Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
adcli
0034-Implement-adcli-testjoin.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0034-Implement-adcli-testjoin.patch of Package adcli
From c9c9e7a59c2a38baf7ab3f4eff56fcd6c6a19254 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Fri, 22 Mar 2019 12:37:39 +0100 Subject: [PATCH 34/34] Implement 'adcli testjoin' By calling adcli testjoin it will be checked if the host credentials stored in the keytab are still valid. Related to https://bugzilla.redhat.com/show_bug.cgi?id=1622583 (cherry picked from commit 6fd99ff6c5dd6ef0be8d942989b1c6dcee3102d9) --- doc/adcli.xml | 34 +++++++++++++++++++++++ tools/computer.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/tools.c | 1 + tools/tools.h | 4 +++ 4 files changed, 111 insertions(+) diff --git a/doc/adcli.xml b/doc/adcli.xml index b3ea801..154df07 100644 --- a/doc/adcli.xml +++ b/doc/adcli.xml @@ -43,6 +43,9 @@ <cmdsynopsis> <command>adcli update</command> </cmdsynopsis> + <cmdsynopsis> + <command>adcli testjoin</command> + </cmdsynopsis> <cmdsynopsis> <command>adcli create-user</command> <arg choice="opt">--domain=domain.example.com</arg> @@ -498,6 +501,37 @@ $ adcli update --login-ccache=/tmp/krbcc_123 </refsect1> +<refsect1 id='testjoin'> + <title>Testing if the machine account password is valid</title> + + <para><command>adcli testjoin</command> uses the current credentials in + the keytab and tries to authenticate with the machine account to the AD + domain. If this works the machine account password and the join are + still valid. If it fails the machine account password or the whole + machine account have to be refreshed with + <command>adcli join</command> or <command>adcli update</command>. + </para> + +<programlisting> +$ adcli testjoin +</programlisting> + + <para>Only the global options not related to authentication are + available, additionally you can specify the following options to + control how this operation is done.</para> + + <variablelist> + <varlistentry> + <term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term> + <listitem><para>Specify the path to the host keytab where + current host credentials are stored and the new ones + will be written to. If not specified, the default + location will be used, usually + <filename>/etc/krb5.keytab</filename>.</para></listitem> + </varlistentry> + </variablelist> +</refsect1> + <refsect1 id='create_user'> <title>Creating a User</title> diff --git a/tools/computer.c b/tools/computer.c index 929f18c..6a9b3bc 100644 --- a/tools/computer.c +++ b/tools/computer.c @@ -559,6 +559,78 @@ adcli_tool_computer_update (adcli_conn *conn, return 0; } +int +adcli_tool_computer_testjoin (adcli_conn *conn, + int argc, + char *argv[]) +{ + adcli_enroll *enroll; + adcli_result res; + const char *ktname; + int opt; + + struct option options[] = { + { "domain", required_argument, NULL, opt_domain }, + { "domain-controller", required_argument, NULL, opt_domain_controller }, + { "host-keytab", required_argument, 0, opt_host_keytab }, + { "verbose", no_argument, NULL, opt_verbose }, + { "help", no_argument, NULL, 'h' }, + { 0 }, + }; + + static adcli_tool_desc usages[] = { + { 0, "usage: adcli testjoin" }, + { 0 }, + }; + + enroll = adcli_enroll_new (conn); + if (enroll == NULL) + errx (-1, "unexpected memory problems"); + + while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { + switch (opt) { + case 'h': + case '?': + case ':': + adcli_tool_usage (options, usages); + adcli_tool_usage (options, common_usages); + adcli_enroll_unref (enroll); + return opt == 'h' ? 0 : 2; + default: + parse_option ((Option)opt, optarg, conn, enroll); + break; + } + } + + /* Force use of a keytab to test the join/machine account password */ + adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT); + ktname = adcli_enroll_get_keytab_name (enroll); + adcli_conn_set_login_keytab_name (conn, ktname ? ktname : ""); + + res = adcli_enroll_load (enroll); + if (res != ADCLI_SUCCESS) { + adcli_enroll_unref (enroll); + adcli_conn_unref (conn); + errx (-res, "couldn't lookup domain info from keytab: %s", + adcli_get_last_error ()); + } + + res = adcli_conn_connect (conn); + if (res != ADCLI_SUCCESS) { + adcli_enroll_unref (enroll); + adcli_conn_unref (conn); + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); + } + + printf ("Sucessfully validated join to domain %s\n", + adcli_conn_get_domain_name (conn)); + + adcli_enroll_unref (enroll); + + return 0; +} int adcli_tool_computer_preset (adcli_conn *conn, diff --git a/tools/tools.c b/tools/tools.c index 915130e..c4e2851 100644 --- a/tools/tools.c +++ b/tools/tools.c @@ -55,6 +55,7 @@ struct { { "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS }, { "join", adcli_tool_computer_join, "Join this machine to a domain", }, { "update", adcli_tool_computer_update, "Update machine membership in a domain", }, + { "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", }, { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", }, { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", }, { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", }, diff --git a/tools/tools.h b/tools/tools.h index 6c97ccf..8cebbf9 100644 --- a/tools/tools.h +++ b/tools/tools.h @@ -70,6 +70,10 @@ int adcli_tool_computer_update (adcli_conn *conn, int argc, char *argv[]); +int adcli_tool_computer_testjoin (adcli_conn *conn, + int argc, + char *argv[]); + int adcli_tool_computer_delete (adcli_conn *conn, int argc, char *argv[]); -- 2.25.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor