
From ee71c4c0614a504b4472bf64a24fc3c18c6b9987 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 14 Jun 2018 16:49:26 +0200
Subject: [PATCH 22/23] Add add-service-principal and remove-service-principal
 options
Currently it is only possible to specify a service name for service
principals but not to set the full service principal. This is e.g.
needed if there is a service running on a host which should be reachable
by a different DNS name as well.
With this patch service principal can be added and removed by specifying
the full name.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1547014
---
 doc/adcli.xml      |  21 ++++++++
 library/adenroll.c | 139 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 library/adenroll.h |   8 +++
 library/adldap.c   |  16 ++++--
 tools/computer.c   |  13 +++++
 5 files changed, 189 insertions(+), 8 deletions(-)
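diff --git a/doc/adcli.xml b/doc/adcli.xml
index b246190..83b6981 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -290,6 +290,14 @@ Password for Administrator:
 			not allow that Kerberos tickets can be forwarded to the
 			host.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
+			<listitem><para>Add a service principal name. In
+			contrast to the <option>--service-name</option> the
+			hostname part can be specified as well in case the
+			service should be accessible with a different host
+			name as well.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--show-details</option></term>
 			<listitem><para>After a successful join print out information
@@ -416,6 +424,19 @@ $ adcli update --login-ccache=/tmp/krbcc_123
 			not allow that Kerberos tickets can be forwarded to the
 			host.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
+			<listitem><para>Add a service principal name. In
+			contrast to the <option>--service-name</option> the
+			hostname part can be specified as well in case the
+			service should be accessible with a different host
+			name as well.</para></listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><option>--remove-service-principal=<parameter>service/hostname</parameter></option></term>
+			<listitem><para>Remove a service principal name from
+			the keytab and the AD host object.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--show-details</option></term>
 			<listitem><para>After a successful join print out information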
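diff --git a/library/adenroll.c b/library/adenroll.c
index b508caf..c4ba537 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -95,6 +95,9 @@ struct _adcli_enroll {
 	char **service_principals;
 	int service_principals_explicit;
 
+	char **service_principals_to_add;
+	char **service_principals_to_remove;
+
 	char *user_principal;
 	int user_princpal_generate;
 
@@ -332,6 +335,43 @@ add_service_names_to_service_principals (adcli_enroll *enroll)
 	return ADCLI_SUCCESS;
 }
 
+static adcli_result
+add_and_remove_service_principals (adcli_enroll *enroll)
+{
+	int length = 0;
+	size_t c;
+	const char **list;
+
+	if (enroll->service_principals != NULL) {
+		length = seq_count (enroll->service_principals);
+	}
+
+	list = adcli_enroll_get_service_principals_to_add (enroll);
+	if (list != NULL) {
+		for (c = 0; list[c] != NULL; c++) {
+			enroll->service_principals = _adcli_strv_add (enroll->service_principals,
+			                                              strdup (list[c]),
+			                                              &length);
+			if (enroll->service_principals == NULL) {
+				return ADCLI_ERR_UNEXPECTED;
+			}
+		}
+	}
+
+	list = adcli_enroll_get_service_principals_to_remove (enroll);
+	if (list != NULL) {
+		for (c = 0; list[c] != NULL; c++) {
+			/* enroll->service_principals typically refects the
+			 * order of the principal in the keytabm so it is not
+			 * ordered. */
+			_adcli_strv_remove_unsorted (enroll->service_principals,
+			                             list[c], &length);
+		}
+	}
+
+	return ADCLI_SUCCESS;
+}
+
 static adcli_result
 ensure_service_principals (adcli_result res,
                            adcli_enroll *enroll)
@@ -343,10 +383,14 @@ ensure_service_principals (adcli_result res,
 
 	if (!enroll->service_principals) {
 		assert (enroll->service_names != NULL);
-		return add_service_names_to_service_principals (enroll);
+		res = add_service_names_to_service_principals (enroll);
 	}
 
-	return ADCLI_SUCCESS;
+	if (res == ADCLI_SUCCESS) {
+		res = add_and_remove_service_principals (enroll);
+	}
+
+	return res;
 }
 
 static adcli_result
@@ -1593,6 +1637,39 @@ free_principal_salts (krb5_context k5,
 	free (salts);
 }
 
+static adcli_result
+remove_principal_from_keytab (adcli_enroll *enroll,
+                              krb5_context k5,
+                              const char *principal_name)
+{
+	krb5_error_code code;
+	krb5_principal principal;
+	match_principal_kvno closure;
+
+	code = krb5_parse_name (k5, principal_name, &principal);
+	if (code != 0) {
+		_adcli_err ("Couldn't parse principal: %s: %s",
+		            principal_name, krb5_get_error_message (k5, code));
+		return ADCLI_ERR_FAIL;
+	}
+
+	closure.kvno = enroll->kvno;
+	closure.principal = principal;
+	closure.matched = 0;
+
+	code = _adcli_krb5_keytab_clear (k5, enroll->keytab,
+	                                 match_principal_and_kvno, &closure);
+	krb5_free_principal (k5, principal);
+
+	if (code != 0) {
+		_adcli_err ("Couldn't update keytab: %s: %s",
+		            enroll->keytab_name, krb5_get_error_message (k5, code));
+		return ADCLI_ERR_FAIL;
+	}
+
+	return ADCLI_SUCCESS;
+}
+
 static adcli_result
 add_principal_to_keytab (adcli_enroll *enroll,
                          krb5_context k5,
@@ -1702,6 +1779,17 @@ update_keytab_for_principals (adcli_enroll *enroll,
 			return res;
 	}
 
+	if (enroll->service_principals_to_remove != NULL) {
+		for (i = 0; enroll->service_principals_to_remove[i] != NULL; i++) {
+			res = remove_principal_from_keytab (enroll, k5,
+			                                    enroll->service_principals_to_remove[i]);
+			if (res != ADCLI_SUCCESS) {
+				_adcli_warn ("Failed to remove %s from keytab.",
+				             enroll->service_principals_to_remove[i]);
+			}
+		}
+	}
+
 	return ADCLI_SUCCESS;
 }
 
@@ -2029,8 +2117,11 @@ adcli_enroll_update (adcli_enroll *enroll,
 	if (_adcli_check_nt_time_string_lifetime (value,
 	                adcli_enroll_get_computer_password_lifetime (enroll))) {
 		/* Do not update keytab if neither new service principals have
-                 * to be added nor the user principal has to be changed. */
-		if (enroll->service_names == NULL && (enroll->user_principal == NULL || enroll->user_princpal_generate)) {
+                 * to be added or deleted nor the user principal has to be changed. */
+		if (enroll->service_names == NULL
+		              && (enroll->user_principal == NULL || enroll->user_princpal_generate)
+		              && enroll->service_principals_to_add == NULL
+		              && enroll->service_principals_to_remove == NULL) {
 			flags |= ADCLI_ENROLL_NO_KEYTAB;
 		}
 		flags |= ADCLI_ENROLL_PASSWORD_VALID;
@@ -2581,3 +2672,43 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
 	enroll->trusted_for_delegation = value;
 	enroll->trusted_for_delegation_explicit = 1;
 }
+
+const char **
+adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+{
+	return_val_if_fail (enroll != NULL, NULL);
+
+	return (const char **)enroll->service_principals_to_add;
+}
+
+void
+adcli_enroll_add_service_principal_to_add (adcli_enroll *enroll,
+                                           const char *value)
+{
+	return_if_fail (enroll != NULL);
+	return_if_fail (value != NULL);
+
+	enroll->service_principals_to_add = _adcli_strv_add (enroll->service_principals_to_add,
+							    strdup (value), NULL);
+	return_if_fail (enroll->service_principals_to_add != NULL);
+}
+
+const char **
+adcli_enroll_get_service_principals_to_remove (adcli_enroll *enroll)
+{
+	return_val_if_fail (enroll != NULL, NULL);
+
+	return (const char **)enroll->service_principals_to_remove;
+}
+
+void
+adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
+                                              const char *value)
+{
+	return_if_fail (enroll != NULL);
+	return_if_fail (value != NULL);
+
+	enroll->service_principals_to_remove = _adcli_strv_add (enroll->service_principals_to_remove,
+							    strdup (value), NULL);
+	return_if_fail (enroll->service_principals_to_remove != NULL);
+}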
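Review bot: remove_principal_from_keytab reuses match_principal_and_kvno with `closure.kvno = enroll->kvno`, a matcher written for the key-rotation case; whatever its kvno rule is (the matcher is defined outside this hunk), it is not "every entry for this principal", so keytab entries of an older kvno for a principal the operator explicitly asked to drop can survive the removal, while the manual page promises the principal is removed from the keytab. A principal-only matcher with the same callback signature, as sketched below, makes the keytab match the AD object after `--remove-service-principal`. `closure.matched` is set but never read, so a principal that was not in the keytab at all is reported as removed; `if (!closure.matched) _adcli_warn ("Principal %s was not found in keytab", principal_name);` after the clear would make that visible. Separately, the comment in add_and_remove_service_principals should read `reflects` and `keytab, so`.
```c
/* Match every keytab entry for the principal regardless of kvno: the
 * caller is dropping the principal entirely, not rotating its key. */
static krb5_boolean
match_principal_any_kvno (krb5_context k5,
                          krb5_keytab_entry *entry,
                          void *data)
{
	match_principal_kvno *closure = data;

	if (!krb5_principal_compare (k5, entry->principal, closure->principal))
		return 0;

	closure->matched = 1;
	return 1;
}

/* … unchanged: remove_principal_from_keytab parse and closure setup … */
	code = _adcli_krb5_keytab_clear (k5, enroll->keytab,
	                                 match_principal_any_kvno, &closure);
```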
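diff --git a/library/adenroll.h b/library/adenroll.h
index be2ca18..f87dffa 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -98,6 +98,14 @@ const char **      adcli_enroll_get_service_principals  (adcli_enroll *enroll);
 void               adcli_enroll_set_service_principals  (adcli_enroll *enroll,
                                                          const char **value);
 
+const char **      adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll);
+void               adcli_enroll_add_service_principal_to_add (adcli_enroll *enroll,
+                                                              const char *value);
+
+const char **      adcli_enroll_get_service_principals_to_remove (adcli_enroll *enroll);
+void               adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
+                                                                 const char *value);
+
 const char *       adcli_enroll_get_user_principal      (adcli_enroll *enroll);
 
 void               adcli_enroll_set_user_principal      (adcli_enroll *enroll,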
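diff --git a/library/adldap.c b/library/adldap.c
index 07dc373..d93efb7 100644
--- a/library/adldap.c
+++ b/library/adldap.c
@@ -210,16 +210,24 @@ _adcli_ldap_have_in_mod (LDAPMod *mod,
 	struct berval *vals;
 	struct berval **pvals;
 	int count = 0;
+	int count_have = 0;
 	int i;
 	int ret;
 
-	/* Already in berval format, just compare */
-	if (mod->mod_op & LDAP_MOD_BVALUES)
-		return _adcli_ldap_have_vals (mod->mod_vals.modv_bvals, have);
-
 	/* Count number of values */
 	for (i = 0; mod->mod_vals.modv_strvals[i] != 0; i++)
 		count++;
+	for (i = 0; have[i] != 0; i++)
+		count_have++;
+
+	/* If numbers different something has to be added or removed */
+	if (count != count_have) {
+		return 0;
+	}
+
+	/* Already in berval format, just compare */
+	if (mod->mod_op & LDAP_MOD_BVALUES)
+		return _adcli_ldap_have_vals (mod->mod_vals.modv_bvals, have);
 
 	vals = malloc (sizeof (struct berval) * (count + 1));
 	pvals = malloc (sizeof (struct berval *) * (count + 1));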
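Review bot: Moving the LDAP_MOD_BVALUES early return below the counting loop means that for a berval mod the loop now walks `mod->mod_vals.modv_strvals` although the values were stored through `modv_bvals`; `mod_vals` is a union in the OpenLDAP headers, so this reads a `struct berval **` array through a `char **` member. The count comes out right only because both members are NULL-terminated arrays of same-sized pointers, which is fragile and will confuse anyone reading the function later. Count through the member the mod actually uses, as below, and keep the comparison that follows. `_adcli_ldap_have_in_mod` begins outside the hunk, so whether `have` is guaranteed non-NULL by the callers is not visible here.
```c
	/* Count number of values through the member this mod actually uses */
	if (mod->mod_op & LDAP_MOD_BVALUES) {
		for (i = 0; mod->mod_vals.modv_bvals[i] != NULL; i++)
			count++;
	} else {
		for (i = 0; mod->mod_vals.modv_strvals[i] != 0; i++)
			count++;
	}
	/* … unchanged: count_have loop, count comparison, berval compare … */
```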
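diff --git a/tools/computer.c b/tools/computer.c
index b905fd1..377d449 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -110,6 +110,8 @@ typedef enum {
 	opt_add_samba_data,
 	opt_samba_data_tool,
 	opt_trusted_for_delegation,
+	opt_add_service_principal,
+	opt_remove_service_principal,
 } Option;
 
 static adcli_tool_desc common_usages[] = {
@@ -138,6 +140,8 @@ static adcli_tool_desc common_usages[] = {
 	{ opt_computer_password_lifetime, "lifetime of the host accounts password in days", },
 	{ opt_trusted_for_delegation, "set/unset the TRUSTED_FOR_DELEGATION flag\n"
 	                              "in the userAccountControl attribute", },
+	{ opt_add_service_principal, "add the given service principal to the account\n" },
+	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
 	{ opt_no_password, "don't prompt for or read a password" },
 	{ opt_prompt_password, "prompt for a password if necessary" },
 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
@@ -289,6 +293,12 @@ parse_option (Option opt,
 			adcli_enroll_set_trusted_for_delegation (enroll, false);
 		}
 		return;
+	case opt_add_service_principal:
+		adcli_enroll_add_service_principal_to_add (enroll, optarg);
+		return;
+	case opt_remove_service_principal:
+		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
+		return;
 	case opt_verbose:
 		return;
 
@@ -353,6 +363,7 @@ adcli_tool_computer_join (adcli_conn *conn,
 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
 		{ "user-principal", optional_argument, NULL, opt_user_principal },
 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
 		{ "show-details", no_argument, NULL, opt_show_details },
 		{ "show-password", no_argument, NULL, opt_show_password },
 		{ "add-samba-data", no_argument, NULL, opt_add_samba_data },
@@ -458,6 +469,8 @@ adcli_tool_computer_update (adcli_conn *conn,
 		{ "user-principal", optional_argument, NULL, opt_user_principal },
 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
+		{ "remove-service-principal", required_argument, NULL, opt_remove_service_principal },
 		{ "show-details", no_argument, NULL, opt_show_details },
 		{ "show-password", no_argument, NULL, opt_show_password },
 		{ "add-samba-data", no_argument, NULL, opt_add_samba_data },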
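Review bot: The two usage strings added to common_usages end in `\n`, unlike the single-line entries next to them (`opt_no_password`, `opt_prompt_password`); in this table `\n` only separates the lines of a multi-line description, as the `opt_trusted_for_delegation` and `opt_stdin_password` entries show, so these two will most likely print with a stray blank line in the help output. Drop the terminator: `{ opt_add_service_principal, "add the given service principal to the account" },` and `{ opt_remove_service_principal, "remove the given service principal from the account" },`. Since the option text is shown to the operator only, nothing else depends on it.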
-- 
2.14.4