From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 06/23] Handle kvno increment for RODCs
Since the actual password change does not happen on the read-only domain
controller (RODC) the kvno change has to be replicated back which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
 library/adenroll.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index 05885d0..bb970d1 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 		             adcli_enroll_flags flags)
 {
 	adcli_result res;
+	krb5_kvno old_kvno = -1;
 
 	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
+
+		/* Handle kvno changes for read-only domain controllers
+		 * (RODC). Since the actual password change does not happen on
+		 * the RODC the kvno change has to be replicated back which
+		 * might take some time. So we check the kvno before and after
+		 * the change if we are connected to a RODC and increment the
+		 * kvno if needed. */
+		if (!adcli_conn_is_writeable (enroll->conn)) {
+			if (enroll->computer_attributes == NULL) {
+				res = retrieve_computer_account (enroll);
+				if (res != ADCLI_SUCCESS)
+					return res;
+			}
+			old_kvno = adcli_enroll_get_kvno (enroll);
+			_adcli_info ("Found old kvno '%d'", old_kvno);
+
+			ldap_msgfree (enroll->computer_attributes);
+			enroll->computer_attributes = NULL;
+			adcli_enroll_set_kvno (enroll, 0);
+		}
+
 		res = set_computer_password (enroll);
 		if (res != ADCLI_SUCCESS)
 			return res;
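Review bot: The sentinel and the log format on the new `old_kvno` lines do not agree with the declared type: `krb5_kvno` is an unsigned integer in both MIT krb5 and Heimdal (please confirm against the header in use), so `krb5_kvno old_kvno = -1;` relies on wraparound and `_adcli_info ("Found old kvno '%d'", old_kvno);` passes an unsigned value to `%d`, which is a format mismatch that `-Wformat` will flag and that prints the sentinel as a negative number. I would name the sentinel once and use the matching conversion, e.g. `#define ADCLI_KVNO_UNKNOWN ((krb5_kvno) -1)`, `krb5_kvno old_kvno = ADCLI_KVNO_UNKNOWN;` and `_adcli_info ("Found old kvno '%u'", (unsigned) old_kvno);`. A comment would also help the reader of the cache reset that follows: `/* drop the cached entry so the kvno is re-read from the DC after the password change; kvno 0 marks "not yet known" */`. Note that `old_kvno` is only read from `computer_attributes` if that cache is empty, so when the attributes were fetched earlier in the same run the "before" value may be whatever that earlier read returned — presumably acceptable since it came over the same connection, but worth stating. The enclosing function enroll_join_or_update_tasks begins before this hunk.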
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 			return res;
 	}
 
+	/* Handle kvno changes for read-only domain controllers (RODC) */
+	if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
+	    adcli_enroll_get_kvno (enroll) != 0 &&
+	    adcli_enroll_get_kvno (enroll) == old_kvno) {
+		enroll->kvno++;
+		_adcli_info ("No kvno change detected on read-only DC,  kvno "
+		             "will be incremented by 1 to '%d'", enroll->kvno);
+	}
+
 	/* We ignore failures of setting these fields */
 	update_and_calculate_enctypes (enroll);
 	update_computer_account (enroll);
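Review bot: The `enroll->kvno++` guess is unverified: it assumes the writable DC that actually processed the password change advanced the kvno by exactly one, and nothing here checks that against the KDC afterwards. If the guess is wrong (a concurrent reset of the same account, or a DC that bumps differently), the keytab entry written later carries a kvno the KDC never issues and the host cannot decrypt its own service tickets until the next update, so this deserves a warning rather than an info message and a comment that states the assumption, e.g. `/* RODC has not replicated the new kvno yet; assume the writable DC incremented it by exactly one. A racing change makes this guess wrong and the keytab entry unusable until the next update. */`. The `!adcli_conn_is_writeable (enroll->conn)` test on the first condition line is redundant, since `old_kvno` only leaves its sentinel value on the non-writeable path above, and `adcli_enroll_get_kvno (enroll)` is called twice where one local would do; the comparison with `-1` also relies on `krb5_kvno` being unsigned so that the sentinel and the literal promote the same way. The end of enroll_join_or_update_tasks lies outside this hunk.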
-- 
2.14.4