From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 06/23] Handle kvno increment for RODCs
Since the actual password change does not happen on the read-only domain
controller (RODC) the kvno change has to be replicated back which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
 library/adenroll.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index 05885d0..bb970d1 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 		             adcli_enroll_flags flags)
 {
 	adcli_result res;
+	krb5_kvno old_kvno = -1;
 
 	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
+
+		/* Handle kvno changes for read-only domain controllers
+		 * (RODC). Since the actual password change does not happen on
+		 * the RODC the kvno change has to be replicated back which
+		 * might take some time. So we check the kvno before and after
+		 * the change if we are connected to a RODC and increment the
+		 * kvno if needed. */
+		if (!adcli_conn_is_writeable (enroll->conn)) {
+			if (enroll->computer_attributes == NULL) {
+				res = retrieve_computer_account (enroll);
+				if (res != ADCLI_SUCCESS)
+					return res;
+			}
+			old_kvno = adcli_enroll_get_kvno (enroll);
+			_adcli_info ("Found old kvno '%d'", old_kvno);
+
+			ldap_msgfree (enroll->computer_attributes);
+			enroll->computer_attributes = NULL;
+			adcli_enroll_set_kvno (enroll, 0);
+		}
+
 		res = set_computer_password (enroll);
 		if (res != ADCLI_SUCCESS)
 			return res;
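Review bot: The sentinel `krb5_kvno old_kvno = -1;` and the later `old_kvno != -1` test only work because krb5_kvno is an unsigned integer type in the MIT and Heimdal headers (the typedef is not visible here, so confirm against the build's krb5.h); -1 is silently converted to the type's maximum on both sides, which reads as a signed comparison but is not one. Making that explicit, `krb5_kvno old_kvno = (krb5_kvno) -1;`, or a named `KVNO_UNKNOWN` constant, would stop a future reader from "fixing" it. For the same reason the log call `_adcli_info ("Found old kvno '%d'", old_kvno);` passes an unsigned value to `%d`; `%u` matches the presumed type and keeps -Wformat quiet. enroll_join_or_update_tasks continues past the end of this hunk, and the path that re-reads the kvno after set_computer_password is not in view.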
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 			return res;
 	}
 
+	/* Handle kvno changes for read-only domain controllers (RODC) */
+	if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
+	    adcli_enroll_get_kvno (enroll) != 0 &&
+	    adcli_enroll_get_kvno (enroll) == old_kvno) {
+		enroll->kvno++;
+		_adcli_info ("No kvno change detected on read-only DC,  kvno "
+		             "will be incremented by 1 to '%d'", enroll->kvno);
+	}
+
 	/* We ignore failures of setting these fields */
 	update_and_calculate_enctypes (enroll);
 	update_computer_account (enroll);
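Review bot: The condition evaluates `adcli_enroll_get_kvno (enroll)` twice and compares it against both 0 and old_kvno; reading it once into a local makes the intent clearer and avoids any question of the getter returning different values between the two calls: `krb5_kvno new_kvno = adcli_enroll_get_kvno (enroll);` followed by `if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 && new_kvno != 0 && new_kvno == old_kvno) {`. The increment is a guess that the writable DC bumped the kvno by exactly one; if that assumption ever does not hold the keytab entry is written with the wrong kvno and the host cannot authenticate until it re-joins, so the comment on the `if` should say so rather than only "Handle kvno changes", e.g. `/* Assume the writable DC incremented the kvno by one; a stale RODC read would otherwise leave the keytab with the old kvno. */`. The log string on the next lines has a doubled space, `"read-only DC,  kvno "`, which should be a single space.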
-- 
2.14.4