From 108d3fd58e16428316dae4a4c0601633d2903a4b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 4/4] Handle kvno increment for RODCs
|
Since the actual password change does not happen on the read-only domain
controller (RODC) the kvno change has to be replicated back which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
library/adenroll.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
|
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
|
9a0aa5 |
index a15e4be..40c3920 100644
|
|
|
9a0aa5 |
--- a/library/adenroll.c
|
|
|
9a0aa5 |
+++ b/library/adenroll.c
|
|
|
9a0aa5 |
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
|
|
9a0aa5 |
adcli_enroll_flags flags)
|
|
|
9a0aa5 |
{
|
|
|
9a0aa5 |
adcli_result res;
|
|
|
9a0aa5 |
+ krb5_kvno old_kvno = -1;
|
|
|
9a0aa5 |
|
|
|
9a0aa5 |
if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
|
|
|
9a0aa5 |
+
|
|
|
9a0aa5 |
+ /* Handle kvno changes for read-only domain controllers
|
|
|
9a0aa5 |
+ * (RODC). Since the actual password change does not happen on
|
|
|
9a0aa5 |
+ * the RODC the kvno change has to be replicated back which
|
|
|
9a0aa5 |
+ * might take some time. So we check the kvno before and after
|
|
|
9a0aa5 |
+ * the change if we are connected to a RODC and increment the
|
|
|
9a0aa5 |
+ * kvno if needed. */
|
|
|
9a0aa5 |
+ if (!adcli_conn_is_writeable (enroll->conn)) {
|
|
|
9a0aa5 |
+ if (enroll->computer_attributes == NULL) {
|
|
|
9a0aa5 |
+ res = retrieve_computer_account (enroll);
|
|
|
9a0aa5 |
+ if (res != ADCLI_SUCCESS)
|
|
|
9a0aa5 |
+ return res;
|
|
|
9a0aa5 |
+ }
|
|
|
9a0aa5 |
+ old_kvno = adcli_enroll_get_kvno (enroll);
|
|
|
9a0aa5 |
+ _adcli_info ("Found old kvno '%d'", old_kvno);
|
|
|
9a0aa5 |
+
|
|
|
9a0aa5 |
+ ldap_msgfree (enroll->computer_attributes);
|
|
|
9a0aa5 |
+ enroll->computer_attributes = NULL;
|
|
|
9a0aa5 |
+ adcli_enroll_set_kvno (enroll, 0);
|
|
|
9a0aa5 |
+ }
|
|
|
9a0aa5 |
+
|
|
|
9a0aa5 |
res = set_computer_password (enroll);
|
|
|
9a0aa5 |
if (res != ADCLI_SUCCESS)
|
|
|
9a0aa5 |
return res;
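Review bot: `old_kvno` is declared as `krb5_kvno`, which both MIT and Heimdal define as an unsigned integer, so the `-1` initializer only works as a sentinel through unsigned wrap-around and the `_adcli_info ("Found old kvno '%d'", old_kvno)` call passes an unsigned value to a signed conversion, which `-Wformat` will flag; use `'%u'` here and add a short comment above the declaration such as `/* krb5_kvno is unsigned; -1 wraps to a sentinel meaning "not read from a RODC" */`. Note also that the RODC branch frees `enroll->computer_attributes` and resets the kvno to 0 before `set_computer_password` is attempted, so on the failure return just below the enroll object is left in a different state than before the call; if callers inspect the kvno after a failed join this is presumably worth a comment or a restore. The remainder of enroll_join_or_update_tasks continues outside this hunk.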
|
|
|
9a0aa5 |
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
|
|
|
9a0aa5 |
return res;
|
|
|
9a0aa5 |
}
|
|
|
9a0aa5 |
|
|
|
9a0aa5 |
+ /* Handle kvno changes for read-only domain controllers (RODC) */
|
|
|
9a0aa5 |
+ if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
|
|
|
9a0aa5 |
+ adcli_enroll_get_kvno (enroll) != 0 &&
|
|
|
9a0aa5 |
+ adcli_enroll_get_kvno (enroll) == old_kvno) {
|
|
|
9a0aa5 |
+ enroll->kvno++;
|
|
|
9a0aa5 |
+ _adcli_info ("No kvno change detected on read-only DC, kvno "
|
|
|
9a0aa5 |
+ "will be incremented by 1 to '%d'", enroll->kvno);
|
|
|
9a0aa5 |
+ }
|
|
|
9a0aa5 |
+
|
|
|
9a0aa5 |
/* We ignore failures of setting these fields */
|
|
|
9a0aa5 |
update_and_calculate_enctypes (enroll);
|
|
|
9a0aa5 |
update_computer_account (enroll);
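Review bot: The `enroll->kvno++` at the end of the RODC block is a guess that the writable DC advanced the version by exactly one; if the real value differs, the keytab that is written from this kvno will not match the account and authentication with the new key fails until the next update, so this deserves more than an info-level message and a comment stating the assumption, e.g. `/* Assumes the writable DC incremented kvno by exactly 1; a stale read could still leave the keytab out of step */`. The direct field write also bypasses the setter the same function uses a few lines earlier; `adcli_enroll_set_kvno (enroll, adcli_enroll_get_kvno (enroll) + 1);` keeps the two consistent. Whether adcli exposes a warning-level log helper cannot be seen from this hunk; if it does, logging the forced increment at that level would help operators diagnose a mismatched keytab. The enclosing function continues past this hunk.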
|
|
|
9a0aa5 |
--
2.13.6
|