Blame SOURCES/0004-Handle-kvno-increment-for-RODCs.patch

9a0aa5
From 108d3fd58e16428316dae4a4c0601633d2903a4b Mon Sep 17 00:00:00 2001
9a0aa5
From: Sumit Bose <sbose@redhat.com>
9a0aa5
Date: Wed, 1 Nov 2017 17:14:05 +0100
9a0aa5
Subject: [PATCH 4/4] Handle kvno increment for RODCs
9a0aa5
9a0aa5
Since the actual password change does not happen on the read-only domain
9a0aa5
controller (RODC) the kvno change has to be replicated back which might
9a0aa5
take some time. So we check the kvno before and after the change if we
9a0aa5
are connected to a RODC and increment the kvno if needed.
9a0aa5
---
9a0aa5
 library/adenroll.c | 31 +++++++++++++++++++++++++++++++
9a0aa5
 1 file changed, 31 insertions(+)
9a0aa5
9a0aa5
diff --git a/library/adenroll.c b/library/adenroll.c
9a0aa5
index a15e4be..40c3920 100644
9a0aa5
--- a/library/adenroll.c
9a0aa5
+++ b/library/adenroll.c
9a0aa5
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
9a0aa5
 		             adcli_enroll_flags flags)
9a0aa5
 {
9a0aa5
 	adcli_result res;
9a0aa5
+	krb5_kvno old_kvno = -1;
9a0aa5
 
9a0aa5
 	if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
9a0aa5
+
9a0aa5
+		/* Handle kvno changes for read-only domain controllers
9a0aa5
+		 * (RODC). Since the actual password change does not happen on
9a0aa5
+		 * the RODC the kvno change has to be replicated back which
9a0aa5
+		 * might take some time. So we check the kvno before and after
9a0aa5
+		 * the change if we are connected to a RODC and increment the
9a0aa5
+		 * kvno if needed. */
9a0aa5
+		if (!adcli_conn_is_writeable (enroll->conn)) {
9a0aa5
+			if (enroll->computer_attributes == NULL) {
9a0aa5
+				res = retrieve_computer_account (enroll);
9a0aa5
+				if (res != ADCLI_SUCCESS)
9a0aa5
+					return res;
9a0aa5
+			}
9a0aa5
+			old_kvno = adcli_enroll_get_kvno (enroll);
9a0aa5
+			_adcli_info ("Found old kvno '%d'", old_kvno);
9a0aa5
+
9a0aa5
+			ldap_msgfree (enroll->computer_attributes);
9a0aa5
+			enroll->computer_attributes = NULL;
9a0aa5
+			adcli_enroll_set_kvno (enroll, 0);
9a0aa5
+		}
9a0aa5
+
9a0aa5
 		res = set_computer_password (enroll);
9a0aa5
 		if (res != ADCLI_SUCCESS)
9a0aa5
 			return res;
9a0aa5
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
9a0aa5
 			return res;
9a0aa5
 	}
9a0aa5
 
9a0aa5
+	/* Handle kvno changes for read-only domain controllers (RODC) */
9a0aa5
+	if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
9a0aa5
+	    adcli_enroll_get_kvno (enroll) != 0 &&
9a0aa5
+	    adcli_enroll_get_kvno (enroll) == old_kvno) {
9a0aa5
+		enroll->kvno++;
9a0aa5
+		_adcli_info ("No kvno change detected on read-only DC,  kvno "
9a0aa5
+		             "will be incremented by 1 to '%d'", enroll->kvno);
9a0aa5
+	}
9a0aa5
+
9a0aa5
 	/* We ignore failures of setting these fields */
9a0aa5
 	update_and_calculate_enctypes (enroll);
9a0aa5
 	update_computer_account (enroll);
9a0aa5
-- 
9a0aa5
2.13.6
9a0aa5