Age | Commit message | Author | Files | Lines |
|
|
|
Use LDAP add/mod operation instead of Kerberos to set the machine
account password.
There was an issue in AD where if PacRequestorEnforcement was set to '2'
setting the machine account password via Kerberos would be rejected.
This is already fixed on the AD side but this patch which was created
with the help of David Mulder <dmulder@suse.com> might still be useful
if setting the machine account password with Kerberos might fail.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2039349
Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/27
|
|
If the --use-ldaps option is used and there is no reply on the CLDAP
389/udp port adcli will try to send the request to the LDAPS port
636/tcp.
Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/31
|
|
Looks like 'net changesecretpw' expects the SID entry to be present to
work correctly. This patch will set the SID before trying to set the
machine account password.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1991619
|
|
linking against musl libc we need to include that specifically, actually
also according to "man 3 endian".
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690920
|
|
With the new option common LDAP attributes can be set.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690920
|
|
The new command allows setting or resetting a user password with the help of
an account privileged to set the password.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1952828
|
|
|
|
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1769644
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1769644
|
|
|
|
|
|
A new option was added to 'adcli update' to toggle the ACCOUNTDISABLE flag
of AD's userAccountControl LDAP attribute to disable or enable the given
host account.
'adcli join' will automatically enable the host account.
Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/21
|
|
Add a random component to the default managed service account name to
avoid name collisions.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
Make it possible to find an existing managed service account by the
fully-qualified name.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
Determine keytab name earlier to catch errors earlier.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
Make handling of random strings more flexible.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
Use proper account type in debug messages.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
Add new sub-command to create a managed service account in AD. This can
be used if LDAP access to AD is needed but the host is already joined to
a different domain.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
Add helpers to indicate a managed service account.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
|
|
When using a restricted account with adcli some operations might fail
because the account might not have all required permissions. The man
page is extended and now explains which permissions are needed under
given circumstances.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1852080
Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/20
|
|
If during a join or update an existing AD computer object does not have
the dNSHostName attribute set it will be set with the current hostname.
This is important for cases where the user doing the join or update only
has "Validated write to service principal name" for the computer object.
The validated write with fully-qualified names can only be successful if
dNSHostName is set, see [MS-ADTS] section 3.1.1.5.3.1.1.4 "Validated
Writes - servicePrincipalName" for details.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1734764
|
|
Do not continue processing on closed connection.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
|
|
In general using the LDAP port with GSS-SPNEGO should satisfy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall, using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
|
|
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
|
|
This new option allows setting the description LDAP attribute for the AD
computer object.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
|
|
The show-computer command prints the LDAP attributes of the related
computer object from AD.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
|
|
Since the arcfour-hmac-md5 encryption type does not use salts it cannot
be used to discover the right salt.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
|
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
|
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
|
|
The new call does not only return the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
|
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
|
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355
|
|
In add_server_side_service_principals _adcli_strv_add_unique is called
which only adds a string to a list without copying it. Since the
original list will be freed later the value must be copied.
This issue was introduced with 972f1a2f35829ed89f5353bd204683aa9ad6a2d2
and hence
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
|
adcli should not delete service principal names (SPNs) unexpectedly. If
an SPN was added on the server while presetting a host or updating an
existing entry, an upcoming adcli join or update should preserve this
change.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
|
Make _adcli_krb5_build_principal a bit more robust by checking if the
given name already contains a realm suffix.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
|
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1630187
|
|
To avoid a misleading debug message indicating success a proper error
code should be returned if no matching key was found when trying to
copy a keytab entry for a new principal.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1644311
|
|
If currently --service-name is given during the join only the service
names given by this option are added as service principal names. As a
result the default 'host' service principal name might be missing which
might cause issues e.g. with SSSD and sshd.
The patch makes sure the default service principals 'host' and
'RestrictedKrbHost' are always added during join.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1644311
|
|
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/2
|
|
Currently adcli creates service principals only with a short name if the
hostname of the client is a short name. This would fail if
Kerberos/GSSAPI clients use the fully-qualified domain name (FQDN)
to access the host.
With this patch adcli tries to expand the short name by calling
getaddrinfo with the AI_CANONNAME hint.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/1
|
|
Originally only the host credential part was fixed in the context of
https://bugs.freedesktop.org/show_bug.cgi?id=91185. This patch adds the
fix to the case when user credentials are used.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1642546
|
|
Check if a service principal is already in the list before adding it.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/16
|
|
_adcli_strv_add_unique checks if the new value already exists in the
strv before adding it. The check can be done case-sensitively or not.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/16
|
|
[MS-NRPC] AD specifications say that the DC locator must attempt to find a suitable DC for the client. That means going through all of the DCs in SRV RRs one by one until one of them answers.
The problem with adcli's original behavior is that it queries only five DCs from SRV, ever. This becomes a problem if for any reason there is a large number of DCs in the domain from which the client cannot get a CLDAP response.
|