diff --git a/SOURCES/0001-correct-spelling-of-adcli_tool_computer_delete-descr.patch b/SOURCES/0001-correct-spelling-of-adcli_tool_computer_delete-descr.patch
new file mode 100644
index 0000000..f51933a
--- /dev/null
+++ b/SOURCES/0001-correct-spelling-of-adcli_tool_computer_delete-descr.patch
@@ -0,0 +1,26 @@
+From faa93cfbd679f193a61def8c2bbc203e507d2466 Mon Sep 17 00:00:00 2001
+From: Striker Leggette
+Date: Wed, 1 Nov 2017 11:16:39 +0100
+Subject: [PATCH 1/4] correct spelling of 'adcli_tool_computer_delete'
+ description
+
+---
+ tools/tools.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 4b243de..915130e 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -57,7 +57,7 @@ struct {
+ { "update", adcli_tool_computer_update, "Update machine membership in a domain", },
+ { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
+ { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
+- { "delete-computer", adcli_tool_computer_delete, "Delete a computer acocunt", },
++ { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
+ { "create-user", adcli_tool_user_create, "Create a user account", },
+ { "delete-user", adcli_tool_user_delete, "Delete a user account", },
+ { "create-group", adcli_tool_group_create, "Create a group", },
+-- 
+2.13.6
+
diff --git a/SOURCES/0001-doc-Update-the-documentation-about-the-default-kerbe.patch b/SOURCES/0001-doc-Update-the-documentation-about-the-default-kerbe.patch
new file mode 100644
index 0000000..a20768f
--- /dev/null
+++ b/SOURCES/0001-doc-Update-the-documentation-about-the-default-kerbe.patch
@@ -0,0 +1,29 @@
+From 40acf5f12379c8e7c86f2fec34e1e276ede5ef47 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Thu, 16 Jun 2016 15:27:45 +0200
+Subject: [PATCH] doc: Update the documentation about the default kerberos
+ cache
+
+https://bugs.freedesktop.org/show_bug.cgi?id=96544
+---
+ doc/adcli.xml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index a83e321..e18ba5d 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -120,7 +120,9 @@
+ 
+ 
+ Use the specified kerberos credential
+- cache to authenticate with the domain.
++ cache to authenticate with the domain. If no file is specified or
++ is used, then the default kerberos credential cache will
++ be used.
+ 
+ 
+ 
+-- 
+2.13.6
+
diff --git a/SOURCES/0002-doc-explain-that-all-credential-cache-types-are-supp.patch b/SOURCES/0002-doc-explain-that-all-credential-cache-types-are-supp.patch
new file mode 100644
index 0000000..39167a9
--- /dev/null
+++ b/SOURCES/0002-doc-explain-that-all-credential-cache-types-are-supp.patch
@@ -0,0 +1,37 @@
+From 7e71dd109601d3be09cdda37cd4bf99ba867ce19 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 1 Nov 2017 12:01:18 +0100
+Subject: [PATCH 2/4] doc: explain that all credential cache types are
+ supported
+
+---
+ doc/adcli.xml | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index e18ba5d..c54cc1b 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -118,11 +118,15 @@
+ is automatically discovered.
+ 
+ 
+- 
++ 
+ Use the specified kerberos credential
+- cache to authenticate with the domain. If no file is specified or
+- is used, then the default kerberos credential cache will
+- be used.
++ cache to authenticate with the domain. If no credential
++ cache is specified, the default kerberos credential
++ cache will be used. Credential caches of type FILE can
++ be given with the path to the file. For other
++ credential cache types, e.g. DIR, KEYRING or KCM, the
++ type must be specified explicitly together with a
++ suitable identifier.
+ 
+ 
+ 
+-- 
+2.13.6
+
diff --git a/SOURCES/0003-library-add-adcli_conn_is_writeable.patch b/SOURCES/0003-library-add-adcli_conn_is_writeable.patch
new file mode 100644
index 0000000..d674fda
--- /dev/null
+++ b/SOURCES/0003-library-add-adcli_conn_is_writeable.patch
@@ -0,0 +1,38 @@
+From e4de685cb3f924e0af54159d49ef3174ff94e7af Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 1 Nov 2017 16:29:19 +0100
+Subject: [PATCH 3/4] library: add adcli_conn_is_writeable()
+
+---
+ library/adconn.c | 6 ++++++
+ library/adconn.h | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index a294dfd..67bdfd9 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -1528,3 +1528,9 @@ adcli_conn_server_has_capability (adcli_conn *conn,
+ 
+ return 0;
+ }
++
++bool adcli_conn_is_writeable (adcli_conn *conn)
++{
++ disco_dance_if_necessary (conn);
++ return ( (conn->domain_disco->flags & ADCLI_DISCO_WRITABLE) != 0);
++}
+diff --git a/library/adconn.h b/library/adconn.h
+index a0cb1f8..ed1cc58 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -144,4 +144,6 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn,
+ int adcli_conn_server_has_capability (adcli_conn *conn,
+ const char *capability);
+ 
++bool adcli_conn_is_writeable (adcli_conn *conn);
++
+ #endif /* ADCONN_H_ */
+-- 
+2.13.6
+
diff --git a/SOURCES/0004-Handle-kvno-increment-for-RODCs.patch b/SOURCES/0004-Handle-kvno-increment-for-RODCs.patch
new file mode 100644
index 0000000..3d4977e
--- /dev/null
+++ b/SOURCES/0004-Handle-kvno-increment-for-RODCs.patch
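Review bot: `adcli_conn_is_writeable` dereferences `conn->domain_disco->flags` straight after `disco_dance_if_necessary (conn)` with no check that `domain_disco` was actually populated; if discovery can fail and leave it NULL (not visible in this hunk), the new function crashes rather than reporting "not writable". A defensive form is `return conn->domain_disco != NULL && (conn->domain_disco->flags & ADCLI_DISCO_WRITABLE) != 0;`, which errs toward the more careful RODC path in callers. The header hunk adds a `bool` prototype; unless adconn.h already includes `<stdbool.h>` (not shown here) it needs that include, and a doc comment such as `/* True when the discovered domain controller is writable (not an RODC); runs discovery first if it has not happened yet. */` would make the contract visible to callers. The public name spells "writeable" while the flag it reads is ADCLI_DISCO_WRITABLE; settling on one spelling now avoids a permanent inconsistency in the API.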
@@ -0,0 +1,67 @@
+From 108d3fd58e16428316dae4a4c0601633d2903a4b Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 1 Nov 2017 17:14:05 +0100
+Subject: [PATCH 4/4] Handle kvno increment for RODCs
+
+Since the actual password change does not happen on the read-only domain
+controller (RODC) the kvno change has to be replicated back which might
+take some time. So we check the kvno before and after the change if we
+are connected to a RODC and increment the kvno if needed.
+---
+ library/adenroll.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index a15e4be..40c3920 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
+ adcli_enroll_flags flags)
+ {
+ adcli_result res;
++ krb5_kvno old_kvno = -1;
+ 
+ if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
++
++ /* Handle kvno changes for read-only domain controllers
++ * (RODC). Since the actual password change does not happen on
++ * the RODC the kvno change has to be replicated back which
++ * might take some time. So we check the kvno before and after
++ * the change if we are connected to a RODC and increment the
++ * kvno if needed. */
++ if (!adcli_conn_is_writeable (enroll->conn)) {
++ if (enroll->computer_attributes == NULL) {
++ res = retrieve_computer_account (enroll);
++ if (res != ADCLI_SUCCESS)
++ return res;
++ }
++ old_kvno = adcli_enroll_get_kvno (enroll);
++ _adcli_info ("Found old kvno '%d'", old_kvno);
++
++ ldap_msgfree (enroll->computer_attributes);
++ enroll->computer_attributes = NULL;
++ adcli_enroll_set_kvno (enroll, 0);
++ }
++
+ res = set_computer_password (enroll);
+ if (res != ADCLI_SUCCESS)
+ return res;
+@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
+ return res;
+ }
+ 
++ /* Handle kvno changes for read-only domain controllers (RODC) */
++ if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
++ adcli_enroll_get_kvno (enroll) != 0 &&
++ adcli_enroll_get_kvno (enroll) == old_kvno) {
++ enroll->kvno++;
++ _adcli_info ("No kvno change detected on read-only DC, kvno "
++ "will be incremented by 1 to '%d'", enroll->kvno);
++ }
++
+ /* We ignore failures of setting these fields */
+ update_and_calculate_enctypes (enroll);
+ update_computer_account (enroll);
+-- 
+2.13.6
+
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index 2dad527..c191b55 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,6 +1,6 @@
 Name: adcli
 Version: 0.8.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Active Directory enrollment
 License: LGPLv2+
 URL: http://cgit.freedesktop.org/realmd/adcli
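Review bot: Both `_adcli_info` calls in the adenroll.c hunks print a `krb5_kvno` with `%d`, and `old_kvno` is initialised to and compared against `-1`; krb5_kvno is an unsigned typedef in both MIT krb5 and Heimdal, so the format specifier is mismatched and the sentinel only works through implicit conversion to the maximum value. Use `%u` in both messages and, instead of the sentinel, carry `bool have_old_kvno = false;` set beside `old_kvno = adcli_enroll_get_kvno (enroll);` and tested in place of `old_kvno != -1`. The second block bumps the field directly with `enroll->kvno++;` while the first block goes through `adcli_enroll_set_kvno (enroll, 0);`; `adcli_enroll_set_kvno (enroll, old_kvno + 1);` keeps both paths on the same setter in case it does more than assign. The increment assumes exactly one password change has not replicated back yet, which is worth stating in the comment above the second block so a later reader knows a stale keytab kvno on an RODC is the expected failure mode of this heuristic. `enroll_join_or_update_tasks` continues outside both hunks, and the second block relies on whatever runs between them to refresh the kvno after `set_computer_password`, which cannot be checked from here.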
@@ -11,6 +11,11 @@ Patch3: 0003-Remove-n-or-r-n-from-stdin-password.patch Patch4: 0001-delete-use-keytab-data-to-determine-realm-and-NetBIO.patch Patch5: 0001-Remove-upper-case-only-check-when-looking-for-the-Ne.patch Patch6: 0002-Use-strdup-if-offset-are-used.patch +Patch7: 0001-correct-spelling-of-adcli_tool_computer_delete-descr.patch +Patch8: 0001-doc-Update-the-documentation-about-the-default-kerbe.patch +Patch9: 0002-doc-explain-that-all-credential-cache-types-are-supp.patch +Patch10: 0003-library-add-adcli_conn_is_writeable.patch +Patch11: 0004-Handle-kvno-increment-for-RODCs.patch BuildRequires: intltool pkgconfig @@ -40,6 +45,11 @@ standard LDAP and Kerberos calls. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build %configure --disable-static --disable-silent-rules @@ -65,6 +75,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %doc %{_mandir}/*/* %changelog +* Thu Nov 02 2017 Sumit Bose - 0.8.1-4 +- adcli doesn't update kvno while joining system to AD domain (RODC) [#1471021] +- adcli_tool_computer_delete description spelling [#1450179] +- adcli man page should not only mention FILE type credential caches [#1423871] + * Wed Aug 24 2016 Sumit Bose - 0.8.1-3 - fix crash when name is specified on the command line and detect names with lower case characters [#1359773]