From 6fd99ff6c5dd6ef0be8d942989b1c6dcee3102d9 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 22 Mar 2019 12:37:39 +0100

Subject: [PATCH] Implement 'adcli testjoin'

By calling adcli testjoin it will be checked if the host credentials

stored in the keytab are still valid.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1622583

---

 doc/adcli.xml    | 34 +++++++++++++++++++++++

 tools/computer.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++

 tools/tools.c    |  1 +

 tools/tools.h    |  4 +++

 4 files changed, 111 insertions(+)

diff --git a/doc/adcli.xml b/doc/adcli.xml

index af73433..9605b4a 100644

--- a/doc/adcli.xml

+++ b/doc/adcli.xml

@@ -43,6 +43,9 @@

 	<cmdsynopsis>

 		<command>adcli update</command>

 	</cmdsynopsis>

+	<cmdsynopsis>

+		<command>adcli testjoin</command>

+	</cmdsynopsis>

 	<cmdsynopsis>

 		<command>adcli create-user</command>

 		<arg choice="opt">--domain=domain.example.com</arg>

@@ -474,6 +477,37 @@ $ adcli update --login-ccache=/tmp/krbcc_123

 </refsect1>

+<refsect1 id='testjoin'>

+	<title>Testing if the machine account password is valid</title>

+

+	<para><command>adcli testjoin</command> uses the current credentials in

+	the keytab and tries to authenticate with the machine account to the AD

+	domain. If this works the machine account password and the join are

+	still valid. If it fails the machine account password or the whole

+	machine account have to be refreshed with

+	<command>adcli join</command> or <command>adcli update</command>.

+	</para>

+

+<programlisting>

+$ adcli testjoin

+</programlisting>

+

+	<para>Only the global options not related to authentication are

+	available, additionally you can specify the following options to

+	control how this operation is done.</para>

+

+	<variablelist>

+		<varlistentry>

+			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>

+			<listitem><para>Specify the path to the host keytab where

+			current host credentials are stored and the new ones

+			will be written to.  If not specified, the default

+			location will be used, usually

+			<filename>/etc/krb5.keytab</filename>.</para></listitem>

+		</varlistentry>

+	</variablelist>

+</refsect1>

+

 <refsect1 id='create_user'>

 	<title>Creating a User</title>

diff --git a/tools/computer.c b/tools/computer.c

index 112340e..610ed2b 100644

--- a/tools/computer.c

+++ b/tools/computer.c

@@ -566,6 +566,78 @@ adcli_tool_computer_update (adcli_conn *conn,

 	return 0;

 }

+int

+adcli_tool_computer_testjoin (adcli_conn *conn,

+                              int argc,

+                              char *argv[])

+{

+	adcli_enroll *enroll;

+	adcli_result res;

+	const char *ktname;

+	int opt;

+

+	struct option options[] = {

+		{ "domain", required_argument, NULL, opt_domain },

+		{ "domain-controller", required_argument, NULL, opt_domain_controller },

+		{ "host-keytab", required_argument, 0, opt_host_keytab },

+		{ "verbose", no_argument, NULL, opt_verbose },

+		{ "help", no_argument, NULL, 'h' },

+		{ 0 },

+	};

+

+	static adcli_tool_desc usages[] = {

+		{ 0, "usage: adcli testjoin" },

+		{ 0 },

+	};

+

+	enroll = adcli_enroll_new (conn);

+	if (enroll == NULL)

+		errx (-1, "unexpected memory problems");

+

+	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {

+		switch (opt) {

+		case 'h':

+		case '?':

+		case ':':

+			adcli_tool_usage (options, usages);

+			adcli_tool_usage (options, common_usages);

+			adcli_enroll_unref (enroll);

+			return opt == 'h' ? 0 : 2;

+		default:

+			parse_option ((Option)opt, optarg, conn, enroll);

+			break;

+		}

+	}

+

+	/* Force use of a keytab to test the join/machine account password */

+	adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT);

+	ktname = adcli_enroll_get_keytab_name (enroll);

+	adcli_conn_set_login_keytab_name (conn, ktname ? ktname : "");

+

+	res = adcli_enroll_load (enroll);

+	if (res != ADCLI_SUCCESS) {

+		adcli_enroll_unref (enroll);

+		adcli_conn_unref (conn);

+		errx (-res, "couldn't lookup domain info from keytab: %s",

+		      adcli_get_last_error ());

+	}

+

+	res = adcli_conn_connect (conn);

+	if (res != ADCLI_SUCCESS) {

+		adcli_enroll_unref (enroll);

+		adcli_conn_unref (conn);

+		errx (-res, "couldn't connect to %s domain: %s",

+		      adcli_conn_get_domain_name (conn),

+		      adcli_get_last_error ());

+	}

+

+	printf ("Sucessfully validated join to domain %s\n",

+	        adcli_conn_get_domain_name (conn));

+

+	adcli_enroll_unref (enroll);

+

+	return 0;

+}

 int

 adcli_tool_computer_preset (adcli_conn *conn,

diff --git a/tools/tools.c b/tools/tools.c

index 915130e..c4e2851 100644

--- a/tools/tools.c

+++ b/tools/tools.c

@@ -55,6 +55,7 @@ struct {

 	{ "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS },

 	{ "join", adcli_tool_computer_join, "Join this machine to a domain", },

 	{ "update", adcli_tool_computer_update, "Update machine membership in a domain", },

+	{ "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", },

 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },

 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },

 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },

diff --git a/tools/tools.h b/tools/tools.h

index 6c97ccf..8cebbf9 100644

--- a/tools/tools.h

+++ b/tools/tools.h

@@ -70,6 +70,10 @@ int       adcli_tool_computer_update   (adcli_conn *conn,

                                         int argc,

                                         char *argv[]);

+int       adcli_tool_computer_testjoin (adcli_conn *conn,

+                                        int argc,

+                                        char *argv[]);

+

 int       adcli_tool_computer_delete   (adcli_conn *conn,

                                         int argc,

                                         char *argv[]);

-- 

2.20.1