From cbe33b3e6d0d3415e4642d71942380d1793311f1 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Mon, 11 Jun 2018 09:44:49 +0200

Subject: [PATCH 20/23] join: add all attributes while creating computer object

It is possible to create special accounts which can only join a computer

to a domain but is not allowed to do any further operations which the

computer object. As a result if such an account is used during the join

only the ldapadd operation is permitted but not any later ldapmodify

operation. To create the computer object correctly in this case all

attributes must be added while the object is created and not later.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354

---

 library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----

 1 file changed, 47 insertions(+), 5 deletions(-)

diff --git a/library/adenroll.c b/library/adenroll.c

index 75ac1e4..b508caf 100644

--- a/library/adenroll.c

+++ b/library/adenroll.c

@@ -573,7 +573,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)

 	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);

 	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */

-	if (is_2008_or_later) {

+	if (is_2008_or_later && enroll->computer_attributes != NULL) {

 		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,

 		                                 "msDS-supportedEncryptionTypes");

@@ -618,7 +618,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)

 	return ADCLI_SUCCESS;

 }

-

 static adcli_result

 create_computer_account (adcli_enroll *enroll,

                          LDAP *ldap)

@@ -628,22 +627,65 @@ create_computer_account (adcli_enroll *enroll,

 	char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };

 	LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };

 	char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */

-	LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };

+	LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };

+	char *vals_supportedEncryptionTypes[] = { NULL, NULL };

+	LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };

+	char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };

+	LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } };

+	char *vals_operatingSystem[] = { enroll->os_name, NULL };

+	LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } };

+	char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };

+	LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } };

+	char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };

+	LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };

+	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };

+	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };

+	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };

+

+	char *val = NULL;

 	int ret;

+	size_t c;

+	size_t m;

-	LDAPMod *mods[] = {

+	LDAPMod *all_mods[] = {

 		&objectClass,

 		&sAMAccountName,

 		&userAccountControl,

-		NULL,

+		&encTypes,

+		&dNSHostName,

+		&operatingSystem,

+		&operatingSystemVersion,

+		&operatingSystemServicePack,

+		&userPrincipalName,

+		&servicePrincipalName,

+		NULL

 	};

+	size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *);

+	LDAPMod *mods[mods_count];

+

 	if (adcli_enroll_get_trusted_for_delegation (enroll)) {

 		vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */

 	}

+	ret = calculate_enctypes (enroll, &val;;

+	if (ret != ADCLI_SUCCESS) {

+		return ret;

+	}

+	vals_supportedEncryptionTypes[0] = val;

+

+	m = 0;

+	for (c = 0; c < mods_count - 1; c++) {

+		/* Skip empty LDAP sttributes */

+		if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {

+			mods[m++] = all_mods[c];

+		}

+	}

+	mods[m] = NULL;

+

 	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);

+	free (val);

 	/*

 	 * Hand to head. This is really dumb... AD returns

-- 

2.14.4