Merge ~ahasenack/ubuntu/+source/adcli:groovy-adcli-upstream-fixes into ubuntu/+source/adcli:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 778a64390fe2bd9c6a78f898a268dc9dacaa3fd7
Merged at revision: 778a64390fe2bd9c6a78f898a268dc9dacaa3fd7
Proposed branch: ~ahasenack/ubuntu/+source/adcli:groovy-adcli-upstream-fixes
Merge into: ubuntu/+source/adcli:ubuntu/devel
Diff against target: 1448 lines (+1356/-1)
14 files modified
debian/changelog (+33/-0)
debian/control (+2/-1)
debian/patches/Use-GSS-SPNEGO-if-available.patch (+127/-0)
debian/patches/add-description-option-to-join-and-update.patch (+186/-0)
debian/patches/add-option-use-ldaps.patch (+383/-0)
debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch (+34/-0)
debian/patches/discovery-fix.patch (+29/-0)
debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch (+46/-0)
debian/patches/man-make-handling-of-optional-credential-cache-more-.patch (+43/-0)
debian/patches/man-move-note-to-the-right-section.patch (+50/-0)
debian/patches/series (+11/-0)
debian/patches/tools-add-show-computer-command.patch (+341/-0)
debian/patches/tools-disable-SSSD-s-locator-plugin.patch (+43/-0)
debian/patches/tools-fix-typo-in-show-password-help-output.patch (+28/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+390164@code.launchpad.net

Description of the change

I cherry-picked many fixes from upstream's git repo. They are not yet released, but Fedora has them, and they are essentially upstream.

There are 4 groups of fixes:
- documentation fixes: no FFe needed
- fix for new AD settings introduced this year: bug #1868703 which already existed for sssd. I added an adcli task and an FFe request/justification. Initially I didn't think this needed an FFe, but changed my mind. Happy to discuss.
- new features that I thought were useful: new FFe bug #1893784
- other random fixes, no FFe

Not all of these can be tested/verified without an AD server lying around. For the others, you can check that the manpage was updated/fixed, or that the new command and parameter exist when you run "adcli --help".

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This missed a review slot, I created one and grabbed it - but I'll need some more time after lunch to complete.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

FFe is required but already present - ok

Thanks for explaining yesterday that they have rare releases and a stack of packaging patches seems to be a common way - otherwise I'd have asked just that.

I think on the mechanical side (changelog, version, filenames, ...) everything is fine.
I'll next go through the patches one by one to see if I spot anything concerning.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

tools-add-show-computer-command.patch - FFe, but ok
add-description-option-to-join-and-update.patch - FFe, but ok
Use-GSS-SPNEGO-if-available.patch - FFe, but ok
add-option-use-ldaps.patch - FFe, but ok
man-move-note-to-the-right-section.patch - ok
man-explain-optional-parameter-of-login-ccache-bette.patch - ok
man-make-handling-of-optional-credential-cache-more-.patch - ok
tools-fix-typo-in-show-password-help-output.patch - ok
discovery-fix.patch - ok
delete-do-not-exit-if-keytab-cannot-be-read.patch - ok
tools-disable-SSSD-s-locator-plugin.patch - FFe, but ok

The latter IMHO could cause an FFe-worthy behavior change, but since you have an FFe bug already that isn't important.

-> All patches are upstream accepted.
-> No further patches in the upload.
-> No patch forgotten in Changelog.

P.S. I have no test setup for adcli either and as you said "Not all of these can be tested/verified without an AD server lying around" :-/ But I have no better suggestion right now.
OTOH if these changes would be part of an upstream release we'd also not test them one by one.

LGTM +1!

Just curious, do you intend to submit that to Debian as well?
Or are we waiting on the (known to be slow) upstream release to drop this?

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Marking as approved, pending FFe verification.

Yes, I intend to submit all of this to Debian.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Both FFes were just approved.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagging and uploading 778a64390fe2bd9c6a78f898a268dc9dacaa3fd7

$ git push pkg upload/0.9.0-1ubuntu1
Enumerating objects: 74, done.
Counting objects: 100% (74/74), done.
Delta compression using up to 4 threads
Compressing objects: 100% (69/69), done.
Writing objects: 100% (70/70), 23.07 KiB | 3.84 MiB/s, done.
Total 70 (delta 42), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/adcli
 * [new tag] upload/0.9.0-1ubuntu1 -> upload/0.9.0-1ubuntu1

$ dput ubuntu ../adcli_0.9.0-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../adcli_0.9.0-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../adcli_0.9.0-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading adcli_0.9.0-1ubuntu1.dsc: done.
  Uploading adcli_0.9.0-1ubuntu1.debian.tar.xz: done.
  Uploading adcli_0.9.0-1ubuntu1_source.buildinfo: done.
  Uploading adcli_0.9.0-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 716a3a6..3445006 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,36 @@
1adcli (0.9.0-1ubuntu1) groovy; urgency=medium
2
3 * New features (LP: #1893784):
4 - d/p/tools-add-show-computer-command.patch: add a show-computer
5 command to print the LDAP attrs of the computer object
6 - d/p/add-description-option-to-join-and-update.patch: allow setting
7 an optional description on the computer account
8 * Handle new Active Directory requirements from
9 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
10 (LP: #1868703):
11 - d/p/Use-GSS-SPNEGO-if-available.patch: prefer GSS-SPNEGO over
12 GSSAPI if available, as that can handle some of the more advanced
13 features which can be required by an AD server
14 - d/p/add-option-use-ldaps.patch: add option to use LDAPS, useful
15 if for some reason the LDAP port is blocked.
16 * Documentation fixes:
17 - d/p/man-move-note-to-the-right-section.patch: move note about
18 password lifetime to the update section
19 - d/p/man-explain-optional-parameter-of-login-ccache-bette.patch,
20 d/p/man-make-handling-of-optional-credential-cache-more-.patch:
21 better explain the login-ccache and -C parameters
22 - d/p/tools-fix-typo-in-show-password-help-output.patch: typo fix
23 * Other fixes:
24 - d/p/discovery-fix.patch: do not continue processing on a closed
25 connection
26 - d/p/delete-do-not-exit-if-keytab-cannot-be-read.patch: fix computer
27 deletion when keytab cannot be read
28 - d/p/tools-disable-SSSD-s-locator-plugin.patch: ignore MIT's locator
29 plugin to avoid conflicts if it returns a different DC than the one
30 used for the LDAP connection
31
32 -- Andreas Hasenack <andreas@canonical.com> Wed, 02 Sep 2020 09:50:18 -0300
33
1adcli (0.9.0-1) unstable; urgency=medium34adcli (0.9.0-1) unstable; urgency=medium
235
3 * New upstream release. (Closes: #941583)36 * New upstream release. (Closes: #941583)
diff --git a/debian/control b/debian/control
index 642e623..f529834 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: adcli1Source: adcli
2Section: admin2Section: admin
3Priority: optional3Priority: optional
4Maintainer: Laurent Bigonville <bigon@debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Laurent Bigonville <bigon@debian.org>
5Build-Depends: debhelper (>= 12),6Build-Depends: debhelper (>= 12),
6 libkrb5-dev,7 libkrb5-dev,
7 libldap2-dev,8 libldap2-dev,
diff --git a/debian/patches/Use-GSS-SPNEGO-if-available.patch b/debian/patches/Use-GSS-SPNEGO-if-available.patch
8new file mode 1006449new file mode 100644
index 0000000..f61ef39
--- /dev/null
+++ b/debian/patches/Use-GSS-SPNEGO-if-available.patch
@@ -0,0 +1,127 @@
1From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Fri, 11 Oct 2019 16:39:25 +0200
4Subject: [PATCH] Use GSS-SPNEGO if available
5
6Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
7and to establish encryption. While this works in general it does not
8handle some of the more advanced features which can be required by AD
9DCs.
10
11The GSS-SPNEGO mechanism can handle them and is used with this patch by
12adcli if the AD DC indicates that it supports it.
13
14Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
15---
16 library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
17 library/adconn.h | 3 +++
18 2 files changed, 37 insertions(+), 1 deletion(-)
19
20Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
21Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868703
22Last-Update: 2020-09-01
23diff --git a/library/adconn.c b/library/adconn.c
24index bcaced8..ffb54f9 100644
25--- a/library/adconn.c
26+++ b/library/adconn.c
27@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
28 char *default_naming_context;
29 char *configuration_naming_context;
30 char **supported_capabilities;
31+ char **supported_sasl_mechs;
32
33 /* Connect state */
34 LDAP *ldap;
35@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
36 "defaultNamingContext",
37 "configurationNamingContext",
38 "supportedCapabilities",
39+ "supportedSASLMechanisms",
40 NULL
41 };
42
43@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
44 "supportedCapabilities");
45 }
46
47+ if (conn->supported_sasl_mechs == NULL) {
48+ conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
49+ "supportedSASLMechanisms");
50+ }
51+
52 ldap_msgfree (results);
53
54 if (conn->default_naming_context == NULL) {
55@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
56 OM_uint32 minor;
57 ber_len_t ssf;
58 int ret;
59+ const char *mech = "GSSAPI";
60
61 if (conn->ldap_authenticated)
62 return ADCLI_SUCCESS;
63@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
64 ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
65 return_unexpected_if_fail (ret == 0);
66
67- ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
68+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
69+ mech = "GSS-SPNEGO";
70+ }
71+
72+ ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
73 LDAP_SASL_QUIET, sasl_interact, NULL);
74
75 /* Clear the credential cache GSSAPI to use (for this thread) */
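Review bot: the mechanism selection in this hunk is driven by `supportedSASLMechanisms`, which is read from the rootDSE in `connect_and_lookup_naming` before any bind, i.e. from unauthenticated data; because `LDAP_OPT_X_SASL_SSF_MIN` stays at 1 regardless of which branch is taken, a server (or intermediary) that does not advertise GSS-SPNEGO only gets the previous GSSAPI behaviour rather than a weaker bind. A one-line comment above `if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO"))` saying that the GSSAPI fallback is intentional would save the next reader from re-deriving this.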
76@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
77 free (conn->default_naming_context);
78 free (conn->configuration_naming_context);
79 _adcli_strv_free (conn->supported_capabilities);
80+ _adcli_strv_free (conn->supported_sasl_mechs);
81
82 free (conn->computer_name);
83 free (conn->host_fqdn);
84@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
85 return 0;
86 }
87
88+bool
89+adcli_conn_server_has_sasl_mech (adcli_conn *conn,
90+ const char *mech)
91+{
92+ int i;
93+
94+ return_val_if_fail (conn != NULL, false);
95+ return_val_if_fail (mech != NULL, false);
96+
97+ if (!conn->supported_sasl_mechs)
98+ return false;
99+
100+ for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
101+ if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
102+ return true;
103+ }
104+
105+ return false;
106+}
107+
108 bool adcli_conn_is_writeable (adcli_conn *conn)
109 {
110 disco_dance_if_necessary (conn);
111diff --git a/library/adconn.h b/library/adconn.h
112index 1ad5715..37ebdd9 100644
113--- a/library/adconn.h
114+++ b/library/adconn.h
115@@ -149,6 +149,9 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn,
116 int adcli_conn_server_has_capability (adcli_conn *conn,
117 const char *capability);
118
119+bool adcli_conn_server_has_sasl_mech (adcli_conn *conn,
120+ const char *mech);
121+
122 bool adcli_conn_is_writeable (adcli_conn *conn);
123
124 #endif /* ADCONN_H_ */
125--
126GitLab
127
diff --git a/debian/patches/add-description-option-to-join-and-update.patch b/debian/patches/add-description-option-to-join-and-update.patch
0new file mode 100644128new file mode 100644
index 0000000..e8de6eb
--- /dev/null
+++ b/debian/patches/add-description-option-to-join-and-update.patch
@@ -0,0 +1,186 @@
1From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Wed, 27 Nov 2019 14:48:32 +0100
4Subject: [PATCH] add description option to join and update
5
6This new option allows to set the description LDAP attribute for the AD
7computer object.
8
9Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
10---
11 doc/adcli.xml | 10 ++++++++++
12 library/adenroll.c | 29 +++++++++++++++++++++++++++++
13 library/adenroll.h | 4 ++++
14 tools/computer.c | 7 +++++++
15 4 files changed, 50 insertions(+)
16
17Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/3937a2a7db90611aa7a93248233b0c5d31e85a3e
18Bug-Ubuntu: https://bugs.launchpad.net/bugs/1893784
19Last-Update: 2020-09-02
20diff --git a/doc/adcli.xml b/doc/adcli.xml
21index 1f93186..dd30435 100644
22--- a/doc/adcli.xml
23+++ b/doc/adcli.xml
24@@ -275,6 +275,11 @@ Password for Administrator:
25 <listitem><para>Set the operating system version on the computer
26 account. Not set by default.</para></listitem>
27 </varlistentry>
28+ <varlistentry>
29+ <term><option>--description=<parameter>description</parameter></option></term>
30+ <listitem><para>Set the description attribute on the computer
31+ account. Not set by default.</para></listitem>
32+ </varlistentry>
33 <varlistentry>
34 <term><option>--service-name=<parameter>service</parameter></option></term>
35 <listitem><para>Additional service name for a kerberos
36@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
37 <listitem><para>Set the operating system version on the computer
38 account. Not set by default.</para></listitem>
39 </varlistentry>
40+ <varlistentry>
41+ <term><option>--description=<parameter>description</parameter></option></term>
42+ <listitem><para>Set the description attribute on the computer
43+ account. Not set by default.</para></listitem>
44+ </varlistentry>
45 <varlistentry>
46 <term><option>--service-name=<parameter>service</parameter></option></term>
47 <listitem><para>Additional service name for a Kerberos
48diff --git a/library/adenroll.c b/library/adenroll.c
49index 8d2adeb..246f658 100644
50--- a/library/adenroll.c
51+++ b/library/adenroll.c
52@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] = {
53 "operatingSystemServicePack",
54 "pwdLastSet",
55 "userAccountControl",
56+ "description",
57 NULL,
58 };
59
60@@ -143,6 +144,7 @@ struct _adcli_enroll {
61 char *samba_data_tool;
62 bool trusted_for_delegation;
63 int trusted_for_delegation_explicit;
64+ char *description;
65 };
66
67 static adcli_result
68@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
69 char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
70 LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
71 LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
72+ char *vals_description[] = { enroll->description, NULL };
73+ LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
74
75 char *val = NULL;
76
77@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
78 &operatingSystemServicePack,
79 &userPrincipalName,
80 &servicePrincipalName,
81+ &description,
82 NULL
83 };
84
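Review bot: the new `&description` entry in the mods array in this hunk is built from `vals_description[] = { enroll->description, NULL }`, so when no `--description` was given its first value is NULL; this follows the existing `userPrincipalName` pattern, so it relies on whatever filtering of empty mods `create_computer_account` already does outside the visible lines. Worth confirming that filter covers the new entry, otherwise the add would send an empty `description` modification to the DC.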
85@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
86 res |= update_computer_attribute (enroll, ldap, mods);
87 }
88
89+ if (res == ADCLI_SUCCESS && enroll->description != NULL) {
90+ char *vals_description[] = { enroll->description, NULL };
91+ LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
92+ LDAPMod *mods[] = { &description, NULL, };
93+
94+ res |= update_computer_attribute (enroll, ldap, mods);
95+ }
96+
97 if (res != 0)
98 _adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
99 }
100@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
101 enroll->trusted_for_delegation_explicit = 1;
102 }
103
104+void
105+adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
106+{
107+ return_if_fail (enroll != NULL);
108+ if (value != NULL && value[0] != '\0') {
109+ _adcli_str_set (&enroll->description, value);
110+ }
111+}
112+
113+const char *
114+adcli_enroll_get_desciption (adcli_enroll *enroll)
115+{
116+ return_val_if_fail (enroll != NULL, NULL);
117+ return enroll->description;
118+}
119+
120 const char **
121 adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
122 {
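Review bot: the getter introduced in this hunk is spelled `adcli_enroll_get_desciption` (missing the "r"), in both the definition here and the header; since this is a cherry-pick of upstream commit 3937a2a7 the misspelling should be kept so the backport stays identical, but it is worth reporting upstream before the name is relied on by callers.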
123diff --git a/library/adenroll.h b/library/adenroll.h
124index 11eb517..0606169 100644
125--- a/library/adenroll.h
126+++ b/library/adenroll.h
127@@ -126,6 +126,10 @@ bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
128 void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
129 bool value);
130
131+const char * adcli_enroll_get_desciption (adcli_enroll *enroll);
132+void adcli_enroll_set_description (adcli_enroll *enroll,
133+ const char *value);
134+
135 krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll);
136
137 void adcli_enroll_set_kvno (adcli_enroll *enroll,
138diff --git a/tools/computer.c b/tools/computer.c
139index c8b96a4..840e334 100644
140--- a/tools/computer.c
141+++ b/tools/computer.c
142@@ -112,6 +112,7 @@ typedef enum {
143 opt_trusted_for_delegation,
144 opt_add_service_principal,
145 opt_remove_service_principal,
146+ opt_description,
147 } Option;
148
149 static adcli_tool_desc common_usages[] = {
150@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
151 "in the userAccountControl attribute", },
152 { opt_add_service_principal, "add the given service principal to the account\n" },
153 { opt_remove_service_principal, "remove the given service principal from the account\n" },
154+ { opt_description, "add a description to the account\n" },
155 { opt_no_password, "don't prompt for or read a password" },
156 { opt_prompt_password, "prompt for a password if necessary" },
157 { opt_stdin_password, "read a password from stdin (until EOF) if\n"
158@@ -306,6 +308,9 @@ parse_option (Option opt,
159 case opt_remove_service_principal:
160 adcli_enroll_add_service_principal_to_remove (enroll, optarg);
161 return ADCLI_SUCCESS;
162+ case opt_description:
163+ adcli_enroll_set_description (enroll, optarg);
164+ return ADCLI_SUCCESS;
165 case opt_verbose:
166 return ADCLI_SUCCESS;
167
168@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
169 { "os-name", required_argument, NULL, opt_os_name },
170 { "os-version", required_argument, NULL, opt_os_version },
171 { "os-service-pack", optional_argument, NULL, opt_os_service_pack },
172+ { "description", optional_argument, NULL, opt_description },
173 { "user-principal", optional_argument, NULL, opt_user_principal },
174 { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
175 { "add-service-principal", required_argument, NULL, opt_add_service_principal },
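Review bot: `{ "description", optional_argument, NULL, opt_description }` in this hunk means the value is only recognised in the `--description=text` form; with getopt_long, `--description text` leaves `optarg` NULL and treats `text` as a positional argument. That does not crash, because `adcli_enroll_set_description` checks `value != NULL && value[0] != '\0'`, but it silently drops the description, so the option is really a required-argument one and `required_argument` (as used by the neighbouring `os-name` and `os-version` entries) would match the manpage's `--description=<parameter>description</parameter>` better.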
176@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
177 { "os-name", required_argument, NULL, opt_os_name },
178 { "os-version", required_argument, NULL, opt_os_version },
179 { "os-service-pack", optional_argument, NULL, opt_os_service_pack },
180+ { "description", optional_argument, NULL, opt_description },
181 { "user-principal", optional_argument, NULL, opt_user_principal },
182 { "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
183 { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
184--
185GitLab
186
diff --git a/debian/patches/add-option-use-ldaps.patch b/debian/patches/add-option-use-ldaps.patch
0new file mode 100644187new file mode 100644
index 0000000..47d9431
--- /dev/null
+++ b/debian/patches/add-option-use-ldaps.patch
@@ -0,0 +1,383 @@
1From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Thu, 19 Dec 2019 07:22:33 +0100
4Subject: [PATCH] add option use-ldaps
5
6In general using the LDAP port with GSS-SPNEGO should satifiy all
7requirements an AD DC should have for authentication on an encrypted
8LDAP connection.
9
10But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
11with TLS encryption might be an alternative. For this use case the
12--use-ldaps option is added.
13
14Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
15---
16 doc/adcli.xml | 24 +++++++++++++++
17 library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
18 library/adconn.h | 4 +++
19 tools/computer.c | 10 ++++++
20 tools/entry.c | 11 +++++++
21 5 files changed, 119 insertions(+), 9 deletions(-)
22
23 Ubuntu backport note: adjusted the ldap.conf path in the documentation
24
25Origin: backport, https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
26Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868703
27Last-Update: 2020-09-01
28diff --git a/doc/adcli.xml b/doc/adcli.xml
29index dd30435..acced25 100644
30--- a/doc/adcli.xml
31+++ b/doc/adcli.xml
32@@ -128,6 +128,30 @@
33 If not specified, then an appropriate domain controller
34 is automatically discovered.</para></listitem>
35 </varlistentry>
36+ <varlistentry>
37+ <term><option>--use-ldaps</option></term>
38+ <listitem><para>Connect to the domain controller
39+ with LDAPS. By default the LDAP port is used and SASL
40+ GSS-SPNEGO or GSSAPI is used for authentication and to
41+ establish encryption. This should satisfy all
42+ requirements set on the server side and LDAPS should
43+ only be used if the LDAP port is not accessible due to
44+ firewalls or other reasons.</para>
45+ <para> Please note that the place where CA certificates
46+ can be found to validate the AD DC certificates
47+ must be configured in the OpenLDAP configuration
48+ file, e.g. <filename>/etc/ldap/ldap.conf</filename>.
49+ As an alternative it can be specified with the help of
50+ an environment variable, e.g.
51+<programlisting>
52+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
53+...
54+</programlisting>
55+ Please see
56+ <citerefentry><refentrytitle>ldap.conf</refentrytitle>
57+ <manvolnum>5</manvolnum></citerefentry> for details.
58+ </para></listitem>
59+ </varlistentry>
60 <varlistentry>
61 <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
62 <listitem><para>Use the specified kerberos credential
63diff --git a/library/adconn.c b/library/adconn.c
64index ffb54f9..7bab852 100644
65--- a/library/adconn.c
66+++ b/library/adconn.c
67@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
68 char *domain_name;
69 char *domain_realm;
70 char *domain_controller;
71+ bool use_ldaps;
72 char *canonical_host;
73 char *domain_short;
74 char *domain_sid;
75@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
76
77 static LDAP *
78 connect_to_address (const char *host,
79- const char *canonical_host)
80+ const char *canonical_host,
81+ bool use_ldaps)
82 {
83 struct addrinfo *res = NULL;
84 struct addrinfo *ai;
85@@ -783,6 +785,16 @@ connect_to_address (const char *host,
86 char *url;
87 int sock;
88 int rc;
89+ int opt_rc;
90+ const char *port = "389";
91+ const char *proto = "ldap";
92+ const char *errmsg = NULL;
93+
94+ if (use_ldaps) {
95+ port = "636";
96+ proto = "ldaps";
97+ _adcli_info ("Using LDAPS to connect to %s", host);
98+ }
99
100 memset (&hints, '\0', sizeof(hints));
101 #ifdef AI_ADDRCONFIG
102@@ -794,7 +806,7 @@ connect_to_address (const char *host,
103 if (!canonical_host)
104 canonical_host = host;
105
106- rc = getaddrinfo (host, "389", &hints, &res);
107+ rc = getaddrinfo (host, port, &hints, &res);
108 if (rc != 0) {
109 _adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
110 return NULL;
111@@ -810,7 +822,7 @@ connect_to_address (const char *host,
112 close (sock);
113 } else {
114 error = 0;
115- if (asprintf (&url, "ldap://%s", canonical_host) < 0)
116+ if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
117 return_val_if_reached (NULL);
118 rc = ldap_init_fd (sock, 1, url, &ldap);
119 free (url);
120@@ -820,6 +832,25 @@ connect_to_address (const char *host,
121 ldap_err2string (rc));
122 break;
123 }
124+
125+ if (use_ldaps) {
126+ rc = ldap_install_tls (ldap);
127+ if (rc != LDAP_SUCCESS) {
128+ opt_rc = ldap_get_option (ldap,
129+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
130+ (void *) &errmsg);
131+ if (opt_rc != LDAP_SUCCESS) {
132+ errmsg = NULL;
133+ }
134+ _adcli_err ("Couldn't initialize TLS [%s]: %s",
135+ ldap_err2string (rc),
136+ errmsg == NULL ? "- no details -"
137+ : errmsg);
138+ ldap_unbind_ext_s (ldap, NULL, NULL);
139+ ldap = NULL;
140+ break;
141+ }
142+ }
143 }
144 }
145
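Review bot: the `ldap_install_tls` call added in this hunk sets no TLS options itself (no `LDAP_OPT_X_TLS_REQUIRE_CERT` or CA file), so whether the DC certificate is actually verified is decided entirely by the OpenLDAP configuration the manpage hunk points at (`/etc/ldap/ldap.conf` or `LDAPTLS_CACERT`); on a host whose `ldap.conf` relaxes certificate checking, `--use-ldaps` will connect without validating the DC. The error path is good (diagnostic message fetched, handle unbound, `ldap = NULL`), but a short comment here noting that verification policy comes from `ldap.conf` would make that dependency visible to whoever maintains this code.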
146@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
147 if (!canonical_host)
148 canonical_host = disco->host_addr;
149
150- ldap = connect_to_address (disco->host_addr, canonical_host);
151+ ldap = connect_to_address (disco->host_addr, canonical_host,
152+ adcli_conn_get_use_ldaps (conn));
153 if (ldap == NULL)
154 return ADCLI_ERR_DIRECTORY;
155
156@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
157 status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
158 return_unexpected_if_fail (status == 0);
159
160- /* Clumsily tell ldap + cyrus-sasl that we want encryption */
161- ssf = 1;
162- ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
163- return_unexpected_if_fail (ret == 0);
164+ if (adcli_conn_get_use_ldaps (conn)) {
165+ /* do not use SASL encryption on LDAPS connection */
166+ ssf = 0;
167+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
168+ return_unexpected_if_fail (ret == 0);
169+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
170+ return_unexpected_if_fail (ret == 0);
171+ } else {
172+ /* Clumsily tell ldap + cyrus-sasl that we want encryption */
173+ ssf = 1;
174+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
175+ return_unexpected_if_fail (ret == 0);
176+ }
177
178- if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
179+ /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
180+ * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
181+ * without LDAPS. */
182+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
183+ && !adcli_conn_get_use_ldaps (conn)) {
184 mech = "GSS-SPNEGO";
185 }
186+ _adcli_info ("Using %s for SASL bind", mech);
187
188 ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
189 LDAP_SASL_QUIET, sasl_interact, NULL);
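Review bot: in the LDAPS branch of this hunk both `LDAP_OPT_X_SASL_SSF_MIN` and `LDAP_OPT_X_SASL_SSF_MAX` are set to 0, so the GSSAPI security layer is disabled and confidentiality and integrity of the session rest entirely on the TLS channel established in `connect_to_address`; the comment "do not use SASL encryption on LDAPS connection" could state that explicitly. The new `_adcli_info ("Using %s for SASL bind", mech)` line is a welcome diagnostic; reporting whether LDAPS is in effect on the same line would let operators see the full transport/mechanism combination in one place.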
190@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
191 conn->refs = 1;
192 conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
193 adcli_conn_set_domain_name (conn, domain_name);
194+ adcli_conn_set_use_ldaps (conn, false);
195 return conn;
196 }
197
198@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
199 no_more_disco (conn);
200 }
201
202+bool
203+adcli_conn_get_use_ldaps (adcli_conn *conn)
204+{
205+ return_val_if_fail (conn != NULL, NULL);
206+ return conn->use_ldaps;
207+}
208+
209+void
210+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
211+{
212+ return_if_fail (conn != NULL);
213+ conn->use_ldaps = value;
214+}
215+
216 const char *
217 adcli_conn_get_domain_short (adcli_conn *conn)
218 {
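Review bot: `adcli_conn_get_use_ldaps` in this hunk returns `bool` but its guard is `return_val_if_fail (conn != NULL, NULL)`, so the failure value is a null pointer constant being converted to `bool`; it happens to yield `false`, but compilers warn about it and `return_val_if_fail (conn != NULL, false)` is the form used by `adcli_conn_server_has_sasl_mech` in the earlier patch. Keep it as-is for the backport if it must match upstream byte for byte, but it is worth sending that one-word fix upstream.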
219diff --git a/library/adconn.h b/library/adconn.h
220index 37ebdd9..1d5faa8 100644
221--- a/library/adconn.h
222+++ b/library/adconn.h
223@@ -89,6 +89,10 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn);
224 void adcli_conn_set_domain_controller (adcli_conn *conn,
225 const char *value);
226
227+bool adcli_conn_get_use_ldaps (adcli_conn *conn);
228+void adcli_conn_set_use_ldaps (adcli_conn *conn,
229+ bool value);
230+
231 const char * adcli_conn_get_domain_short (adcli_conn *conn);
232
233 const char * adcli_conn_get_domain_sid (adcli_conn *conn);
234diff --git a/tools/computer.c b/tools/computer.c
235index 840e334..292c4d8 100644
236--- a/tools/computer.c
237+++ b/tools/computer.c
238@@ -113,12 +113,14 @@ typedef enum {
239 opt_add_service_principal,
240 opt_remove_service_principal,
241 opt_description,
242+ opt_use_ldaps,
243 } Option;
244
245 static adcli_tool_desc common_usages[] = {
246 { opt_domain, "active directory domain name" },
247 { opt_domain_realm, "kerberos realm for the domain" },
248 { opt_domain_controller, "domain controller to connect to" },
249+ { opt_use_ldaps, "use LDAPS port for communication" },
250 { opt_host_fqdn, "override the fully qualified domain name of the\n"
251 "local machine" },
252 { opt_host_keytab, "filename for the host kerberos keytab" },
253@@ -311,6 +313,9 @@ parse_option (Option opt,
254 case opt_description:
255 adcli_enroll_set_description (enroll, optarg);
256 return ADCLI_SUCCESS;
257+ case opt_use_ldaps:
258+ adcli_conn_set_use_ldaps (conn, true);
259+ return ADCLI_SUCCESS;
260 case opt_verbose:
261 return ADCLI_SUCCESS;
262
263@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
264 { "domain-realm", required_argument, NULL, opt_domain_realm },
265 { "domain-controller", required_argument, NULL, opt_domain_controller },
266 { "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
267+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
268 { "login-user", required_argument, NULL, opt_login_user },
269 { "user", required_argument, NULL, opt_login_user }, /* compat */
270 { "login-ccache", optional_argument, NULL, opt_login_ccache },
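Review bot: style: the new `{ "use-ldaps", no_argument, 0, opt_use_ldaps }` entry in this hunk (and the identical ones in the preset, reset, delete, show and user-create tables) uses `0` for the flag pointer while the surrounding entries use `NULL`; the existing `no-password` entry already uses `0`, so both forms are present in the file and this is acceptable for a cherry-pick, but `NULL` would read more consistently with the neighbouring lines.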
271@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
272 { "domain", required_argument, NULL, opt_domain },
273 { "domain-realm", required_argument, NULL, opt_domain_realm },
274 { "domain-controller", required_argument, NULL, opt_domain_controller },
275+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
276 { "domain-ou", required_argument, NULL, opt_domain_ou },
277 { "login-user", required_argument, NULL, opt_login_user },
278 { "login-ccache", optional_argument, NULL, opt_login_ccache },
279@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
280 { "domain", required_argument, NULL, opt_domain },
281 { "domain-realm", required_argument, NULL, opt_domain_realm },
282 { "domain-controller", required_argument, NULL, opt_domain_controller },
283+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
284 { "login-user", required_argument, NULL, opt_login_user },
285 { "login-ccache", optional_argument, NULL, opt_login_ccache },
286 { "login-type", required_argument, NULL, opt_login_type },
287@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
288 { "domain", required_argument, NULL, opt_domain },
289 { "domain-realm", required_argument, NULL, opt_domain_realm },
290 { "domain-controller", required_argument, NULL, opt_domain_controller },
291+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
292 { "login-user", required_argument, NULL, opt_login_user },
293 { "login-ccache", optional_argument, NULL, opt_login_ccache },
294 { "no-password", no_argument, 0, opt_no_password },
295@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
296 { "domain", required_argument, NULL, opt_domain },
297 { "domain-realm", required_argument, NULL, opt_domain_realm },
298 { "domain-controller", required_argument, NULL, opt_domain_controller },
299+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
300 { "login-user", required_argument, NULL, opt_login_user },
301 { "login-ccache", optional_argument, NULL, opt_login_ccache },
302 { "login-type", required_argument, NULL, opt_login_type },
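Review bot: ordering dependency: the `adcli_tool_computer_show` option table this hunk extends only exists once tools-add-show-computer-command.patch has been applied, so add-option-use-ldaps.patch must stay after that patch in debian/patches/series (it currently does). A one-line remark in the patch header (or in series) that the two are order-dependent would keep a later refresh or drop of the show-computer patch from breaking the use-ldaps patch.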
303diff --git a/tools/entry.c b/tools/entry.c
304index f361845..05e4313 100644
305--- a/tools/entry.c
306+++ b/tools/entry.c
307@@ -53,6 +53,7 @@ typedef enum {
308 opt_unix_gid,
309 opt_unix_shell,
310 opt_nis_domain,
311+ opt_use_ldaps,
312 } Option;
313
314 static adcli_tool_desc common_usages[] = {
315@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
316 { opt_domain, "active directory domain name" },
317 { opt_domain_realm, "kerberos realm for the domain" },
318 { opt_domain_controller, "domain directory server to connect to" },
319+ { opt_use_ldaps, "use LDAPS port for communication" },
320 { opt_login_ccache, "kerberos credential cache file which contains\n"
321 "ticket to used to connect to the domain" },
322 { opt_login_user, "user (usually administrative) login name of\n"
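Review bot: the usage text for `opt_use_ldaps`, "use LDAPS port for communication", gives no hint that the connection will fail unless the DC certificate chains to a CA the client trusts, which the man page in this same patch handles with `LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps ...`. Suggest extending the string in the two-line style of the neighbouring entries, e.g. `"use LDAPS port for communication (the DC\n" "certificate must be trusted, see man page)"`, so `--help` points users at the prerequisite instead of leaving them with an opaque TLS failure.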
323@@ -136,6 +138,9 @@ parse_option (Option opt,
324 stdin_password = 1;
325 }
326 return ADCLI_SUCCESS;
327+ case opt_use_ldaps:
328+ adcli_conn_set_use_ldaps (conn, true);
329+ return ADCLI_SUCCESS;
330 case opt_verbose:
331 return ADCLI_SUCCESS;
332 default:
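Review bot: `adcli_conn_set_use_ldaps (conn, true)` relies on the C99 `true` macro, and this patch adds no `#include <stdbool.h>` to tools/entry.c; please confirm the macro is already visible through an existing include in this file (the corresponding hunks in tools/computer.c would have the same question), otherwise add the include so the build does not depend on a transitive header.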
333@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
334 { "domain", required_argument, NULL, opt_domain },
335 { "domain-realm", required_argument, NULL, opt_domain_realm },
336 { "domain-controller", required_argument, NULL, opt_domain_controller },
337+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
338 { "login-user", required_argument, NULL, opt_login_user },
339 { "login-ccache", optional_argument, NULL, opt_login_ccache },
340 { "no-password", no_argument, 0, opt_no_password },
341@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
342 { "domain", required_argument, NULL, opt_domain },
343 { "domain-realm", required_argument, NULL, opt_domain_realm },
344 { "domain-controller", required_argument, NULL, opt_domain_controller },
345+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
346 { "login-user", required_argument, NULL, opt_login_user },
347 { "login-ccache", optional_argument, NULL, opt_login_ccache },
348 { "no-password", no_argument, 0, opt_no_password },
349@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
350 { "domain", required_argument, NULL, opt_domain },
351 { "domain-realm", required_argument, NULL, opt_domain_realm },
352 { "domain-controller", required_argument, NULL, opt_domain_controller },
353+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
354 { "domain-ou", required_argument, NULL, opt_domain_ou },
355 { "login-user", required_argument, NULL, opt_login_user },
356 { "login-ccache", optional_argument, NULL, opt_login_ccache },
357@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
358 { "domain", required_argument, NULL, opt_domain },
359 { "domain-realm", required_argument, NULL, opt_domain_realm },
360 { "domain-controller", required_argument, NULL, opt_domain_controller },
361+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
362 { "login-user", required_argument, NULL, opt_login_user },
363 { "login-ccache", optional_argument, NULL, opt_login_ccache },
364 { "no-password", no_argument, 0, opt_no_password },
365@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
366 { "domain", required_argument, NULL, opt_domain },
367 { "domain-realm", required_argument, NULL, opt_domain_realm },
368 { "domain-controller", required_argument, NULL, opt_domain_controller },
369+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
370 { "login-user", required_argument, NULL, opt_login_user },
371 { "login-ccache", optional_argument, NULL, opt_login_ccache },
372 { "no-password", no_argument, 0, opt_no_password },
373@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
374 { "domain", required_argument, NULL, opt_domain },
375 { "domain-realm", required_argument, NULL, opt_domain_realm },
376 { "domain-controller", required_argument, NULL, opt_domain_controller },
377+ { "use-ldaps", no_argument, 0, opt_use_ldaps },
378 { "login-user", required_argument, NULL, opt_login_user },
379 { "login-ccache", optional_argument, NULL, opt_login_ccache },
380 { "no-password", no_argument, 0, opt_no_password },
381--
382GitLab
383
diff --git a/debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch b/debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch
0new file mode 100644384new file mode 100644
index 0000000..d5f8ac8
--- /dev/null
+++ b/debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch
@@ -0,0 +1,34 @@
1From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Fri, 5 Jun 2020 17:06:58 +0200
4Subject: [PATCH] delete: do not exit if keytab cannot be read
5
6Reading the keytab is not required when deleting a host object in AD. It
7is only needed in the case where the host was added with a manual set
8NetBIOS name (--computer-name option) which does not match the short
9hostname and no computer name was given at the delete-computer command
10line.
11
12Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
13---
14 tools/computer.c | 2 --
15 1 file changed, 2 deletions(-)
16
17Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/40d3be22f6e518e4354aa7c3d0278291fcbed32f
18Last-Update: 2020-09-02
19diff --git a/tools/computer.c b/tools/computer.c
20index 292c4d8..a90c4b2 100644
21--- a/tools/computer.c
22+++ b/tools/computer.c
23@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
24 if (res != ADCLI_SUCCESS) {
25 warnx ("couldn't lookup domain info from keytab: %s",
26 adcli_get_last_error ());
27- adcli_enroll_unref (enroll);
28- return -res;
29 }
30
31 res = adcli_conn_connect (conn);
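Review bot: with the `adcli_enroll_unref`/`return -res` lines gone, the `warnx ("couldn't lookup domain info from keytab: ...")` message is unchanged and still reads like a fatal error for a condition the commit message calls unnecessary in the normal delete case; suggest rewording it to make the fallthrough explicit, e.g. "couldn't lookup domain info from keytab, continuing: %s", or emitting it only under `--verbose`. The error value left in `res` is not leaked, since the very next statement reassigns it from `adcli_conn_connect`.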
32--
33GitLab
34
diff --git a/debian/patches/discovery-fix.patch b/debian/patches/discovery-fix.patch
0new file mode 10064435new file mode 100644
index 0000000..ebd1adf
--- /dev/null
+++ b/debian/patches/discovery-fix.patch
@@ -0,0 +1,29 @@
1From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Tue, 11 Feb 2020 17:42:03 +0100
4Subject: [PATCH] discovery fix
5
6Do not continue processing on closed connection.
7
8Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
9---
10 library/addisco.c | 1 +
11 1 file changed, 1 insertion(+)
12
13Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/08bac0946de29f3e5de90743ce6dfc7118d4ad20
14Last-Update: 2020-09-02
15diff --git a/library/addisco.c b/library/addisco.c
16index 6e73ead..f3b3546 100644
17--- a/library/addisco.c
18+++ b/library/addisco.c
19@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
20 "Couldn't perform discovery search");
21 ldap_unbind_ext_s (ldap[i], NULL, NULL);
22 ldap[i] = NULL;
23+ continue;
24 }
25
26 /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
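Review bot: the `continue` placed right after `ldap[i] = NULL` skips the rest of the loop body for that server, which is the intended fix, but it also skips any per-iteration teardown that follows this block; please check that the code which later walks the `ldap[]` array to unbind or free the handles tolerates a NULL entry, so the already-closed connection is not handed to `ldap_unbind_ext_s` a second time.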
27--
28GitLab
29
diff --git a/debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch b/debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch
0new file mode 10064430new file mode 100644
index 0000000..0f3919b
--- /dev/null
+++ b/debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch
@@ -0,0 +1,46 @@
1From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Mon, 15 Jun 2020 15:57:47 +0200
4Subject: [PATCH] man: explain optional parameter of login-ccache better
5
6Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
7---
8 doc/adcli.xml | 20 +++++++++++++-------
9 1 file changed, 13 insertions(+), 7 deletions(-)
10
11Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/93a39bd12db11dd407676f428cfbc30406a88c36
12Last-Update: 2020-09-02
13diff --git a/doc/adcli.xml b/doc/adcli.xml
14index acced25..ecf8726 100644
15--- a/doc/adcli.xml
16+++ b/doc/adcli.xml
17@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
18 <varlistentry>
19 <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
20 <listitem><para>Use the specified kerberos credential
21- cache to authenticate with the domain. If no credential
22- cache is specified, the default kerberos credential
23- cache will be used. Credential caches of type FILE can
24- be given with the path to the file. For other
25- credential cache types, e.g. DIR, KEYRING or KCM, the
26- type must be specified explicitly together with a
27- suitable identifier.</para></listitem>
28+ cache to authenticate with the domain. If no credential
29+ cache is specified, the default kerberos credential
30+ cache will be used. Credential caches of type FILE can
31+ be given with the path to the file. For other
32+ credential cache types, e.g. DIR, KEYRING or KCM, the
33+ type must be specified explicitly together with a
34+ suitable identifier.</para>
35+ <para>Please note that since the
36+ <parameter>ccache_name</parameter> is optional the
37+ =(equal) sign is mandatory. If = is missing the
38+ parameter is treated as optionless extra argument. How
39+ this is handled depends on the specific sub-command.
40+ </para></listitem>
41 </varlistentry>
42 <varlistentry>
43 <term><option>-U, --login-user=<parameter>User</parameter></option></term>
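Review bot: most of this hunk is a pure re-indentation of unchanged text, which hides the real change (the new `<para>` about the mandatory `=`); only the new paragraph needs to be inserted. Wording in the new paragraph: "the =(equal) sign is mandatory" should read "the = (equals) sign is mandatory", and "treated as optionless extra argument" reads better as "treated as a positional argument".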
44--
45GitLab
46
diff --git a/debian/patches/man-make-handling-of-optional-credential-cache-more-.patch b/debian/patches/man-make-handling-of-optional-credential-cache-more-.patch
0new file mode 10064447new file mode 100644
index 0000000..da13c13
--- /dev/null
+++ b/debian/patches/man-make-handling-of-optional-credential-cache-more-.patch
@@ -0,0 +1,43 @@
1From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Thu, 13 Aug 2020 17:10:01 +0200
4Subject: [PATCH] man: make handling of optional credential cache more clear
5
6The optional Kerberos credential cache can only be used with the long
7option name --login-ccache and not with the short version -C. To make
8this more clear each option get its own entry.
9
10Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
11---
12 doc/adcli.xml | 12 +++++++++---
13 1 file changed, 9 insertions(+), 3 deletions(-)
14
15Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/88fbb7e2395dec20b37697a213a097909870c21f
16Last-Update: 2020-09-02
17diff --git a/doc/adcli.xml b/doc/adcli.xml
18index ecf8726..1437679 100644
19--- a/doc/adcli.xml
20+++ b/doc/adcli.xml
21@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
22 </para></listitem>
23 </varlistentry>
24 <varlistentry>
25- <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
26- <listitem><para>Use the specified kerberos credential
27+ <term><option>-C</option></term>
28+ <listitem><para>Use the default Kerberos credential
29+ cache to authenticate with the domain.
30+ </para></listitem>
31+ </varlistentry>
32+ <varlistentry>
33+ <term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
34+ <listitem><para>Use the specified Kerberos credential
35 cache to authenticate with the domain. If no credential
36- cache is specified, the default kerberos credential
37+ cache is specified, the default Kerberos credential
38 cache will be used. Credential caches of type FILE can
39 be given with the path to the file. For other
40 credential cache types, e.g. DIR, KEYRING or KCM, the
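Review bot: `<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>` puts the `=` and the brackets inside `<parameter>`, unlike `--login-user=<parameter>User</parameter>` further down in the same file, so the rendered man page will mark up the separator as part of the argument name; suggest `--login-ccache[=<parameter>ccache_name</parameter>]` for consistent rendering. Splitting `-C` into its own entry is the right call, and the paragraph about the mandatory `=` added by the previous patch now sits under the long-option entry where it applies.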
41--
42GitLab
43
diff --git a/debian/patches/man-move-note-to-the-right-section.patch b/debian/patches/man-move-note-to-the-right-section.patch
0new file mode 10064444new file mode 100644
index 0000000..0b25c4d
--- /dev/null
+++ b/debian/patches/man-move-note-to-the-right-section.patch
@@ -0,0 +1,50 @@
1From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Wed, 27 Nov 2019 18:26:44 +0100
4Subject: [PATCH] man: move note to the right section
5
6Unfortunately the note about the password lifetime was added to the join
7section. This patch move it to the update section where it belongs to.
8
9Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
10 https://bugzilla.redhat.com/show_bug.cgi?id=1745931
11 https://bugzilla.redhat.com/show_bug.cgi?id=1774622
12---
13 doc/adcli.xml | 12 ++++++------
14 1 file changed, 6 insertions(+), 6 deletions(-)
15
16Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/d2d3879bdfcea70757a8b0527882e79e8b5c6e70
17Last-Update: 2020-09-02
18diff --git a/doc/adcli.xml b/doc/adcli.xml
19index 4f201e0..9faf96a 100644
20--- a/doc/adcli.xml
21+++ b/doc/adcli.xml
22@@ -330,11 +330,7 @@ Password for Administrator:
23 important here is currently the
24 <option>workgroup</option> option, see
25 <citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
26- for details.</para>
27- <para>Note that if the machine account password is not
28- older than 30 days, you have to pass
29- <option>--computer-password-lifetime=0</option> to
30- force the update.</para></listitem>
31+ for details.</para></listitem>
32 </varlistentry>
33 <varlistentry>
34 <term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
35@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
36 important here is currently the
37 <option>workgroup</option> option, see
38 <citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
39- for details.</para></listitem>
40+ for details.</para>
41+ <para>Note that if the machine account password is not
42+ older than 30 days, you have to pass
43+ <option>--computer-password-lifetime=0</option> to
44+ force the update.</para></listitem>
45 </varlistentry>
46 <varlistentry>
47 <term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
48--
49GitLab
50
diff --git a/debian/patches/series b/debian/patches/series
0new file mode 10064451new file mode 100644
index 0000000..0d3657d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,11 @@
1tools-add-show-computer-command.patch
2add-description-option-to-join-and-update.patch
3Use-GSS-SPNEGO-if-available.patch
4add-option-use-ldaps.patch
5man-move-note-to-the-right-section.patch
6man-explain-optional-parameter-of-login-ccache-bette.patch
7man-make-handling-of-optional-credential-cache-more-.patch
8tools-fix-typo-in-show-password-help-output.patch
9discovery-fix.patch
10delete-do-not-exit-if-keytab-cannot-be-read.patch
11tools-disable-SSSD-s-locator-plugin.patch
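Review bot: the series order differs from the order in which the upstream commits were made, as the index lines show: tools-add-show-computer-command.patch expects doc/adcli.xml at `9faf96a`, which is the output of man-move-note-to-the-right-section.patch (`4f201e0..9faf96a`), yet it is listed before it; likewise tools-fix-typo-in-show-password-help-output.patch expects tools/computer.c at `a90c4b2`, the output of delete-do-not-exit-if-keytab-cannot-be-read.patch, but is listed before it. quilt will still apply non-overlapping hunks with an offset, but listing the patches in upstream commit order (the dates are in each header) would avoid the offsets and make the next refresh cleaner.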
diff --git a/debian/patches/tools-add-show-computer-command.patch b/debian/patches/tools-add-show-computer-command.patch
0new file mode 10064412new file mode 100644
index 0000000..29bb77f
--- /dev/null
+++ b/debian/patches/tools-add-show-computer-command.patch
@@ -0,0 +1,341 @@
1From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Wed, 27 Nov 2019 12:34:45 +0100
4Subject: [PATCH] tools: add show-computer command
5
6The show-computer command prints the LDAP attributes of the related
7computer object from AD.
8
9Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
10---
11 doc/adcli.xml | 28 ++++++++++++++
12 library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
13 library/adenroll.h | 5 +++
14 tools/computer.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++
15 tools/tools.c | 1 +
16 tools/tools.h | 4 ++
17 6 files changed, 191 insertions(+), 18 deletions(-)
18
19Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/0a169bd9b2687293f74bb57694eb82f9769610c9
20Bug-Ubuntu: https://bugs.launchpad.net/bugs/1893784
21Last-Update: 2020-09-02
22diff --git a/doc/adcli.xml b/doc/adcli.xml
23index 9faf96a..1f93186 100644
24--- a/doc/adcli.xml
25+++ b/doc/adcli.xml
26@@ -93,6 +93,11 @@
27 <arg choice="opt">--domain=domain.example.com</arg>
28 <arg choice="plain">computer</arg>
29 </cmdsynopsis>
30+ <cmdsynopsis>
31+ <command>adcli show-computer</command>
32+ <arg choice="opt">--domain=domain.example.com</arg>
33+ <arg choice="plain">computer</arg>
34+ </cmdsynopsis>
35 </refsynopsisdiv>
36
37 <refsect1 id='general_overview'>
38@@ -811,6 +816,29 @@ Password for Administrator:
39
40 </refsect1>
41
42+<refsect1 id='show_computer_account'>
43+ <title>Show Computer Account Attributes</title>
44+
45+ <para><command>adcli show-computer</command> show the computer account
46+ attributes stored in AD. The account must already exist.</para>
47+
48+<programlisting>
49+$ adcli show-computer --domain=domain.example.com host2
50+Password for Administrator:
51+</programlisting>
52+
53+ <para>If the computer name contains a dot, then it is
54+ treated as fully qualified host name, otherwise it is treated
55+ as short computer name.</para>
56+
57+ <para>If no computer name is specified, then the host name of the
58+ computer adcli is running on is used, as returned by
59+ <literal>gethostname()</literal>.</para>
60+
61+ <para>The various global options can be used.</para>
62+
63+</refsect1>
64+
65 <refsect1 id='bugs'>
66 <title>Bugs</title>
67 <para>
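Review bot: grammar in the new section: "`adcli show-computer` show the computer account attributes" should read "shows". The example stops at the `Password for Administrator:` prompt; a trimmed sample of the output (attribute name on one line, values indented below it, or `- not set -`) would make the man page more useful than the prompt alone.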
68diff --git a/library/adenroll.c b/library/adenroll.c
69index 524663a..8d2adeb 100644
70--- a/library/adenroll.c
71+++ b/library/adenroll.c
72@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
73 0
74 };
75
76+static char *default_ad_ldap_attrs[] = {
77+ "sAMAccountName",
78+ "userPrincipalName",
79+ "msDS-KeyVersionNumber",
80+ "msDS-supportedEncryptionTypes",
81+ "dNSHostName",
82+ "servicePrincipalName",
83+ "operatingSystem",
84+ "operatingSystemVersion",
85+ "operatingSystemServicePack",
86+ "pwdLastSet",
87+ "userAccountControl",
88+ NULL,
89+};
90+
91 /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
92 * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
93 * for details. */
94@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
95 char *end;
96 int ret;
97
98- char *attrs[] = {
99- "msDS-KeyVersionNumber",
100- "msDS-supportedEncryptionTypes",
101- "dNSHostName",
102- "servicePrincipalName",
103- "operatingSystem",
104- "operatingSystemVersion",
105- "operatingSystemServicePack",
106- "pwdLastSet",
107- "userAccountControl",
108- NULL,
109- };
110-
111 assert (enroll->computer_dn != NULL);
112 assert (enroll->computer_attributes == NULL);
113
114@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
115 assert (ldap != NULL);
116
117 ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
118- "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
119+ "(objectClass=*)", default_ad_ldap_attrs,
120+ 0, NULL, NULL, NULL, -1,
121 &enroll->computer_attributes);
122
123 if (ret != LDAP_SUCCESS) {
124@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
125 }
126
127 adcli_result
128-adcli_enroll_update (adcli_enroll *enroll,
129- adcli_enroll_flags flags)
130+adcli_enroll_read_computer_account (adcli_enroll *enroll,
131+ adcli_enroll_flags flags)
132 {
133 adcli_result res = ADCLI_SUCCESS;
134 LDAP *ldap;
135- char *value;
136
137 return_unexpected_if_fail (enroll != NULL);
138
139@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
140 }
141
142 /* Get information about the computer account */
143- res = retrieve_computer_account (enroll);
144+ return retrieve_computer_account (enroll);
145+}
146+
147+adcli_result
148+adcli_enroll_update (adcli_enroll *enroll,
149+ adcli_enroll_flags flags)
150+{
151+ adcli_result res = ADCLI_SUCCESS;
152+ LDAP *ldap;
153+ char *value;
154+
155+ res = adcli_enroll_read_computer_account (enroll, flags);
156 if (res != ADCLI_SUCCESS)
157 return res;
158
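Review bot: after the split, `adcli_enroll_read_computer_account` takes an `adcli_enroll_flags flags` argument that the visible part of its body never uses, and both it and the trimmed `adcli_enroll_update` declare `LDAP *ldap`; if the remaining body of `adcli_enroll_update` no longer touches `ldap`, this will trigger -Wunused-variable, so please check both functions and drop what is dead. The new caller in tools/computer.c passes a literal `0` for flags, which suggests the parameter could go as well.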
159@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
160 return enroll_join_or_update_tasks (enroll, flags);
161 }
162
163+adcli_result
164+adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
165+{
166+ LDAP *ldap;
167+ size_t c;
168+ char **vals;
169+ size_t v;
170+
171+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
172+ assert (ldap != NULL);
173+
174+ for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
175+ vals = _adcli_ldap_parse_values (ldap,
176+ enroll->computer_attributes,
177+ default_ad_ldap_attrs[c]);
178+ printf ("%s:\n", default_ad_ldap_attrs[c]);
179+ if (vals == NULL) {
180+ printf (" - not set -\n");
181+ } else {
182+ for (v = 0; vals[v] != NULL; v++) {
183+ printf (" %s\n", vals[v]);
184+ }
185+ }
186+ _adcli_strv_free (vals);
187+ }
188+
189+ return ADCLI_SUCCESS;
190+}
191+
192 adcli_result
193 adcli_enroll_delete (adcli_enroll *enroll,
194 adcli_enroll_flags delete_flags)
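Review bot: `adcli_enroll_show_computer_attribute` dereferences `enroll->conn` without the `return_unexpected_if_fail (enroll != NULL)` guard that `adcli_enroll_read_computer_account` above uses, and it assumes `enroll->computer_attributes` was populated by a prior read; add the guard and an `assert (enroll->computer_attributes != NULL)` (or an error return) so a caller that skips the read step fails cleanly. Two smaller points: `_adcli_strv_free (vals)` is reached on the `vals == NULL` branch too, which is only correct if that helper is NULL-safe, and the function name is singular while it prints every entry of `default_ad_ldap_attrs`.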
195diff --git a/library/adenroll.h b/library/adenroll.h
196index 1d5d00d..11eb517 100644
197--- a/library/adenroll.h
198+++ b/library/adenroll.h
199@@ -46,6 +46,11 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll,
200 adcli_result adcli_enroll_update (adcli_enroll *enroll,
201 adcli_enroll_flags flags);
202
203+adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll,
204+ adcli_enroll_flags flags);
205+
206+adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
207+
208 adcli_result adcli_enroll_delete (adcli_enroll *enroll,
209 adcli_enroll_flags delete_flags);
210
211diff --git a/tools/computer.c b/tools/computer.c
212index ac8a203..c8b96a4 100644
213--- a/tools/computer.c
214+++ b/tools/computer.c
215@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
216 adcli_enroll_unref (enroll);
217 return 0;
218 }
219+
220+int
221+adcli_tool_computer_show (adcli_conn *conn,
222+ int argc,
223+ char *argv[])
224+{
225+ adcli_enroll *enroll;
226+ adcli_result res;
227+ int opt;
228+
229+ struct option options[] = {
230+ { "domain", required_argument, NULL, opt_domain },
231+ { "domain-realm", required_argument, NULL, opt_domain_realm },
232+ { "domain-controller", required_argument, NULL, opt_domain_controller },
233+ { "login-user", required_argument, NULL, opt_login_user },
234+ { "login-ccache", optional_argument, NULL, opt_login_ccache },
235+ { "login-type", required_argument, NULL, opt_login_type },
236+ { "no-password", no_argument, 0, opt_no_password },
237+ { "stdin-password", no_argument, 0, opt_stdin_password },
238+ { "prompt-password", no_argument, 0, opt_prompt_password },
239+ { "verbose", no_argument, NULL, opt_verbose },
240+ { "help", no_argument, NULL, 'h' },
241+ { 0 },
242+ };
243+
244+ static adcli_tool_desc usages[] = {
245+ { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
246+ { 0 },
247+ };
248+
249+ enroll = adcli_enroll_new (conn);
250+ if (enroll == NULL) {
251+ warnx ("unexpected memory problems");
252+ return -1;
253+ }
254+
255+ while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
256+ switch (opt) {
257+ case 'h':
258+ case '?':
259+ case ':':
260+ adcli_tool_usage (options, usages);
261+ adcli_tool_usage (options, common_usages);
262+ adcli_enroll_unref (enroll);
263+ return opt == 'h' ? 0 : 2;
264+ default:
265+ res = parse_option ((Option)opt, optarg, conn, enroll);
266+ if (res != ADCLI_SUCCESS) {
267+ adcli_enroll_unref (enroll);
268+ return res;
269+ }
270+ break;
271+ }
272+ }
273+
274+ argc -= optind;
275+ argv += optind;
276+
277+ res = adcli_conn_connect (conn);
278+ if (res != ADCLI_SUCCESS) {
279+ warnx ("couldn't connect to %s domain: %s",
280+ adcli_conn_get_domain_name (conn),
281+ adcli_get_last_error ());
282+ adcli_enroll_unref (enroll);
283+ return -res;
284+ }
285+
286+ if (argc == 1) {
287+ parse_fqdn_or_name (enroll, argv[0]);
288+ }
289+
290+ res = adcli_enroll_read_computer_account (enroll, 0);
291+ if (res != ADCLI_SUCCESS) {
292+ warnx ("couldn't read data for %s: %s",
293+ adcli_enroll_get_host_fqdn (enroll) != NULL
294+ ? adcli_enroll_get_host_fqdn (enroll)
295+ : adcli_enroll_get_computer_name (enroll),
296+ adcli_get_last_error ());
297+ adcli_enroll_unref (enroll);
298+ return -res;
299+ }
300+
301+ res = adcli_enroll_show_computer_attribute (enroll);
302+ if (res != ADCLI_SUCCESS) {
303+ warnx ("couldn't print data for %s: %s",
304+ argv[0], adcli_get_last_error ());
305+ adcli_enroll_unref (enroll);
306+ return -res;
307+ }
308+
309+ adcli_enroll_unref (enroll);
310+ return 0;
311+}
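Review bot: the failure message after `adcli_enroll_show_computer_attribute` prints `argv[0]`, but when the user gives no computer name (`argc == 0` after `argv += optind`) `argv[0]` is the terminating NULL of the argument vector, and passing NULL to `%s` is undefined behaviour; reuse the fqdn-or-computer-name expression from the read failure path just above. Separately, `argc > 1` is accepted silently with the extra arguments ignored; printing the usage and returning 2, as the option-parsing errors do, would be more consistent.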
312diff --git a/tools/tools.c b/tools/tools.c
313index fc9fa9a..9d422f2 100644
314--- a/tools/tools.c
315+++ b/tools/tools.c
316@@ -59,6 +59,7 @@ struct {
317 { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
318 { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
319 { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
320+ { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
321 { "create-user", adcli_tool_user_create, "Create a user account", },
322 { "delete-user", adcli_tool_user_delete, "Delete a user account", },
323 { "create-group", adcli_tool_group_create, "Create a group", },
324diff --git a/tools/tools.h b/tools/tools.h
325index 8cebbf9..3702875 100644
326--- a/tools/tools.h
327+++ b/tools/tools.h
328@@ -78,6 +78,10 @@ int adcli_tool_computer_delete (adcli_conn *conn,
329 int argc,
330 char *argv[]);
331
332+int adcli_tool_computer_show (adcli_conn *conn,
333+ int argc,
334+ char *argv[]);
335+
336 int adcli_tool_user_create (adcli_conn *conn,
337 int argc,
338 char *argv[]);
339--
340GitLab
341
diff --git a/debian/patches/tools-disable-SSSD-s-locator-plugin.patch b/debian/patches/tools-disable-SSSD-s-locator-plugin.patch
0new file mode 100644342new file mode 100644
index 0000000..8fa4ecb
--- /dev/null
+++ b/debian/patches/tools-disable-SSSD-s-locator-plugin.patch
@@ -0,0 +1,43 @@
1From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Fri, 5 Jun 2020 17:28:28 +0200
4Subject: [PATCH] tools: disable SSSD's locator plugin
5
6MIT's libkrb5 checks available locator plugins first before checking the
7config file. This might cause issues when the locator plugin returns a
8different DC than the one used for the LDAP connection if some data must
9be replicated.
10
11This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
12'true' to disable SSSD's locator plugin for adcli.
13
14Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
15---
16 tools/tools.c | 2 ++
17 1 file changed, 2 insertions(+)
18
19Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/50d580c58dab5928cadfc6ca82aedccee58eaced
20Last-Update: 2020-09-02
21diff --git a/tools/tools.c b/tools/tools.c
22index 9d422f2..1b6d879 100644
23--- a/tools/tools.c
24+++ b/tools/tools.c
25@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
26 }
27
28 unsetenv ("KRB5_CONFIG");
29+ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
30 }
31
32 static void
33@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
34 adcli_krb5_conf_filename = filename;
35 adcli_krb5_d_directory = snippets;
36 setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
37+ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
38
39 } else {
40 free (filename);
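Review bot: `setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1)` sits inside the branch where the krb5.conf snippet directory was set up successfully; on the `else` path (`free (filename)`) the locator plugin stays enabled, yet the problem described in the commit message, the plugin steering libkrb5 to a different DC than the one used for LDAP, does not depend on whether the snippet could be written. Consider setting the variable before the branch, with the matching `unsetenv` in `cleanup_krb5_conf_directory` running on both paths as well.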
41--
42GitLab
43
diff --git a/debian/patches/tools-fix-typo-in-show-password-help-output.patch b/debian/patches/tools-fix-typo-in-show-password-help-output.patch
0new file mode 10064444new file mode 100644
index 0000000..cf712b2
--- /dev/null
+++ b/debian/patches/tools-fix-typo-in-show-password-help-output.patch
@@ -0,0 +1,28 @@
1From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Mon, 15 Jun 2020 15:41:53 +0200
4Subject: [PATCH] tools: fix typo in show-password help output
5
6Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
7---
8 tools/computer.c | 2 +-
9 1 file changed, 1 insertion(+), 1 deletion(-)
10
11Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/d70075c597e7ebc1683d407409c45b04110676a0
12Last-Update: 2020-09-02
13diff --git a/tools/computer.c b/tools/computer.c
14index a90c4b2..24ea258 100644
15--- a/tools/computer.c
16+++ b/tools/computer.c
17@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
18 "accounts" },
19 { opt_show_details, "show information about joining the domain after\n"
20 "a successful join" },
21- { opt_show_password, "show computer account password after after a\n"
22+ { opt_show_password, "show computer account password after a\n"
23 "successful join" },
24 { opt_add_samba_data, "add domain SID and computer account password\n"
25 "to the Samba specific configuration database" },
26--
27GitLab
28
