Blame SOURCES/0005-join-add-all-attributes-while-creating-computer-obje.patch

a302cd
From e9198751411d11785ac6e7e533d63911b6e51326 Mon Sep 17 00:00:00 2001
a302cd
From: Sumit Bose <sbose@redhat.com>
a302cd
Date: Mon, 11 Jun 2018 09:44:49 +0200
a302cd
Subject: [PATCH 5/7] join: add all attributes while creating computer object
a302cd
a302cd
It is possible to create special accounts which can only join a computer
a302cd
to a domain but is not allowed to do any further operations which the
a302cd
computer object. As a result if such an account is used during the join
a302cd
only the ldapadd operation is permitted but not any later ldapmodify
a302cd
operation. To create the computer object correctly in this case all
a302cd
attributes must be added while the object is created and not later.
a302cd
a302cd
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
a302cd
---
a302cd
 library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----
a302cd
 1 file changed, 47 insertions(+), 5 deletions(-)
a302cd
a302cd
diff --git a/library/adenroll.c b/library/adenroll.c
a302cd
index 1ed94f2..3f8d017 100644
a302cd
--- a/library/adenroll.c
a302cd
+++ b/library/adenroll.c
a302cd
@@ -573,7 +573,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
a302cd
 	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
a302cd
 
a302cd
 	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
a302cd
-	if (is_2008_or_later) {
a302cd
+	if (is_2008_or_later && enroll->computer_attributes != NULL) {
a302cd
 		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
a302cd
 		                                 "msDS-supportedEncryptionTypes");
a302cd
 
a302cd
@@ -618,7 +618,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
a302cd
 	return ADCLI_SUCCESS;
a302cd
 }
a302cd
 
a302cd
-
a302cd
 static adcli_result
a302cd
 create_computer_account (adcli_enroll *enroll,
a302cd
                          LDAP *ldap)
a302cd
@@ -628,22 +627,65 @@ create_computer_account (adcli_enroll *enroll,
a302cd
 	char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
a302cd
 	LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
a302cd
 	char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
a302cd
-	LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
a302cd
+	LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };
a302cd
+	char *vals_supportedEncryptionTypes[] = { NULL, NULL };
a302cd
+	LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
a302cd
+	char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
a302cd
+	LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } };
a302cd
+	char *vals_operatingSystem[] = { enroll->os_name, NULL };
a302cd
+	LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } };
a302cd
+	char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };
a302cd
+	LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } };
a302cd
+	char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
a302cd
+	LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
a302cd
+	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
a302cd
+	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
a302cd
+	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
a302cd
+
a302cd
+	char *val = NULL;
a302cd
 
a302cd
 	int ret;
a302cd
+	size_t c;
a302cd
+	size_t m;
a302cd
 
a302cd
-	LDAPMod *mods[] = {
a302cd
+	LDAPMod *all_mods[] = {
a302cd
 		&objectClass,
a302cd
 		&sAMAccountName,
a302cd
 		&userAccountControl,
a302cd
-		NULL,
a302cd
+		&encTypes,
a302cd
+		&dNSHostName,
a302cd
+		&operatingSystem,
a302cd
+		&operatingSystemVersion,
a302cd
+		&operatingSystemServicePack,
a302cd
+		&userPrincipalName,
a302cd
+		&servicePrincipalName,
a302cd
+		NULL
a302cd
 	};
a302cd
 
a302cd
+	size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *);
a302cd
+	LDAPMod *mods[mods_count];
a302cd
+
a302cd
 	if (adcli_enroll_get_trusted_for_delegation (enroll)) {
a302cd
 		vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
a302cd
 	}
a302cd
 
a302cd
+	ret = calculate_enctypes (enroll, &val);
a302cd
+	if (ret != ADCLI_SUCCESS) {
a302cd
+		return ret;
a302cd
+	}
a302cd
+	vals_supportedEncryptionTypes[0] = val;
a302cd
+
a302cd
+	m = 0;
a302cd
+	for (c = 0; c < mods_count - 1; c++) {
a302cd
+		/* Skip empty LDAP sttributes */
a302cd
+		if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
a302cd
+			mods[m++] = all_mods[c];
a302cd
+		}
a302cd
+	}
a302cd
+	mods[m] = NULL;
a302cd
+
a302cd
 	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
a302cd
+	free (val);
a302cd
 
a302cd
 	/*
a302cd
 	 * Hand to head. This is really dumb... AD returns
a302cd
-- 
a302cd
2.14.4
a302cd