From cd296bf24e7cc56fb8d00bad7e9a56c539894309 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 19 Mar 2019 20:44:36 +0100
Subject: [PATCH 1/2] join: always add service principals

Currently, if --service-name is given during the join, only the service
names given by this option are added as service principal names. As a
result, the default 'host' service principal name might be missing, which
might cause issues, e.g. with SSSD and sshd.

The patch makes sure the default service principals 'host' and
'RestrictedKrbHost' are always added during join.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1644311
---
 library/adenroll.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/library/adenroll.c b/library/adenroll.c
index 58362c2..d1f746c 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -288,16 +288,23 @@ ensure_computer_password (adcli_result res,
 }
 
 static adcli_result
-ensure_service_names (adcli_result res,
-                      adcli_enroll *enroll)
+ensure_default_service_names (adcli_enroll *enroll)
 {
 	int length = 0;
 
-	if (res != ADCLI_SUCCESS)
-		return res;
+	if (enroll->service_names != NULL) {
+		length = seq_count (enroll->service_names);
 
-	if (enroll->service_names || enroll->service_principals)
-		return ADCLI_SUCCESS;
+		/* Make sure there is no entry with an unexpected case. AD
+		 * would not care but since the client side is case-sensitive
+		 * we should make sure we use the expected spelling. */
+		seq_remove_unsorted (enroll->service_names,
+		                     &length, "host",
+		                     (seq_compar)strcasecmp, free);
+		seq_remove_unsorted (enroll->service_names,
+		                     &length, "RestrictedKrbHost",
+		                     (seq_compar)strcasecmp, free);
+	}
 
 	/* The default ones specified by MS */
 	enroll->service_names = _adcli_strv_add (enroll->service_names,
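Review bot: Each spelling is cleaned up with a single `seq_remove_unsorted` call, so the clean-up is complete only if that helper removes every match rather than the first one; its body is not visible here. If it stops at the first hit, a list supplied with two case variants of the same name would keep one of them next to the re-added canonical entry. Since the comment notes that AD does not distinguish case, the later attribute update could then be rejected as a duplicate value or leave the client with an unexpected spelling. Either repeat the call until `length` stops shrinking, or add a comment above the two calls stating that the helper removes all matches. The tail of the function (the `_adcli_strv_add` arguments) lies outside the hunk.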
@@ -307,6 +314,19 @@ ensure_service_names (adcli_result res,
 	return ADCLI_SUCCESS;
 }
 
+static adcli_result
+ensure_service_names (adcli_result res,
+                      adcli_enroll *enroll)
+{
+	if (res != ADCLI_SUCCESS)
+		return res;
+
+	if (enroll->service_names || enroll->service_principals)
+		return ADCLI_SUCCESS;
+
+	return ensure_default_service_names (enroll);
+}
+
 static adcli_result
 add_service_names_to_service_principals (adcli_enroll *enroll)
 {
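Review bot: The re-created `ensure_service_names` has no comment explaining how its contract differs from `ensure_default_service_names`, and the two names are easy to confuse. It still skips the defaults as soon as `service_names` or `service_principals` is set, while the join path now adds them unconditionally. A short header would prevent a later caller from picking the wrong one, for example `/* Add the MS default service names only when the caller supplied neither service names nor service principals; join uses ensure_default_service_names() directly. */`.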
@@ -2039,6 +2059,10 @@ adcli_enroll_join (adcli_enroll *enroll,
 	if (res != ADCLI_SUCCESS)
 		return res;
 
+	res = ensure_default_service_names (enroll);
+	if (res != ADCLI_SUCCESS)
+		return res;
+
 	res = adcli_enroll_prepare (enroll, flags);
 	if (res != ADCLI_SUCCESS)
 		return res;
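Review bot: The `res != ADCLI_SUCCESS` check added after `ensure_default_service_names (enroll)` can only fire if that function has a failure path, and the only return visible in this patch is `return ADCLI_SUCCESS;`. The lines that complete the `_adcli_strv_add` calls fall between the hunks, so it is not visible whether an allocation failure there is detected. If it is not, and `_adcli_strv_add` returns NULL on failure, the join would continue without the default 'host' and 'RestrictedKrbHost' names, which is the condition this commit is meant to rule out. Consider adding `return_unexpected_if_fail (enroll->service_names != NULL);` after each add in `ensure_default_service_names`. The body of `adcli_enroll_join` continues outside the hunk.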
-- 
2.20.1