diff --git a/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
new file mode 100644
index 0000000..15aaf07
--- /dev/null
+++ b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
@@ -0,0 +1,32 @@
+From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 5 Jun 2020 17:06:58 +0200
+Subject: [PATCH] delete: do not exit if keytab cannot be read
+
+Reading the keytab is not required when deleting a host object in AD. It
+is only needed in the case where the host was added with a manual set
+NetBIOS name (--computer-name option) which does not match the short
+hostname and no computer name was given at the delete-computer command
+line.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
+---
+ tools/computer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 292c4d8..a90c4b2 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+- adcli_enroll_unref (enroll);
+- return -res;
+ }
+
+ res = adcli_conn_connect (conn);
+--
+2.26.2
+
diff --git a/SOURCES/0001-discovery-fix.patch b/SOURCES/0001-discovery-fix.patch
new file mode 100644
index 0000000..a296f91
--- /dev/null
+++ b/SOURCES/0001-discovery-fix.patch
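Review bot: With the early return removed from the `res != ADCLI_SUCCESS` branch in adcli_tool_computer_delete, the delete carries on to `adcli_conn_connect` after a failed keytab lookup, and nothing in the code says which computer name is then used. Per the commit message the keytab only matters when the host was joined with a custom --computer-name and none is given on the command line; in that case the tool would presumably act on the account matching the short hostname instead, which should be confirmed against the part of the function outside this hunk. I would document the decision above the warning, e.g. `/* not fatal: keytab is only needed to recover a non-default computer name */`, and extend the warning text to say that the default name is being used.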
@@ -0,0 +1,27 @@
+From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 11 Feb 2020 17:42:03 +0100
+Subject: [PATCH] discovery fix
+
+Do not continue processing on closed connection.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
+---
+ library/addisco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 6e73ead..f3b3546 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
+ "Couldn't perform discovery search");
+ ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ ldap[i] = NULL;
++ continue;
+ }
+
+ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+--
+2.25.2
+
diff --git a/SOURCES/0001-man-move-note-to-the-right-section.patch b/SOURCES/0001-man-move-note-to-the-right-section.patch
new file mode 100644
index 0000000..2cbe93f
--- /dev/null
+++ b/SOURCES/0001-man-move-note-to-the-right-section.patch
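Review bot: The new `continue` at the end of the error branch in ldap_disco has no comment saying why the rest of the iteration must be skipped once `ldap[i]` has been unbound and set to NULL. A one-line note such as `/* connection is closed, nothing more to do for this server */` would keep a later edit from dropping it and reintroducing use of the closed handle. Whether the other passes over `ldap[]` tolerate NULL entries is not visible here and is worth confirming, since the loop starts and ends outside the hunk.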
@@ -0,0 +1,48 @@
+From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 27 Nov 2019 18:26:44 +0100
+Subject: [PATCH] man: move note to the right section
+
+Unfortunately the note about the password lifetime was added to the join
+section. This patch move it to the update section where it belongs to.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+ https://bugzilla.redhat.com/show_bug.cgi?id=1745931
+ https://bugzilla.redhat.com/show_bug.cgi?id=1774622
+---
+ doc/adcli.xml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 4f201e0..9faf96a 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,11 +330,7 @@ Password for Administrator:
+ important here is currently the
+ option, see
+ smb.conf5
+- for details.
+- Note that if the machine account password is not
+- older than 30 days, you have to pass
+- to
+- force the update.
++ for details.
+
+
+
+@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ important here is currently the
+ option, see
+ smb.conf5
+- for details.
++ for details.
++ Note that if the machine account password is not
++ older than 30 days, you have to pass
++ to
++ force the update.
+
+
+
+--
+2.25.2
+
diff --git a/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
new file mode 100644
index 0000000..07d791e
--- /dev/null
+++ b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
@@ -0,0 +1,41 @@
+From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 5 Jun 2020 17:28:28 +0200
+Subject: [PATCH] tools: disable SSSD's locator plugin
+
+MIT's libkrb5 checks available locator plugins first before checking the
+config file. This might cause issues when the locator plugin returns a
+different DC than the one used for the LDAP connection if some data must
+be replicated.
+
+This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
+'true' to disable SSSD's locator plugin for adcli.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
+---
+ tools/tools.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 9d422f2..1b6d879 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
+ }
+
+ unsetenv ("KRB5_CONFIG");
++ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
+ }
+
+ static void
+@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ adcli_krb5_conf_filename = filename;
+ adcli_krb5_d_directory = snippets;
+ setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
++ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
+
+ } else {
+ free (filename);
+--
+2.26.2
+
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index 0ebe6b9..d5eed34 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,6 +1,6 @@
 Name: adcli
 Version: 0.8.1
-Release: 13%{?dist}
+Release: 15%{?dist}
 Summary: Active Directory enrollment
 License: LGPLv2+
 URL: http://cgit.freedesktop.org/realmd/adcli
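Review bot: The added `setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1)` in setup_krb5_conf_directory ignores its return value, so a failure leaves the locator plugin active with no hint to the user (the KRB5_CONFIG call above it has the same gap). It also sits in the success branch next to the KRB5_CONFIG assignment, so when the `else` path is taken the plugin is not disabled at all; if that is intended, a short comment should say so. A minimal change is `if (setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1) != 0) warnx ("couldn't set SSSD_KRB5_LOCATOR_DISABLE");`. The matching `unsetenv` in cleanup_krb5_conf_directory also drops a value the caller may have exported before starting adcli, which is probably harmless at exit but deserves a comment. Both functions start and end outside the nested hunks.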
@@ -113,6 +113,18 @@ Patch64: 0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch Patch65: 0001-Use-GSS-SPNEGO-if-available.patch Patch66: 0002-add-option-use-ldaps.patch +#rhbz#1774622 - Update' adcli update --add-samba-data ' info under correct section in man adcli +Patch67: 0001-man-move-note-to-the-right-section.patch + +# rhbz#1802258 - [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 +Patch68: 0001-discovery-fix.patch + +# rhbz#1840752 - No longer able to delete computer from AD using adcli +Patch69: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch + +# rhbz#1762633 - adcli: presetting $computer in $domain domain failed: Cannot set computer password: Authentication error +Patch70: 0001-tools-disable-SSSD-s-locator-plugin.patch + BuildRequires: intltool pkgconfig BuildRequires: libtool BuildRequires: gettext-devel @@ -161,6 +173,17 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %doc %{_mandir}/*/* %changelog +* Mon Jun 08 2020 Sumit Bose - 0.8.1-15 +- More fixes for RHEL-7.9 +- No longer able to delete computer from AD using adcli [#1840752] +- adcli: presetting $computer in $domain domain failed: Cannot set computer + password: Authentication error [#1762633] + +* Sun Apr 19 2020 Sumit Bose - 0.8.1-14 +- Fixes for RHEL-7.9 +- Update' adcli update --add-samba-data ' info under correct section in man adcli [#1774622] +- [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 [#1802258] + * Tue Jan 14 2020 Sumit Bose - 0.8.1-13 - adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd [#1786776]