From 6fd99ff6c5dd6ef0be8d942989b1c6dcee3102d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 22 Mar 2019 12:37:39 +0100
Subject: [PATCH] Implement 'adcli testjoin'

By calling adcli testjoin it will be checked if the host credentials stored in the keytab are still valid.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1622583
---
 doc/adcli.xml | 34 +++++++++++++++++++++++
 tools/computer.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
 tools/tools.c | 1 +
 tools/tools.h | 4 +++
 4 files changed, 111 insertions(+)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index af73433..9605b4a 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -43,6 +43,9 @@ adcli update + + adcli testjoin + adcli create-user --domain=domain.example.com
@@ -474,6 +477,37 @@ $ adcli update --login-ccache=/tmp/krbcc_123 + + Testing if the machine account password is valid + + adcli testjoin uses the current credentials in + the keytab and tries to authenticate with the machine account to the AD + domain. If this works the machine account password and the join are + still valid. If it fails the machine account password or the whole + machine account have to be refreshed with + adcli join or adcli update. + + + +$ adcli testjoin + + + Only the global options not related to authentication are + available, additionally you can specify the following options to + control how this operation is done. + + + + + Specify the path to the host keytab where + current host credentials are stored and the new ones + will be written to. If not specified, the default + location will be used, usually + /etc/krb5.keytab. + + + + Creating a User
diff --git a/tools/computer.c b/tools/computer.c
index 112340e..610ed2b 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -566,6 +566,78 @@ adcli_tool_computer_update (adcli_conn *conn,
 return 0;
 }
 
+int
+adcli_tool_computer_testjoin (adcli_conn *conn,
+ int argc,
+ char *argv[])
+{
+ adcli_enroll *enroll;
+ adcli_result res;
+ const char *ktname;
+ int opt;
+
+ struct option options[] = {
+ { "domain", required_argument, NULL, opt_domain },
+ { "domain-controller", required_argument, NULL, opt_domain_controller },
+ { "host-keytab", required_argument, 0, opt_host_keytab },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, 'h' },
+ { 0 },
+ };
+
+ static adcli_tool_desc usages[] = {
+ { 0, "usage: adcli testjoin" },
+ { 0 },
+ };
+
+ enroll = adcli_enroll_new (conn);
+ if (enroll == NULL)
+ errx (-1, "unexpected memory problems");
+
+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case 'h':
+ case '?':
+ case ':':
+ adcli_tool_usage (options, usages);
+ adcli_tool_usage (options, common_usages);
+ adcli_enroll_unref (enroll);
+ return opt == 'h' ? 0 : 2;
+ default:
+ parse_option ((Option)opt, optarg, conn, enroll);
+ break;
+ }
+ }
+
+ /* Force use of a keytab to test the join/machine account password */
+ adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT);
+ ktname = adcli_enroll_get_keytab_name (enroll);
+ adcli_conn_set_login_keytab_name (conn, ktname ? ktname : "");
+
+ res = adcli_enroll_load (enroll);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+ errx (-res, "couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+ }
+
+ res = adcli_conn_connect (conn);
+ if (res != ADCLI_SUCCESS) {
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+ errx (-res, "couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
+ }
+
+ printf ("Sucessfully validated join to domain %s\n",
+ adcli_conn_get_domain_name (conn));
+
+ adcli_enroll_unref (enroll);
+
+ return 0;
+}
 
 int
 adcli_tool_computer_preset (adcli_conn *conn,
diff --git a/tools/tools.c b/tools/tools.c
index 915130e..c4e2851 100644
--- a/tools/tools.c
+++ b/tools/tools.c
@@ -55,6 +55,7 @@ struct {
 { "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS },
 { "join", adcli_tool_computer_join, "Join this machine to a domain", },
 { "update", adcli_tool_computer_update, "Update machine membership in a domain", },
+ { "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", },
 { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
 { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
 { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
diff --git a/tools/tools.h b/tools/tools.h
index 6c97ccf..8cebbf9 100644
--- a/tools/tools.h
+++ b/tools/tools.h
@@ -70,6 +70,10 @@ int adcli_tool_computer_update (adcli_conn *conn,
 int argc,
 char *argv[]);
 
+int adcli_tool_computer_testjoin (adcli_conn *conn,
+ int argc,
+ char *argv[]);
+
 int adcli_tool_computer_delete (adcli_conn *conn,
 int argc,
 char *argv[]);
-- 
2.20.1
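Review bot: The success message in the added `printf` at the end of adcli_tool_computer_testjoin misspells "Successfully" (`"Sucessfully validated join to domain %s\n"`); operators and scripts will match on this line, so it should read `printf ("Successfully validated join to domain %s\n",`. In the `options[]` table the `host-keytab` entry passes `0` for the flag pointer while the neighbouring entries use `NULL`; `{ "host-keytab", required_argument, NULL, opt_host_keytab },` keeps the table uniform. The fallback `ktname ? ktname : ""` presumably relies on an empty keytab name meaning "use the default keytab" inside adcli_conn_set_login_keytab_name, which is not visible in this hunk; if that is the contract, a comment such as `/* an empty name selects the default keytab */` on that line would make the intent explicit. Separately, the man-page text added for `--host-keytab` under testjoin in doc/adcli.xml still says new credentials "will be written to" the keytab, which does not match this read-only check.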