
From cbe33b3e6d0d3415e4642d71942380d1793311f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 11 Jun 2018 09:44:49 +0200
Subject: [PATCH 20/23] join: add all attributes while creating computer object
It is possible to create special accounts which can only join a computer
to a domain but is not allowed to do any further operations with the
computer object. As a result if such an account is used during the join
only the ldapadd operation is permitted but not any later ldapmodify
operation. To create the computer object correctly in this case all
attributes must be added while the object is created and not later.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
---
 library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 75ac1e4..b508caf 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -573,7 +573,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
 
 	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
-	if (is_2008_or_later) {
+	if (is_2008_or_later && enroll->computer_attributes != NULL) {
 		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
 		                                 "msDS-supportedEncryptionTypes");
 
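Review bot: The comment directly above the changed condition still says that on 2008-or-later servers the msDS-supportedEncryptionTypes attribute is used, but the added NULL guard means it is only consulted when enroll->computer_attributes was already read from an existing object; presumably this is the case introduced by calling calculate_enctypes before the computer object exists. Extend the comment so the guard is explained in place, e.g. `/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute of an existing object; computer_attributes is NULL when the object has not been created yet */`. The body of calculate_enctypes continues outside the hunk, so which fallback is taken when the attribute is unavailable is not visible here.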
@@ -618,7 +618,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 	return ADCLI_SUCCESS;
 }
 
-
 static adcli_result
 create_computer_account (adcli_enroll *enroll,
                          LDAP *ldap)
@@ -628,22 +627,65 @@ create_computer_account (adcli_enroll *enroll,
 	char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
 	LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
 	char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
-	LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
+	LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };
+	char *vals_supportedEncryptionTypes[] = { NULL, NULL };
+	LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
+	char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
+	LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } };
+	char *vals_operatingSystem[] = { enroll->os_name, NULL };
+	LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } };
+	char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };
+	LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } };
+	char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
+	LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
+	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
+
+	char *val = NULL;
 
 	int ret;
+	size_t c;
+	size_t m;
 
-	LDAPMod *mods[] = {
+	LDAPMod *all_mods[] = {
 		&objectClass,
 		&sAMAccountName,
 		&userAccountControl,
-		NULL,
+		&encTypes,
+		&dNSHostName,
+		&operatingSystem,
+		&operatingSystemVersion,
+		&operatingSystemServicePack,
+		&userPrincipalName,
+		&servicePrincipalName,
+		NULL
 	};
 
+	size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *);
+	LDAPMod *mods[mods_count];
+
 	if (adcli_enroll_get_trusted_for_delegation (enroll)) {
 		vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
 	}
 
+	ret = calculate_enctypes (enroll, &val);
+	if (ret != ADCLI_SUCCESS) {
+		return ret;
+	}
+	vals_supportedEncryptionTypes[0] = val;
+
+	m = 0;
+	for (c = 0; c < mods_count - 1; c++) {
+		/* Skip empty LDAP sttributes */
+		if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
+			mods[m++] = all_mods[c];
+		}
+	}
+	mods[m] = NULL;
+
 	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
+	free (val);
 
 	/*
 	 * Hand to head. This is really dumb... AD returns
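Review bot: The skip-empty loop reads `mod_vals.modv_strvals[0]` for every entry of all_mods, but `servicePrincipalName` is initialized directly from `enroll->service_principals` rather than from a local two-element array like the other attributes, so if that pointer is NULL the loop dereferences NULL instead of skipping the attribute. Guard the array pointer as well, `if (all_mods[c]->mod_vals.modv_strvals != NULL && all_mods[c]->mod_vals.modv_strvals[0] != NULL) {`, which is harmless for the entries whose arrays always exist. Whether service_principals can still be NULL when create_computer_account runs depends on code outside this hunk, so treat that as something to confirm. Two smaller points: the loop comment has a typo and should read `/* Skip empty LDAP attributes */`, and `LDAPMod *mods[mods_count]` declares a variable-length array even though the count is known at compile time, which `LDAPMod *mods[sizeof (all_mods) / sizeof (LDAPMod *)]` avoids. The rest of create_computer_account, including the handling of the ldap_add_ext_s result, continues past the end of the hunk.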
-- 
2.14.4