File 0036-Add-dont-expire-password-option.patch of Package adcli.22052
From e244c842a094ffe4fafb19f48fcbeb08f200bb17 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 2 Jun 2021 17:24:07 +0200
Subject: [PATCH 1/2] Add dont-expire-password option
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1769644
---
doc/adcli.xml | 28 ++++++++++++++++++++++++++++
library/adenroll.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
library/adenroll.h | 5 +++++
tools/computer.c | 12 ++++++++++++
4 files changed, 89 insertions(+), 2 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 6bd5697..697b3d6 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -321,6 +321,20 @@ Password for Administrator:
not allow that Kerberos tickets can be forwarded to the
host.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--dont-expire-password=<parameter>yes|no|true|false</parameter></option></term>
+ <listitem><para>Set or unset the DONT_EXPIRE_PASSWORD
+ flag in the userAccountControl attribute to indicate if
+ the machine account password should expire or not. By
+ default adcli will set this flag while joining the
+ domain which corresponds to the default behavior of
+ Windows clients.</para>
+ <para>Please note that if the password will expire
+ (--dont-expire-password=false) a renewal mechanism has
+ to be enabled on the client to not loose the
+ connectivity to AD if the password expires.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Add a service principal name. In
@@ -460,6 +474,20 @@ $ adcli update --login-ccache=/tmp/krbcc_123
not allow that Kerberos tickets can be forwarded to the
host.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--dont-expire-password=<parameter>yes|no|true|false</parameter></option></term>
+ <listitem><para>Set or unset the DONT_EXPIRE_PASSWORD
+ flag in the userAccountControl attribute to indicate if
+ the machine account password should expire or not. By
+ default adcli will set this flag while joining the
+ domain which corresponds to the default behavior of
+ Windows clients.</para>
+ <para>Please note that if the password will expire
+ (--dont-expire-password=false) a renewal mechanism has
+ to be enabled on the client to not loose the
+ connectivity to AD if the password expires.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Add a service principal name. In
diff --git a/library/adenroll.c b/library/adenroll.c
index e72972d..f0297e1 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -128,6 +128,8 @@ struct _adcli_enroll {
char *samba_data_tool;
bool trusted_for_delegation;
int trusted_for_delegation_explicit;
+ bool dont_expire_password;
+ int dont_expire_password_explicit;
};
static adcli_result
@@ -707,6 +709,8 @@ create_computer_account (adcli_enroll *enroll,
int ret;
size_t c;
size_t m;
+ uint32_t uac = UAC_WORKSTATION_TRUST_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD ;
+ char *uac_str = NULL;
LDAPMod *all_mods[] = {
&objectClass,
@@ -726,11 +730,21 @@ create_computer_account (adcli_enroll *enroll,
LDAPMod *mods[mods_count];
if (adcli_enroll_get_trusted_for_delegation (enroll)) {
- vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
+ uac |= UAC_TRUSTED_FOR_DELEGATION;
+ }
+
+ if (!adcli_enroll_get_dont_expire_password (enroll)) {
+ uac &= ~(UAC_DONT_EXPIRE_PASSWORD);
+ }
+
+ if (asprintf (&uac_str, "%d", uac) < 0) {
+ return_val_if_reached (ADCLI_ERR_UNEXPECTED);
}
+ vals_userAccountControl[0] = uac_str;
ret = calculate_enctypes (enroll, &val);
if (ret != ADCLI_SUCCESS) {
+ free (uac_str);
return ret;
}
vals_supportedEncryptionTypes[0] = val;
@@ -745,6 +759,7 @@ create_computer_account (adcli_enroll *enroll,
mods[m] = NULL;
ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
+ free (uac_str);
free (val);
/*
@@ -1343,6 +1358,14 @@ static char *get_user_account_control (adcli_enroll *enroll)
uac &= ~(UAC_TRUSTED_FOR_DELEGATION);
}
+ if (enroll->dont_expire_password_explicit) {
+ if (adcli_enroll_get_dont_expire_password (enroll)) {
+ uac |= UAC_DONT_EXPIRE_PASSWORD;
+ } else {
+ uac &= ~(UAC_DONT_EXPIRE_PASSWORD);
+ }
+ }
+
if (asprintf (&uac_str, "%d", uac) < 0) {
return_val_if_reached (NULL);
}
@@ -1371,7 +1394,8 @@ update_computer_account (adcli_enroll *enroll)
res |= update_computer_attribute (enroll, ldap, mods);
}
- if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
+ if (res == ADCLI_SUCCESS && (enroll->trusted_for_delegation_explicit ||
+ enroll->dont_expire_password_explicit)) {
char *vals_userAccountControl[] = { NULL , NULL };
LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
LDAPMod *mods[] = { &userAccountControl, NULL };
@@ -2776,6 +2800,24 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
enroll->trusted_for_delegation_explicit = 1;
}
+bool
+adcli_enroll_get_dont_expire_password (adcli_enroll *enroll)
+{
+ return_val_if_fail (enroll != NULL, false);
+
+ return enroll->dont_expire_password;
+}
+
+void
+adcli_enroll_set_dont_expire_password (adcli_enroll *enroll,
+ bool value)
+{
+ return_if_fail (enroll != NULL);
+
+ enroll->dont_expire_password = value;
+ enroll->dont_expire_password_explicit = 1;
+}
+
const char **
adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
{
diff --git a/library/adenroll.h b/library/adenroll.h
index 1d5d00d..e06c2a4 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -121,6 +121,11 @@ bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
bool value);
+bool adcli_enroll_get_dont_expire_password (adcli_enroll *enroll);
+void adcli_enroll_set_dont_expire_password (adcli_enroll *enroll,
+ bool value);
+
+
krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll);
void adcli_enroll_set_kvno (adcli_enroll *enroll,
diff --git a/tools/computer.c b/tools/computer.c
index 6a9b3bc..8221fc8 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -110,6 +110,7 @@ typedef enum {
opt_add_samba_data,
opt_samba_data_tool,
opt_trusted_for_delegation,
+ opt_dont_expire_password,
opt_add_service_principal,
opt_remove_service_principal,
opt_use_ldaps,
@@ -142,6 +143,8 @@ static adcli_tool_desc common_usages[] = {
{ opt_computer_password_lifetime, "lifetime of the host accounts password in days", },
{ opt_trusted_for_delegation, "set/unset the TRUSTED_FOR_DELEGATION flag\n"
"in the userAccountControl attribute", },
+ { opt_dont_expire_password, "set/unset the DONT_EXPIRE_PASSWORD flag\n"
+ "in the userAccountControl attribute", },
{ opt_add_service_principal, "add the given service principal to the account\n" },
{ opt_remove_service_principal, "remove the given service principal from the account\n" },
{ opt_no_password, "don't prompt for or read a password" },
@@ -295,6 +298,13 @@ parse_option (Option opt,
adcli_enroll_set_trusted_for_delegation (enroll, false);
}
return;
+ case opt_dont_expire_password:
+ if (strcasecmp (optarg, "true") == 0 || strcasecmp (optarg, "yes") == 0) {
+ adcli_enroll_set_dont_expire_password (enroll, true);
+ } else {
+ adcli_enroll_set_dont_expire_password (enroll, false);
+ }
+ return;
case opt_add_service_principal:
adcli_enroll_add_service_principal_to_add (enroll, optarg);
return;
@@ -369,6 +379,7 @@ adcli_tool_computer_join (adcli_conn *conn,
{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
{ "user-principal", optional_argument, NULL, opt_user_principal },
{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ { "dont-expire-password", required_argument, NULL, opt_dont_expire_password },
{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
{ "show-details", no_argument, NULL, opt_show_details },
{ "show-password", no_argument, NULL, opt_show_password },
@@ -475,6 +486,7 @@ adcli_tool_computer_update (adcli_conn *conn,
{ "user-principal", optional_argument, NULL, opt_user_principal },
{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ { "dont-expire-password", required_argument, NULL, opt_dont_expire_password },
{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
{ "remove-service-principal", required_argument, NULL, opt_remove_service_principal },
{ "show-details", no_argument, NULL, opt_show_details },
--
2.33.0