c +index c8b96a4..840e334 100644 +--- a/tools/computer.c ++++ b/tools/computer.c +@@ -112,6 +112,7 @@ typedef enum { + opt_trusted_for_delegation, + opt_add_service_principal, + opt_remove_service_principal, ++ opt_description, + } Option; + + static adcli_tool_desc common_usages[] = { +@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = { + "in the userAccountControl attribute", }, + { opt_add_service_principal, "add the given service principal to the account\n" }, + { opt_remove_service_principal, "remove the given service principal from the account\n" }, ++ { opt_description, "add a description to the account\n" }, + { opt_no_password, "don't prompt for or read a password" }, + { opt_prompt_password, "prompt for a password if necessary" }, + { opt_stdin_password, "read a password from stdin (until EOF) if\n" +@@ -306,6 +308,9 @@ parse_option (Option opt, + case opt_remove_service_principal: + adcli_enroll_add_service_principal_to_remove (enroll, optarg); + return ADCLI_SUCCESS; ++ case opt_description: ++ adcli_enroll_set_description (enroll, optarg); ++ return ADCLI_SUCCESS; + case opt_verbose: + return ADCLI_SUCCESS; + +@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn, + { "os-name", required_argument, NULL, opt_os_name }, + { "os-version", required_argument, NULL, opt_os_version }, + { "os-service-pack", optional_argument, NULL, opt_os_service_pack }, ++ { "description", optional_argument, NULL, opt_description }, + { "user-principal", optional_argument, NULL, opt_user_principal }, + { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation }, + { "add-service-principal", required_argument, NULL, opt_add_service_principal }, +@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn, + { "os-name", required_argument, NULL, opt_os_name }, + { "os-version", required_argument, NULL, opt_os_version }, + { "os-service-pack", optional_argument, NULL, opt_os_service_pack }, ++ { "description", optional_argument, NULL, opt_description }, + { "user-principal", optional_argument, NULL, opt_user_principal }, + { "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime }, + { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation }, +-- +2.21.0 + diff --git a/SOURCES/0002-add-option-use-ldaps.patch b/SOURCES/0002-add-option-use-ldaps.patch new file mode 100644 index 0000000..ab34272 --- /dev/null +++ b/SOURCES/0002-add-option-use-ldaps.patch @@ -0,0 +1,378 @@ +From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 19 Dec 2019 07:22:33 +0100 +Subject: [PATCH 2/2] add option use-ldaps + +In general using the LDAP port with GSS-SPNEGO should satifiy all +requirements an AD DC should have for authentication on an encrypted +LDAP connection. + +But if e.g. the LDAP port is blocked by a firewall using the LDAPS port +with TLS encryption might be an alternative. For this use case the +--use-ldaps option is added. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420 +--- + doc/adcli.xml | 24 +++++++++++++++ + library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------ + library/adconn.h | 4 +++ + tools/computer.c | 10 ++++++ + tools/entry.c | 11 +++++++ + 5 files changed, 119 insertions(+), 9 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index dd30435..acced25 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -128,6 +128,30 @@ + If not specified, then an appropriate domain controller + is automatically discovered. + ++ ++ ++ Connect to the domain controller ++ with LDAPS. By default the LDAP port is used and SASL ++ GSS-SPNEGO or GSSAPI is used for authentication and to ++ establish encryption. This should satisfy all ++ requirements set on the server side and LDAPS should ++ only be used if the LDAP port is not accessible due to ++ firewalls or other reasons. ++ Please note that the place where CA certificates ++ can be found to validate the AD DC certificates ++ must be configured in the OpenLDAP configuration ++ file, e.g. /etc/openldap/ldap.conf. ++ As an alternative it can be specified with the help of ++ an environment variable, e.g. ++ ++$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com ++... ++ ++ Please see ++ ldap.conf ++ 5 for details. ++ ++ + + + Use the specified kerberos credential +diff --git a/library/adconn.c b/library/adconn.c +index ffb54f9..7bab852 100644 +--- a/library/adconn.c ++++ b/library/adconn.c +@@ -70,6 +70,7 @@ struct _adcli_conn_ctx { + char *domain_name; + char *domain_realm; + char *domain_controller; ++ bool use_ldaps; + char *canonical_host; + char *domain_short; + char *domain_sid; +@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap + + static LDAP * + connect_to_address (const char *host, +- const char *canonical_host) ++ const char *canonical_host, ++ bool use_ldaps) + { + struct addrinfo *res = NULL; + struct addrinfo *ai; +@@ -783,6 +785,16 @@ connect_to_address (const char *host, + char *url; + int sock; + int rc; ++ int opt_rc; ++ const char *port = "389"; ++ const char *proto = "ldap"; ++ const char *errmsg = NULL; ++ ++ if (use_ldaps) { ++ port = "636"; ++ proto = "ldaps"; ++ _adcli_info ("Using LDAPS to connect to %s", host); ++ } + + memset (&hints, '\0', sizeof(hints)); + #ifdef AI_ADDRCONFIG +@@ -794,7 +806,7 @@ connect_to_address (const char *host, + if (!canonical_host) + canonical_host = host; + +- rc = getaddrinfo (host, "389", &hints, &res); ++ rc = getaddrinfo (host, port, &hints, &res); + if (rc != 0) { + _adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc)); + return NULL; +@@ -810,7 +822,7 @@ connect_to_address (const char *host, + close (sock); + } else { + error = 0; +- if (asprintf (&url, "ldap://%s", canonical_host) < 0) ++ if (asprintf (&url, "%s://%s", proto, canonical_host) < 0) + return_val_if_reached (NULL); + rc = ldap_init_fd (sock, 1, url, &ldap); + free (url); +@@ -820,6 +832,25 @@ connect_to_address (const char *host, + ldap_err2string (rc)); + break; + } ++ ++ if (use_ldaps) { ++ rc = ldap_install_tls (ldap); ++ if (rc != LDAP_SUCCESS) { ++ opt_rc = ldap_get_option (ldap, ++ LDAP_OPT_DIAGNOSTIC_MESSAGE, ++ (void *) &errmsg); ++ if (opt_rc != LDAP_SUCCESS) { ++ errmsg = NULL; ++ } ++ _adcli_err ("Couldn't initialize TLS [%s]: %s", ++ ldap_err2string (rc), ++ errmsg == NULL ? "- no details -" ++ : errmsg); ++ ldap_unbind_ext_s (ldap, NULL, NULL); ++ ldap = NULL; ++ break; ++ } ++ } + } + } + +@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn, + if (!canonical_host) + canonical_host = disco->host_addr; + +- ldap = connect_to_address (disco->host_addr, canonical_host); ++ ldap = connect_to_address (disco->host_addr, canonical_host, ++ adcli_conn_get_use_ldaps (conn)); + if (ldap == NULL) + return ADCLI_ERR_DIRECTORY; + +@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn) + status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL); + return_unexpected_if_fail (status == 0); + +- /* Clumsily tell ldap + cyrus-sasl that we want encryption */ +- ssf = 1; +- ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); +- return_unexpected_if_fail (ret == 0); ++ if (adcli_conn_get_use_ldaps (conn)) { ++ /* do not use SASL encryption on LDAPS connection */ ++ ssf = 0; ++ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); ++ return_unexpected_if_fail (ret == 0); ++ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf); ++ return_unexpected_if_fail (ret == 0); ++ } else { ++ /* Clumsily tell ldap + cyrus-sasl that we want encryption */ ++ ssf = 1; ++ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); ++ return_unexpected_if_fail (ret == 0); ++ } + +- if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) { ++ /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if ++ * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used ++ * without LDAPS. */ ++ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO") ++ && !adcli_conn_get_use_ldaps (conn)) { + mech = "GSS-SPNEGO"; + } ++ _adcli_info ("Using %s for SASL bind", mech); + + ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL, + LDAP_SASL_QUIET, sasl_interact, NULL); +@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name) + conn->refs = 1; + conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT; + adcli_conn_set_domain_name (conn, domain_name); ++ adcli_conn_set_use_ldaps (conn, false); + return conn; + } + +@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn, + no_more_disco (conn); + } + ++bool ++adcli_conn_get_use_ldaps (adcli_conn *conn) ++{ ++ return_val_if_fail (conn != NULL, NULL); ++ return conn->use_ldaps; ++} ++ ++void ++adcli_conn_set_use_ldaps (adcli_conn *conn, bool value) ++{ ++ return_if_fail (conn != NULL); ++ conn->use_ldaps = value; ++} ++ + const char * + adcli_conn_get_domain_short (adcli_conn *conn) + { +diff --git a/library/adconn.h b/library/adconn.h +index 37ebdd9..1d5faa8 100644 +--- a/library/adconn.h ++++ b/library/adconn.h +@@ -89,6 +89,10 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn); + void adcli_conn_set_domain_controller (adcli_conn *conn, + const char *value); + ++bool adcli_conn_get_use_ldaps (adcli_conn *conn); ++void adcli_conn_set_use_ldaps (adcli_conn *conn, ++ bool value); ++ + const char * adcli_conn_get_domain_short (adcli_conn *conn); + + const char * adcli_conn_get_domain_sid (adcli_conn *conn); +diff --git a/tools/computer.c b/tools/computer.c +index 840e334..292c4d8 100644 +--- a/tools/computer.c ++++ b/tools/computer.c +@@ -113,12 +113,14 @@ typedef enum { + opt_add_service_principal, + opt_remove_service_principal, + opt_description, ++ opt_use_ldaps, + } Option; + + static adcli_tool_desc common_usages[] = { + { opt_domain, "active directory domain name" }, + { opt_domain_realm, "kerberos realm for the domain" }, + { opt_domain_controller, "domain controller to connect to" }, ++ { opt_use_ldaps, "use LDAPS port for communication" }, + { opt_host_fqdn, "override the fully qualified domain name of the\n" + "local machine" }, + { opt_host_keytab, "filename for the host kerberos keytab" }, +@@ -311,6 +313,9 @@ parse_option (Option opt, + case opt_description: + adcli_enroll_set_description (enroll, optarg); + return ADCLI_SUCCESS; ++ case opt_use_ldaps: ++ adcli_conn_set_use_ldaps (conn, true); ++ return ADCLI_SUCCESS; + case opt_verbose: + return ADCLI_SUCCESS; + +@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, + { "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */ ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "user", required_argument, NULL, opt_login_user }, /* compat */ + { "login-ccache", optional_argument, NULL, opt_login_ccache }, +@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "domain-ou", required_argument, NULL, opt_domain_ou }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, +@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "login-type", required_argument, NULL, opt_login_type }, +@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "login-type", required_argument, NULL, opt_login_type }, +diff --git a/tools/entry.c b/tools/entry.c +index f361845..05e4313 100644 +--- a/tools/entry.c ++++ b/tools/entry.c +@@ -53,6 +53,7 @@ typedef enum { + opt_unix_gid, + opt_unix_shell, + opt_nis_domain, ++ opt_use_ldaps, + } Option; + + static adcli_tool_desc common_usages[] = { +@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = { + { opt_domain, "active directory domain name" }, + { opt_domain_realm, "kerberos realm for the domain" }, + { opt_domain_controller, "domain directory server to connect to" }, ++ { opt_use_ldaps, "use LDAPS port for communication" }, + { opt_login_ccache, "kerberos credential cache file which contains\n" + "ticket to used to connect to the domain" }, + { opt_login_user, "user (usually administrative) login name of\n" +@@ -136,6 +138,9 @@ parse_option (Option opt, + stdin_password = 1; + } + return ADCLI_SUCCESS; ++ case opt_use_ldaps: ++ adcli_conn_set_use_ldaps (conn, true); ++ return ADCLI_SUCCESS; + case opt_verbose: + return ADCLI_SUCCESS; + default: +@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "domain-ou", required_argument, NULL, opt_domain_ou }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, +@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn, + { "domain", required_argument, NULL, opt_domain }, + { "domain-realm", required_argument, NULL, opt_domain_realm }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, ++ { "use-ldaps", no_argument, 0, opt_use_ldaps }, + { "login-user", required_argument, NULL, opt_login_user }, + { "login-ccache", optional_argument, NULL, opt_login_ccache }, + { "no-password", no_argument, 0, opt_no_password }, +-- +2.21.0 + diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec index 371dfe4..022476f 100644 --- a/SPECS/adcli.spec +++ b/SPECS/adcli.spec @@ -1,6 +1,6 @@ Name: adcli Version: 0.8.2 -Release: 3%{?dist} +Release: 5%{?dist} Summary: Active Directory enrollment License: LGPLv2+ URL: http://cgit.freedesktop.org/realmd/adcli @@ -90,6 +90,23 @@ Patch52: 0002-adconn-add-adcli_conn_set_krb5_context.patch Patch53: 0003-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch Patch54: 0004-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch +# rhbz#1745931 - adcli update --add-samba-data does not work as expected +Patch55: 0001-doc-explain-how-to-force-password-reset.patch +Patch56: 0001-man-move-note-to-the-right-section.patch + +# rhbz#1745932 - Issue is that with arcfour-hmac as first encryption type +Patch57: 0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch + +Patch58: 0001-Fix-for-issue-found-by-Coverity.patch + +# rhbz#1737342 - [RFE] enhancement adcli to set description attribute and to +# show all AD attributes +Patch59: 0001-tools-add-show-computer-command.patch +Patch60: 0002-add-description-option-to-join-and-update.patch + +Patch61: 0001-Use-GSS-SPNEGO-if-available.patch +Patch62: 0002-add-option-use-ldaps.patch + BuildRequires: gcc BuildRequires: intltool pkgconfig BuildRequires: libtool @@ -150,6 +167,16 @@ documentation. %doc %{_datadir}/doc/adcli/* %changelog +* Wed Jan 29 2020 Sumit Bose - 0.8.2-5 +- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t + sssd [#1762420] + +* Thu Nov 28 2019 Sumit Bose - 0.8.2-4 +- adcli update --add-samba-data does not work as expected [#1745931] +- Issue is that with arcfour-hmac as first encryption type [#1745932] +- [RFE] enhancement adcli to set description attribute and to show all AD + attributes [#1737342] + * Fri Jun 14 2019 Sumit Bose - 0.8.2-3 - use autosetup macro to simplify patch handling - fixed rpmlint warnings in the spec file