|
 |
a302cd |
From e9198751411d11785ac6e7e533d63911b6e51326 Mon Sep 17 00:00:00 2001
|
|
|
a302cd |
From: Sumit Bose <sbose@redhat.com>
|
|
|
a302cd |
Date: Mon, 11 Jun 2018 09:44:49 +0200
|
|
|
a302cd |
Subject: [PATCH 5/7] join: add all attributes while creating computer object
|
|
|
a302cd |
|
|
|
a302cd |
It is possible to create special accounts which can only join a computer
|
|
|
a302cd |
to a domain but is not allowed to do any further operations which the
|
|
|
a302cd |
computer object. As a result if such an account is used during the join
|
|
|
a302cd |
only the ldapadd operation is permitted but not any later ldapmodify
|
|
|
a302cd |
operation. To create the computer object correctly in this case all
|
|
|
a302cd |
attributes must be added while the object is created and not later.
|
|
|
a302cd |
|
|
|
a302cd |
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
|
|
|
a302cd |
---
|
|
|
a302cd |
library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----
|
|
|
a302cd |
1 file changed, 47 insertions(+), 5 deletions(-)
|
|
|
a302cd |
|
|
|
a302cd |
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
|
a302cd |
index 1ed94f2..3f8d017 100644
|
|
|
a302cd |
--- a/library/adenroll.c
|
|
|
a302cd |
+++ b/library/adenroll.c
|
|
|
a302cd |
@@ -573,7 +573,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
|
|
|
a302cd |
is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
|
|
|
a302cd |
|
|
|
a302cd |
/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
|
|
|
a302cd |
- if (is_2008_or_later) {
|
|
|
a302cd |
+ if (is_2008_or_later && enroll->computer_attributes != NULL) {
|
|
|
a302cd |
value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
|
|
|
a302cd |
"msDS-supportedEncryptionTypes");
|
|
|
a302cd |
|
|
|
a302cd |
@@ -618,7 +618,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
|
|
|
a302cd |
return ADCLI_SUCCESS;
|
|
|
a302cd |
}
|
|
|
a302cd |
|
|
|
a302cd |
-
|
|
|
a302cd |
static adcli_result
|
|
|
a302cd |
create_computer_account (adcli_enroll *enroll,
|
|
|
a302cd |
LDAP *ldap)
|
|
|
a302cd |
@@ -628,22 +627,65 @@ create_computer_account (adcli_enroll *enroll,
|
|
|
a302cd |
char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
|
|
|
a302cd |
LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
|
|
|
a302cd |
char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
|
|
|
a302cd |
- LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
|
|
|
a302cd |
+ LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };
|
|
|
a302cd |
+ char *vals_supportedEncryptionTypes[] = { NULL, NULL };
|
|
|
a302cd |
+ LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
|
|
|
a302cd |
+ char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
|
|
|
a302cd |
+ LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } };
|
|
|
a302cd |
+ char *vals_operatingSystem[] = { enroll->os_name, NULL };
|
|
|
a302cd |
+ LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } };
|
|
|
a302cd |
+ char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };
|
|
|
a302cd |
+ LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } };
|
|
|
a302cd |
+ char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
|
|
|
a302cd |
+ LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
|
|
|
a302cd |
+ char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
|
|
|
a302cd |
+ LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
|
|
|
a302cd |
+ LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
|
|
|
a302cd |
+
|
|
|
a302cd |
+ char *val = NULL;
|
|
|
a302cd |
|
|
|
a302cd |
int ret;
|
|
|
a302cd |
+ size_t c;
|
|
|
a302cd |
+ size_t m;
|
|
|
a302cd |
|
|
|
a302cd |
- LDAPMod *mods[] = {
|
|
|
a302cd |
+ LDAPMod *all_mods[] = {
|
|
|
a302cd |
&objectClass,
|
|
|
a302cd |
&sAMAccountName,
|
|
|
a302cd |
&userAccountControl,
|
|
|
a302cd |
- NULL,
|
|
|
a302cd |
+ &encTypes,
|
|
|
a302cd |
+ &dNSHostName,
|
|
|
a302cd |
+ &operatingSystem,
|
|
|
a302cd |
+ &operatingSystemVersion,
|
|
|
a302cd |
+ &operatingSystemServicePack,
|
|
|
a302cd |
+ &userPrincipalName,
|
|
|
a302cd |
+ &servicePrincipalName,
|
|
|
a302cd |
+ NULL
|
|
|
a302cd |
};
|
|
|
a302cd |
|
|
|
a302cd |
+ size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *);
|
|
|
a302cd |
+ LDAPMod *mods[mods_count];
|
|
|
a302cd |
+
|
|
|
a302cd |
if (adcli_enroll_get_trusted_for_delegation (enroll)) {
|
|
|
a302cd |
vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
|
|
|
a302cd |
}
|
|
|
a302cd |
|
|
|
a302cd |
+ ret = calculate_enctypes (enroll, &val;;
|
|
|
a302cd |
+ if (ret != ADCLI_SUCCESS) {
|
|
|
a302cd |
+ return ret;
|
|
|
a302cd |
+ }
|
|
|
a302cd |
+ vals_supportedEncryptionTypes[0] = val;
|
|
|
a302cd |
+
|
|
|
a302cd |
+ m = 0;
|
|
|
a302cd |
+ for (c = 0; c < mods_count - 1; c++) {
|
|
|
a302cd |
+ /* Skip empty LDAP sttributes */
|
|
|
a302cd |
+ if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
|
|
|
a302cd |
+ mods[m++] = all_mods[c];
|
|
|
a302cd |
+ }
|
|
|
a302cd |
+ }
|
|
|
a302cd |
+ mods[m] = NULL;
|
|
|
a302cd |
+
|
|
|
a302cd |
ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
|
|
|
a302cd |
+ free (val);
|
|
|
a302cd |
|
|
|
a302cd |
/*
|
|
|
a302cd |
* Hand to head. This is really dumb... AD returns
|
|
|
a302cd |
--
|
|
|
a302cd |
2.14.4
|
|
|
a302cd |
|