Commit e7ce261f authored by Rocky Automation's avatar Rocky Automation 📺
Browse files

import adcli-0.8.2-7.el8

parent 7d4105cb
From 0a0d0f66409eb83e06b7dc50543c2f6c15a36bc4 Mon Sep 17 00:00:00 2001
From: Alexey A Nikitin <nikitin@amazon.com>
Date: Mon, 29 Oct 2018 20:40:36 -0700
Subject: [PATCH] Make 'adcli info' DC location mechanism more compliant with
[MS-ADTS] and [MS-NRPC]
AD specifications say that DC locator must attempt to find a suitable DC for the client. That means going through all of the DCs in SRV RRs one by one until one of them answers.
The problem with adcli's original behavior is that it queries only five DCs from SRV, ever. This becomes a problem if for any reason there is a large number of DCs in the domain from which the client cannot get a CLDAP response.
---
library/addisco.c | 146 +++++++++++++++++++++++++++++-----------------
1 file changed, 94 insertions(+), 52 deletions(-)
diff --git a/library/addisco.c b/library/addisco.c
index 8cc5bf0..6e73ead 100644
--- a/library/addisco.c
+++ b/library/addisco.c
@@ -41,8 +41,10 @@
#include <string.h>
#include <time.h>
-/* Number of servers to do discovery against */
-#define DISCO_COUNT 5
+/* Number of servers to do discovery against.
+ * For AD DS maximum number of DCs is 1200.
+ */
+#define DISCO_COUNT 1200
/* The time period in which to do rapid requests */
#define DISCO_FEVER 1
@@ -453,6 +455,51 @@ parse_disco (LDAP *ldap,
return usability;
}
+static int
+ldap_disco_poller (LDAP **ldap,
+ LDAPMessage **message,
+ adcli_disco **results,
+ const char **addrs)
+{
+ int found = ADCLI_DISCO_UNUSABLE;
+ int close_ldap;
+ int parsed;
+ int ret = 0;
+ struct timeval tvpoll = { 0, 0 };
+
+ switch (ldap_result (*ldap, LDAP_RES_ANY, 1, &tvpoll, message)) {
+ case LDAP_RES_SEARCH_ENTRY:
+ case LDAP_RES_SEARCH_RESULT:
+ parsed = parse_disco (*ldap, *addrs, *message, results);
+ if (parsed > found)
+ found = parsed;
+ ldap_msgfree (*message);
+ close_ldap = 1;
+ break;
+ case -1:
+ ldap_get_option (*ldap, LDAP_OPT_RESULT_CODE, &ret);
+ close_ldap = 1;
+ break;
+ default:
+ ldap_msgfree (*message);
+ close_ldap = 0;
+ break;
+ }
+
+ if (ret != LDAP_SUCCESS) {
+ _adcli_ldap_handle_failure (*ldap, ADCLI_ERR_CONFIG,
+ "Couldn't perform discovery search");
+ }
+
+ /* Done with this connection */
+ if (close_ldap) {
+ ldap_unbind_ext_s (*ldap, NULL, NULL);
+ *ldap = NULL;
+ }
+
+ return found;
+}
+
static int
ldap_disco (const char *domain,
srvinfo *srv,
@@ -477,6 +524,7 @@ ldap_disco (const char *domain,
int num, i;
int ret;
int have_any = 0;
+ struct timeval interval;
if (domain) {
value = _adcli_ldap_escape_filter (domain);
@@ -540,7 +588,6 @@ ldap_disco (const char *domain,
version = LDAP_VERSION3;
ldap_set_option (ldap[num], LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_set_option (ldap[num], LDAP_OPT_REFERRALS , 0);
- _adcli_info ("Sending netlogon pings to domain controller: %s", url);
addrs[num] = srv->hostname;
have_any = 1;
num++;
@@ -555,70 +602,65 @@ ldap_disco (const char *domain,
freeaddrinfo (res);
}
- /* Wait for the first response. Poor mans fd watch */
- for (started = now = time (NULL);
- have_any && found != ADCLI_DISCO_USABLE && now < started + DISCO_TIME;
- now = time (NULL)) {
+ /* Initial send and short time wait */
+ interval.tv_sec = 0;
+ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
+ int parsed;
+
+ if (NULL == ldap[i])
+ continue;
- struct timeval tvpoll = { 0, 0 };
- struct timeval interval;
+ have_any = 1;
+ _adcli_info ("Sending NetLogon ping to domain controller: %s", addrs[i]);
- /* If in the initial period, send feverishly */
- if (now < started + DISCO_FEVER) {
- interval.tv_sec = 0;
- interval.tv_usec = 100 * 1000;
+ ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
+ filter, attrs, 0, NULL, NULL, NULL,
+ -1, &msgidp);
+
+ if (ret != LDAP_SUCCESS) {
+ _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
+ "Couldn't perform discovery search");
+ ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ ldap[i] = NULL;
+ }
+
+ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+ * five DCs are given 0.4 seconds timeout, next five are given 0.2
+ * seconds, and the rest are given 0.1 seconds
+ */
+ if (i < 5) {
+ interval.tv_usec = 400000;
+ } else if (i < 10) {
+ interval.tv_usec = 200000;
} else {
- interval.tv_sec = 1;
- interval.tv_usec = 0;
+ interval.tv_usec = 100000;
}
+ select (0, NULL, NULL, NULL, &interval);
+
+ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
+ if (parsed > found)
+ found = parsed;
+ }
+
+ /* Wait some more until LDAP timeout (DISCO_TIME) */
+ for (started = now = time (NULL);
+ have_any && ADCLI_DISCO_UNUSABLE == found && now < started + DISCO_TIME;
+ now = time (NULL)) {
select (0, NULL, NULL, NULL, &interval);
have_any = 0;
- for (i = 0; found != ADCLI_DISCO_USABLE && i < num; i++) {
- int close_ldap;
+ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
int parsed;
if (ldap[i] == NULL)
continue;
- ret = 0;
have_any = 1;
- switch (ldap_result (ldap[i], LDAP_RES_ANY, 1, &tvpoll, &message)) {
- case LDAP_RES_SEARCH_ENTRY:
- case LDAP_RES_SEARCH_RESULT:
- parsed = parse_disco (ldap[i], addrs[i], message, results);
- if (parsed > found)
- found = parsed;
- ldap_msgfree (message);
- close_ldap = 1;
- break;
- case 0:
- ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
- filter, attrs, 0, NULL, NULL, NULL,
- -1, &msgidp);
- close_ldap = (ret != 0);
- break;
- case -1:
- ldap_get_option (ldap[i], LDAP_OPT_RESULT_CODE, &ret);
- close_ldap = 1;
- break;
- default:
- ldap_msgfree (message);
- close_ldap = 0;
- break;
- }
-
- if (ret != LDAP_SUCCESS) {
- _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
- "Couldn't perform discovery search");
- }
- /* Done with this connection */
- if (close_ldap) {
- ldap_unbind_ext_s (ldap[i], NULL, NULL);
- ldap[i] = NULL;
- }
+ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
+ if (parsed > found)
+ found = parsed;
}
}
--
2.26.2
From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 5 Jun 2020 17:06:58 +0200
Subject: [PATCH] delete: do not exit if keytab cannot be read
Reading the keytab is not required when deleting a host object in AD. It
is only needed in the case where the host was added with a manual set
NetBIOS name (--computer-name option) which does not match the short
hostname and no computer name was given at the delete-computer command
line.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
---
tools/computer.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/computer.c b/tools/computer.c
index 292c4d8..a90c4b2 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
if (res != ADCLI_SUCCESS) {
warnx ("couldn't lookup domain info from keytab: %s",
adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
}
res = adcli_conn_connect (conn);
--
2.26.2
From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 Feb 2020 17:42:03 +0100
Subject: [PATCH] discovery fix
Do not continue processing on closed connection.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
---
library/addisco.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/library/addisco.c b/library/addisco.c
index 6e73ead..f3b3546 100644
--- a/library/addisco.c
+++ b/library/addisco.c
@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
"Couldn't perform discovery search");
ldap_unbind_ext_s (ldap[i], NULL, NULL);
ldap[i] = NULL;
+ continue;
}
/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
--
2.26.2
From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Jun 2020 15:57:47 +0200
Subject: [PATCH] man: explain optional parameter of login-ccache better
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
---
doc/adcli.xml | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index acced25..ecf8726 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
<varlistentry>
<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
<listitem><para>Use the specified kerberos credential
- cache to authenticate with the domain. If no credential
- cache is specified, the default kerberos credential
- cache will be used. Credential caches of type FILE can
- be given with the path to the file. For other
- credential cache types, e.g. DIR, KEYRING or KCM, the
- type must be specified explicitly together with a
- suitable identifier.</para></listitem>
+ cache to authenticate with the domain. If no credential
+ cache is specified, the default kerberos credential
+ cache will be used. Credential caches of type FILE can
+ be given with the path to the file. For other
+ credential cache types, e.g. DIR, KEYRING or KCM, the
+ type must be specified explicitly together with a
+ suitable identifier.</para>
+ <para>Please note that since the
+ <parameter>ccache_name</parameter> is optional the
+ =(equal) sign is mandatory. If = is missing the
+ parameter is treated as optionless extra argument. How
+ this is handled depends on the specific sub-command.
+ </para></listitem>
</varlistentry>
<varlistentry>
<term><option>-U, --login-user=<parameter>User</parameter></option></term>
--
2.26.2
From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Aug 2020 17:10:01 +0200
Subject: [PATCH] man: make handling of optional credential cache more clear
The optional Kerberos credential cache can only be used with the long
option name --login-ccache and not with the short version -C. To make
this more clear each option get its own entry.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
---
doc/adcli.xml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index ecf8726..1437679 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
- <listitem><para>Use the specified kerberos credential
+ <term><option>-C</option></term>
+ <listitem><para>Use the default Kerberos credential
+ cache to authenticate with the domain.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
+ <listitem><para>Use the specified Kerberos credential
cache to authenticate with the domain. If no credential
- cache is specified, the default kerberos credential
+ cache is specified, the default Kerberos credential
cache will be used. Credential caches of type FILE can
be given with the path to the file. For other
credential cache types, e.g. DIR, KEYRING or KCM, the
--
2.26.2
From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 5 Jun 2020 17:28:28 +0200
Subject: [PATCH] tools: disable SSSD's locator plugin
MIT's libkrb5 checks available locator plugins first before checking the
config file. This might cause issues when the locator plugin returns a
different DC than the one used for the LDAP connection if some data must
be replicated.
This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
'true' to disable SSSD's locator plugin for adcli.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
---
tools/tools.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tools.c b/tools/tools.c
index 9d422f2..1b6d879 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
}
unsetenv ("KRB5_CONFIG");
+ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
}
static void
@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
adcli_krb5_conf_filename = filename;
adcli_krb5_d_directory = snippets;
setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
+ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
} else {
free (filename);
--
2.26.2
From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Jun 2020 15:41:53 +0200
Subject: [PATCH] tools: fix typo in show-password help output
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
---
tools/computer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/computer.c b/tools/computer.c
index a90c4b2..24ea258 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
"accounts" },
{ opt_show_details, "show information about joining the domain after\n"
"a successful join" },
- { opt_show_password, "show computer account password after after a\n"
+ { opt_show_password, "show computer account password after a\n"
"successful join" },
{ opt_add_samba_data, "add domain SID and computer account password\n"
"to the Samba specific configuration database" },
--
2.26.2
Name: adcli
Version: 0.8.2
Release: 5%{?dist}
Release: 7%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli
......@@ -107,6 +107,24 @@ Patch60: 0002-add-description-option-to-join-and-update.patch
Patch61: 0001-Use-GSS-SPNEGO-if-available.patch
Patch62: 0002-add-option-use-ldaps.patch
# rhbz#1806260 - [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6
Patch63: 0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
Patch64: 0001-discovery-fix.patch
# rhbz#1846882 - No longer able to delete computer from AD using adcli
Patch65: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
# rhbz#1846878 - adcli: presetting $computer in $domain domain failed: Cannot
# set computer password: Authentication error
Patch66: 0001-tools-disable-SSSD-s-locator-plugin.patch
# rhbz#1791611 - Typo in adcli update --help option
Patch67: 0001-tools-fix-typo-in-show-password-help-output.patch
# rhbz#1791545 - Manpage and help does not explain the use of "-C" option
Patch68: 0001-man-explain-optional-parameter-of-login-ccache-bette.patch
Patch69: 0001-man-make-handling-of-optional-credential-cache-more-.patch
BuildRequires: gcc
BuildRequires: intltool pkgconfig
BuildRequires: libtool
......@@ -167,6 +185,17 @@ documentation.
%doc %{_datadir}/doc/adcli/*
%changelog
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-7
- Improve "-C" option description in man page even more [#1791545]
* Mon Jun 15 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-6
- [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 [#1806260]
- No longer able to delete computer from AD using adcli [#1846882]
- adcli: presetting $computer in $domain domain failed: Cannot set computer
password: Authentication error [#1846878]
- Typo in adcli update --help option [#1791611]
- Manpage and help does not explain the use of "-C" option [#1791545]
* Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
sssd [#1762420]
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment