|
 |
541bac |
From beb7abfacc0010987d2cd8ab70f7c373d309eed9 Mon Sep 17 00:00:00 2001
|
|
|
541bac |
From: Sumit Bose <sbose@redhat.com>
|
|
|
541bac |
Date: Thu, 15 Oct 2020 18:01:12 +0200
|
|
|
541bac |
Subject: [PATCH] join/update: set dNSHostName if not set
|
|
|
541bac |
|
|
|
541bac |
If during a join or update an existing AD computer object does not have
|
|
|
541bac |
the dNSHostName attribute set it will be set with the current hostname.
|
|
|
541bac |
This is important for cases where the user doing the join or update only
|
|
|
541bac |
has "Validated write to service principal name" for the computer object.
|
|
|
541bac |
The validated write with fully-qualified names can only be successful if
|
|
|
541bac |
dNSHostName is set, see [MS-ADTS] section 3.1.1.5.3.1.1.4 "Validated
|
|
|
541bac |
Writes - servicePrincipalName" for details.
|
|
|
541bac |
|
|
|
541bac |
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1734764
|
|
|
541bac |
---
|
|
|
541bac |
library/adenroll.c | 16 ++++++++++++----
|
|
|
541bac |
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
|
541bac |
|
|
|
541bac |
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
|
541bac |
index 246f658..e745295 100644
|
|
|
541bac |
--- a/library/adenroll.c
|
|
|
541bac |
+++ b/library/adenroll.c
|
|
|
541bac |
@@ -1403,21 +1403,29 @@ update_computer_account (adcli_enroll *enroll)
|
|
|
541bac |
{
|
|
|
541bac |
int res = 0;
|
|
|
541bac |
LDAP *ldap;
|
|
|
541bac |
+ char *value = NULL;
|
|
|
541bac |
|
|
|
541bac |
ldap = adcli_conn_get_ldap_connection (enroll->conn);
|
|
|
541bac |
return_if_fail (ldap != NULL);
|
|
|
541bac |
|
|
|
541bac |
/* Only update attributes which are explicitly given on the command
|
|
|
541bac |
- * line. Otherwise 'adcli update' must be always called with the same
|
|
|
541bac |
- * set of options to make sure existing attributes are not deleted or
|
|
|
541bac |
- * overwritten with different values. */
|
|
|
541bac |
- if (enroll->host_fqdn_explicit) {
|
|
|
541bac |
+ * line or not set in the existing AD object. Otherwise 'adcli update'
|
|
|
541bac |
+ * must be always called with the same set of options to make sure
|
|
|
541bac |
+ * existing attributes are not deleted or overwritten with different
|
|
|
541bac |
+ * values. */
|
|
|
541bac |
+ if (enroll->computer_attributes != NULL) {
|
|
|
541bac |
+ value = _adcli_ldap_parse_value (ldap,
|
|
|
541bac |
+ enroll->computer_attributes,
|
|
|
541bac |
+ "dNSHostName");
|
|
|
541bac |
+ }
|
|
|
541bac |
+ if (enroll->host_fqdn_explicit || value == NULL ) {
|
|
|
541bac |
char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
|
|
|
541bac |
LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
|
|
|
541bac |
LDAPMod *mods[] = { &dNSHostName, NULL };
|
|
|
541bac |
|
|
|
541bac |
res |= update_computer_attribute (enroll, ldap, mods);
|
|
|
541bac |
}
|
|
|
541bac |
+ free (value);
|
|
|
541bac |
|
|
|
541bac |
if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
|
|
|
541bac |
char *vals_userAccountControl[] = { NULL , NULL };
|
|
|
541bac |
--
|
|
|
541bac |
2.28.0
|
|
|
541bac |
|