Blame SOURCES/0007-service-account-add-random-suffix-to-account-name.patch

541bac
From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
541bac
From: Sumit Bose <sbose@redhat.com>
541bac
Date: Tue, 27 Oct 2020 15:23:04 +0100
541bac
Subject: [PATCH 7/7] service-account: add random suffix to account name
541bac
541bac
Add a random component to the default managed service account name to
541bac
avoid name collisions.
541bac
541bac
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
541bac
---
541bac
 library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
541bac
 1 file changed, 79 insertions(+)
541bac
541bac
diff --git a/library/adenroll.c b/library/adenroll.c
541bac
index 98cd5fa..f693e58 100644
541bac
--- a/library/adenroll.c
541bac
+++ b/library/adenroll.c
541bac
@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
541bac
 	return ADCLI_SUCCESS;
541bac
 }
541bac
 
541bac
+static adcli_result
541bac
+refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
541bac
+                                            const char *name)
541bac
+{
541bac
+	adcli_result res;
541bac
+
541bac
+	adcli_enroll_set_computer_name (enroll, name);
541bac
+	res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
541bac
+	res = ensure_keytab_principals (res, enroll);
541bac
+
541bac
+	return res;
541bac
+}
541bac
+
541bac
+static adcli_result
541bac
+calculate_random_service_account_name (adcli_enroll *enroll)
541bac
+{
541bac
+	char *suffix;
541bac
+	char *new_name;
541bac
+	int ret;
541bac
+	adcli_result res;
541bac
+
541bac
+	suffix = generate_host_password (enroll, 3, filter_sam_chars);
541bac
+	return_unexpected_if_fail (suffix != NULL);
541bac
+
541bac
+	ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
541bac
+	free (suffix);
541bac
+	return_unexpected_if_fail (ret > 0);
541bac
+
541bac
+	res = refresh_service_account_name_sam_and_princ (enroll, new_name);
541bac
+	free (new_name);
541bac
+
541bac
+	return res;
541bac
+}
541bac
+
541bac
+static adcli_result
541bac
+get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
541bac
+{
541bac
+	LDAP *ldap;
541bac
+	char *cn;
541bac
+	adcli_result res;
541bac
+
541bac
+	ldap = adcli_conn_get_ldap_connection (enroll->conn);
541bac
+	assert (ldap != NULL);
541bac
+
541bac
+	cn = _adcli_ldap_parse_value (ldap, results, "CN");
541bac
+	return_unexpected_if_fail (cn != NULL);
541bac
+
541bac
+	res = refresh_service_account_name_sam_and_princ (enroll, cn);
541bac
+	free (cn);
541bac
+
541bac
+	return res;
541bac
+}
541bac
+
541bac
 static adcli_result
541bac
 locate_or_create_computer_account (adcli_enroll *enroll,
541bac
                                    int allow_overwrite)
541bac
@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
541bac
 		searched = 1;
541bac
 	}
541bac
 
541bac
+	/* Try with fqdn for service accounts */
541bac
+	if (!enroll->computer_dn && enroll->is_service
541bac
+	                && enroll->host_fqdn != NULL) {
541bac
+		res = locate_computer_account (enroll, ldap, true,
541bac
+		                               &results, &entry);
541bac
+		if (res != ADCLI_SUCCESS)
541bac
+			return res;
541bac
+		searched = 1;
541bac
+
541bac
+		if (results != NULL) {
541bac
+			res = get_service_account_name_from_ldap (enroll,
541bac
+			                                          results);
541bac
+			if (res != ADCLI_SUCCESS) {
541bac
+				return res;
541bac
+			}
541bac
+		}
541bac
+	}
541bac
+
541bac
 	/* Next try and come up with where we think it should be */
541bac
 	if (enroll->computer_dn == NULL) {
541bac
+		if (enroll->is_service && !enroll->computer_name_explicit) {
541bac
+			res = calculate_random_service_account_name (enroll);
541bac
+			if (res != ADCLI_SUCCESS) {
541bac
+				return res;
541bac
+			}
541bac
+		}
541bac
 		res = calculate_computer_account (enroll, ldap);
541bac
 		if (res != ADCLI_SUCCESS)
541bac
 			return res;
541bac
@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
541bac
 
541bac
 	if (enroll->is_service) {
541bac
 		/* Ensure basic params for service accounts */
541bac
+		res = ensure_host_fqdn (res, enroll);
541bac
+		res = ensure_computer_name (res, enroll);
541bac
 		res = ensure_computer_sam (res, enroll);
541bac
 		res = ensure_computer_password (res, enroll);
541bac
 		res = ensure_host_keytab (res, enroll);
541bac
-- 
541bac
2.28.0
541bac