Blob Blame History Raw
From 74b52a30c2b142118b7f26f78c014e7bee825e84 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 2 Jun 2021 17:24:07 +0200
Subject: [PATCH 2/2] Add dont-expire-password option

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1769644
---
 doc/adcli.xml      | 28 ++++++++++++++++++++++
 library/adenroll.c | 58 +++++++++++++++++++++++++++++++++++++++++-----
 library/adenroll.h |  4 ++++
 tools/computer.c   | 12 ++++++++++
 4 files changed, 96 insertions(+), 6 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index a64687a..7c2e126 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -347,6 +347,20 @@ Password for Administrator:
 			not allow that Kerberos tickets can be forwarded to the
 			host.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--dont-expire-password=<parameter>yes|no|true|false</parameter></option></term>
+			<listitem><para>Set or unset the DONT_EXPIRE_PASSWORD
+			flag in the userAccountControl attribute to indicate if
+			the machine account password should expire or not. By
+			default adcli will set this flag while joining the
+			domain which corresponds to the default behavior of
+			Windows clients.</para>
+			<para>Please note that if the password will expire
+			(--dont-expire-password=false) a renewal mechanism has
+			to be enabled on the client to not loose the
+			connectivity to AD if the password expires.</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
 			<listitem><para>Add a service principal name. In
@@ -491,6 +505,20 @@ $ adcli update --login-ccache=/tmp/krbcc_123
 			not allow that Kerberos tickets can be forwarded to the
 			host.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--dont-expire-password=<parameter>yes|no|true|false</parameter></option></term>
+			<listitem><para>Set or unset the DONT_EXPIRE_PASSWORD
+			flag in the userAccountControl attribute to indicate if
+			the machine account password should expire or not. By
+			default adcli will set this flag while joining the
+			domain which corresponds to the default behavior of
+			Windows clients.</para>
+			<para>Please note that if the password will expire
+			(--dont-expire-password=false) a renewal mechanism has
+			to be enabled on the client to not loose the
+			connectivity to AD if the password expires.</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
 			<listitem><para>Add a service principal name. In
diff --git a/library/adenroll.c b/library/adenroll.c
index c726093..01f149c 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -152,6 +152,8 @@ struct _adcli_enroll {
 	char *samba_data_tool;
 	bool trusted_for_delegation;
 	int trusted_for_delegation_explicit;
+	bool dont_expire_password;
+	int dont_expire_password_explicit;
 	char *description;
 };
 
@@ -829,6 +831,8 @@ create_computer_account (adcli_enroll *enroll,
 	int ret;
 	size_t c;
 	size_t m;
+	uint32_t uac = UAC_WORKSTATION_TRUST_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD ;
+	char *uac_str = NULL;
 
 	LDAPMod *all_mods[] = {
 		&objectClass,
@@ -849,11 +853,21 @@ create_computer_account (adcli_enroll *enroll,
 	LDAPMod *mods[mods_count];
 
 	if (adcli_enroll_get_trusted_for_delegation (enroll)) {
-		vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */
+		uac |= UAC_TRUSTED_FOR_DELEGATION;
+	}
+
+	if (!adcli_enroll_get_dont_expire_password (enroll)) {
+		uac &= ~(UAC_DONT_EXPIRE_PASSWORD);
+	}
+
+	if (asprintf (&uac_str, "%d", uac) < 0) {
+		return_val_if_reached (ADCLI_ERR_UNEXPECTED);
 	}
+	vals_userAccountControl[0] = uac_str;
 
 	ret = calculate_enctypes (enroll, &val);
 	if (ret != ADCLI_SUCCESS) {
+		free (uac_str);
 		return ret;
 	}
 	vals_supportedEncryptionTypes[0] = val;
@@ -868,6 +882,7 @@ create_computer_account (adcli_enroll *enroll,
 	mods[m] = NULL;
 
 	ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
+	free (uac_str);
 	free (val);
 
 	/*
@@ -1566,10 +1581,20 @@ static char *get_user_account_control (adcli_enroll *enroll)
 		uac = UAC_WORKSTATION_TRUST_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD;
 	}
 
-	if (adcli_enroll_get_trusted_for_delegation (enroll)) {
-		uac |= UAC_TRUSTED_FOR_DELEGATION;
-	} else {
-		uac &= ~(UAC_TRUSTED_FOR_DELEGATION);
+	if (enroll->trusted_for_delegation_explicit) {
+		if (adcli_enroll_get_trusted_for_delegation (enroll)) {
+			uac |= UAC_TRUSTED_FOR_DELEGATION;
+		} else {
+			uac &= ~(UAC_TRUSTED_FOR_DELEGATION);
+		}
+	}
+
+	if (enroll->dont_expire_password_explicit) {
+		if (adcli_enroll_get_dont_expire_password (enroll)) {
+			uac |= UAC_DONT_EXPIRE_PASSWORD;
+		} else {
+			uac &= ~(UAC_DONT_EXPIRE_PASSWORD);
+		}
 	}
 
 	if (asprintf (&uac_str, "%d", uac) < 0) {
@@ -1613,7 +1640,8 @@ update_computer_account (adcli_enroll *enroll)
 	}
 	free (value);
 
-	if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
+	if (res == ADCLI_SUCCESS && (enroll->trusted_for_delegation_explicit ||
+	                             enroll->dont_expire_password_explicit)) {
 		char *vals_userAccountControl[] = { NULL , NULL };
 		LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
 		LDAPMod *mods[] = { &userAccountControl, NULL };
@@ -3194,6 +3222,24 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
 	enroll->trusted_for_delegation_explicit = 1;
 }
 
+bool
+adcli_enroll_get_dont_expire_password (adcli_enroll *enroll)
+{
+	return_val_if_fail (enroll != NULL, false);
+
+	return enroll->dont_expire_password;
+}
+
+void
+adcli_enroll_set_dont_expire_password (adcli_enroll *enroll,
+                                       bool value)
+{
+	return_if_fail (enroll != NULL);
+
+	enroll->dont_expire_password = value;
+	enroll->dont_expire_password_explicit = 1;
+}
+
 void
 adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
 {
diff --git a/library/adenroll.h b/library/adenroll.h
index 11a30c8..5190eb6 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
 void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
                                                             bool value);
 
+bool               adcli_enroll_get_dont_expire_password (adcli_enroll *enroll);
+void               adcli_enroll_set_dont_expire_password (adcli_enroll *enroll,
+                                                          bool value);
+
 const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
 void               adcli_enroll_set_description         (adcli_enroll *enroll,
                                                          const char *value);
diff --git a/tools/computer.c b/tools/computer.c
index 98a0472..954066a 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -110,6 +110,7 @@ typedef enum {
 	opt_add_samba_data,
 	opt_samba_data_tool,
 	opt_trusted_for_delegation,
+	opt_dont_expire_password,
 	opt_add_service_principal,
 	opt_remove_service_principal,
 	opt_description,
@@ -143,6 +144,8 @@ static adcli_tool_desc common_usages[] = {
 	{ opt_computer_password_lifetime, "lifetime of the host accounts password in days", },
 	{ opt_trusted_for_delegation, "set/unset the TRUSTED_FOR_DELEGATION flag\n"
 	                              "in the userAccountControl attribute", },
+	{ opt_dont_expire_password, "set/unset the DONT_EXPIRE_PASSWORD flag\n"
+	                            "in the userAccountControl attribute", },
 	{ opt_add_service_principal, "add the given service principal to the account\n" },
 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
 	{ opt_description, "add a description to the account\n" },
@@ -304,6 +307,13 @@ parse_option (Option opt,
 			adcli_enroll_set_trusted_for_delegation (enroll, false);
 		}
 		return ADCLI_SUCCESS;
+	case opt_dont_expire_password:
+		if (strcasecmp (optarg, "true") == 0 || strcasecmp (optarg, "yes") == 0) {
+			adcli_enroll_set_dont_expire_password (enroll, true);
+		} else {
+			adcli_enroll_set_dont_expire_password (enroll, false);
+		}
+		return ADCLI_SUCCESS;
 	case opt_add_service_principal:
 		adcli_enroll_add_service_principal_to_add (enroll, optarg);
 		return ADCLI_SUCCESS;
@@ -383,6 +393,7 @@ adcli_tool_computer_join (adcli_conn *conn,
 		{ "description", optional_argument, NULL, opt_description },
 		{ "user-principal", optional_argument, NULL, opt_user_principal },
 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+		{ "dont-expire-password", required_argument, NULL, opt_dont_expire_password },
 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
 		{ "show-details", no_argument, NULL, opt_show_details },
 		{ "show-password", no_argument, NULL, opt_show_password },
@@ -504,6 +515,7 @@ adcli_tool_computer_update (adcli_conn *conn,
 		{ "user-principal", optional_argument, NULL, opt_user_principal },
 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+		{ "dont-expire-password", required_argument, NULL, opt_dont_expire_password },
 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
 		{ "remove-service-principal", required_argument, NULL, opt_remove_service_principal },
 		{ "show-details", no_argument, NULL, opt_show_details },
-- 
2.31.1