|
|
48b328 |
From 9ad1164405e7b4decb7c4ad96fe5ab27d6e53366 Mon Sep 17 00:00:00 2001
|
|
|
48b328 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
48b328 |
Date: Wed, 6 Jun 2018 16:31:32 +0200
|
|
|
48b328 |
Subject: [PATCH 19/23] Calculate enctypes in a separate function
|
|
|
48b328 |
|
|
|
48b328 |
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
|
|
|
48b328 |
---
|
|
|
48b328 |
library/adenroll.c | 137 +++++++++++++++++++++++++++++++----------------------
|
|
|
48b328 |
1 file changed, 81 insertions(+), 56 deletions(-)
|
|
|
48b328 |
|
|
|
48b328 |
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
|
48b328 |
index 6fdc773..75ac1e4 100644
|
|
|
48b328 |
--- a/library/adenroll.c
|
|
|
48b328 |
+++ b/library/adenroll.c
|
|
|
48b328 |
@@ -542,6 +542,83 @@ calculate_computer_account (adcli_enroll *enroll,
|
|
|
48b328 |
return ADCLI_SUCCESS;
|
|
|
48b328 |
}
|
|
|
48b328 |
|
|
|
48b328 |
+static adcli_result
|
|
|
48b328 |
+calculate_enctypes (adcli_enroll *enroll, char **enctype)
|
|
|
48b328 |
+{
|
|
|
48b328 |
+ char *value = NULL;
|
|
|
48b328 |
+ krb5_enctype *read_enctypes;
|
|
|
48b328 |
+ char *new_value = NULL;
|
|
|
48b328 |
+ int is_2008_or_later;
|
|
|
48b328 |
+ LDAP *ldap;
|
|
|
48b328 |
+
|
|
|
48b328 |
+ *enctype = NULL;
|
|
|
48b328 |
+ /*
|
|
|
48b328 |
+ * Because we're using a keytab we want the server to be aware of the
|
|
|
48b328 |
+ * encryption types supported on the client, because we can't dynamically
|
|
|
48b328 |
+ * use a new one that's thrown at us.
|
|
|
48b328 |
+ *
|
|
|
48b328 |
+ * If the encryption types are not explicitly set by the caller of this
|
|
|
48b328 |
+ * library, then see if the account already has some encryption types
|
|
|
48b328 |
+ * marked on it.
|
|
|
48b328 |
+ *
|
|
|
48b328 |
+ * If not, write our default set to the account.
|
|
|
48b328 |
+ *
|
|
|
48b328 |
+ * Note that Windows 2003 and earlier have a standard set of encryption
|
|
|
48b328 |
+ * types, and no msDS-supportedEncryptionTypes attribute.
|
|
|
48b328 |
+ */
|
|
|
48b328 |
+
|
|
|
48b328 |
+ ldap = adcli_conn_get_ldap_connection (enroll->conn);
|
|
|
48b328 |
+ return_unexpected_if_fail (ldap != NULL);
|
|
|
48b328 |
+
|
|
|
48b328 |
+ is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
|
|
|
48b328 |
+
|
|
|
48b328 |
+ /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
|
|
|
48b328 |
+ if (is_2008_or_later) {
|
|
|
48b328 |
+ value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
|
|
|
48b328 |
+ "msDS-supportedEncryptionTypes");
|
|
|
48b328 |
+
|
|
|
48b328 |
+ if (!enroll->keytab_enctypes_explicit && value != NULL) {
|
|
|
48b328 |
+ read_enctypes = _adcli_krb5_parse_enctypes (value);
|
|
|
48b328 |
+ if (read_enctypes == NULL) {
|
|
|
48b328 |
+ _adcli_warn ("Invalid or unsupported encryption types are set on "
|
|
|
48b328 |
+ "the computer account (%s).", value);
|
|
|
48b328 |
+ } else {
|
|
|
48b328 |
+ free (enroll->keytab_enctypes);
|
|
|
48b328 |
+ enroll->keytab_enctypes = read_enctypes;
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+
|
|
|
48b328 |
+ /* In 2003 or earlier, standard set of enc types */
|
|
|
48b328 |
+ } else {
|
|
|
48b328 |
+ value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+
|
|
|
48b328 |
+ new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
|
|
|
48b328 |
+ if (new_value == NULL) {
|
|
|
48b328 |
+ free (value);
|
|
|
48b328 |
+ _adcli_warn ("The encryption types desired are not available in active directory");
|
|
|
48b328 |
+ return ADCLI_ERR_CONFIG;
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+
|
|
|
48b328 |
+ /* If we already have this value, then don't need to update */
|
|
|
48b328 |
+ if (value && strcmp (new_value, value) == 0) {
|
|
|
48b328 |
+ free (value);
|
|
|
48b328 |
+ free (new_value);
|
|
|
48b328 |
+ return ADCLI_SUCCESS;
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+ free (value);
|
|
|
48b328 |
+
|
|
|
48b328 |
+ if (!is_2008_or_later) {
|
|
|
48b328 |
+ free (new_value);
|
|
|
48b328 |
+ _adcli_warn ("Server does not support setting encryption types");
|
|
|
48b328 |
+ return ADCLI_SUCCESS;
|
|
|
48b328 |
+ }
|
|
|
48b328 |
+
|
|
|
48b328 |
+ *enctype = new_value;
|
|
|
48b328 |
+ return ADCLI_SUCCESS;
|
|
|
48b328 |
+}
|
|
|
48b328 |
+
|
|
|
48b328 |
+
|
|
|
48b328 |
static adcli_result
|
|
|
48b328 |
create_computer_account (adcli_enroll *enroll,
|
|
|
48b328 |
LDAP *ldap)
|
|
|
48b328 |
@@ -1053,75 +1130,23 @@ retrieve_computer_account (adcli_enroll *enroll)
|
|
|
48b328 |
static adcli_result
|
|
|
48b328 |
update_and_calculate_enctypes (adcli_enroll *enroll)
|
|
|
48b328 |
{
|
|
|
48b328 |
- char *value = NULL;
|
|
|
48b328 |
- krb5_enctype *read_enctypes;
|
|
|
48b328 |
char *vals_supportedEncryptionTypes[] = { NULL, NULL };
|
|
|
48b328 |
LDAPMod mod = { LDAP_MOD_REPLACE, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
|
|
|
48b328 |
LDAPMod *mods[2] = { &mod, NULL };
|
|
|
48b328 |
- int is_2008_or_later;
|
|
|
48b328 |
char *new_value;
|
|
|
48b328 |
LDAP *ldap;
|
|
|
48b328 |
int ret;
|
|
|
48b328 |
|
|
|
48b328 |
- /*
|
|
|
48b328 |
- * Because we're using a keytab we want the server to be aware of the
|
|
|
48b328 |
- * encryption types supported on the client, because we can't dynamically
|
|
|
48b328 |
- * use a new one that's thrown at us.
|
|
|
48b328 |
- *
|
|
|
48b328 |
- * If the encryption types are not explicitly set by the caller of this
|
|
|
48b328 |
- * library, then see if the account already has some encryption types
|
|
|
48b328 |
- * marked on it.
|
|
|
48b328 |
- *
|
|
|
48b328 |
- * If not, write our default set to the account.
|
|
|
48b328 |
- *
|
|
|
48b328 |
- * Note that Windows 2003 and earlier have a standard set of encryption
|
|
|
48b328 |
- * types, and no msDS-supportedEncryptionTypes attribute.
|
|
|
48b328 |
- */
|
|
|
48b328 |
-
|
|
|
48b328 |
ldap = adcli_conn_get_ldap_connection (enroll->conn);
|
|
|
48b328 |
return_unexpected_if_fail (ldap != NULL);
|
|
|
48b328 |
|
|
|
48b328 |
- is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
|
|
|
48b328 |
-
|
|
|
48b328 |
- /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
|
|
|
48b328 |
- if (is_2008_or_later) {
|
|
|
48b328 |
- value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
|
|
|
48b328 |
- "msDS-supportedEncryptionTypes");
|
|
|
48b328 |
-
|
|
|
48b328 |
- if (!enroll->keytab_enctypes_explicit && value != NULL) {
|
|
|
48b328 |
- read_enctypes = _adcli_krb5_parse_enctypes (value);
|
|
|
48b328 |
- if (read_enctypes == NULL) {
|
|
|
48b328 |
- _adcli_warn ("Invalid or unsupported encryption types are set on "
|
|
|
48b328 |
- "the computer account (%s).", value);
|
|
|
48b328 |
- } else {
|
|
|
48b328 |
- free (enroll->keytab_enctypes);
|
|
|
48b328 |
- enroll->keytab_enctypes = read_enctypes;
|
|
|
48b328 |
- }
|
|
|
48b328 |
- }
|
|
|
48b328 |
-
|
|
|
48b328 |
- /* In 2003 or earlier, standard set of enc types */
|
|
|
48b328 |
- } else {
|
|
|
48b328 |
- value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
|
|
|
48b328 |
- }
|
|
|
48b328 |
-
|
|
|
48b328 |
- new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
|
|
|
48b328 |
- if (new_value == NULL) {
|
|
|
48b328 |
- free (value);
|
|
|
48b328 |
- _adcli_warn ("The encryption types desired are not available in active directory");
|
|
|
48b328 |
- return ADCLI_ERR_CONFIG;
|
|
|
48b328 |
- }
|
|
|
48b328 |
-
|
|
|
48b328 |
- /* If we already have this value, then don't need to update */
|
|
|
48b328 |
- if (value && strcmp (new_value, value) == 0) {
|
|
|
48b328 |
- free (value);
|
|
|
48b328 |
+ ret = calculate_enctypes (enroll, &new_value);
|
|
|
48b328 |
+ if (ret != ADCLI_SUCCESS) {
|
|
|
48b328 |
free (new_value);
|
|
|
48b328 |
- return ADCLI_SUCCESS;
|
|
|
48b328 |
+ return ret;
|
|
|
48b328 |
}
|
|
|
48b328 |
- free (value);
|
|
|
48b328 |
|
|
|
48b328 |
- if (!is_2008_or_later) {
|
|
|
48b328 |
- free (new_value);
|
|
|
48b328 |
- _adcli_warn ("Server does not support setting encryption types");
|
|
|
48b328 |
+ if (new_value == NULL) {
|
|
|
48b328 |
return ADCLI_SUCCESS;
|
|
|
48b328 |
}
|
|
|
48b328 |
|
|
|
48b328 |
--
|
|
|
48b328 |
2.14.4
|
|
|
48b328 |
|