Commit 1b6b54a8 authored by Rocky Automation's avatar Rocky Automation 📺

import adcli-0.8.2-3.el8

parent 8f3751fb
From 3c93c96eb6ea2abd3869921ee4c89e1a4d9e4c44 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 13:08:52 +0200
Subject: [PATCH] Fix for issues found by Coverity
---
library/adenroll.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 02bd9e3..de2242a 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1575,7 +1575,7 @@ load_host_keytab (adcli_enroll *enroll)
}
krb5_free_context (k5);
- return ADCLI_SUCCESS;
+ return res;
}
typedef struct {
@@ -1756,12 +1756,12 @@ add_principal_to_keytab (adcli_enroll *enroll,
enroll->kvno, &password, enctypes, &salts[*which_salt]);
free_principal_salts (k5, salts);
+ }
- if (code != 0) {
- _adcli_err ("Couldn't add keytab entries: %s: %s",
- enroll->keytab_name, krb5_get_error_message (k5, code));
- return ADCLI_ERR_FAIL;
- }
+ if (code != 0) {
+ _adcli_err ("Couldn't add keytab entries: %s: %s",
+ enroll->keytab_name, krb5_get_error_message (k5, code));
+ return ADCLI_ERR_FAIL;
}
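Review bot: The re-indented error path still hands the string returned by `krb5_get_error_message (k5, code)` straight to `_adcli_err` and never releases it, so each failed keytab write leaks that message. Capture it first and free it after logging: `const char *msg = krb5_get_error_message (k5, code);` then `_adcli_err ("Couldn't add keytab entries: %s: %s", enroll->keytab_name, msg);` and `krb5_free_error_message (k5, msg);` before the `return ADCLI_ERR_FAIL;`. The moved closing brace at `+ }` changes which block the check belongs to; add_principal_to_keytab begins outside this hunk, so the lines that assign `code` are not visible here and it is worth confirming it is set on every path that reaches the check.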
--
2.21.0
From 6fd99ff6c5dd6ef0be8d942989b1c6dcee3102d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Mar 2019 12:37:39 +0100
Subject: [PATCH] Implement 'adcli testjoin'
By calling adcli testjoin it will be checked if the host credentials
stored in the keytab are still valid.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1622583
---
doc/adcli.xml | 34 +++++++++++++++++++++++
tools/computer.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
tools/tools.c | 1 +
tools/tools.h | 4 +++
4 files changed, 111 insertions(+)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index af73433..9605b4a 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -43,6 +43,9 @@
<cmdsynopsis>
<command>adcli update</command>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>adcli testjoin</command>
+ </cmdsynopsis>
<cmdsynopsis>
<command>adcli create-user</command>
<arg choice="opt">--domain=domain.example.com</arg>
@@ -474,6 +477,37 @@ $ adcli update --login-ccache=/tmp/krbcc_123
</refsect1>
+<refsect1 id='testjoin'>
+ <title>Testing if the machine account password is valid</title>
+
+ <para><command>adcli testjoin</command> uses the current credentials in
+ the keytab and tries to authenticate with the machine account to the AD
+ domain. If this works the machine account password and the join are
+ still valid. If it fails the machine account password or the whole
+ machine account have to be refreshed with
+ <command>adcli join</command> or <command>adcli update</command>.
+ </para>
+
+<programlisting>
+$ adcli testjoin
+</programlisting>
+
+ <para>Only the global options not related to authentication are
+ available, additionally you can specify the following options to
+ control how this operation is done.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
+ <listitem><para>Specify the path to the host keytab where
+ current host credentials are stored and the new ones
+ will be written to. If not specified, the default
+ location will be used, usually
+ <filename>/etc/krb5.keytab</filename>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id='create_user'>
<title>Creating a User</title>
diff --git a/tools/computer.c b/tools/computer.c
index 112340e..610ed2b 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -566,6 +566,78 @@ adcli_tool_computer_update (adcli_conn *conn,
return 0;
}
+int
+adcli_tool_computer_testjoin (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ const char *ktname;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "host-keytab", required_argument, 0, opt_host_keytab },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli testjoin" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL)
+ errx (-1, "unexpected memory problems");
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ parse_option ((Option)opt, optarg, conn, enroll);
+ break;
+ }
+ }
+
+ /* Force use of a keytab to test the join/machine account password */
+ adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT);
+ ktname = adcli_enroll_get_keytab_name (enroll);
+ adcli_conn_set_login_keytab_name (conn, ktname ? ktname : "");
+
+ res = adcli_enroll_load (enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+ errx (-res, "couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+ }
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+ errx (-res, "couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ }
+
+ printf ("Sucessfully validated join to domain %s\n",
+ adcli_conn_get_domain_name (conn));
+
+ adcli_enroll_unref (enroll);
+
+ return 0;
+}
int
adcli_tool_computer_preset (adcli_conn *conn,
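Review bot: In the connect-failure path `adcli_conn_get_domain_name (conn)` is evaluated as an argument to errx after `adcli_conn_unref (conn)` has already run, so if that unref drops the last reference the error message reads from a released connection. Fetch the name before releasing: `const char *domain = adcli_conn_get_domain_name (conn);` ahead of the two unrefs, then `errx (-res, "couldn't connect to %s domain: %s", domain, adcli_get_last_error ());`. The success message `printf ("Sucessfully validated join to domain %s\n", ...)` misspells "Successfully". Minor style: the `host-keytab` entry in `options[]` uses `0` for the flag pointer where the neighbouring entries use `NULL`.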
diff --git a/tools/tools.c b/tools/tools.c
index 915130e..c4e2851 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -55,6 +55,7 @@ struct {
{ "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS },
{ "join", adcli_tool_computer_join, "Join this machine to a domain", },
{ "update", adcli_tool_computer_update, "Update machine membership in a domain", },
+ { "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", },
{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
diff --git a/tools/tools.h b/tools/tools.h
index 6c97ccf..8cebbf9 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -70,6 +70,10 @@ int adcli_tool_computer_update (adcli_conn *conn,
int argc,
char *argv[]);
+int adcli_tool_computer_testjoin (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
int adcli_tool_computer_delete (adcli_conn *conn,
int argc,
char *argv[]);
--
2.20.1
From 5cf1723c308e21cdbe9b98ed2aaa42cb997456fb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 15 Mar 2019 14:31:12 +0100
Subject: [PATCH] Increment kvno after password change with user creds
Originally only the host credential part was fixed in the context of
https://bugs.freedesktop.org/show_bug.cgi?id=91185. This patch adds the
fix to the case when user credentials are used.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1642546
---
library/adenroll.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index e02f403..58362c2 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1057,6 +1057,10 @@ set_password_with_user_creds (adcli_enroll *enroll)
#endif
} else {
_adcli_info ("Set computer password");
+ if (enroll->kvno > 0) {
+ enroll->kvno++;
+ _adcli_info ("kvno incremented to %d", enroll->kvno);
+ }
res = ADCLI_SUCCESS;
}
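Review bot: The new increment block duplicates, per the commit message, the one already present in the host-credential path; a small shared helper such as `enroll_increment_kvno (enroll)` holding the `kvno > 0` check, the increment and the log line would keep the two paths from drifting apart. The log call `_adcli_info ("kvno incremented to %d", enroll->kvno)` uses `%d`; if `kvno` is a `krb5_kvno` (an unsigned type) the matching conversion is `%u` — the field's declaration is outside this hunk, so confirm before changing. set_password_with_user_creds starts and ends outside the hunk.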
--
2.20.1
From 341974aae7d0755fc32a0b7e2b34d8e1ef60d195 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 20 Dec 2018 21:05:35 +0100
Subject: [PATCH 1/4] adenroll: make sure only allowed enctypes are used in
FIPS mode
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355
---
library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 52aa8a8..f617f28 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -41,11 +41,19 @@
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#ifndef SAMBA_DATA_TOOL
#define SAMBA_DATA_TOOL "/usr/bin/net"
#endif
+static krb5_enctype v60_later_enctypes_fips[] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 0
+};
+
static krb5_enctype v60_later_enctypes[] = {
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
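Review bot: `v60_later_enctypes_fips` carries no comment saying why it exists beside `v60_later_enctypes`; the two tables look identical in the visible lines and the tail of the older table is outside the hunk, so a reader cannot tell what is being excluded. Suggest `/* AES-only subset of v60_later_enctypes, used when the kernel reports FIPS mode (see adcli_fips_enabled) */` above the new table.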
@@ -2594,6 +2602,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll,
enroll->keytab_name_is_krb5 = 0;
}
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+static bool adcli_fips_enabled (void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open (PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read (fd, buf, sizeof (buf));
+ close (fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a
+ * non-0 value. */
+ if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
krb5_enctype *
adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
{
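Review bot: In adcli_fips_enabled any outcome other than reading exactly `0\n` — a failed read (`len == -1`), a short read, or a file holding `0` without a trailing newline — is reported as FIPS enabled. That fails closed toward the AES-only enctypes, which is the safe direction, but the comment only describes the "non-0 value" case; make the intent explicit: `/* Fail closed: a read error or any content other than "0\n" counts as FIPS enabled. */`. The function uses `bool`/`true`/`false`; the include block in the earlier hunk does not add `<stdbool.h>`, so confirm it is already pulled in elsewhere in the file.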
@@ -2602,7 +2632,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
return enroll->keytab_enctypes;
if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))
- return v60_later_enctypes;
+ if (adcli_fips_enabled ()) {
+ return v60_later_enctypes_fips;
+ } else {
+ return v60_later_enctypes;
+ }
else
return v51_earlier_enctypes;
}
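Review bot: The FIPS restriction only takes effect on the V60 branch; the `else` still returns `v51_earlier_enctypes` unchanged, so on a FIPS host talking to a pre-V60 domain controller whatever that table holds (its contents are outside this hunk) is still requested. If it contains non-FIPS enctypes, either apply the same filtering there or at least log that FIPS mode could not be honoured for that server. The new inner if/else sits unbraced inside the outer `if` and parses as intended only because the inner `else` is present; brace the outer `if` body to avoid the dangling-else trap. Since `adcli_fips_enabled ()` re-reads /proc on every call, caching the result in a static would also be reasonable.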
--
2.21.0
From 85d127fd52a8469f9f3ce0d1130fe17e756fdd75 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Nov 2018 13:32:33 +0100
Subject: [PATCH 1/2] adutil: add _adcli_strv_add_unique
_adcli_strv_add_unique checks if the new value already exists in the
strv before adding it. Check can be done case-sensitive or not.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/16
---
library/adprivate.h | 5 ++++
library/adutil.c | 65 ++++++++++++++++++++++++++++++++++++++-------
2 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/library/adprivate.h b/library/adprivate.h
index bc9df6d..0806430 100644
--- a/library/adprivate.h
+++ b/library/adprivate.h
@@ -111,6 +111,11 @@ char ** _adcli_strv_add (char **strv,
char *string,
int *length) GNUC_WARN_UNUSED;
+char ** _adcli_strv_add_unique (char **strv,
+ char *string,
+ int *length,
+ bool case_sensitive) GNUC_WARN_UNUSED;
+
void _adcli_strv_remove_unsorted (char **strv,
const char *string,
int *length);
diff --git a/library/adutil.c b/library/adutil.c
index 17d2caa..76ea158 100644
--- a/library/adutil.c
+++ b/library/adutil.c
@@ -221,6 +221,34 @@ _adcli_strv_add (char **strv,
return seq_push (strv, length, string);
}
+static int
+_adcli_strv_has_ex (char **strv,
+ const char *str,
+ int (* compare) (const char *match, const char*value))
+{
+ int i;
+
+ for (i = 0; strv && strv[i] != NULL; i++) {
+ if (compare (strv[i], str) == 0)
+ return 1;
+ }
+
+ return 0;
+}
+
+char **
+_adcli_strv_add_unique (char **strv,
+ char *string,
+ int *length,
+ bool case_sensitive)
+{
+ if (_adcli_strv_has_ex (strv, string, case_sensitive ? strcmp : strcasecmp) == 1) {
+ return strv;
+ }
+
+ return _adcli_strv_add (strv, string, length);
+}
+
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
void
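Review bot: When the value is already present `_adcli_strv_add_unique` returns without touching `string`, while on the other path `_adcli_strv_add` stores it in the array, so the caller gets no single ownership rule and the usual `strdup ()` call pattern — the new test passes `strdup ("one")` twice — leaks the duplicate. If `_adcli_strv_add` takes ownership of `string` (the test's `_adcli_strv_free` usage suggests it does), free it on the early return: `if (_adcli_strv_has_ex (strv, string, case_sensitive ? strcmp : strcasecmp) == 1) { free (string); return strv; }`, and state the ownership rule in the adprivate.h declaration. Minor: the `compare` parameter is written `const char*value` where the file spells pointer parameters `const char *value`.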
@@ -241,19 +269,11 @@ _adcli_strv_remove_unsorted (char **strv,
(seq_compar)strcasecmp, free);
}
-
int
_adcli_strv_has (char **strv,
const char *str)
{
- int i;
-
- for (i = 0; strv && strv[i] != NULL; i++) {
- if (strcmp (strv[i], str) == 0)
- return 1;
- }
-
- return 0;
+ return _adcli_strv_has_ex (strv, str, strcmp);
}
void
@@ -704,6 +724,32 @@ test_strv_add_free (void)
_adcli_strv_free (strv);
}
+static void
+test_strv_add_unique_free (void)
+{
+ char **strv = NULL;
+
+ strv = _adcli_strv_add_unique (strv, strdup ("one"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("one"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("two"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("two"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("tWo"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("three"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("three"), NULL, false);
+ strv = _adcli_strv_add_unique (strv, strdup ("TWO"), NULL, true);
+
+ assert_num_eq (_adcli_strv_len (strv), 4);
+
+ assert_str_eq (strv[0], "one");
+ assert_str_eq (strv[1], "two");
+ assert_str_eq (strv[2], "three");
+ assert_str_eq (strv[3], "TWO");
+ assert (strv[4] == NULL);
+
+ _adcli_strv_free (strv);
+}
+
+
static void
test_strv_dup (void)
{
@@ -856,6 +902,7 @@ main (int argc,
char *argv[])
{
test_func (test_strv_add_free, "/util/strv_add_free");
+ test_func (test_strv_add_unique_free, "/util/strv_add_unique_free");
test_func (test_strv_dup, "/util/strv_dup");
test_func (test_strv_count, "/util/strv_count");
test_func (test_check_nt_time_string_lifetime, "/util/check_nt_time_string_lifetime");
--
2.20.1
From 1457b4a7623a8ae58fb8d6a652d1cc44904b8863 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 18 Mar 2019 11:02:57 +0100
Subject: [PATCH 1/2] create-user: add nis-domain option
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/2
---
doc/adcli.xml | 8 ++++++++
tools/entry.c | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 4722c3a..18620c0 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -531,6 +531,14 @@ $ adcli create-user Fry --domain=domain.example.com \
the new created user account, which should be the user's
numeric primary user id.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--nis-domain=<parameter>nis_domain</parameter></option></term>
+ <listitem><para>Set the <code>msSFU30NisDomain</code> attribute of
+ the new created user account, which should be the user's
+ NIS domain is the NIS/YP service of Active Directory's Services for Unix (SFU)
+ are used. This is needed to let the 'UNIX attributes' tab of older Active
+ Directoy versions show the set UNIX specific attributes.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/tools/entry.c b/tools/entry.c
index 7b6a200..69ce62c 100644
--- a/tools/entry.c
+++ b/tools/entry.c
@@ -52,6 +52,7 @@ typedef enum {
opt_unix_uid,
opt_unix_gid,
opt_unix_shell,
+ opt_nis_domain,
} Option;
static adcli_tool_desc common_usages[] = {
@@ -62,6 +63,7 @@ static adcli_tool_desc common_usages[] = {
{ opt_unix_uid, "unix uid number" },
{ opt_unix_gid, "unix gid number" },
{ opt_unix_shell, "unix shell" },
+ { opt_nis_domain, "NIS domain" },
{ opt_domain, "active directory domain name" },
{ opt_domain_realm, "kerberos realm for the domain" },
{ opt_domain_controller, "domain directory server to connect to" },
@@ -159,6 +161,7 @@ adcli_tool_user_create (adcli_conn *conn,
{ "unix-uid", required_argument, NULL, opt_unix_uid },
{ "unix-gid", required_argument, NULL, opt_unix_gid },
{ "unix-shell", required_argument, NULL, opt_unix_shell },
+ { "nis-domain", required_argument, NULL, opt_nis_domain },
{ "domain-ou", required_argument, NULL, opt_domain_ou },
{ "domain", required_argument, NULL, opt_domain },
{ "domain-realm", required_argument, NULL, opt_domain_realm },
@@ -200,6 +203,9 @@ adcli_tool_user_create (adcli_conn *conn,
case opt_unix_shell:
adcli_attrs_add (attrs, "loginShell", optarg, NULL);
break;
+ case opt_nis_domain:
+ adcli_attrs_add (attrs, "msSFU30NisDomain", optarg, NULL);
+ break;
case opt_domain_ou:
ou = optarg;
break;
--
2.20.1
From 3a84c2469c31967bc22c0490456f07723ef5fc86 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Mar 2019 11:01:50 +0100
Subject: [PATCH 1/4] ensure_keytab_principals: do not leak memory when called
twice
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
---
library/adenroll.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index d1f746c..48cb4cf 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -413,6 +413,25 @@ ensure_service_principals (adcli_result res,
return res;
}
+static void enroll_clear_keytab_principals (adcli_enroll *enroll)
+{
+ krb5_context k5;
+ size_t c;
+
+ if (enroll->keytab_principals) {
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ return_if_fail (k5 != NULL);
+
+ for (c = 0; enroll->keytab_principals[c] != NULL; c++)
+ krb5_free_principal (k5, enroll->keytab_principals[c]);
+
+ free (enroll->keytab_principals);
+ enroll->keytab_principals = NULL;
+ }
+
+ return;
+}
+
static adcli_result
ensure_keytab_principals (adcli_result res,
adcli_enroll *enroll)
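Review bot: The new definition puts `static void` and the name on one line, whereas the file (see `static adcli_result` / `ensure_keytab_principals` right below) places the return type on its own line; the trailing `return;` at the end of a void function is also noise. If `return_if_fail (k5 != NULL)` trips, the principal array is left allocated and `enroll->keytab_principals` still points at it, so a later call will try again; that matches the code it replaces, but a one-line comment such as `/* without a krb5 context the array is left in place for a later call to release */` would make it clear this is deliberate.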
@@ -430,6 +449,7 @@ ensure_keytab_principals (adcli_result res,
k5 = adcli_conn_get_krb5_context (enroll->conn);
return_unexpected_if_fail (k5 != NULL);
+ enroll_clear_keytab_principals (enroll);
enroll->keytab_principals = calloc (count + 3, sizeof (krb5_principal));
return_unexpected_if_fail (enroll->keytab_principals != NULL);
at = 0;
@@ -1860,18 +1880,8 @@ static void
enroll_clear_state (adcli_enroll *enroll)
{
krb5_context k5;
- int i;
-
- if (enroll->keytab_principals) {
- k5 = adcli_conn_get_krb5_context (enroll->conn);
- return_if_fail (k5 != NULL);
-
- for (i = 0; enroll->keytab_principals[i] != NULL; i++)
- krb5_free_principal (k5, enroll->keytab_principals[i]);
- free (enroll->keytab_principals);
- enroll->keytab_principals = NULL;
- }
+ enroll_clear_keytab_principals (enroll);
if (enroll->keytab) {
k5 = adcli_conn_get_krb5_context (enroll->conn);