From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Oct 2020 15:23:04 +0100
Subject: [PATCH 7/7] service-account: add random suffix to account name
Add a random component to the default managed service account name to
avoid name collisions.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
---
library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
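diff --git a/library/adenroll.c b/library/adenroll.c
index 98cd5fa..f693e58 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
 return ADCLI_SUCCESS;
 }
 
+static adcli_result
+refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
+ const char *name)
+{
+ adcli_result res;
+
+ adcli_enroll_set_computer_name (enroll, name);
+ res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
+ res = ensure_keytab_principals (res, enroll);
+
+ return res;
+}
+
+static adcli_result
+calculate_random_service_account_name (adcli_enroll *enroll)
+{
+ char *suffix;
+ char *new_name;
+ int ret;
+ adcli_result res;
+
+ suffix = generate_host_password (enroll, 3, filter_sam_chars);
+ return_unexpected_if_fail (suffix != NULL);
+
+ ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
+ free (suffix);
+ return_unexpected_if_fail (ret > 0);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, new_name);
+ free (new_name);
+
+ return res;
+}
+
+static adcli_result
+get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
+{
+ LDAP *ldap;
+ char *cn;
+ adcli_result res;
+
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ assert (ldap != NULL);
+
+ cn = _adcli_ldap_parse_value (ldap, results, "CN");
+ return_unexpected_if_fail (cn != NULL);
+
+ res = refresh_service_account_name_sam_and_princ (enroll, cn);
+ free (cn);
+
+ return res;
+}
+
 static adcli_result
 locate_or_create_computer_account (adcli_enroll *enroll,
 int allow_overwrite)
@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
 searched = 1;
 }
 
+ /* Try with fqdn for service accounts */
+ if (!enroll->computer_dn && enroll->is_service
+ && enroll->host_fqdn != NULL) {
+ res = locate_computer_account (enroll, ldap, true,
+ &results, &entry);
+ if (res != ADCLI_SUCCESS)
+ return res;
+ searched = 1;
+
+ if (results != NULL) {
+ res = get_service_account_name_from_ldap (enroll,
+ results);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
+ }
+
 /* Next try and come up with where we think it should be */
 if (enroll->computer_dn == NULL) {
+ if (enroll->is_service && !enroll->computer_name_explicit) {
+ res = calculate_random_service_account_name (enroll);
+ if (res != ADCLI_SUCCESS) {
+ return res;
+ }
+ }
 res = calculate_computer_account (enroll, ldap);
 if (res != ADCLI_SUCCESS)
 return res;
@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
 
 if (enroll->is_service) {
 /* Ensure basic params for service accounts */
+ res = ensure_host_fqdn (res, enroll);
+ res = ensure_computer_name (res, enroll);
 res = ensure_computer_sam (res, enroll);
 res = ensure_computer_password (res, enroll);
 res = ensure_host_keytab (res, enroll);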
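Review bot: `refresh_service_account_name_sam_and_princ` in the first hunk depends on `ensure_computer_sam` and `ensure_keytab_principals` re-deriving their output from the freshly set `computer_name`; both are defined outside the hunk, and if either returns early when `computer_sam` or the principal list is already populated, the random suffix (and the CN read back from LDAP in `get_service_account_name_from_ldap`) silently never reaches the SAM or the keytab principals, so the account created and the principals later written would disagree. A one-line comment on the function, `/* Re-derive SAM and keytab principals after computer_name changed; relies on ensure_* recomputing rather than short-circuiting on set values */`, would pin that contract for the next reader. In `calculate_random_service_account_name` the suffix length `3` is a bare magic number; a named constant such as `SERVICE_ACCOUNT_SUFFIX_LEN` would make the collision-avoidance budget visible. The `"%s!%s"` format there also assumes `enroll->computer_name` is non-NULL, which the `ensure_computer_name` call added in the third hunk presumably guarantees for service accounts — worth confirming there is no path into `locate_or_create_computer_account` that bypasses `adcli_enroll_prepare`.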
--
2.28.0