
From cbe33b3e6d0d3415e4642d71942380d1793311f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 11 Jun 2018 09:44:49 +0200
Subject: [PATCH 20/23] join: add all attributes while creating computer object
It is possible to create special accounts which can only join a computer
to a domain but is not allowed to do any further operations on the
computer object. As a result if such an account is used during the join
only the ldapadd operation is permitted but not any later ldapmodify
operation. To create the computer object correctly in this case all
attributes must be added while the object is created and not later.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
---
 library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 75ac1e4..b508caf 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -573,7 +573,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
 
 	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
-	if (is_2008_or_later) {
+	if (is_2008_or_later && enroll->computer_attributes != NULL) {
 		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
 		                                 "msDS-supportedEncryptionTypes");
 
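Review bot: The comment above the changed condition, `/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */`, no longer describes the whole test now that `enroll->computer_attributes != NULL` is also required. If, as the commit message suggests, that pointer is NULL while the computer object is still being created, a comment such as `/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute of an existing computer object; computer_attributes is NULL when the object is about to be created */` would make the intent explicit. Whether the fallback taken when the attribute is absent is the intended result for a not-yet-created object cannot be judged here, since the rest of calculate_enctypes lies outside the hunk.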
@@ -618,7 +618,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 	return ADCLI_SUCCESS;
 }
 
-
 static adcli_result
 create_computer_account (adcli_enroll *enroll,
                          LDAP *ldap)
@@ -628,22 +627,65 @@ create_computer_account (adcli_enroll *enroll,
 	char *vals_sAMAccountName[] = { enroll->computer_sam, NULL };
 	LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } };
 	char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */
-	LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
+	LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };
+	char *vals_supportedEncryptionTypes[] = { NULL, NULL };
+	LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
+	char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
+	LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } };
+	char *vals_operatingSystem[] = { enroll->os_name, NULL };
+	LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } };
+	char *vals_operatingSystemVersion[] = { enroll->os_version, NULL };
+	LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } };
+	char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
+	LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
+	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
+
+	char *val = NULL;
 
 	int ret;
+	size_t c;
+	size_t m;
 
-	LDAPMod *mods[] = {
+	LDAPMod *all_mods[] = {
 		&objectClass,
 		&sAMAccountName,
 		&userAccountControl,
-		NULL,
+		&encTypes,
+		&dNSHostName,
+		&operatingSystem,
+		&operatingSystemVersion,
+		&operatingSystemServicePack,
+		&userPrincipalName,
+		&servicePrincipalName,
+		NULL
 	};
 
+	size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *);
+	LDAPMod *mods[mods_count];
+
 	if (adcli_enroll_get_trusted_for_delegation (enroll)) {
 		vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
 	}
 
+	ret = calculate_enctypes (enroll, &val;;
+	if (ret != ADCLI_SUCCESS) {
+		return ret;
+	}
+	vals_supportedEncryptionTypes[0] = val;
+
+	m = 0;
+	for (c = 0; c < mods_count - 1; c++) {
+		/* Skip empty LDAP sttributes */
+		if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) {
+			mods[m++] = all_mods[c];
+		}
+	}
+	mods[m] = NULL;
+
 	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
+	free (val);
 
 	/*
 	 * Hand to head. This is really dumb... AD returns
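Review bot: The call `ret = calculate_enctypes (enroll, &val;;` does not compile as written, because the argument list is closed with `;;` instead of `);`; unless this is a copy artifact of the page, the line should read `ret = calculate_enctypes (enroll, &val);`. The skip loop dereferences `all_mods[c]->mod_vals.modv_strvals[0]` for every entry, which is safe for the local `vals_*` arrays but would dereference a NULL pointer for `servicePrincipalName` if `enroll->service_principals` can still be NULL at this point; if that cannot be ruled out by the callers, the check should become `if (all_mods[c]->mod_vals.modv_strvals != NULL && all_mods[c]->mod_vals.modv_strvals[0] != NULL)`. `LDAPMod *mods[mods_count];` is formally a variable-length array since `mods_count` is not a constant expression; `LDAPMod *mods[sizeof (all_mods) / sizeof (all_mods[0])];` keeps it a fixed-size array. The comment `/* Skip empty LDAP sttributes */` has a typo and should read `/* Skip empty LDAP attributes */`. create_computer_account's body, including the handling of the ldap_add_ext_s result, continues past the end of the hunk.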
-- 
2.14.4