Blame 0010-service-account-add-random-suffix-to-account-name.patch

From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 15:23:04 +0100
Subject: [PATCH 10/10] service-account: add random suffix to account name
Add a random component to the default managed service account name to
avoid name collisions.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
 library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
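diff --git a/library/adenroll.c b/library/adenroll.c
index 98cd5fa..f693e58 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
 	return ADCLI_SUCCESS;
 }
 
+static adcli_result
+refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
+                                            const char *name)
+{
+	adcli_result res;
+
+	adcli_enroll_set_computer_name (enroll, name);
+	res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
+	res = ensure_keytab_principals (res, enroll);
+
+	return res;
+}
+
+static adcli_result
+calculate_random_service_account_name (adcli_enroll *enroll)
+{
+	char *suffix;
+	char *new_name;
+	int ret;
+	adcli_result res;
+
+	suffix = generate_host_password (enroll, 3, filter_sam_chars);
+	return_unexpected_if_fail (suffix != NULL);
+
+	ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
+	free (suffix);
+	return_unexpected_if_fail (ret > 0);
+
+	res = refresh_service_account_name_sam_and_princ (enroll, new_name);
+	free (new_name);
+
+	return res;
+}
+
+static adcli_result
+get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
+{
+	LDAP *ldap;
+	char *cn;
+	adcli_result res;
+
+	ldap = adcli_conn_get_ldap_connection (enroll->conn);
+	assert (ldap != NULL);
+
+	cn = _adcli_ldap_parse_value (ldap, results, "CN");
+	return_unexpected_if_fail (cn != NULL);
+
+	res = refresh_service_account_name_sam_and_princ (enroll, cn);
+	free (cn);
+
+	return res;
+}
+
 static adcli_result
 locate_or_create_computer_account (adcli_enroll *enroll,
                                    int allow_overwrite)
@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
 		searched = 1;
 	}
 
+	/* Try with fqdn for service accounts */
+	if (!enroll->computer_dn && enroll->is_service
+	                && enroll->host_fqdn != NULL) {
+		res = locate_computer_account (enroll, ldap, true,
+		                               &results, &entry);
+		if (res != ADCLI_SUCCESS)
+			return res;
+		searched = 1;
+
+		if (results != NULL) {
+			res = get_service_account_name_from_ldap (enroll,
+			                                          results);
+			if (res != ADCLI_SUCCESS) {
+				return res;
+			}
+		}
+	}
+
 	/* Next try and come up with where we think it should be */
 	if (enroll->computer_dn == NULL) {
+		if (enroll->is_service && !enroll->computer_name_explicit) {
+			res = calculate_random_service_account_name (enroll);
+			if (res != ADCLI_SUCCESS) {
+				return res;
+			}
+		}
 		res = calculate_computer_account (enroll, ldap);
 		if (res != ADCLI_SUCCESS)
 			return res;
@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
 
 	if (enroll->is_service) {
 		/* Ensure basic params for service accounts */
+		res = ensure_host_fqdn (res, enroll);
+		res = ensure_computer_name (res, enroll);
 		res = ensure_computer_sam (res, enroll);
 		res = ensure_computer_password (res, enroll);
 		res = ensure_host_keytab (res, enroll);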
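Review bot: The fqdn-based lookup in the second hunk replaces enroll->computer_name with whatever CN get_service_account_name_from_ldap extracts from the match, even when enroll->computer_name_explicit is set, while the random-suffix branch a few lines below does honour that flag; if an explicitly requested name is meant to take precedence, the lookup condition should include it too, `if (!enroll->computer_dn && enroll->is_service && !enroll->computer_name_explicit && enroll->host_fqdn != NULL) {`, and if the existing account found by fqdn is meant to win, a comment saying so would spare the next reader the same question. In calculate_random_service_account_name the choice of exactly three characters from filter_sam_chars and the `!` separator is undocumented; a short comment above the generate_host_password call stating the constraint they satisfy (presumably a sAMAccountName length limit, which this excerpt does not show) would help, as would a note on whether calculate_computer_account, which still runs afterwards, detects an existing account with the generated name. Whether a `results` handle from the earlier search is released before locate_computer_account reassigns it cannot be judged here, because locate_or_create_computer_account begins and ends outside the hunk.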
-- 
2.28.0