File 0041-populate-samba-secrets-using-offline-domain-join.patch of Package adcli.35968
From 05670e9d162bb979b5aa35d3e9ba253b7bd549e0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Aug 2018 12:17:18 +0200
Subject: [PATCH 01/16] _adcli_call_external_program: silence noisy debug
message
(cherry picked from commit 185a8b7378665d1d0ef7dd4d5a78438459bad9e0)
---
library/adutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/adutil.c b/library/adutil.c
index 08da731..76ea158 100644
--- a/library/adutil.c
+++ b/library/adutil.c
@@ -692,7 +692,7 @@ done:
if (wret == -1) {
_adcli_err ("No sure what happend to net command.");
} else {
- if (WIFEXITED (status)) {
+ if (WIFEXITED (status) && WEXITSTATUS (status) != 0) {
_adcli_err ("net command failed with %d.",
WEXITSTATUS (status));
}
--
2.43.0
From ac9cc634ca8ba6752f84d6e4fd625a34eba3a8e8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 28 Jul 2021 12:55:16 +0200
Subject: [PATCH 02/16] configure: check for ns_get16 and ns_get32 as well
With newer versions of glibc res_query() might ba already available in
glibc with ns_get16() and ns_get32() still requires libresolv.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984891
(cherry picked from commit e841ba7513f3f8b6393183d2dea9adcbf7ba2e44)
---
configure.ac | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 68877c7..676256a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -98,13 +98,15 @@ AC_SUBST(LDAP_CFLAGS)
# -------------------------------------------------------------------
# resolv
-AC_MSG_CHECKING(for which library has res_query)
+AC_MSG_CHECKING([for which library has res_query, ns_get16 and ns_get32])
for lib in "" "-lresolv"; do
saved_LIBS="$LIBS"
LIBS="$LIBS $lib"
AC_LINK_IFELSE([
AC_LANG_PROGRAM([#include <resolv.h>],
- [res_query (0, 0, 0, 0, 0)])
+ [res_query (0, 0, 0, 0, 0);
+ ns_get32 (NULL);
+ ns_get16 (NULL);])
],
[ AC_MSG_RESULT(${lib:-libc}); have_res_query="yes"; break; ],
[ LIBS="$saved_LIBS" ])
--
2.43.0
From 9fd580694cb49bfb5693b6b0fed993568a1eeb84 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 13:39:12 +0200
Subject: [PATCH 03/16] disco: Add functions to extract domain GUID from LDAP
ping
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/addisco.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
diff --git a/library/addisco.c b/library/addisco.c
index bf38e71..a069927 100644
--- a/library/addisco.c
+++ b/library/addisco.c
@@ -333,6 +333,78 @@ get_32_le (unsigned char **at,
return 1;
}
+static int
+get_16_le (unsigned char **at,
+ unsigned char *end,
+ uint16_t *val)
+{
+ unsigned char *p = *at;
+ if (end - p < 2)
+ return 0;
+ *val = p[0] | p[1] << 8;
+ (*at) += 2;
+ return 1;
+}
+
+struct GUID {
+ uint32_t time_low;
+ uint16_t time_mid;
+ uint16_t time_hi_and_version;
+ uint8_t clock_seq[2];
+ uint8_t node[6];
+};
+
+/* Format is "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x" */
+/* 32 chars + 4 ' ' + \0 + 2 for adding {} */
+struct GUID_txt_buf {
+ char buf[39];
+};
+
+static char *GUID_buf_string(const struct GUID *guid,
+ struct GUID_txt_buf *dst)
+{
+ if (guid == NULL) {
+ return NULL;
+ }
+ snprintf(dst->buf, sizeof(dst->buf),
+ "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+ guid->time_low, guid->time_mid,
+ guid->time_hi_and_version,
+ guid->clock_seq[0],
+ guid->clock_seq[1],
+ guid->node[0], guid->node[1],
+ guid->node[2], guid->node[3],
+ guid->node[4], guid->node[5]);
+ return dst->buf;
+}
+
+static int
+parse_guid (unsigned char **at,
+ unsigned char *end,
+ char **result)
+{
+ struct GUID g = { 0 };
+ struct GUID_txt_buf buf;
+
+ if (end - (*at) < sizeof(struct GUID)) {
+ return 0;
+ }
+
+ get_32_le(at, end, &g.time_low);
+ get_16_le(at, end, &g.time_mid);
+ get_16_le(at, end, &g.time_hi_and_version);
+
+ memcpy(&g.clock_seq, *at, sizeof(g.clock_seq));
+ (*at) += sizeof(g.clock_seq);
+
+ memcpy(&g.node, *at, sizeof(g.node));
+ (*at) += sizeof(g.node);
+
+ *result = strdup(GUID_buf_string(&g, &buf));
+
+ return 1;
+}
+
static int
skip_n (unsigned char **at,
unsigned char *end,
--
2.43.0
From 58066578f0c7e223249fea5340eb359076261231 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 13:40:08 +0200
Subject: [PATCH 04/16] disco: Extract domain GUID from LDAP ping
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/addisco.c | 14 ++------------
library/addisco.h | 1 +
2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/library/addisco.c b/library/addisco.c
index a069927..985e684 100644
--- a/library/addisco.c
+++ b/library/addisco.c
@@ -405,17 +405,6 @@ parse_guid (unsigned char **at,
return 1;
}
-static int
-skip_n (unsigned char **at,
- unsigned char *end,
- int n)
-{
- if (end - (*at) < n)
- return 0;
- (*at) += n;
- return 1;
-}
-
static adcli_disco *
parse_disco_data (struct berval *bv)
{
@@ -434,7 +423,7 @@ parse_disco_data (struct berval *bv)
/* domain forest */
if (!get_32_le (&at, end, &type) || type != 23 ||
!get_32_le (&at, end, &disco->flags) ||
- !skip_n (&at, end, 16) || /* guid */
+ !parse_guid (&at, end, &disco->domain_guid) ||
!parse_disco_string (beg, end, &at, &disco->forest) ||
!parse_disco_string (beg, end, &at, &disco->domain) ||
!parse_disco_string (beg, end, &at, &disco->host_name) ||
@@ -851,6 +840,7 @@ adcli_disco_free (adcli_disco *disco)
free (disco->host_addr);
free (disco->host_name);
free (disco->host_short);
+ free (disco->domain_guid);
free (disco->forest);
free (disco->domain);
free (disco->domain_short);
diff --git a/library/addisco.h b/library/addisco.h
index 06b69a9..79ec34f 100644
--- a/library/addisco.h
+++ b/library/addisco.h
@@ -48,6 +48,7 @@ typedef struct _adcli_disco {
char *forest;
char *domain;
char *domain_short;
+ char *domain_guid;
char *host_name;
char *host_addr;
char *host_short;
--
2.43.0
From 703fa4a87432ff6a260b00924ecac1118101f92c Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 13:43:47 +0200
Subject: [PATCH 05/16] conn: Copy domain GUID from disco
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adconn.c | 14 ++++++++++++++
library/adconn.h | 2 ++
2 files changed, 16 insertions(+)
diff --git a/library/adconn.c b/library/adconn.c
index 7bab852..58db795 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -74,6 +74,7 @@ struct _adcli_conn_ctx {
char *canonical_host;
char *domain_short;
char *domain_sid;
+ char *domain_guid;
adcli_disco *domain_disco;
char *default_naming_context;
char *configuration_naming_context;
@@ -159,6 +160,11 @@ disco_dance_if_necessary (adcli_conn *conn)
conn->domain_short = strdup (conn->domain_disco->domain_short);
return_if_fail (conn->domain_short != NULL);
}
+
+ if (!conn->domain_guid && conn->domain_disco->domain_guid) {
+ conn->domain_guid = strdup(conn->domain_disco->domain_guid);
+ return_if_fail (conn->domain_guid != NULL);
+ }
}
}
@@ -1287,6 +1293,7 @@ conn_free (adcli_conn *conn)
free (conn->domain_realm);
free (conn->domain_controller);
free (conn->domain_short);
+ free (conn->domain_guid);
free (conn->default_naming_context);
free (conn->configuration_naming_context);
_adcli_strv_free (conn->supported_capabilities);
@@ -1395,6 +1402,13 @@ adcli_conn_get_domain_name (adcli_conn *conn)
return conn->domain_name;
}
+const char *
+adcli_conn_get_domain_guid(adcli_conn *conn)
+{
+ return_val_if_fail (conn != NULL, NULL);
+ return conn->domain_guid;
+}
+
void
adcli_conn_set_domain_name (adcli_conn *conn,
const char *value)
diff --git a/library/adconn.h b/library/adconn.h
index 1d5faa8..fe0ea85 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -97,6 +97,8 @@ const char * adcli_conn_get_domain_short (adcli_conn *conn);
const char * adcli_conn_get_domain_sid (adcli_conn *conn);
+const char * adcli_conn_get_domain_guid (adcli_conn *conn);
+
LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn);
krb5_context adcli_conn_get_krb5_context (adcli_conn *conn);
--
2.43.0
From 932198a327d691248a967beaa59fd76deaaa2ab8 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 13:45:06 +0200
Subject: [PATCH 06/16] conn: Copy forest name from disco
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adconn.c | 14 ++++++++++++++
library/adconn.h | 2 ++
2 files changed, 16 insertions(+)
diff --git a/library/adconn.c b/library/adconn.c
index 58db795..e1c5539 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -75,6 +75,7 @@ struct _adcli_conn_ctx {
char *domain_short;
char *domain_sid;
char *domain_guid;
+ char *forest;
adcli_disco *domain_disco;
char *default_naming_context;
char *configuration_naming_context;
@@ -161,6 +162,11 @@ disco_dance_if_necessary (adcli_conn *conn)
return_if_fail (conn->domain_short != NULL);
}
+ if (!conn->forest && conn->domain_disco->forest) {
+ conn->forest = strdup(conn->domain_disco->forest);
+ return_if_fail (conn->forest != NULL);
+ }
+
if (!conn->domain_guid && conn->domain_disco->domain_guid) {
conn->domain_guid = strdup(conn->domain_disco->domain_guid);
return_if_fail (conn->domain_guid != NULL);
@@ -1294,6 +1300,7 @@ conn_free (adcli_conn *conn)
free (conn->domain_controller);
free (conn->domain_short);
free (conn->domain_guid);
+ free (conn->forest);
free (conn->default_naming_context);
free (conn->configuration_naming_context);
_adcli_strv_free (conn->supported_capabilities);
@@ -1402,6 +1409,13 @@ adcli_conn_get_domain_name (adcli_conn *conn)
return conn->domain_name;
}
+const char *
+adcli_conn_get_forest_name (adcli_conn *conn)
+{
+ return_val_if_fail (conn != NULL, NULL);
+ return conn->forest;
+}
+
const char *
adcli_conn_get_domain_guid(adcli_conn *conn)
{
diff --git a/library/adconn.h b/library/adconn.h
index fe0ea85..faca953 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -76,6 +76,8 @@ void adcli_conn_set_host_fqdn (adcli_conn *conn,
const char * adcli_conn_get_domain_name (adcli_conn *conn);
+const char * adcli_conn_get_forest_name (adcli_conn *conn);
+
void adcli_conn_set_domain_name (adcli_conn *conn,
const char *value);
--
2.43.0
From 5df2918a3fab6fd1afd084d84018264ba5ffb0b9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 17:56:24 +0200
Subject: [PATCH 07/16] conn: Stop as soon as we have a valid LDAP connection
No need to test all possible addresses.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adconn.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/library/adconn.c b/library/adconn.c
index e1c5539..f57eb1f 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -863,6 +863,7 @@ connect_to_address (const char *host,
break;
}
}
+ break;
}
}
--
2.43.0
From b6e3b7ea9b0da9db83e32af93ff3846bba1fe003 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 14:56:54 +0200
Subject: [PATCH 08/16] conn: Store the address of the connected server
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adconn.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/library/adconn.c b/library/adconn.c
index f57eb1f..ab4467e 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -84,6 +84,7 @@ struct _adcli_conn_ctx {
/* Connect state */
LDAP *ldap;
+ struct sockaddr *addr;
int ldap_authenticated;
krb5_context k5;
krb5_ccache ccache;
@@ -787,7 +788,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
static LDAP *
connect_to_address (const char *host,
const char *canonical_host,
- bool use_ldaps)
+ bool use_ldaps,
+ struct sockaddr **addr)
{
struct addrinfo *res = NULL;
struct addrinfo *ai;
@@ -870,6 +872,11 @@ connect_to_address (const char *host,
if (!ldap && error)
_adcli_err ("Couldn't connect to host: %s: %s", host, strerror (error));
+ *addr = malloc(sizeof(struct sockaddr));
+ if (*addr != NULL) {
+ memcpy(*addr, ai->ai_addr, sizeof(struct sockaddr));
+ }
+
freeaddrinfo (res);
/* coverity[leaked_handle] - the socket is carried inside the ldap struct */
return ldap;
@@ -883,6 +890,7 @@ connect_and_lookup_naming (adcli_conn *conn,
LDAPMessage *results;
adcli_result res;
LDAP *ldap;
+ struct sockaddr *addr;
int ret;
int ver;
@@ -895,13 +903,15 @@ connect_and_lookup_naming (adcli_conn *conn,
};
assert (conn->ldap == NULL);
+ assert (conn->addr == NULL);
canonical_host = disco->host_name;
if (!canonical_host)
canonical_host = disco->host_addr;
ldap = connect_to_address (disco->host_addr, canonical_host,
- adcli_conn_get_use_ldaps (conn));
+ adcli_conn_get_use_ldaps (conn),
+ &addr);
if (ldap == NULL)
return ADCLI_ERR_DIRECTORY;
@@ -964,6 +974,7 @@ connect_and_lookup_naming (adcli_conn *conn,
}
conn->ldap = ldap;
+ conn->addr = addr;
free (conn->canonical_host);
conn->canonical_host = strdup (canonical_host);
@@ -1203,6 +1214,10 @@ conn_clear_state (adcli_conn *conn)
ldap_unbind_ext_s (conn->ldap, NULL, NULL);
conn->ldap = NULL;
+ if (conn->addr)
+ free(conn->addr);
+ conn->addr = NULL;
+
free (conn->canonical_host);
conn->canonical_host = NULL;
--
2.43.0
From faba57d59553a657ddd905f1391b5314730c3039 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 31 Aug 2023 17:11:55 +0200
Subject: [PATCH 09/16] conn: Allow to retrieve the connected LDAP address
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adconn.c | 7 +++++++
library/adconn.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/library/adconn.c b/library/adconn.c
index ab4467e..94cc82e 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -1516,6 +1516,13 @@ adcli_conn_get_ldap_connection (adcli_conn *conn)
return conn->ldap;
}
+struct sockaddr *
+adcli_conn_get_ldap_address (adcli_conn *conn)
+{
+ return_val_if_fail (conn != NULL, NULL);
+ return conn->addr;
+}
+
krb5_context
adcli_conn_get_krb5_context (adcli_conn *conn)
{
diff --git a/library/adconn.h b/library/adconn.h
index faca953..6984c13 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -103,6 +103,8 @@ const char * adcli_conn_get_domain_guid (adcli_conn *conn);
LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn);
+struct sockaddr * adcli_conn_get_ldap_address (adcli_conn *conn);
+
krb5_context adcli_conn_get_krb5_context (adcli_conn *conn);
void adcli_conn_set_krb5_context (adcli_conn *conn,
--
2.43.0
From afe0ad08ccff58b29fc144af30dd496103d936ac Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 6 Sep 2023 11:49:19 +0200
Subject: [PATCH 10/16] util: Allow to append variables to external program
environment
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adenroll.c | 4 +--
library/adprivate.h | 1 +
library/adutil.c | 69 +++++++++++++++++++++++++++++++++++++++------
3 files changed, 64 insertions(+), 10 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index ab26e30..bbfe479 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1869,14 +1869,14 @@ update_samba_data (adcli_enroll *enroll)
_adcli_info ("Trying to set domain SID %s for Samba.",
argv_sid[2]);
ret = _adcli_call_external_program (argv_sid[0], argv_sid,
- NULL, NULL, NULL);
+ NULL, NULL, NULL, NULL);
if (ret != ADCLI_SUCCESS) {
_adcli_err ("Failed to set Samba domain SID.");
}
}
_adcli_info ("Trying to set Samba secret.");
- ret = _adcli_call_external_program (argv_pw[0], argv_pw,
+ ret = _adcli_call_external_program (argv_pw[0], argv_pw, NULL,
enroll->computer_password, NULL, NULL);
if (ret != ADCLI_SUCCESS) {
_adcli_err ("Failed to set Samba computer account password.");
diff --git a/library/adprivate.h b/library/adprivate.h
index 0806430..8f8c4ee 100644
--- a/library/adprivate.h
+++ b/library/adprivate.h
@@ -306,6 +306,7 @@ bool _adcli_check_nt_time_string_lifetime (const char *nt_time_strin
adcli_result _adcli_call_external_program (const char *binary,
char * const *argv,
+ char * const *envp,
const char *stdin_data,
uint8_t **stdout_data,
size_t *stdout_data_len);
diff --git a/library/adutil.c b/library/adutil.c
index 76ea158..1a663df 100644
--- a/library/adutil.c
+++ b/library/adutil.c
@@ -550,7 +550,7 @@ _adcli_check_nt_time_string_lifetime (const char *nt_time_string,
adcli_result
_adcli_call_external_program (const char *binary, char * const *argv,
- const char *stdin_data,
+ char * const *envp, const char *stdin_data,
uint8_t **stdout_data, size_t *stdout_data_len)
{
int ret;
@@ -564,6 +564,48 @@ _adcli_call_external_program (const char *binary, char * const *argv,
int status;
uint8_t read_buf[4096];
uint8_t *out;
+ char **child_env = NULL;
+ size_t child_env_size = 0;
+
+ /* prepare child environment, append envp to environ */
+ if (envp != NULL) {
+ size_t environ_size = 0;
+ size_t envp_size = 0;
+ int i, j;
+
+ for (i = 0; environ[i] != NULL; i++) {
+ environ_size++;
+ }
+
+ for (i = 0; envp[i] != NULL; i++) {
+ envp_size++;
+ }
+
+ child_env_size = environ_size + envp_size + 1;
+ child_env = calloc(child_env_size, sizeof(char *));
+ if (child_env == NULL) {
+ _adcli_err("Failed to allocate memory.");
+ return ADCLI_ERR_FAIL;
+ }
+
+ memset(child_env, 0, child_env_size);
+
+ for (i = 0, j = 0; environ[i] != NULL; i++, j++) {
+ child_env[j] = strdup(environ[i]);
+ if (child_env[j] == NULL) {
+ _adcli_err("Failed to allocate memory.");
+ return ADCLI_ERR_FAIL;
+ }
+ }
+
+ for (i = 0; envp[i] != NULL; i++, j++) {
+ child_env[j] = strdup(envp[i]);
+ if (child_env[j] == NULL) {
+ _adcli_err("Failed to allocate memory.");
+ return ADCLI_ERR_FAIL;
+ }
+ }
+ }
errno = 0;
ret = access (binary, X_OK);
@@ -612,7 +654,11 @@ _adcli_call_external_program (const char *binary, char * const *argv,
exit (EXIT_FAILURE);
}
- execv (binary, argv);
+ if (child_env != NULL) {
+ execve(binary, argv, child_env);
+ } else {
+ execv(binary, argv);
+ }
_adcli_err ("Failed to run %s.", binary);
ret = ADCLI_ERR_FAIL;
goto done;
@@ -671,6 +717,13 @@ _adcli_call_external_program (const char *binary, char * const *argv,
goto done;
}
+ if (child_env != NULL) {
+ for (int i = 0; i < child_env_size; i++) {
+ free(child_env[i]);
+ }
+ free(child_env);
+ }
+
ret = ADCLI_SUCCESS;
done:
@@ -852,25 +905,25 @@ test_call_external_program (void)
size_t stdout_data_len;
argv[0] = "/does/not/exists";
- res = _adcli_call_external_program (argv[0], argv, NULL, NULL, NULL);
+ res = _adcli_call_external_program (argv[0], argv, NULL, NULL, NULL, NULL);
assert (res == ADCLI_ERR_FAIL);
#ifdef BIN_CAT
argv[0] = BIN_CAT;
- res = _adcli_call_external_program (argv[0], argv, "Hello",
+ res = _adcli_call_external_program (argv[0], argv, NULL, "Hello",
&stdout_data, &stdout_data_len);
assert (res == ADCLI_SUCCESS);
assert (strncmp ("Hello", (char *) stdout_data, stdout_data_len) == 0);
free (stdout_data);
- res = _adcli_call_external_program (argv[0], argv, "Hello",
+ res = _adcli_call_external_program (argv[0], argv, NULL, "Hello",
NULL, NULL);
assert (res == ADCLI_SUCCESS);
#endif
#ifdef BIN_REV
argv[0] = BIN_REV;
- res = _adcli_call_external_program (argv[0], argv, "Hello\n",
+ res = _adcli_call_external_program (argv[0], argv, NULL, "Hello\n",
&stdout_data, &stdout_data_len);
assert (res == ADCLI_SUCCESS);
assert (strncmp ("olleH\n", (char *) stdout_data, stdout_data_len) == 0);
@@ -879,7 +932,7 @@ test_call_external_program (void)
#ifdef BIN_TAC
argv[0] = BIN_TAC;
- res = _adcli_call_external_program (argv[0], argv, "Hello\nWorld\n",
+ res = _adcli_call_external_program (argv[0], argv, NULL, "Hello\nWorld\n",
&stdout_data, &stdout_data_len);
assert (res == ADCLI_SUCCESS);
assert (strncmp ("World\nHello\n", (char *) stdout_data, stdout_data_len) == 0);
@@ -889,7 +942,7 @@ test_call_external_program (void)
#ifdef BIN_ECHO
argv[0] = BIN_ECHO;
argv[1] = "Hello";
- res = _adcli_call_external_program (argv[0], argv, NULL,
+ res = _adcli_call_external_program (argv[0], argv, NULL, NULL,
&stdout_data, &stdout_data_len);
assert (res == ADCLI_SUCCESS);
assert (strncmp ("Hello\n", (char *) stdout_data, stdout_data_len) == 0);
--
2.43.0
From 239607bc8d9b05a187a68453a7f3cbae7ed0365e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 6 Sep 2023 12:05:03 +0200
Subject: [PATCH 11/16] util: Flag write end of pipe as invalid after closing
it
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/adutil.c b/library/adutil.c
index 1a663df..31e83d2 100644
--- a/library/adutil.c
+++ b/library/adutil.c
@@ -678,7 +678,7 @@ _adcli_call_external_program (const char *binary, char * const *argv,
close (pipefd_to_child[0]);
pipefd_to_child[0] = -1;
close (pipefd_to_child[1]);
- pipefd_to_child[0] = -1;
+ pipefd_to_child[1] = -1;
if (stdout_data != NULL || stdout_data_len != NULL) {
rlen = read (pipefd_from_child[0], read_buf, sizeof (read_buf));
--
2.43.0
From eb3e1e2e91b2cc9d65aef90705d592f042066c1f Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 6 Sep 2023 16:30:45 +0200
Subject: [PATCH 12/16] util: Return failure if child exit status reports so
Otherwise error string from stdout won't be printed.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adutil.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/library/adutil.c b/library/adutil.c
index 31e83d2..02f9aa2 100644
--- a/library/adutil.c
+++ b/library/adutil.c
@@ -748,6 +748,7 @@ done:
if (WIFEXITED (status) && WEXITSTATUS (status) != 0) {
_adcli_err ("net command failed with %d.",
WEXITSTATUS (status));
+ ret = ADCLI_ERR_FAIL;
}
}
}
--
2.43.0
From a3f1bce1ee64385734a269fce6fa1e60b66434f0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 6 Sep 2023 16:29:32 +0200
Subject: [PATCH 13/16] enroll: Issue a warning if Samba provision was
requested but failed
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adenroll.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index bbfe479..c68621a 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2056,9 +2056,9 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
if ( (flags & ADCLI_ENROLL_ADD_SAMBA_DATA) && ! (flags & ADCLI_ENROLL_PASSWORD_VALID)) {
res = update_samba_data (enroll);
if (res != ADCLI_SUCCESS) {
- _adcli_info ("Failed to add Samba specific data, smbd "
+ _adcli_warn ("Failed to add Samba specific data, smbd "
"or winbindd might not work as "
- "expected.\n");
+ "expected.");
}
}
--
2.43.0
From b9f0dbf82c1eeed906bac514b119635c93561cd9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 6 Sep 2023 12:55:50 +0200
Subject: [PATCH 14/16] enroll: Add a function to convert an IP address to text
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adutil.c | 34 ++++++++++++++++++++++++++++++++++
library/adutil.h | 5 +++++
2 files changed, 39 insertions(+)
diff --git a/library/adutil.c b/library/adutil.c
index 02f9aa2..81186fa 100644
--- a/library/adutil.c
+++ b/library/adutil.c
@@ -37,6 +37,7 @@
#include <stdint.h>
#include <time.h>
#include <sys/wait.h>
+#include <arpa/inet.h>
static adcli_message_func message_func = NULL;
static char last_error[2048] = { 0, };
@@ -756,6 +757,39 @@ done:
return ret;
}
+adcli_result
+adcli_sockaddr_to_string(struct sockaddr *sa, char *addr, size_t addr_len)
+{
+ const char *p;
+
+ if (sa == NULL) {
+ return ADCLI_ERR_FAIL;
+ }
+
+ errno = 0;
+ switch (sa->sa_family) {
+ case AF_INET:
+ p = inet_ntop(AF_INET,
+ &(((struct sockaddr_in *)sa)->sin_addr),
+ addr, addr_len);
+ break;
+ case AF_INET6:
+ p = inet_ntop(AF_INET6,
+ &(((struct sockaddr_in6 *)sa)->sin6_addr),
+ addr, addr_len);
+ break;
+ default:
+ _adcli_err("Failed to get LDAP server address, unknown socket family");
+ return ADCLI_ERR_FAIL;
+ }
+
+ if (p == NULL) {
+ _adcli_err("Failed to convert LDAP server address: %s", strerror(errno));
+ return ADCLI_ERR_FAIL;
+ }
+
+ return ADCLI_SUCCESS;
+}
#ifdef UTIL_TESTS
diff --git a/library/adutil.h b/library/adutil.h
index a07c5da..27c0587 100644
--- a/library/adutil.h
+++ b/library/adutil.h
@@ -26,6 +26,7 @@
#include <stdlib.h>
#include <stdbool.h>
+#include <sys/socket.h>
typedef enum {
/* Successful completion */
@@ -91,4 +92,8 @@ void adcli_clear_last_error (void);
const char * adcli_get_last_error (void);
+adcli_result adcli_sockaddr_to_string (struct sockaddr *sa,
+ char *addr,
+ size_t addr_len);
+
#endif /* ADUTIL_H_ */
--
2.43.0
From 617c4c09ed0bdec0800909919e1b79e8ad1454ef Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 7 Sep 2023 10:13:38 +0200
Subject: [PATCH 15/16] build: Check for NetComposeOfflineDomainJoin in samba's
netapi library
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
configure.ac | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/configure.ac b/configure.ac
index 676256a..fdb27d1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -95,6 +95,12 @@ AC_CHECK_LIB(ldap, ldap_init_fd, [true], [
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
+# -------------------------------------------------------------------
+# samba
+
+AC_CHECK_LIB([netapi], [NetComposeOfflineDomainJoin],
+ [AC_DEFINE(SAMBA_NETAPI_HAS_COMPOSEODJ, 1, [Samba NetApi supports composeodj])])
+
# -------------------------------------------------------------------
# resolv
--
2.43.0
From 89c5351355cb5873c89022dbaffc5163fcbce6fc Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 7 Sep 2023 10:19:29 +0200
Subject: [PATCH 16/16] enroll: Populate Samba's secrets database using offline
domain join
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
library/adenroll.c | 146 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 146 insertions(+)
diff --git a/library/adenroll.c b/library/adenroll.c
index c68621a..c12ab0b 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1848,6 +1848,150 @@ update_keytab_for_principals (adcli_enroll *enroll,
return ADCLI_SUCCESS;
}
+#if defined(SAMBA_NETAPI_HAS_COMPOSEODJ)
+
+#define CHECK_SNPRINTF(x, v) \
+ do { if ((x) < 0 || (x) >= sizeof((v))) { \
+ _adcli_err ("%s: Insufficient buffer for %s", __func__, #v); \
+ return ADCLI_ERR_FAIL; \
+ } } while (0)
+
+static adcli_result
+update_samba_data (adcli_enroll *enroll)
+{
+ int ret;
+ char dns_domain_name[128];
+ char netbios_domain_name[128];
+ char domain_sid[128];
+ char domain_guid[128];
+ char forest_name[128];
+ char machine_account_name[128];
+ char dc_name[128];
+ char dc_address[128];
+ char ldap_address[INET6_ADDRSTRLEN];
+ char *envp_composeodj[] = {"PASSWD_FD=0", NULL};
+ char *argv_composeodj[] = {
+ NULL,
+ "offlinejoin",
+ "composeodj",
+ dns_domain_name,
+ netbios_domain_name,
+ domain_sid,
+ domain_guid,
+ forest_name,
+ machine_account_name,
+ dc_name,
+ dc_address,
+ "printblob",
+ NULL};
+ char *argv_requestodj[] = {
+ NULL,
+ "offlinejoin",
+ "requestodj",
+ "-i",
+ NULL};
+ uint8_t *compose_out_data = NULL;
+ size_t compose_out_data_len = 0;
+ uint8_t *request_out_data = NULL;
+ size_t request_out_data_len = 0;
+
+ argv_composeodj[0] = (char *)adcli_enroll_get_samba_data_tool(enroll);
+ if (argv_composeodj[0] == NULL) {
+ _adcli_err("Samba data tool not available.");
+ return ADCLI_ERR_FAIL;
+ }
+ argv_requestodj[0] = argv_composeodj[0];
+
+ ret = adcli_sockaddr_to_string(adcli_conn_get_ldap_address(enroll->conn),
+ ldap_address, sizeof(ldap_address));
+ if (ret != ADCLI_SUCCESS) {
+ return ret;
+ }
+
+ ret = snprintf(dns_domain_name, sizeof(dns_domain_name), "--realm=%s",
+ adcli_conn_get_domain_name(enroll->conn));
+ CHECK_SNPRINTF(ret, dns_domain_name);
+
+ ret = snprintf(netbios_domain_name, sizeof(netbios_domain_name),
+ "--workgroup=%s", adcli_conn_get_domain_short(enroll->conn));
+ CHECK_SNPRINTF(ret, netbios_domain_name);
+
+ ret = snprintf(domain_sid, sizeof(domain_sid), "domain_sid=%s",
+ adcli_conn_get_domain_sid(enroll->conn));
+ CHECK_SNPRINTF(ret, domain_sid);
+
+ ret = snprintf(domain_guid, sizeof(domain_guid), "domain_guid=%s",
+ adcli_conn_get_domain_guid(enroll->conn));
+ CHECK_SNPRINTF(ret, domain_guid);
+
+ ret = snprintf(forest_name, sizeof(forest_name), "forest_name=%s",
+ adcli_conn_get_forest_name(enroll->conn));
+ CHECK_SNPRINTF(ret, forest_name);
+
+ ret = snprintf(machine_account_name, sizeof(machine_account_name),
+ "--user=%s", enroll->computer_sam);
+ CHECK_SNPRINTF(ret, machine_account_name);
+
+ ret = snprintf(dc_name, sizeof(dc_name), "--server=%s",
+ adcli_conn_get_domain_controller(enroll->conn));
+ CHECK_SNPRINTF(ret, dc_name);
+
+ ret = snprintf(dc_address, sizeof(dc_address), "--ipaddress=%s",
+ ldap_address);
+ CHECK_SNPRINTF(ret, dc_address);
+
+ _adcli_info("Trying to compose Samba ODJ blob.");
+ ret = _adcli_call_external_program(argv_composeodj[0],
+ argv_composeodj, envp_composeodj,
+ enroll->computer_password,
+ &compose_out_data, &compose_out_data_len);
+ if (ret != ADCLI_SUCCESS) {
+ while (compose_out_data && compose_out_data_len > 0 &&
+ compose_out_data[compose_out_data_len - 1] == '\n') {
+ compose_out_data_len--;
+ }
+ _adcli_err("Failed to compose Samba ODJ blob: %.*s",
+ (int)compose_out_data_len, (char *)compose_out_data);
+ goto out;
+ }
+
+ if (compose_out_data == NULL || compose_out_data_len == 0) {
+ _adcli_err("Failed to compose ODJ blob, no data returned.");
+ ret = ADCLI_ERR_FAIL;
+ goto out;
+ }
+
+ _adcli_info("Trying to request Samba ODJ.");
+ ret = _adcli_call_external_program(argv_requestodj[0],
+ argv_requestodj, NULL,
+ (const char *)compose_out_data,
+ &request_out_data, &request_out_data_len);
+ if (ret != ADCLI_SUCCESS) {
+ while (request_out_data && request_out_data_len > 0 &&
+ request_out_data[request_out_data_len - 1] == '\n') {
+ request_out_data_len--;
+ }
+ _adcli_err("Failed to request Samba ODJ: %.*s",
+ (int)request_out_data_len, request_out_data);
+ goto out;
+ }
+
+ ret = ADCLI_SUCCESS;
+out:
+ if (compose_out_data != NULL) {
+ /* Burn memory, the blob contains the machine password */
+ memset(compose_out_data, 0, compose_out_data_len);
+ free(compose_out_data);
+ }
+ if (request_out_data != NULL) {
+ free(request_out_data);
+ }
+
+ return ret;
+}
+
+#else /* defined(SAMBA_NETAPI_HAS_COMPOSEODJ) */
+
static adcli_result
update_samba_data (adcli_enroll *enroll)
{
@@ -1885,6 +2029,8 @@ update_samba_data (adcli_enroll *enroll)
return ret;
}
+#endif
+
static void
enroll_clear_state (adcli_enroll *enroll)
{
--
2.43.0
