
From 108d3fd58e16428316dae4a4c0601633d2903a4b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 4/4] Handle kvno increment for RODCs
Since the actual password change does not happen on the read-only domain
controller (RODC) the kvno change has to be replicated back which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
 library/adenroll.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index a15e4be..40c3920 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 		             adcli_enroll_flags flags)
 {
 	adcli_result res;
+	krb5_kvno old_kvno = -1;
 
 	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
+
+		/* Handle kvno changes for read-only domain controllers
+		 * (RODC). Since the actual password change does not happen on
+		 * the RODC the kvno change has to be replicated back which
+		 * might take some time. So we check the kvno before and after
+		 * the change if we are connected to a RODC and increment the
+		 * kvno if needed. */
+		if (!adcli_conn_is_writeable (enroll->conn)) {
+			if (enroll->computer_attributes == NULL) {
+				res = retrieve_computer_account (enroll);
+				if (res != ADCLI_SUCCESS)
+					return res;
+			}
+			old_kvno = adcli_enroll_get_kvno (enroll);
+			_adcli_info ("Found old kvno '%d'", old_kvno);
+
+			ldap_msgfree (enroll->computer_attributes);
+			enroll->computer_attributes = NULL;
+			adcli_enroll_set_kvno (enroll, 0);
+		}
+
 		res = set_computer_password (enroll);
 		if (res != ADCLI_SUCCESS)
 			return res;
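Review bot: `krb5_kvno old_kvno = -1;` stores a negative sentinel in what is, at least in MIT Kerberos, an unsigned integer typedef, and `_adcli_info ("Found old kvno '%d'", old_kvno);` then prints that unsigned value with `%d`; the sentinel comparison in the second hunk still works through the usual arithmetic conversions, but the mismatched conversion specifier is a `-Wformat` finding and the intent is hidden behind a wrap-around. The logged value is what an operator will use to diagnose a keytab whose kvno no longer matches the KDC, so it should be printed with the matching specifier, e.g. `_adcli_info ("Found old kvno '%u'", (unsigned int) old_kvno);`, and the sentinel is clearer as a separate flag (`int have_old_kvno = 0;` set to 1 where `old_kvno` is read) than as `-1` in an unsigned type. The enclosing function enroll_join_or_update_tasks begins before this hunk and continues past it.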
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 			return res;
 	}
 
+	/* Handle kvno changes for read-only domain controllers (RODC) */
+	if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
+	    adcli_enroll_get_kvno (enroll) != 0 &&
+	    adcli_enroll_get_kvno (enroll) == old_kvno) {
+		enroll->kvno++;
+		_adcli_info ("No kvno change detected on read-only DC,  kvno "
+		             "will be incremented by 1 to '%d'", enroll->kvno);
+	}
+
 	/* We ignore failures of setting these fields */
 	update_and_calculate_enctypes (enroll);
 	update_computer_account (enroll);
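Review bot: `enroll->kvno++;` writes the field directly while the first hunk goes through `adcli_enroll_set_kvno (enroll, 0);` for the same field, so any bookkeeping that setter performs (not visible here) is skipped on the increment path; `adcli_enroll_set_kvno (enroll, adcli_enroll_get_kvno (enroll) + 1);` would keep the two hunks consistent. The log string `"No kvno change detected on read-only DC,  kvno "` carries a double space, and `'%d'` is again used for the kvno, which is unsigned in MIT Kerberos, so `'%u'` with a cast is the safer choice. The `!adcli_conn_is_writeable (enroll->conn)` re-check is redundant given that `old_kvno` is only assigned inside that branch in the first hunk, which is harmless but worth a short comment if it is meant as a guard. The enclosing function continues past the end of this hunk.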
-- 
2.13.6