From 6b60f4c08d811e4bc3a68d1a4770c2ce5619c890 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 1 Nov 2017 17:14:05 +0100
Subject: [PATCH 06/23] Handle kvno increment for RODCs
|
Since the actual password change does not happen on the read-only domain
controller (RODC) the kvno change has to be replicated back which might
take some time. So we check the kvno before and after the change if we
are connected to a RODC and increment the kvno if needed.
---
library/adenroll.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
|
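diff --git a/library/adenroll.c b/library/adenroll.c
index 05885d0..bb970d1 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1633,8 +1633,30 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 adcli_enroll_flags flags)
 {
 adcli_result res;
+ krb5_kvno old_kvno = -1;
 
 if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) {
+
+ /* Handle kvno changes for read-only domain controllers
+ * (RODC). Since the actual password change does not happen on
+ * the RODC the kvno change has to be replicated back which
+ * might take some time. So we check the kvno before and after
+ * the change if we are connected to a RODC and increment the
+ * kvno if needed. */
+ if (!adcli_conn_is_writeable (enroll->conn)) {
+ if (enroll->computer_attributes == NULL) {
+ res = retrieve_computer_account (enroll);
+ if (res != ADCLI_SUCCESS)
+ return res;
+ }
+ old_kvno = adcli_enroll_get_kvno (enroll);
+ _adcli_info ("Found old kvno '%d'", old_kvno);
+
+ ldap_msgfree (enroll->computer_attributes);
+ enroll->computer_attributes = NULL;
+ adcli_enroll_set_kvno (enroll, 0);
+ }
+
 res = set_computer_password (enroll);
 if (res != ADCLI_SUCCESS)
 return res;
@@ -1651,6 +1673,15 @@ enroll_join_or_update_tasks (adcli_enroll *enroll,
 return res;
 }
 
+ /* Handle kvno changes for read-only domain controllers (RODC) */
+ if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 &&
+ adcli_enroll_get_kvno (enroll) != 0 &&
+ adcli_enroll_get_kvno (enroll) == old_kvno) {
+ enroll->kvno++;
+ _adcli_info ("No kvno change detected on read-only DC, kvno "
+ "will be incremented by 1 to '%d'", enroll->kvno);
+ }
+
 /* We ignore failures of setting these fields */
 update_and_calculate_enctypes (enroll);
 update_computer_account (enroll);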
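Review bot: `old_kvno` is initialised to `-1` in the first hunk although `krb5_kvno` is an unsigned type in MIT and Heimdal, so the sentinel is really UINT_MAX, the later `old_kvno != -1` test relies on the same implicit conversion (compilers typically warn on it), and the `%d` in `_adcli_info ("Found old kvno '%d'", old_kvno)` and in the second hunk's message does not match the argument type; `%u` or an explicit `(krb5_kvno) -1` sentinel would make both honest. The second hunk bumps `enroll->kvno++` directly while the first hunk goes through `adcli_enroll_set_kvno (enroll, 0)`; using the setter in both places keeps whatever the setter maintains in one spot. The increment is a guess that exactly one password change is still unreplicated, and a short comment stating what happens when the guess is wrong (presumably a keytab entry whose kvno does not match the KDC until the next update) would document the accepted failure mode for whoever debugs an RODC login failure. enroll_join_or_update_tasks begins before the first hunk and ends after the second.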
--
2.14.4