Blob Blame History Raw
/*
 * adcli
 *
 * Copyright (C) 2012 Red Hat Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301 USA
 *
 * Author: Stef Walter <stefw@gnome.org>
 */

#include "config.h"

#include "adenroll.h"
#include "adprivate.h"
#include "seq.h"

#include <gssapi/gssapi_krb5.h>
#include <krb5/krb5.h>
#include <ldap.h>
#include <sasl/sasl.h>

#include <sys/types.h>
#include <sys/socket.h>

#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>

static krb5_enctype v60_later_enctypes[] = {
	ENCTYPE_AES256_CTS_HMAC_SHA1_96,
	ENCTYPE_AES128_CTS_HMAC_SHA1_96,
	ENCTYPE_DES3_CBC_SHA1,
	ENCTYPE_ARCFOUR_HMAC,
	ENCTYPE_DES_CBC_MD5,
	ENCTYPE_DES_CBC_CRC,
	0
};

static krb5_enctype v51_earlier_enctypes[] = {
	ENCTYPE_DES_CBC_CRC,
	ENCTYPE_DES_CBC_MD5,
	ENCTYPE_ARCFOUR_HMAC,
	0
};

struct _adcli_enroll {
	int refs;
	adcli_conn *conn;

	char *host_fqdn;
	int host_fqdn_explicit;
	char *computer_name;
	int computer_name_explicit;
	char *computer_sam;
	char *computer_password;
	int computer_password_explicit;
	int reset_password;
	krb5_principal computer_principal;

	char *domain_ou;
	int domain_ou_validated;
	int domain_ou_explicit;
	char *computer_dn;
	char *computer_container;
	LDAPMessage *computer_attributes;

	char **service_names;
	char **service_principals;
	int service_principals_explicit;

	char *user_principal;
	int user_princpal_generate;

	char *os_name;
	char *os_version;
	char *os_service_pack;

	krb5_kvno kvno;
	char *keytab_name;
	int keytab_name_is_krb5;
	krb5_keytab keytab;
	krb5_principal *keytab_principals;
	krb5_enctype *keytab_enctypes;
	int keytab_enctypes_explicit;
	unsigned int computer_password_lifetime;
	int computer_password_lifetime_explicit;
};

static adcli_result
ensure_host_fqdn (adcli_result res,
                  adcli_enroll *enroll)
{
	const char *fqdn;

	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->host_fqdn) {
		_adcli_info ("Using fully qualified name: %s",
		             enroll->host_fqdn);
		return ADCLI_SUCCESS;
	}

	if (enroll->host_fqdn_explicit) {
		_adcli_info ("Not setting fully qualified name");
		return ADCLI_SUCCESS;
	}

	/* By default use our actual host name discovered during connecting */
	fqdn = adcli_conn_get_host_fqdn (enroll->conn);
	_adcli_str_set (&enroll->host_fqdn, fqdn);
	return ADCLI_SUCCESS;
}

static adcli_result
ensure_computer_name (adcli_result res,
                      adcli_enroll *enroll)
{
	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->computer_name) {
		_adcli_info ("Enrolling computer name: %s",
		             enroll->computer_name);
		return ADCLI_SUCCESS;
	}

	if (!enroll->host_fqdn) {
		_adcli_err ("No host name from which to determine the computer name");
		return ADCLI_ERR_CONFIG;
	}

	enroll->computer_name = _adcli_calc_netbios_name (enroll->host_fqdn);
	if (enroll->computer_name == NULL)
		return ADCLI_ERR_CONFIG;

	return ADCLI_SUCCESS;
}

static adcli_result
ensure_computer_sam (adcli_result res,
                     adcli_enroll *enroll)
{
	krb5_error_code code;
	krb5_context k5;

	if (res != ADCLI_SUCCESS)
		return res;

	free (enroll->computer_sam);
	enroll->computer_sam = NULL;

	if (asprintf (&enroll->computer_sam, "%s$", enroll->computer_name) < 0)
		return_unexpected_if_fail (enroll->computer_sam != NULL);

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_unexpected_if_fail (k5 != NULL);

	if (enroll->computer_principal)
		krb5_free_principal (k5, enroll->computer_principal);
	enroll->computer_principal = NULL;

	code = _adcli_krb5_build_principal (k5, enroll->computer_sam,
	                                    adcli_conn_get_domain_realm (enroll->conn),
	                                    &enroll->computer_principal);
	return_unexpected_if_fail (code == 0);

	return ADCLI_SUCCESS;
}

static int
filter_password_chars (char *password,
                       int length)
{
	int i, j;

	/*
	 * The MS documentation says their servers only use ASCII characters
	 * between 32 and 122 inclusive. We do that as well, and filter out
	 * all other random characters. We also remove certain characters
	 * special for use in a shell.
	 */
	for (i = 0, j = 0; i < length; i++) {
		if (password[i] >= 32 && password[i] <= 122 &&
		    strchr (" !'\"$`", password[i]) == NULL)
			password[j++] = password[i];
	}

	/* return the number of valid characters remaining */
	return j;
}

static char *
generate_host_password  (adcli_enroll *enroll,
                         size_t length)
{
	char *password;
	krb5_context k5;
	krb5_error_code code;
	krb5_data buffer;
	int at;

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_val_if_fail (k5 != NULL, NULL);

	password = malloc (length + 1);
	return_val_if_fail (password != NULL, NULL);

	at = 0;
	while (at != length) {
		buffer.length = length - at;
		buffer.data = password + at;

		code = krb5_c_random_make_octets (k5, &buffer);
		return_val_if_fail (code == 0, NULL);

		at += filter_password_chars (buffer.data, buffer.length);
		assert (at <= length);
	}

	/* This null termination works around a bug in krb5 */
	password[length] = '\0';
	return password;
}

static adcli_result
ensure_computer_password (adcli_result res,
                      adcli_enroll *enroll)
{
	const int length = 120;

	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->computer_password)
		return ADCLI_SUCCESS;

	if (enroll->reset_password) {
		assert (enroll->computer_name != NULL);
		enroll->computer_password = _adcli_calc_reset_password (enroll->computer_name);
		return_unexpected_if_fail (enroll->computer_password != NULL);
		_adcli_info ("Using default reset computer password");

	} else {
		enroll->computer_password = generate_host_password (enroll, length);
		return_unexpected_if_fail (enroll->computer_password != NULL);
		_adcli_info ("Generated %d character computer password", length);
	}


	return ADCLI_SUCCESS;
}

static adcli_result
ensure_service_names (adcli_result res,
                      adcli_enroll *enroll)
{
	int length = 0;

	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->service_names || enroll->service_principals)
		return ADCLI_SUCCESS;

	/* The default ones specified by MS */
	enroll->service_names = _adcli_strv_add (enroll->service_names,
	                                         strdup ("host"), &length);
	enroll->service_names = _adcli_strv_add (enroll->service_names,
	                                         strdup ("RestrictedKrbHost"), &length);
	return ADCLI_SUCCESS;
}

static adcli_result
ensure_service_principals (adcli_result res,
                           adcli_enroll *enroll)
{
	char *name;
	int length = 0;
	int i;

	if (res != ADCLI_SUCCESS)
		return res;

	assert (enroll->keytab_principals == NULL);

	if (!enroll->service_principals) {
		assert (enroll->service_names != NULL);

		for (i = 0; enroll->service_names[i] != NULL; i++) {
			if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->computer_name) < 0)
				return_unexpected_if_reached ();
			enroll->service_principals = _adcli_strv_add (enroll->service_principals,
			                                              name, &length);

			if (enroll->host_fqdn) {
				if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->host_fqdn) < 0)
					return_unexpected_if_reached ();
				enroll->service_principals = _adcli_strv_add (enroll->service_principals,
				                                              name, &length);
			}
		}
	}

	return ADCLI_SUCCESS;
}

static adcli_result
ensure_keytab_principals (adcli_result res,
                          adcli_enroll *enroll)
{
	krb5_context k5;
	krb5_error_code code;
	int count;
	int at, i;

	/* Prepare the principals we're going to add to the keytab */

	return_unexpected_if_fail (enroll->service_principals);
	count = _adcli_strv_len (enroll->service_principals);

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_unexpected_if_fail (k5 != NULL);

	enroll->keytab_principals = calloc (count + 3, sizeof (krb5_principal));
	at = 0;

	/* First add the principal for the computer account name */
	code = krb5_copy_principal (k5, enroll->computer_principal,
	                            &enroll->keytab_principals[at++]);
	return_unexpected_if_fail (code == 0);

	/* Next, optionally add the user principal */
	if (enroll->user_principal) {
		code = krb5_parse_name (k5, enroll->user_principal,
		                        &enroll->keytab_principals[at++]);
		if (code != 0) {
			if (code != 0) {
				_adcli_err ("Couldn't parse kerberos user principal: %s: %s",
				            enroll->user_principal,
				            krb5_get_error_message (k5, code));
				return ADCLI_ERR_CONFIG;
			}
		}
	}

	/* Now add the principals for all the various services */

	for (i = 0; i < count; i++) {
		code = _adcli_krb5_build_principal (k5, enroll->service_principals[i],
		                                    adcli_conn_get_domain_realm (enroll->conn),
		                                    &enroll->keytab_principals[at++]);
		if (code != 0) {
			_adcli_err ("Couldn't parse kerberos service principal: %s: %s",
			            enroll->service_principals[i],
			            krb5_get_error_message (k5, code));
			return ADCLI_ERR_CONFIG;
		}
	}

	return ADCLI_SUCCESS;
}

static adcli_result
ensure_user_principal (adcli_result res,
                       adcli_enroll *enroll)
{
	char *name;

	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->user_princpal_generate) {
		name = strdup (enroll->computer_name);
		return_unexpected_if_fail (name != NULL);

		_adcli_str_down (name);

		assert (enroll->user_principal == NULL);
		if (asprintf (&enroll->user_principal, "host/%s@%s",
		              name, adcli_conn_get_domain_realm (enroll->conn)) < 0)
			return_unexpected_if_reached ();

		free (name);
	}

	if (enroll->user_principal)
		_adcli_info ("With user principal: %s", enroll->user_principal);

	return ADCLI_SUCCESS;
}

static adcli_result
lookup_computer_container (adcli_enroll *enroll,
                           LDAP *ldap)
{
	char *attrs[] = { "wellKnownObjects", NULL };
	char *prefix = "B:32:AA312825768811D1ADED00C04FD8D5CD:";
	int prefix_len;
	LDAPMessage *results;
	const char *base;
	char **values;
	int ret;
	int i;

	if (enroll->computer_container)
		return ADCLI_SUCCESS;

	base = enroll->domain_ou;
	if (base == NULL)
		base = adcli_conn_get_default_naming_context (enroll->conn);
	assert (base != NULL);

	ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_BASE,
	                         "(objectClass=*)", attrs, 0, NULL, NULL,
	                         NULL, -1, &results);

	if (ret == LDAP_NO_SUCH_OBJECT && enroll->domain_ou) {
		_adcli_err ("The organizational unit does not exist: %s", enroll->domain_ou);
		return enroll->domain_ou_explicit ? ADCLI_ERR_CONFIG : ADCLI_ERR_DIRECTORY;

	} else if (ret != LDAP_SUCCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't lookup computer container: %s", base);
	}

	values = _adcli_ldap_parse_values (ldap, results, "wellKnownObjects");
	ldap_msgfree (results);

	prefix_len = strlen (prefix);
	for (i = 0; values && values[i]; i++) {
		if (strncmp (values[i], prefix, prefix_len) == 0) {
			enroll->computer_container = strdup (values[i] + prefix_len);
			return_unexpected_if_fail (enroll->computer_container != NULL);
			_adcli_info ("Found well known computer container at: %s",
			             enroll->computer_container);
			break;
		}
	}

	_adcli_strv_free (values);

	/* Try harder */
	if (!enroll->computer_container) {
		ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_BASE,
		                         "(&(objectClass=container)(cn=Computers))",
		                         attrs, 0, NULL, NULL, NULL, -1, &results);
		if (ret == LDAP_SUCCESS) {
			enroll->computer_container = _adcli_ldap_parse_dn (ldap, results);
			if (enroll->computer_container) {
				_adcli_info ("Well known computer container not "
				             "found, but found suitable one at: %s",
				             enroll->computer_container);
			}
		}

		ldap_msgfree (results);
	}

	if (!enroll->computer_container && enroll->domain_ou) {
		_adcli_warn ("Couldn't find a computer container in the ou, "
		             "creating computer account directly in: %s", enroll->domain_ou);
		enroll->computer_container = strdup (enroll->domain_ou);
		return_unexpected_if_fail (enroll->computer_container != NULL);
	}

	if (!enroll->computer_container) {
		_adcli_err ("Couldn't find location to create computer accounts");
		return ADCLI_ERR_DIRECTORY;
	}

	return ADCLI_SUCCESS;
}

static adcli_result
calculate_computer_account (adcli_enroll *enroll,
                            LDAP *ldap)
{
	adcli_result res;

	assert (enroll->computer_dn == NULL);

	/* Now need to find or validate the computer container */
	res = lookup_computer_container (enroll, ldap);
	if (res != ADCLI_SUCCESS)
		return res;

	assert (enroll->computer_container);

	free (enroll->computer_dn);
	enroll->computer_dn = NULL;

	if (asprintf (&enroll->computer_dn, "CN=%s,%s", enroll->computer_name, enroll->computer_container) < 0)
		return_unexpected_if_reached ();

	_adcli_info ("Calculated computer account: %s", enroll->computer_dn);
	return ADCLI_SUCCESS;
}

static adcli_result
create_computer_account (adcli_enroll *enroll,
                         LDAP *ldap)
{
	char *vals_objectClass[] = { "computer", NULL };
	LDAPMod objectClass = { LDAP_MOD_ADD, "objectClass", { vals_objectClass, } };
	char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
	LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
	char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
	LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };

	int ret;

	LDAPMod *mods[] = {
		&objectClass,
		&sAMAccountName,
		&userAccountControl,
		NULL,
	};

	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);

	/*
	 * Hand to head. This is really dumb... AD returns
	 * OBJECT_CLASS_VIOLATION when the 'admin' account doesn't have
	 * enough permission to create this computer account.
	 *
	 * Additionally LDAP_UNWILLING_TO_PERFORM and LDAP_CONSTRAINT_VIOLATION
	 * are seen on various Windows Servers as responses to this case.
	 *
	 * TODO: Perhaps some missing attributes are auto-generated when
	 * the administrative credentials have sufficient permissions, and
	 * those missing attributes cause the object class violation. However
	 * I've tried to screw around with this, and can't find the missing
	 * attributes. They may be hidden, like unicodePwd.
	 */

	if (ret == LDAP_INSUFFICIENT_ACCESS || ret == LDAP_OBJECT_CLASS_VIOLATION ||
	    ret == LDAP_UNWILLING_TO_PERFORM || ret == LDAP_CONSTRAINT_VIOLATION) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
		                                   "Insufficient permissions to modify computer account: %s",
		                                   enroll->computer_dn);

	} else if (ret != LDAP_SUCCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't create computer account: %s",
		                                   enroll->computer_dn);
	}

	_adcli_info ("Created computer account: %s", enroll->computer_dn);
	return ADCLI_SUCCESS;
}

static int
filter_for_necessary_updates (adcli_enroll *enroll,
                              LDAP *ldap,
                              LDAPMessage *entry,
                              LDAPMod **mods)
{
	struct berval **vals;
	int match;
	int out;
	int in;

	for (in = 0, out = 0; mods[in] != NULL; in++) {
		match = 0;

		/* Never update these attributes */
		if (strcasecmp (mods[in]->mod_type, "objectClass") == 0)
			continue;

		/* If no entry, then no filtering */
		if (entry != NULL) {
			vals = ldap_get_values_len (ldap, entry, mods[in]->mod_type);
			if (vals != NULL) {
				match = _adcli_ldap_have_in_mod (mods[in], vals);
				ldap_value_free_len (vals);
			}
		}

		if (!match)
			mods[out++] = mods[in];
	}

	mods[out] = NULL;
	return out;
}

static adcli_result
validate_computer_account (adcli_enroll *enroll,
                           int allow_overwrite,
                           int already_exists)
{
	assert (enroll->computer_dn != NULL);

	if (already_exists && !allow_overwrite) {
		_adcli_err ("The computer account %s already exists",
		            enroll->computer_name);
		return ADCLI_ERR_CONFIG;
	}

	/* Do we have an explicitly requested ou? */
	if (enroll->domain_ou && enroll->domain_ou_explicit && already_exists) {
		if (!_adcli_ldap_dn_has_ancestor (enroll->computer_dn, enroll->domain_ou)) {
			_adcli_err ("The computer account %s already exists, "
			            "but is not in the desired organizational unit.",
			            enroll->computer_name);
			return ADCLI_ERR_CONFIG;
		}
	}

	return ADCLI_SUCCESS;
}

static adcli_result
delete_computer_account (adcli_enroll *enroll,
                         LDAP *ldap)
{
	int ret;

	ret = ldap_delete_ext_s (ldap, enroll->computer_dn, NULL, NULL);
	if (ret == LDAP_INSUFFICIENT_ACCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
		                                   "Insufficient permissions to delete computer account: %s",
		                                   enroll->computer_dn);

	} else if (ret != LDAP_SUCCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't delete computer account: %s",
		                                   enroll->computer_dn);
	} else {
		_adcli_info ("Deleted computer account at: %s", enroll->computer_dn);
	}

	return ADCLI_SUCCESS;
}

static adcli_result
locate_computer_account (adcli_enroll *enroll,
                         LDAP *ldap,
                         LDAPMessage **rresults,
                         LDAPMessage **rentry)
{
	char *attrs[] = { "1.1", NULL };
	LDAPMessage *results = NULL;
	LDAPMessage *entry = NULL;
	const char *base;
	char *value;
	char *filter;
	char *dn;
	int ret = 0;

	/* If we don't yet know our computer dn, then try and find it */
	value = _adcli_ldap_escape_filter (enroll->computer_sam);
	return_unexpected_if_fail (value != NULL);
	if (asprintf (&filter, "(&(objectClass=computer)(sAMAccountName=%s))", value) < 0)
		return_unexpected_if_reached ();
	free (value);

	base = adcli_conn_get_default_naming_context (enroll->conn);
	ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_SUB, filter, attrs, 0,
	                         NULL, NULL, NULL, 1, &results);

	free (filter);

	/* ldap_search_ext_s() can return results *and* an error. */
	if (ret == LDAP_SUCCESS) {
		entry = ldap_first_entry (ldap, results);

		/* If we found a computer account, make note of dn */
		if (entry) {
			dn = ldap_get_dn (ldap, entry);
			free (enroll->computer_dn);
			enroll->computer_dn = strdup (dn);
			return_unexpected_if_fail (enroll->computer_dn != NULL);
			_adcli_info ("Found computer account for %s at: %s",
			             enroll->computer_sam, dn);
			ldap_memfree (dn);

		} else {
			ldap_msgfree (results);
			results = NULL;
			_adcli_info ("Computer account for %s does not exist",
			             enroll->computer_sam);
		}

	} else {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't lookup computer account: %s",
		                                   enroll->computer_sam);
	}

	if (rresults)
		*rresults = results;
	else
		ldap_msgfree (results);
	if (rentry) {
		assert (rresults != NULL);
		*rentry = entry;
	}

	return ADCLI_SUCCESS;
}

static adcli_result
load_computer_account (adcli_enroll *enroll,
                       LDAP *ldap,
                       LDAPMessage **rresults,
                       LDAPMessage **rentry)
{
	char *attrs[] = { "1.1", NULL };
	LDAPMessage *results = NULL;
	LDAPMessage *entry = NULL;
	int ret;

	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
	                         "(objectClass=computer)", attrs, 0,
	                         NULL, NULL, NULL, -1, &results);

	if (ret == LDAP_SUCCESS) {
		entry = ldap_first_entry (ldap, results);
		if (entry) {
			_adcli_info ("Found computer account for %s at: %s",
			             enroll->computer_sam, enroll->computer_dn);
		}

	} else if (ret == LDAP_NO_SUCH_OBJECT) {
		results = entry = NULL;

	} else {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't check computer account: %s",
		                                   enroll->computer_dn);
	}

	if (rresults)
		*rresults = results;
	else
		ldap_msgfree (results);
	if (rentry) {
		assert (rresults != NULL);
		*rentry = entry;
	}

	return ADCLI_SUCCESS;
}

static adcli_result
locate_or_create_computer_account (adcli_enroll *enroll,
                                   int allow_overwrite)
{
	LDAPMessage *results = NULL;
	LDAPMessage *entry = NULL;
	adcli_result res;
	int searched = 0;
	LDAP *ldap;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	assert (ldap != NULL);

	/* Try to find the computer account */
	if (!enroll->computer_dn) {
		res = locate_computer_account (enroll, ldap, &results, &entry);
		if (res != ADCLI_SUCCESS)
			return res;
		searched = 1;
	}

	/* Next try and come up with where we think it should be */
	if (enroll->computer_dn == NULL) {
		res = calculate_computer_account (enroll, ldap);
		if (res != ADCLI_SUCCESS)
			return res;
	}

	assert (enroll->computer_dn != NULL);

	/* Have we seen an account yet? */
	if (!searched) {
		res = load_computer_account (enroll, ldap, &results, &entry);
		if (res != ADCLI_SUCCESS)
			return res;
	}

	res = validate_computer_account (enroll, allow_overwrite, entry != NULL);
	if (res == ADCLI_SUCCESS && entry == NULL)
		res = create_computer_account (enroll, ldap);

	if (results)
		ldap_msgfree (results);

	return res;
}

static adcli_result
set_password_with_user_creds (adcli_enroll *enroll)
{
	krb5_error_code code;
	krb5_ccache ccache;
	krb5_context k5;
	krb5_data result_string = { 0, };
	krb5_data result_code_string = { 0, };
	adcli_result res;
	int result_code;
	char *message;

	assert (enroll->computer_password != NULL);
	assert (enroll->computer_principal != NULL);

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_unexpected_if_fail (k5 != NULL);

	ccache = adcli_conn_get_login_ccache (enroll->conn);
	return_unexpected_if_fail (ccache != NULL);

	memset (&result_string, 0, sizeof (result_string));
	memset (&result_code_string, 0, sizeof (result_code_string));

	code = krb5_set_password_using_ccache (k5, ccache, enroll->computer_password,
	                                       enroll->computer_principal, &result_code,
	                                       &result_code_string, &result_string);

	if (code != 0) {
		_adcli_err ("Couldn't set password for computer account: %s: %s",
		            enroll->computer_sam, krb5_get_error_message (k5, code));
		/* TODO: Parse out these values */
		res = ADCLI_ERR_DIRECTORY;

	} else if (result_code != 0) {
#ifdef HAVE_KRB5_CHPW_MESSAGE
		if (krb5_chpw_message (k5, &result_string, &message) != 0)
			message = NULL;
#else
		message = NULL;
		if (result_string.length)
			message = _adcli_str_dupn (result_string.data, result_string.length);
#endif
		_adcli_err ("Cannot set computer password: %.*s%s%s",
		            (int)result_code_string.length, result_code_string.data,
		            message ? ": " : "", message ? message : "");
		res = ADCLI_ERR_CREDENTIALS;
#ifdef HAVE_KRB5_CHPW_MESSAGE
		krb5_free_string (k5, message);
#else
		free (message);
#endif
	} else {
		_adcli_info ("Set computer password");
		res = ADCLI_SUCCESS;
	}

	krb5_free_data_contents (k5, &result_string);
	krb5_free_data_contents (k5, &result_code_string);

	return res;
}

static adcli_result
set_password_with_computer_creds (adcli_enroll *enroll)
{
	krb5_error_code code;
	krb5_creds creds;
	krb5_data result_string = { 0, };
	krb5_data result_code_string = { 0, };
	krb5_context k5;
	int result_code;
	adcli_result res;
	char *message;

	memset (&creds, 0, sizeof (creds));

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_unexpected_if_fail (k5 != NULL);

	code = _adcli_kinit_computer_creds (enroll->conn, "kadmin/changepw", NULL, &creds);
	if (code != 0) {
		_adcli_err ("Couldn't get change password ticket for computer account: %s: %s",
		            enroll->computer_sam, krb5_get_error_message (k5, code));
		return ADCLI_ERR_DIRECTORY;
	}

	code = krb5_change_password (k5, &creds, enroll->computer_password,
	                             &result_code, &result_code_string, &result_string);

	krb5_free_cred_contents (k5, &creds);

	if (code != 0) {
		_adcli_err ("Couldn't change password for computer account: %s: %s",
		            enroll->computer_sam, krb5_get_error_message (k5, code));
		/* TODO: Parse out these values */
		res = ADCLI_ERR_DIRECTORY;

	} else if (result_code != 0) {
#ifdef HAVE_KRB5_CHPW_MESSAGE
		if (krb5_chpw_message (k5, &result_string, &message) != 0)
			message = NULL;
#else
		message = NULL;
		if (result_string.length)
			message = _adcli_str_dupn (result_string.data, result_string.length);
#endif
		_adcli_err ("Cannot change computer password: %.*s%s%s",
		            (int)result_code_string.length, result_code_string.data,
		            message ? ": " : "", message ? message : "");
		res = ADCLI_ERR_CREDENTIALS;
#ifdef HAVE_KRB5_CHPW_MESSAGE
		krb5_free_string (k5, message);
#else
		free (message);
#endif
	} else {
		_adcli_info ("Changed computer password");
		if (enroll->kvno > 0) {
			enroll->kvno++;
		        _adcli_info ("kvno incremented to %d", enroll->kvno);
		}
		res = ADCLI_SUCCESS;
	}

	krb5_free_data_contents (k5, &result_string);
	krb5_free_data_contents (k5, &result_code_string);

	return res;
}

static adcli_result
set_computer_password (adcli_enroll *enroll)
{
	if (adcli_conn_get_login_type (enroll->conn) == ADCLI_LOGIN_COMPUTER_ACCOUNT)
		return set_password_with_computer_creds (enroll);
	else
		return set_password_with_user_creds (enroll);
}

static adcli_result
retrieve_computer_account (adcli_enroll *enroll)
{
	adcli_result res = ADCLI_SUCCESS;
	unsigned long kvno;
	char *value;
	LDAP *ldap;
	char *end;
	int ret;

	char *attrs[] =  {
		"msDS-KeyVersionNumber",
		"msDS-supportedEncryptionTypes",
		"dNSHostName",
		"servicePrincipalName",
		"operatingSystem",
		"operatingSystemVersion",
		"operatingSystemServicePack",
		"pwdLastSet",
		NULL,
	};

	assert (enroll->computer_dn != NULL);
	assert (enroll->computer_attributes == NULL);

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	assert (ldap != NULL);

	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
	                         &enroll->computer_attributes);

	if (ret != LDAP_SUCCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't retrieve computer account info: %s",
		                                   enroll->computer_dn);
	}

	/* Update the kvno */
	if (enroll->kvno == 0) {
		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, "msDS-KeyVersionNumber");
		if (value != NULL) {
			kvno = strtoul (value, &end, 10);
			if (end == NULL || *end != '\0') {
				_adcli_err ("Invalid kvno '%s' for computer account in directory: %s",
				            value, enroll->computer_dn);
				res = ADCLI_ERR_DIRECTORY;

			} else {
				enroll->kvno = kvno;

				_adcli_info ("Retrieved kvno '%s' for computer account in directory: %s",
				             value, enroll->computer_dn);
			}

			free (value);

		} else {
			/* Apparently old AD didn't have this attribute, use zero */
			enroll->kvno = 0;

			_adcli_info ("No kvno found for computer account in directory: %s",
			             enroll->computer_dn);
		}
	}

	return res;
}

static adcli_result
update_and_calculate_enctypes (adcli_enroll *enroll)
{
	char *value = NULL;
	krb5_enctype *read_enctypes;
	char *vals_supportedEncryptionTypes[] = { NULL, NULL };
	LDAPMod mod = { LDAP_MOD_REPLACE, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
	LDAPMod *mods[2] = { &mod, NULL };
	int is_2008_or_later;
	char *new_value;
	LDAP *ldap;
	int ret;

	/*
	 * Because we're using a keytab we want the server to be aware of the
	 * encryption types supported on the client, because we can't dynamically
	 * use a new one that's thrown at us.
	 *
	 * If the encryption types are not explicitly set by the caller of this
	 * library, then see if the account already has some encryption types
	 * marked on it.
	 *
	 * If not, write our default set to the account.
	 *
	 * Note that Windows 2003 and earlier have a standard set of encryption
	 * types, and no msDS-supportedEncryptionTypes attribute.
	 */

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	return_unexpected_if_fail (ldap != NULL);

	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);

	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
	if (is_2008_or_later) {
		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
		                                 "msDS-supportedEncryptionTypes");

		if (!enroll->keytab_enctypes_explicit && value != NULL) {
			read_enctypes = _adcli_krb5_parse_enctypes (value);
			if (read_enctypes == NULL) {
				_adcli_warn ("Invalid or unsupported encryption types are set on "
				             "the computer account (%s).", value);
			} else {
				free (enroll->keytab_enctypes);
				enroll->keytab_enctypes = read_enctypes;
			}
		}

	/* In 2003 or earlier, standard set of enc types */
	} else {
		value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
	}

	new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
	if (new_value == NULL) {
		free (value);
		_adcli_warn ("The encryption types desired are not available in active directory");
		return ADCLI_ERR_CONFIG;
	}

	/* If we already have this value, then don't need to update */
	if (value && strcmp (new_value, value) == 0) {
		free (value);
		free (new_value);
		return ADCLI_SUCCESS;
	}
	free (value);

	if (!is_2008_or_later) {
		free (new_value);
		_adcli_warn ("Server does not support setting encryption types");
		return ADCLI_SUCCESS;
	}

	vals_supportedEncryptionTypes[0] = new_value;

	if (filter_for_necessary_updates (enroll, ldap, enroll->computer_attributes, mods) == 0)
		ret = 0;
	else
		ret = ldap_modify_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);

	free (new_value);

	if (ret == LDAP_INSUFFICIENT_ACCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
		                                   "Insufficient permissions to set encryption types on computer account: %s",
		                                   enroll->computer_dn);

	} else if (ret != LDAP_SUCCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't set encryption types on computer account: %s",
		                                   enroll->computer_dn);
	}

	return ADCLI_SUCCESS;
}

static adcli_result
update_computer_attribute (adcli_enroll *enroll,
                           LDAP *ldap,
                           LDAPMod **mods)
{
	adcli_result res = ADCLI_SUCCESS;
	char *string;
	int ret;

	/* See if there are any changes to be made? */
	if (filter_for_necessary_updates (enroll, ldap, enroll->computer_attributes, mods) == 0)
		return ADCLI_SUCCESS;

	string = _adcli_ldap_mods_to_string (mods);
	return_unexpected_if_fail (string != NULL);

	_adcli_info ("Modifying computer account: %s", string);

	ret = ldap_modify_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);

	if (ret != LDAP_SUCCESS) {
		_adcli_warn ("Couldn't set %s on computer account: %s: %s",
		             string, enroll->computer_dn, ldap_err2string (ret));
		res = ADCLI_ERR_DIRECTORY;
	}

	free (string);
	return res;
}

static void
update_computer_account (adcli_enroll *enroll)
{
	int res = 0;
	LDAP *ldap;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	return_if_fail (ldap != NULL);

	{
		char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
		LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
		LDAPMod *mods[] = { &dNSHostName, NULL };

		res |= update_computer_attribute (enroll, ldap, mods);
	}

	if (res == ADCLI_SUCCESS) {
		char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
		LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
		LDAPMod *mods[] = { &userAccountControl, NULL };

		res |= update_computer_attribute (enroll, ldap, mods);
	}

	if (res == ADCLI_SUCCESS) {
		char *vals_operatingSystem[] = { enroll->os_name, NULL };
		LDAPMod operatingSystem = { LDAP_MOD_REPLACE, "operatingSystem", { vals_operatingSystem, } };
		char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };
		LDAPMod operatingSystemVersion = { LDAP_MOD_REPLACE, "operatingSystemVersion", { vals_operatingSystemVersion, } };
		char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
		LDAPMod operatingSystemServicePack = { LDAP_MOD_REPLACE, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
		LDAPMod *mods[] = { &operatingSystem, &operatingSystemVersion, &operatingSystemServicePack, NULL };

		res |= update_computer_attribute (enroll, ldap, mods);
	}

	if (res == ADCLI_SUCCESS) {
		char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
		LDAPMod userPrincipalName = { LDAP_MOD_REPLACE, "userPrincipalName", { vals_userPrincipalName, }, };
		LDAPMod *mods[] = { &userPrincipalName, NULL, };

		res |= update_computer_attribute (enroll, ldap, mods);
	}

	if (res != 0)
		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
}

static adcli_result
update_service_principals (adcli_enroll *enroll)
{
	LDAPMod servicePrincipalName = { LDAP_MOD_REPLACE, "servicePrincipalName", { enroll->service_principals, } };
	LDAPMod *mods[] = { &servicePrincipalName, NULL, };
	LDAP *ldap;
	int ret;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	return_unexpected_if_fail (ldap != NULL);

	/* See if there are any changes to be made? */
	if (filter_for_necessary_updates (enroll, ldap, enroll->computer_attributes, mods) == 0)
		return ADCLI_SUCCESS;

	ret = ldap_modify_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
	if (ret == LDAP_INSUFFICIENT_ACCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
		                                   "Insufficient permissions to set service principals on computer account: %s",
		                                   enroll->computer_dn);

	} else if (ret != LDAP_SUCCESS) {
		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
		                                   "Couldn't set service principals on computer account %s",
		                                   enroll->computer_dn);
	}

	return ADCLI_SUCCESS;
}

static adcli_result
ensure_host_keytab (adcli_result res,
                    adcli_enroll *enroll)
{
	krb5_context k5;
	krb5_error_code code;
	char *name;

	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->keytab)
		return ADCLI_SUCCESS;

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_unexpected_if_fail (k5 != NULL);

	res = _adcli_krb5_open_keytab (k5, enroll->keytab_name, &enroll->keytab);
	if (res != ADCLI_SUCCESS)
		return res;

	if (!enroll->keytab_name) {
		name = malloc (MAX_KEYTAB_NAME_LEN + 1);
		return_unexpected_if_fail (name != NULL);

		code = krb5_kt_get_name (k5, enroll->keytab, name, MAX_KEYTAB_NAME_LEN + 1);
		return_unexpected_if_fail (code == 0);

		enroll->keytab_name = name;
		enroll->keytab_name_is_krb5 = 1;
	}

	_adcli_info ("Using keytab: %s", enroll->keytab_name);
	return ADCLI_SUCCESS;
}

static krb5_boolean
load_keytab_entry (krb5_context k5,
                   krb5_keytab_entry *entry,
                   void *data)
{
	adcli_enroll *enroll = data;
	krb5_error_code code;
	krb5_principal principal;
	const char *realm;
	size_t len;
	char *value;
	char *name;

	/* Skip over any entry without a principal or realm */
	principal = entry->principal;
	if (!principal || !principal->realm.length)
		return TRUE;

	/* Use the first keytab entry as realm */
	realm = adcli_conn_get_domain_realm (enroll->conn);
	if (!realm) {
		value = _adcli_str_dupn (principal->realm.data, principal->realm.length);
		adcli_conn_set_domain_realm (enroll->conn, value);
		_adcli_info ("Found realm in keytab: %s", value);
		realm = adcli_conn_get_domain_realm (enroll->conn);
		free (value);
	}

	/* Only look at entries that match the realm */
	len = strlen (realm);
	if (principal->realm.length != len && strncmp (realm, principal->realm.data, len) != 0)
		return TRUE;

	code = krb5_unparse_name_flags (k5, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
	return_val_if_fail (code == 0, FALSE);

	len = strlen (name);

	if (!enroll->service_principals_explicit) {
		if (!_adcli_strv_has (enroll->service_principals, name) && strchr (name, '/')) {
			value = strdup (name);
			return_val_if_fail (value != NULL, FALSE);
			_adcli_info ("Found service principal in keytab: %s", value);
			enroll->service_principals = _adcli_strv_add (enroll->service_principals, value, NULL);
		}
	}

	if (!enroll->host_fqdn_explicit && !enroll->computer_name_explicit) {

		/* Automatically use the netbios name */
		if (!enroll->computer_name && len > 1 && _adcli_str_is_up (name) &&
		    _adcli_str_has_suffix (name, "$") && !strchr (name, '/')) {
			enroll->computer_name = name;
			name[len - 1] = '\0';
			_adcli_info ("Found computer name in keytab: %s", name);
			name = NULL;

		} else if (!enroll->host_fqdn && _adcli_str_has_prefix (name, "host/") && strchr (name, '.')) {
			/* Skip host/ prefix */
			enroll->host_fqdn = name + 5;
			_adcli_info ("Found host qualified name in keytab: %s", name);
			name = NULL;
		}
	}

	free (name);
	return TRUE;
}

static adcli_result
load_host_keytab (adcli_enroll *enroll)
{
	krb5_error_code code;
	adcli_result res;
	krb5_context k5;
	krb5_keytab keytab;

	res = _adcli_krb5_init_context (&k5);
	if (res != ADCLI_SUCCESS)
		return res;

	res = _adcli_krb5_open_keytab (k5, enroll->keytab_name, &keytab);
	if (res == ADCLI_SUCCESS) {
		code = _adcli_krb5_keytab_enumerate (k5, keytab, load_keytab_entry, enroll);
		if (code != 0) {
			_adcli_err ("Couldn't enumerate keytab: %s: %s",
		                    enroll->keytab_name, krb5_get_error_message (k5, code));
			res = ADCLI_ERR_FAIL;
		}
		krb5_kt_close (k5, keytab);
	}

	krb5_free_context (k5);
	return ADCLI_SUCCESS;
}

typedef struct {
	krb5_kvno kvno;
	krb5_principal principal;
	int matched;
} match_principal_kvno;

static krb5_boolean
match_principal_and_kvno (krb5_context k5,
                          krb5_keytab_entry *entry,
                          void *data)
{
	match_principal_kvno *closure = data;

	assert (closure->principal);

	/*
	 * Don't match entries with kvno - 1 so that existing sessions
	 * will still work.
	 */

	if (entry->vno + 1 == closure->kvno)
		return 0;

	/* Is this the principal we're looking for? */
	if (krb5_principal_compare (k5, entry->principal, closure->principal)) {
		closure->matched = 1;
		return 1;
	}

	return 0;
}

#define DEFAULT_SALT 1

static krb5_data *
build_principal_salts (adcli_enroll *enroll,
                       krb5_context k5,
                       krb5_principal principal)
{
	krb5_error_code code;
	krb5_data *salts;
	const int count = 3;
	int i = 0;

	salts = calloc (count, sizeof (krb5_data));
	return_val_if_fail (salts != NULL, NULL);

	/* Build up the salts, first a standard kerberos salt */
	code = krb5_principal2salt (k5, principal, &salts[i++]);
	return_val_if_fail (code == 0, NULL);

	/* Then a Windows 2003 computer account salt */
	code = _adcli_krb5_w2k3_salt (k5, principal, enroll->computer_name, &salts[i++]);
	return_val_if_fail (code == 0, NULL);

	/* And lastly a null salt */
	salts[i++].data = NULL;

	assert (count == i);
	return salts;
}

static void
free_principal_salts (krb5_context k5,
                      krb5_data *salts)
{
	int i;

	for (i = 0; salts[i].data != NULL; i++)
		krb5_free_data_contents (k5, salts + i);

	free (salts);
}

static adcli_result
add_principal_to_keytab (adcli_enroll *enroll,
                         krb5_context k5,
                         krb5_principal principal,
                         const char *principal_name,
                         int *which_salt)
{
	match_principal_kvno closure;
	krb5_data password;
	krb5_error_code code;
	krb5_data *salts;
	krb5_enctype *enctypes;

	/* Remove old stuff from the keytab for this principal */

	closure.kvno = enroll->kvno;
	closure.principal = principal;
	closure.matched = 0;

	code = _adcli_krb5_keytab_clear (k5, enroll->keytab,
	                                 match_principal_and_kvno, &closure);

	if (code != 0) {
		_adcli_err ("Couldn't update keytab: %s: %s",
		            enroll->keytab_name, krb5_get_error_message (k5, code));
		return ADCLI_ERR_FAIL;
	}

	if (closure.matched) {
		_adcli_info ("Cleared old entries from keytab: %s",
		             enroll->keytab_name);
	}

	password.data = enroll->computer_password;
	password.length = strlen (enroll->computer_password);

	enctypes = adcli_enroll_get_keytab_enctypes (enroll);

	/*
	 * So we need to discover which salt to use. As a side effect we are
	 * also testing that our account works.
	 */

	salts = build_principal_salts (enroll, k5, principal);
	return_unexpected_if_fail (salts != NULL);

	if (*which_salt < 0) {
		code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,
		                                         enctypes, salts, which_salt);
		if (code != 0) {
			_adcli_warn ("Couldn't authenticate with keytab while discovering which salt to use: %s: %s",
			             principal_name, krb5_get_error_message (k5, code));
			*which_salt = DEFAULT_SALT;
		} else {
			assert (*which_salt >= 0);
			_adcli_info ("Discovered which keytab salt to use");
		}
	}

	code = _adcli_krb5_keytab_add_entries (k5, enroll->keytab, principal,
	                                       enroll->kvno, &password, enctypes, &salts[*which_salt]);

	free_principal_salts (k5, salts);

	if (code != 0) {
		_adcli_err ("Couldn't add keytab entries: %s: %s",
		            enroll->keytab_name, krb5_get_error_message (k5, code));
		return ADCLI_ERR_FAIL;
	}


	_adcli_info ("Added the entries to the keytab: %s: %s",
	             principal_name, enroll->keytab_name);
	return ADCLI_SUCCESS;
}

static adcli_result
update_keytab_for_principals (adcli_enroll *enroll)
{
	krb5_context k5;
	adcli_result res;
	int which_salt = -1;
	char *name;
	int i;

	assert (enroll->keytab_principals != NULL);

	k5 = adcli_conn_get_krb5_context (enroll->conn);
	return_unexpected_if_fail (k5 != NULL);

	for (i = 0; enroll->keytab_principals[i] != 0; i++) {
		if (krb5_unparse_name (k5, enroll->keytab_principals[i], &name) != 0)
			name = "";
		res = add_principal_to_keytab (enroll, k5, enroll->keytab_principals[i],
		                               name, &which_salt);
		krb5_free_unparsed_name (k5, name);

		if (res != ADCLI_SUCCESS)
			return res;
	}

	return ADCLI_SUCCESS;
}

static void
enroll_clear_state (adcli_enroll *enroll)
{
	krb5_context k5;
	int i;

	if (enroll->keytab_principals) {
		k5 = adcli_conn_get_krb5_context (enroll->conn);
		return_if_fail (k5 != NULL);

		for (i = 0; enroll->keytab_principals[i] != NULL; i++)
			krb5_free_principal (k5, enroll->keytab_principals[i]);

		free (enroll->keytab_principals);
		enroll->keytab_principals = NULL;
	}

	if (enroll->keytab) {
		k5 = adcli_conn_get_krb5_context (enroll->conn);
		return_if_fail (k5 != NULL);

		krb5_kt_close (k5, enroll->keytab);
		enroll->keytab = NULL;
	}

	free (enroll->computer_sam);
	enroll->computer_sam = NULL;

	if (enroll->computer_principal) {
		k5 = adcli_conn_get_krb5_context (enroll->conn);
		return_if_fail (k5 != NULL);

		krb5_free_principal (k5, enroll->computer_principal);
		enroll->computer_principal = NULL;
	}

	if (!enroll->computer_password_explicit) {
		free (enroll->computer_password);
		enroll->computer_password = NULL;
	}

	free (enroll->computer_dn);
	enroll->computer_dn = NULL;

	free (enroll->computer_container);
	enroll->computer_container = NULL;

	if (!enroll->service_principals_explicit) {
		_adcli_strv_free (enroll->service_principals);
		enroll->service_principals = NULL;
	}

	if (enroll->user_princpal_generate) {
		free (enroll->user_principal);
		enroll->user_principal = NULL;
	}

	enroll->kvno = 0;

	if (enroll->computer_attributes) {
		ldap_msgfree (enroll->computer_attributes);
		enroll->computer_attributes = NULL;
	}

	if (!enroll->domain_ou_explicit) {
		free (enroll->domain_ou);
		enroll->domain_ou = NULL;
	}
}

adcli_result
adcli_enroll_prepare (adcli_enroll *enroll,
                      adcli_enroll_flags flags)
{
	adcli_result res = ADCLI_SUCCESS;

	return_unexpected_if_fail (enroll != NULL);

	adcli_clear_last_error ();

	/* Basic discovery and figuring out enroll params */
	res = ensure_host_fqdn (res, enroll);
	res = ensure_computer_name (res, enroll);
	res = ensure_computer_sam (res, enroll);
	res = ensure_user_principal (res, enroll);
	res = ensure_computer_password (res, enroll);
	if (!(flags & ADCLI_ENROLL_NO_KEYTAB))
		res = ensure_host_keytab (res, enroll);
	res = ensure_service_names (res, enroll);
	res = ensure_service_principals (res, enroll);
	res = ensure_keytab_principals (res, enroll);

	return res;
}

static adcli_result
enroll_join_or_update_tasks (adcli_enroll *enroll,
		             adcli_enroll_flags flags)
{
	adcli_result res;

	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
		res = set_computer_password (enroll);
		if (res != ADCLI_SUCCESS)
			return res;
	}

	/* kvno is not needed if no keytab */
	if (flags & ADCLI_ENROLL_NO_KEYTAB)
		enroll->kvno = -1;

	/* Get information about the computer account if needed */
	if (enroll->computer_attributes == NULL) {
		res = retrieve_computer_account (enroll);
		if (res != ADCLI_SUCCESS)
			return res;
	}

	/* We ignore failures of setting these fields */
	update_and_calculate_enctypes (enroll);
	update_computer_account (enroll);
	update_service_principals (enroll);

	if (flags & ADCLI_ENROLL_NO_KEYTAB)
		return ADCLI_SUCCESS;

	/*
	 * Salting in the keytab is wild, we need to autodetect the format
	 * that we use for salting.
	 */

	return update_keytab_for_principals (enroll);
}

adcli_result
adcli_enroll_join (adcli_enroll *enroll,
                   adcli_enroll_flags flags)
{
	adcli_result res = ADCLI_SUCCESS;

	return_unexpected_if_fail (enroll != NULL);

	adcli_clear_last_error ();
	enroll_clear_state (enroll);

	res = adcli_conn_discover (enroll->conn);
	if (res != ADCLI_SUCCESS)
		return res;

	res = adcli_enroll_prepare (enroll, flags);
	if (res != ADCLI_SUCCESS)
		return res;

	/* This is where it really happens */
	res = locate_or_create_computer_account (enroll, flags & ADCLI_ENROLL_ALLOW_OVERWRITE);
	if (res != ADCLI_SUCCESS)
		return res;

	return enroll_join_or_update_tasks (enroll, flags);
}

adcli_result
adcli_enroll_load (adcli_enroll *enroll)
{
	adcli_result res;

	adcli_clear_last_error ();

	/* Load default info from keytab */
	res = load_host_keytab (enroll);
	if (res != ADCLI_SUCCESS)
		return res;

	if (enroll->computer_name)
		enroll->computer_name_explicit = 1;
	if (enroll->host_fqdn)
		enroll->host_fqdn_explicit = 1;
	if (enroll->service_principals)
		enroll->service_principals_explicit = 1;

	return ADCLI_SUCCESS;
}

adcli_result
adcli_enroll_update (adcli_enroll *enroll,
		     adcli_enroll_flags flags)
{
	adcli_result res = ADCLI_SUCCESS;
	LDAP *ldap;
	char *value;

	return_unexpected_if_fail (enroll != NULL);

	adcli_clear_last_error ();
	enroll_clear_state (enroll);

	res = adcli_conn_discover (enroll->conn);
	if (res != ADCLI_SUCCESS)
		return res;

	res = adcli_enroll_prepare (enroll, flags);
	if (res != ADCLI_SUCCESS)
		return res;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	assert (ldap != NULL);

	/* Find the computer dn */
	if (!enroll->computer_dn) {
		res = locate_computer_account (enroll, ldap, NULL, NULL);
		if (res != ADCLI_SUCCESS)
			return res;
		if (!enroll->computer_dn) {
			_adcli_err ("No computer account for %s exists", enroll->computer_sam);
			return ADCLI_ERR_CONFIG;
		}
	}

	/* Get information about the computer account */
	res = retrieve_computer_account (enroll);
	if (res != ADCLI_SUCCESS)
		return res;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	assert (ldap != NULL);

	value = _adcli_ldap_parse_value (ldap,
	                                 enroll->computer_attributes,
	                                 "pwdLastSet");

	if (_adcli_check_nt_time_string_lifetime (value,
	                adcli_enroll_get_computer_password_lifetime (enroll))) {
		flags |= ADCLI_ENROLL_NO_KEYTAB;
		flags |= ADCLI_ENROLL_PASSWORD_VALID;
	}
	free (value);

	return enroll_join_or_update_tasks (enroll, flags);
}

adcli_result
adcli_enroll_delete (adcli_enroll *enroll,
                     adcli_enroll_flags delete_flags)
{
	adcli_result res = ADCLI_SUCCESS;
	LDAP *ldap;

	return_unexpected_if_fail (enroll != NULL);

	adcli_clear_last_error ();
	enroll_clear_state (enroll);

	res = adcli_conn_discover (enroll->conn);
	if (res != ADCLI_SUCCESS)
		return res;

	/* Basic discovery and figuring out enroll params */
	res = ensure_host_fqdn (res, enroll);
	res = ensure_computer_name (res, enroll);
	res = ensure_computer_sam (res, enroll);

	if (res != ADCLI_SUCCESS)
		return res;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	assert (ldap != NULL);

	/* Find the computer dn */
	if (!enroll->computer_dn) {
		res = locate_computer_account (enroll, ldap, NULL, NULL);
		if (res != ADCLI_SUCCESS)
			return res;
		if (!enroll->computer_dn) {
			_adcli_err ("No computer account for %s exists",
			            enroll->computer_sam);
			return ADCLI_ERR_CONFIG;
		}
	}

	return delete_computer_account (enroll, ldap);
}

adcli_result
adcli_enroll_password (adcli_enroll *enroll,
                       adcli_enroll_flags password_flags)
{
	adcli_result res = ADCLI_SUCCESS;
	LDAP *ldap;

	return_unexpected_if_fail (enroll != NULL);

	adcli_clear_last_error ();
	enroll_clear_state (enroll);

	res = adcli_conn_discover (enroll->conn);
	if (res != ADCLI_SUCCESS)
		return res;

	/* Basic discovery and figuring out enroll params */
	res = ensure_host_fqdn (res, enroll);
	res = ensure_computer_name (res, enroll);
	res = ensure_computer_sam (res, enroll);
	res = ensure_computer_password (res, enroll);

	if (res != ADCLI_SUCCESS)
		return res;

	ldap = adcli_conn_get_ldap_connection (enroll->conn);
	assert (ldap != NULL);

	/* Find the computer dn */
	if (!enroll->computer_dn) {
		res = locate_computer_account (enroll, ldap, NULL, NULL);
		if (res != ADCLI_SUCCESS)
			return res;
		if (!enroll->computer_dn) {
			_adcli_err ("No computer account for %s exists",
			            enroll->computer_sam);
			return ADCLI_ERR_CONFIG;
		}
	}

	return set_computer_password (enroll);
}

adcli_enroll *
adcli_enroll_new (adcli_conn *conn)
{
	adcli_enroll *enroll;
	const char *value;

	return_val_if_fail (conn != NULL, NULL);

	enroll = calloc (1, sizeof (adcli_enroll));
	return_val_if_fail (enroll != NULL, NULL);

	enroll->conn = adcli_conn_ref (conn);
	enroll->refs = 1;

	/* Use the latter sections of host triple as OS name */
	value = strchr (HOST_TRIPLET, '-');
	if (value == NULL)
		value = HOST_TRIPLET;
	else
		value++;
	enroll->os_name = strdup (value);
	return_val_if_fail (enroll->os_name != NULL, NULL);

	return enroll;
}

adcli_enroll *
adcli_enroll_ref (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	enroll->refs++;
	return enroll;
}

static void
enroll_free (adcli_enroll *enroll)
{
	if (enroll == NULL)
		return;

	enroll_clear_state (enroll);

	free (enroll->computer_sam);
	free (enroll->domain_ou);
	free (enroll->computer_dn);
	free (enroll->keytab_enctypes);

	free (enroll->os_name);
	free (enroll->os_version);
	free (enroll->os_service_pack);

	free (enroll->user_principal);
	_adcli_strv_free (enroll->service_names);
	_adcli_strv_free (enroll->service_principals);
	_adcli_password_free (enroll->computer_password);

	adcli_enroll_set_keytab_name (enroll, NULL);

	adcli_conn_unref (enroll->conn);
	free (enroll);
}

void
adcli_enroll_unref (adcli_enroll *enroll)
{
	if (enroll == NULL)
		return;

	if (--(enroll->refs) > 0)
		return;

	enroll_free (enroll);
}

const char *
adcli_enroll_get_host_fqdn (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->host_fqdn;
}

void
adcli_enroll_set_host_fqdn (adcli_enroll *enroll,
                            const char *value)
{
	return_if_fail (enroll != NULL);
	_adcli_str_set (&enroll->host_fqdn, value);
	enroll->host_fqdn_explicit = 1;
}

const char *
adcli_enroll_get_computer_name (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->computer_name;
}

void
adcli_enroll_set_computer_name (adcli_enroll *enroll,
                                const char *value)
{
	return_if_fail (enroll != NULL);
	_adcli_str_set (&enroll->computer_name, value);
	enroll->computer_name_explicit = (value != NULL);
}

const char *
adcli_enroll_get_domain_ou (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->domain_ou;
}

void
adcli_enroll_set_domain_ou (adcli_enroll *enroll,
                            const char *value)
{
	return_if_fail (enroll != NULL);

	enroll->domain_ou_validated = 0;
	_adcli_str_set (&enroll->domain_ou, value);
	enroll->domain_ou_explicit = (value != NULL);
}

const char *
adcli_enroll_get_computer_dn (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->computer_dn;
}

void
adcli_enroll_set_computer_dn (adcli_enroll *enroll,
                              const char *value)
{
	return_if_fail (enroll != NULL);
	_adcli_str_set (&enroll->computer_dn, value);
}

const char *
adcli_enroll_get_computer_password (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->computer_password;
}

void
adcli_enroll_set_computer_password (adcli_enroll *enroll,
                                    const char *password)
{
	char *newval = NULL;

	return_if_fail (enroll != NULL);

	if (password) {
		newval = strdup (password);
		return_if_fail (newval != NULL);
	}

	if (enroll->computer_password)
		_adcli_password_free (enroll->computer_password);

	enroll->computer_password = newval;
	enroll->computer_password_explicit = (newval != NULL);
}

void
adcli_enroll_reset_computer_password (adcli_enroll *enroll)
{
	return_if_fail (enroll != NULL);

	_adcli_password_free (enroll->computer_password);
	enroll->computer_password = NULL;
	enroll->computer_password_explicit = 0;
	enroll->reset_password = 1;
}

const char **
adcli_enroll_get_service_names (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);

	if (ensure_service_names (ADCLI_SUCCESS, enroll) != ADCLI_SUCCESS)
		return_val_if_reached (NULL);

	return (const char **)enroll->service_names;
}

void
adcli_enroll_set_service_names (adcli_enroll *enroll,
                                const char **value)
{
	return_if_fail (enroll != NULL);
	_adcli_strv_set (&enroll->service_names, value);
}

void
adcli_enroll_add_service_name (adcli_enroll *enroll,
                               const char *value)
{
	return_if_fail (enroll != NULL);
	return_if_fail (value != NULL);

	enroll->service_names = _adcli_strv_add (enroll->service_names, strdup (value), NULL);
	return_if_fail (enroll->service_names != NULL);
}

const char **
adcli_enroll_get_service_principals  (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return (const char **)enroll->service_principals;
}

void
adcli_enroll_set_service_principals (adcli_enroll *enroll,
                                     const char **value)
{
	return_if_fail (enroll != NULL);
	_adcli_strv_set (&enroll->service_principals, value);
	enroll->service_principals_explicit = (value != NULL);
}

krb5_kvno
adcli_enroll_get_kvno (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, 0);
	return enroll->kvno;
}

void
adcli_enroll_set_kvno (adcli_enroll *enroll,
                       krb5_kvno value)
{
	return_if_fail (enroll != NULL);
	enroll->kvno = value;
}

krb5_keytab
adcli_enroll_get_keytab (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->keytab;
}

const char *
adcli_enroll_get_keytab_name (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->keytab_name;
}

void
adcli_enroll_set_keytab_name (adcli_enroll *enroll,
                              const char *value)
{
	char *newval = NULL;
	krb5_context k5;

	return_if_fail (enroll != NULL);

	if (enroll->keytab_name) {
		if (enroll->keytab_name_is_krb5) {
			k5 = adcli_conn_get_krb5_context (enroll->conn);
			return_if_fail (k5 != NULL);
			krb5_free_string (k5, enroll->keytab_name);
		} else {
			free (enroll->keytab_name);
		}
	}

	if (enroll->keytab) {
		k5 = adcli_conn_get_krb5_context (enroll->conn);
		return_if_fail (k5 != NULL);
		krb5_kt_close (k5, enroll->keytab);
		enroll->keytab = NULL;
	}

	if (value) {
		newval = strdup (value);
		return_if_fail (newval != NULL);
	}

	enroll->keytab_name = newval;
	enroll->keytab_name_is_krb5 = 0;
}

krb5_enctype *
adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	if (enroll->keytab_enctypes)
		return enroll->keytab_enctypes;

	if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))
		return v60_later_enctypes;
	else
		return v51_earlier_enctypes;
}

void
adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
                                  krb5_enctype *value)
{
	krb5_enctype *newval = NULL;
	int len;

	if (value) {
		for (len = 0; value[len] != 0; len++);
		newval = malloc (sizeof (krb5_enctype) * (len + 1));
		return_if_fail (newval != NULL);
		memcpy (newval, value, sizeof (krb5_enctype) * (len + 1));
	}

	free (enroll->keytab_enctypes);
	enroll->keytab_enctypes = newval;
	enroll->keytab_enctypes_explicit = (newval != NULL);
}

const char *
adcli_enroll_get_os_name (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->os_name;
}

void
adcli_enroll_set_os_name (adcli_enroll *enroll,
                          const char *value)
{
	return_if_fail (enroll != NULL);
	if (value && value[0] == '\0')
		value = NULL;
	_adcli_str_set (&enroll->os_name, value);
}

const char *
adcli_enroll_get_os_version (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->os_version;
}

void
adcli_enroll_set_os_version (adcli_enroll *enroll,
                             const char *value)
{
	return_if_fail (enroll != NULL);
	if (value && value[0] == '\0')
		value = NULL;
	_adcli_str_set (&enroll->os_version, value);
}

const char *
adcli_enroll_get_os_service_pack (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->os_service_pack;
}

void
adcli_enroll_set_os_service_pack (adcli_enroll *enroll,
                                  const char *value)
{
	return_if_fail (enroll != NULL);
	if (value && value[0] == '\0')
		value = NULL;
	_adcli_str_set (&enroll->os_service_pack, value);
}

const char *
adcli_enroll_get_user_principal (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, NULL);
	return enroll->user_principal;
}

void
adcli_enroll_set_user_principal (adcli_enroll *enroll,
                                 const char *value)
{
	return_if_fail (enroll != NULL);
	_adcli_str_set (&enroll->user_principal, value);
	enroll->user_princpal_generate = 0;
}

void
adcli_enroll_auto_user_principal (adcli_enroll *enroll)
{
	return_if_fail (enroll != NULL);
	_adcli_str_set (&enroll->user_principal, NULL);
	enroll->user_princpal_generate = 1;
}

#define DEFAULT_HOST_PW_LIFETIME 30

unsigned int
adcli_enroll_get_computer_password_lifetime (adcli_enroll *enroll)
{
	return_val_if_fail (enroll != NULL, DEFAULT_HOST_PW_LIFETIME);
	if (enroll->computer_password_lifetime_explicit) {
		return enroll->computer_password_lifetime;
	}
	return DEFAULT_HOST_PW_LIFETIME;
}

void
adcli_enroll_set_computer_password_lifetime (adcli_enroll *enroll,
                                   unsigned int lifetime)
{
	return_if_fail (enroll != NULL);
	enroll->computer_password_lifetime = lifetime;

	enroll->computer_password_lifetime_explicit = 1;
}