import adcli-0.8.2-7.el8

e7ce261f · Rocky Automation · 7d4105cb · e7ce261f · e7ce261f · e7ce261f
Commit e7ce261f authored 4 years ago by Rocky Automation
--- a/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
+++ b/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
+From 0a0d0f66409eb83e06b7dc50543c2f6c15a36bc4 Mon Sep 17 00:00:00 2001
+From: Alexey A Nikitin <nikitin@amazon.com>
+Date: Mon, 29 Oct 2018 20:40:36 -0700
+Subject: [PATCH] Make 'adcli info' DC location mechanism more compliant with
+ [MS-ADTS] and [MS-NRPC]
+
+AD specifications say that DC locator must attempt to find a suitable DC for the client. That means going through all of the DCs in SRV RRs one by one until one of them answers.
+
+The problem with adcli's original behavior is that it queries only five DCs from SRV, ever. This becomes a problem if for any reason there is a large number of DCs in the domain from which the client cannot get a CLDAP response.
+---
+ library/addisco.c | 146 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 94 insertions(+), 52 deletions(-)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 8cc5bf0..6e73ead 100644
+--- a/library/addisco.c
+++ b/library/addisco.c
+@@ -41,8 +41,10 @@
+ #include <string.h>
+ #include <time.h>
+ 
+-/* Number of servers to do discovery against */
+-#define DISCO_COUNT 5
+/* Number of servers to do discovery against.
+ * For AD DS maximum number of DCs is 1200.
+ */
+#define DISCO_COUNT 1200
+ 
+ /* The time period in which to do rapid requests */
+ #define DISCO_FEVER  1
+@@ -453,6 +455,51 @@ parse_disco (LDAP *ldap,
+ 	return usability;
+ }
+ 
+static int
+ldap_disco_poller (LDAP **ldap,
+                   LDAPMessage **message,
+                   adcli_disco **results,
+                   const char **addrs)
+{
+	int found = ADCLI_DISCO_UNUSABLE;
+	int close_ldap;
+	int parsed;
+	int ret = 0;
+	struct timeval tvpoll = { 0, 0 };
+
+	switch (ldap_result (*ldap, LDAP_RES_ANY, 1, &tvpoll, message)) {
+		case LDAP_RES_SEARCH_ENTRY:
+		case LDAP_RES_SEARCH_RESULT:
+			parsed = parse_disco (*ldap, *addrs, *message, results);
+			if (parsed > found)
+				found = parsed;
+			ldap_msgfree (*message);
+			close_ldap = 1;
+			break;
+		case -1:
+			ldap_get_option (*ldap, LDAP_OPT_RESULT_CODE, &ret);
+			close_ldap = 1;
+			break;
+		default:
+			ldap_msgfree (*message);
+			close_ldap = 0;
+			break;
+	}
+
+	if (ret != LDAP_SUCCESS) {
+		_adcli_ldap_handle_failure (*ldap, ADCLI_ERR_CONFIG,
+		                            "Couldn't perform discovery search");
+	}
+
+	/* Done with this connection */
+	if (close_ldap) {
+		ldap_unbind_ext_s (*ldap, NULL, NULL);
+		*ldap = NULL;
+	}
+
+	return found;
+}
+
+ static int
+ ldap_disco (const char *domain,
+             srvinfo *srv,
+@@ -477,6 +524,7 @@ ldap_disco (const char *domain,
+ 	int num, i;
+ 	int ret;
+ 	int have_any = 0;
+	struct timeval interval;
+ 
+ 	if (domain) {
+ 		value = _adcli_ldap_escape_filter (domain);
+@@ -540,7 +588,6 @@ ldap_disco (const char *domain,
+ 				version = LDAP_VERSION3;
+ 				ldap_set_option (ldap[num], LDAP_OPT_PROTOCOL_VERSION, &version);
+ 				ldap_set_option (ldap[num], LDAP_OPT_REFERRALS , 0);
+-				_adcli_info ("Sending netlogon pings to domain controller: %s", url);
+ 				addrs[num] = srv->hostname;
+ 				have_any = 1;
+ 				num++;
+@@ -555,70 +602,65 @@ ldap_disco (const char *domain,
+ 		freeaddrinfo (res);
+ 	}
+ 
+-	/* Wait for the first response. Poor mans fd watch */
+-	for (started = now = time (NULL);
+-	     have_any && found != ADCLI_DISCO_USABLE && now < started + DISCO_TIME;
+-	     now = time (NULL)) {
+	/* Initial send and short time wait */
+	interval.tv_sec = 0;
+	for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
+		int parsed;
+
+		if (NULL == ldap[i])
+			continue;
+ 
+-		struct timeval tvpoll = { 0, 0 };
+-		struct timeval interval;
+		have_any = 1;
+		_adcli_info ("Sending NetLogon ping to domain controller: %s", addrs[i]);
+ 
+-		/* If in the initial period, send feverishly */
+-		if (now < started + DISCO_FEVER) {
+-			interval.tv_sec = 0;
+-			interval.tv_usec = 100 * 1000;
+		ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
+		                       filter, attrs, 0, NULL, NULL, NULL,
+		                       -1, &msgidp);
+
+		if (ret != LDAP_SUCCESS) {
+			_adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
+			                            "Couldn't perform discovery search");
+			ldap_unbind_ext_s (ldap[i], NULL, NULL);
+			ldap[i] = NULL;
+		}
+
+		/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+		 * five DCs are given 0.4 seconds timeout, next five are given 0.2
+		 * seconds, and the rest are given 0.1 seconds
+		 */
+		if (i < 5) {
+			interval.tv_usec = 400000;
+		} else if (i < 10) {
+			interval.tv_usec = 200000;
+ 		} else {
+-			interval.tv_sec = 1;
+-			interval.tv_usec = 0;
+			interval.tv_usec = 100000;
+ 		}
+		select (0, NULL, NULL, NULL, &interval);
+
+		parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
+		if (parsed > found)
+			found = parsed;
+	}
+
+	/* Wait some more until LDAP timeout (DISCO_TIME) */
+	for (started = now = time (NULL);
+	     have_any && ADCLI_DISCO_UNUSABLE == found && now < started + DISCO_TIME;
+	     now = time (NULL)) {
+ 
+ 		select (0, NULL, NULL, NULL, &interval);
+ 
+ 		have_any = 0;
+-		for (i = 0; found != ADCLI_DISCO_USABLE && i < num; i++) {
+-			int close_ldap;
+		for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
+ 			int parsed;
+ 
+ 			if (ldap[i] == NULL)
+ 				continue;
+ 
+-			ret = 0;
+ 			have_any = 1;
+-			switch (ldap_result (ldap[i], LDAP_RES_ANY, 1, &tvpoll, &message)) {
+-			case LDAP_RES_SEARCH_ENTRY:
+-			case LDAP_RES_SEARCH_RESULT:
+-				parsed = parse_disco (ldap[i], addrs[i], message, results);
+-				if (parsed > found)
+-					found = parsed;
+-				ldap_msgfree (message);
+-				close_ldap = 1;
+-				break;
+-			case 0:
+-				ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
+-				                       filter, attrs, 0, NULL, NULL, NULL,
+-				                       -1, &msgidp);
+-				close_ldap = (ret != 0);
+-				break;
+-			case -1:
+-				ldap_get_option (ldap[i], LDAP_OPT_RESULT_CODE, &ret);
+-				close_ldap = 1;
+-				break;
+-			default:
+-				ldap_msgfree (message);
+-				close_ldap = 0;
+-				break;
+-			}
+-
+-			if (ret != LDAP_SUCCESS) {
+-				_adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
+-				                            "Couldn't perform discovery search");
+-			}
+ 
+-			/* Done with this connection */
+-			if (close_ldap) {
+-				ldap_unbind_ext_s (ldap[i], NULL, NULL);
+-				ldap[i] = NULL;
+-			}
+			parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
+			if (parsed > found)
+				found = parsed;
+ 		}
+ 	}
+ 
+-- 
+2.26.2
+
--- a/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
+++ b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
+From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 5 Jun 2020 17:06:58 +0200
+Subject: [PATCH] delete: do not exit if keytab cannot be read
+
+Reading the keytab is not required when deleting a host object in AD. It
+is only needed in the case where the host was added with a manual set
+NetBIOS name (--computer-name option) which does not match the short
+hostname and no computer name was given at the delete-computer command
+line.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
+---
+ tools/computer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 292c4d8..a90c4b2 100644
+--- a/tools/computer.c
+++ b/tools/computer.c
+@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 	if (res != ADCLI_SUCCESS) {
+ 		warnx ("couldn't lookup domain info from keytab: %s",
+ 		       adcli_get_last_error ());
+-		adcli_enroll_unref (enroll);
+-		return -res;
+ 	}
+ 
+ 	res = adcli_conn_connect (conn);
+-- 
+2.26.2
+
--- a/SOURCES/0001-discovery-fix.patch
+++ b/SOURCES/0001-discovery-fix.patch
+From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 11 Feb 2020 17:42:03 +0100
+Subject: [PATCH] discovery fix
+
+Do not continue processing on closed connection.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
+---
+ library/addisco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 6e73ead..f3b3546 100644
+--- a/library/addisco.c
+++ b/library/addisco.c
+@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
+ 			                            "Couldn't perform discovery search");
+ 			ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ 			ldap[i] = NULL;
+			continue;
+ 		}
+ 
+ 		/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+-- 
+2.26.2
+
--- a/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
+++ b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
+From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:57:47 +0200
+Subject: [PATCH] man: explain optional parameter of login-ccache better
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index acced25..ecf8726 100644
+--- a/doc/adcli.xml
+++ b/doc/adcli.xml
+@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ 		<varlistentry>
+ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ 			<listitem><para>Use the specified kerberos credential
+-                        cache to authenticate with the domain. If no credential
+-                        cache is specified, the default kerberos credential
+-                        cache will be used. Credential caches of type FILE can
+-                        be given with the path to the file. For other
+-                        credential cache types, e.g. DIR, KEYRING or KCM, the
+-                        type must be specified explicitly together with a
+-                        suitable identifier.</para></listitem>
+			cache to authenticate with the domain. If no credential
+			cache is specified, the default kerberos credential
+			cache will be used. Credential caches of type FILE can
+			be given with the path to the file. For other
+			credential cache types, e.g. DIR, KEYRING or KCM, the
+			type must be specified explicitly together with a
+			suitable identifier.</para>
+			<para>Please note that since the
+			<parameter>ccache_name</parameter> is optional the
+			=(equal) sign is mandatory. If = is missing the
+			parameter is treated as optionless extra argument. How
+			this is handled depends on the specific sub-command.
+			</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>-U, --login-user=<parameter>User</parameter></option></term>
+-- 
+2.26.2
+
--- a/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch
+++ b/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch
+From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 13 Aug 2020 17:10:01 +0200
+Subject: [PATCH] man: make handling of optional credential cache more clear
+
+The optional Kerberos credential cache can only be used with the long
+option name --login-ccache and not with the short version -C. To make
+this more clear each option get its own entry.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index ecf8726..1437679 100644
+--- a/doc/adcli.xml
+++ b/doc/adcli.xml
+@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ 			</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+-			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+-			<listitem><para>Use the specified kerberos credential
+			<term><option>-C</option></term>
+			<listitem><para>Use the default Kerberos credential
+			cache to authenticate with the domain.
+			</para></listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
+			<listitem><para>Use the specified Kerberos credential
+ 			cache to authenticate with the domain. If no credential
+-			cache is specified, the default kerberos credential
+			cache is specified, the default Kerberos credential
+ 			cache will be used. Credential caches of type FILE can
+ 			be given with the path to the file. For other
+ 			credential cache types, e.g. DIR, KEYRING or KCM, the
+-- 
+2.26.2
+
--- a/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
+++ b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
+From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 5 Jun 2020 17:28:28 +0200
+Subject: [PATCH] tools: disable SSSD's locator plugin
+
+MIT's libkrb5 checks available locator plugins first before checking the
+config file. This might cause issues when the locator plugin returns a
+different DC than the one used for the LDAP connection if some data must
+be replicated.
+
+This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
+'true' to disable SSSD's locator plugin for adcli.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
+---
+ tools/tools.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 9d422f2..1b6d879 100644
+--- a/tools/tools.c
+++ b/tools/tools.c
+@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
+ 	}
+ 
+ 	unsetenv ("KRB5_CONFIG");
+	unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
+ }
+ 
+ static void
+@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ 		adcli_krb5_conf_filename = filename;
+ 		adcli_krb5_d_directory = snippets;
+ 		setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
+		setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
+ 
+ 	} else {
+ 		free (filename);
+-- 
+2.26.2
+
--- a/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch
+++ b/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch
+From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:41:53 +0200
+Subject: [PATCH] tools: fix typo in show-password help output
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
+---
+ tools/computer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index a90c4b2..24ea258 100644
+--- a/tools/computer.c
+++ b/tools/computer.c
+@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
+ 	                         "accounts" },
+ 	{ opt_show_details, "show information about joining the domain after\n"
+ 	                     "a successful join" },
+-	{ opt_show_password, "show computer account password after after a\n"
+	{ opt_show_password, "show computer account password after a\n"
+ 	                     "successful join" },
+ 	{ opt_add_samba_data, "add domain SID and computer account password\n"
+ 	                      "to the Samba specific configuration database" },
+-- 
+2.26.2
+
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
 Name:		adcli
 Version:	0.8.2
-Release:	5%{?dist}
+Release:	7%{?dist}
 Summary:	Active Directory enrollment
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/adcli
@@ -107,6 +107,24 @@ Patch60:	0002-add-description-option-to-join-and-update.patch
 Patch61:	0001-Use-GSS-SPNEGO-if-available.patch
 Patch62:	0002-add-option-use-ldaps.patch

+# rhbz#1806260 - [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6
+Patch63:	0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
+Patch64:	0001-discovery-fix.patch
+
+# rhbz#1846882 - No longer able to delete computer from AD using adcli
+Patch65:	0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
+
+# rhbz#1846878 - adcli: presetting $computer in $domain domain failed: Cannot
+#               set computer password: Authentication error
+Patch66:	0001-tools-disable-SSSD-s-locator-plugin.patch
+
+# rhbz#1791611 - Typo in adcli update --help option
+Patch67:	0001-tools-fix-typo-in-show-password-help-output.patch
+
+# rhbz#1791545 - Manpage and help does not explain the use of "-C" option
+Patch68:	0001-man-explain-optional-parameter-of-login-ccache-bette.patch
+Patch69:	0001-man-make-handling-of-optional-credential-cache-more-.patch
+
 BuildRequires:	gcc
 BuildRequires:	intltool pkgconfig
 BuildRequires:	libtool
@@ -167,6 +185,17 @@ documentation.
 %doc %{_datadir}/doc/adcli/*

 %changelog
+* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-7
+- Improve "-C" option description in man page even more [#1791545]
+
+* Mon Jun 15 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-6
+- [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 [#1806260]
+- No longer able to delete computer from AD using adcli [#1846882]
+- adcli: presetting $computer in $domain domain failed: Cannot set computer
+  password: Authentication error [#1846878]
+- Typo in adcli update --help option [#1791611]
+- Manpage and help does not explain the use of "-C" option [#1791545]
+
 * Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
 - adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
  sssd [#1762420]