is a program for interoperability with Active Directory.
| msktutil.cpp (msktutil-1.1.tar.bz2) | : | msktutil.cpp (msktutil-1.2.1) |
|---|
| | |
| skipping to change at line 101 | | skipping to change at line 101 |
|---|
| remove_files_at_exit(); | | remove_files_at_exit(); |
| exit(1); | | exit(1); |
| } | | } |
| | |
| void set_supportedEncryptionTypes(msktutil_flags *flags, char * value) | | void set_supportedEncryptionTypes(msktutil_flags *flags, char * value) |
| { | | { |
| flags->enctypes = VALUE_ON; | | flags->enctypes = VALUE_ON; |
| flags->supportedEncryptionTypes = strtol(value, NULL, 0); | | flags->supportedEncryptionTypes = strtol(value, NULL, 0); |
| } | | } |
| | |
|
| void set_cleanup_enctype(msktutil_flags *flags, char * value) | | /* Parse string representation of enctype into numeric krb5 enctype |
| | * (not to be mistaken with the numeric AD enctype!) |
| | */ |
| | int parse_enctype(const std::string &value) |
| { | | { |
|
| int enctype = -1; | | int enctype; |
| if (sform(value).compare(sform("des-cbc-crc")) == 0) { | | |
| | if ("des-cbc-crc" == value) |
| enctype = 1; | | enctype = 1; |
|
| } else if (sform(value).compare(sform("des-cbc-md5")) == 0) { | | else if ("des-cbc-md5" == value) |
| enctype = 3; | | enctype = 3; |
|
| } else if ((sform(value).compare(sform("arcfour-hmac-md5")) == 0) || | | else if ("arcfour-hmac-md5" == value || |
| (sform(value).compare(sform("arcfour-hmac")) == 0) || | | "arcfour-hmac" == value || |
| (sform(value).compare(sform("arcfour")) == 0) || | | "arcfour" == value || |
| (sform(value).compare(sform("rc4-hmac-md5")) == 0) || | | "rc4-hmac-md5" == value || |
| (sform(value).compare(sform("rc4-hmac")) == 0) || | | "rc4-hmac" == value || |
| (sform(value).compare(sform("rc4")) == 0)) { | | "rc4" == value) |
| enctype = 23; | | enctype = 23; |
|
| } else if ((sform(value).compare(sform("aes128-cts-hmac-sha1-96")) == 0) || | | else if ("aes128-cts-hmac-sha1-96" == value || |
| (sform(value).compare(sform("aes128-cts-hmac-sha1")) == 0) || | | "aes128-cts-hmac-sha1" == value || |
| (sform(value).compare(sform("aes128-cts-hmac")) == 0) || | | "aes128-cts-hmac" == value || |
| (sform(value).compare(sform("aes128-cts")) == 0) || | | "aes128-cts" == value || |
| (sform(value).compare(sform("aes128")) == 0)) { | | "aes128" == value) |
| enctype = 17; | | enctype = 17; |
|
| } else if ((sform(value).compare(sform("aes256-cts-hmac-sha1-96")) == 0) || | | else if ("aes256-cts-hmac-sha1-96" == value || |
| (sform(value).compare(sform("aes256-cts-hmac-sha1")) == 0) || | | "aes256-cts-hmac-sha1" == value || |
| (sform(value).compare(sform("aes256-cts-hmac")) == 0) || | | "aes256-cts-hmac" == value || |
| (sform(value).compare(sform("aes256-cts")) == 0) || | | "aes256-cts" == value || |
| (sform(value).compare(sform("aes256")) == 0)) { | | "aes256" == value) |
| enctype = 18; | | enctype = 18; |
|
| } else { | | else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: enctype = %s not supported. " | | "Error: enctype %s not supported. " |
| "Supported enctype strings are\n", value | | "Supported enctype strings are\n", value.c_str() |
| ); | | ); |
| fprintf(stderr, " des-cbc-crc\n"); | | fprintf(stderr, " des-cbc-crc\n"); |
| fprintf(stderr, " des-cbc-md5\n"); | | fprintf(stderr, " des-cbc-md5\n"); |
| fprintf(stderr, " arcfour\n"); | | fprintf(stderr, " arcfour\n"); |
| fprintf(stderr, " aes128\n"); | | fprintf(stderr, " aes128\n"); |
| fprintf(stderr, " aes256\n"); | | fprintf(stderr, " aes256\n"); |
| exit(1); | | exit(1); |
| } | | } |
|
| flags->cleanup_enctype = enctype; | | |
| | return enctype; |
| } | | } |
| | |
| void do_verbose() | | void do_verbose() |
| { | | { |
| g_verbose++; /* allow for ldap debuging */ | | g_verbose++; /* allow for ldap debuging */ |
| } | | } |
| | |
| void qualify_principal_vec(std::vector<std::string> &principals, | | void qualify_principal_vec(std::vector<std::string> &principals, |
|
| const std::string &hostname) | | msktutil_flags *flags) |
| { | | { |
|
| for(size_t i = 0; i < principals.size(); ++i) { | | std::string short_hostname; |
| /* If no hostname part, add it: */ | | std::string::size_type len = principals.size(); |
| if (principals[i].find('/') == std::string::npos) { | | |
| if (hostname.empty()) { | | if (!flags->hostname.empty()) { |
| fprintf(stderr, | | short_hostname = get_short_hostname(flags); |
| "Error: default hostname unspecified, " | | if (flags->hostname == short_hostname) |
| "and service argument missing hostname.\n" | | short_hostname = ""; |
| ); | | } |
| exit(1); | | |
| } | | for(size_t i = 0; i < len; ++i) { |
| principals[i].append("/").append(hostname); | | if (principals[i].find('/') != std::string::npos) { |
| | /* Nothing to do for principals that are already qualified */ |
| | continue; |
| } | | } |
|
| | |
| | if (flags->hostname.empty()) { |
| | fprintf(stderr, |
| | "Error: default hostname unspecified, " |
| | "and service argument missing hostname.\n" |
| | ); |
| | exit(1); |
| | } |
| | |
| | /* Modify unqualified entry in-place by appending (full) hostname |
| | * and add another entry to the back of the list qualified with |
| | * the short hostname (if different from long hostname) */ |
| | if (!short_hostname.empty()) |
| | principals.push_back(principals[i] + "/" + short_hostname); |
| | principals[i].append("/").append(flags->hostname); |
| } | | } |
| } | | } |
| | |
| int finalize_exec(msktutil_exec *exec, msktutil_flags *flags) | | int finalize_exec(msktutil_exec *exec, msktutil_flags *flags) |
| { | | { |
| int ret; | | int ret; |
| | |
| char *temp_realm; | | char *temp_realm; |
| if (flags->realm_name.empty()) { | | if (flags->realm_name.empty()) { |
| if (krb5_get_default_realm(g_context, &temp_realm)) { | | if (krb5_get_default_realm(g_context, &temp_realm)) { |
| | |
| skipping to change at line 270 | | skipping to change at line 292 |
|---|
| i<flags->sAMAccountName_uppercase.length(); | | i<flags->sAMAccountName_uppercase.length(); |
| ++i) { | | ++i) { |
| flags->sAMAccountName_uppercase[i] | | flags->sAMAccountName_uppercase[i] |
| = toupper(flags->sAMAccountName_uppercase[i]); | | = toupper(flags->sAMAccountName_uppercase[i]); |
| } | | } |
| | |
| /* The sAMAccountName will cause win 9x, NT problems if longer | | /* The sAMAccountName will cause win 9x, NT problems if longer |
| * than MAX_SAM_ACCOUNT_LEN characters */ | | * than MAX_SAM_ACCOUNT_LEN characters */ |
| if (flags->sAMAccountName.length() > MAX_SAM_ACCOUNT_LEN) { | | if (flags->sAMAccountName.length() > MAX_SAM_ACCOUNT_LEN) { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: The SAM name (%s) for this host is longer " | | "Error: The sAMAccountName %s for this host is longer " |
| "than the maximum of MAX_SAM_ACCOUNT_LEN characters\n", | | "than the maximum of MAX_SAM_ACCOUNT_LEN characters\n", |
| flags->sAMAccountName.c_str() | | flags->sAMAccountName.c_str() |
| ); | | ); |
| fprintf(stderr, | | fprintf(stderr, |
| "Error: You can specify a shorter name using " | | "Error: You can specify a shorter name using " |
| "--computer-name\n" | | "--computer-name\n" |
| ); | | ); |
| exit(1); | | exit(1); |
| } | | } |
|
| VERBOSE("SAM Account Name is: %s", flags->sAMAccountName.c_str()); | | VERBOSE("sAMAccountName: %s", flags->sAMAccountName.c_str()); |
| | |
| | if (exec->mode == MODE_CREATE && !flags->use_service_account) { |
| | exec->add_principals.push_back("host"); |
| | } |
| | |
| /* Qualify entries in the principals list */ | | /* Qualify entries in the principals list */ |
|
| qualify_principal_vec(exec->add_principals, flags->hostname); | | qualify_principal_vec(exec->add_principals, flags); |
| qualify_principal_vec(exec->remove_principals, flags->hostname); | | qualify_principal_vec(exec->remove_principals, flags); |
| | |
| /* Now, try to get kerberos credentials in order to connect to | | /* Now, try to get kerberos credentials in order to connect to |
| * LDAP. */ | | * LDAP. */ |
| flags->auth_type = find_working_creds(flags); | | flags->auth_type = find_working_creds(flags); |
| if (flags->auth_type == AUTH_NONE) { | | if (flags->auth_type == AUTH_NONE) { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: could not find any credentials to authenticate with. " | | "Error: Could not find any credentials to authenticate with. " |
| "Neither keytab,\n" | | "Neither keytab,\n" |
| "default machine password, nor calling user's tickets worked. " | | "default machine password, nor calling user's tickets worked. " |
| "Try\n\"kinit\"ing yourself some tickets with permission to " | | "Try\n\"kinit\"ing yourself some tickets with permission to " |
| "create computer\nobjects, or pre-creating the computer " | | "create computer\nobjects, or pre-creating the computer " |
| "object in AD and selecting\n'reset account'.\n" | | "object in AD and selecting\n'reset account'.\n" |
| ); | | ); |
| exit(1); | | exit(1); |
| } | | } |
| | |
| /* If we didn't get kerberos credentials because the old passord | | /* If we didn't get kerberos credentials because the old passord |
| | |
| skipping to change at line 319 | | skipping to change at line 345 |
|---|
| } | | } |
| if (!get_creds(flags)) { | | if (!get_creds(flags)) { |
| fprintf(stderr, "Error: failed to get kerberos credentials\n"); | | fprintf(stderr, "Error: failed to get kerberos credentials\n"); |
| exit(1); | | exit(1); |
| } | | } |
| } | | } |
| | |
| VERBOSE("Authenticated using method %d", flags->auth_type); | | VERBOSE("Authenticated using method %d", flags->auth_type); |
| | |
| flags->ldap = new LDAPConnection(flags->server, | | flags->ldap = new LDAPConnection(flags->server, |
|
| | flags->sasl_mechanisms, |
| flags->no_reverse_lookups); | | flags->no_reverse_lookups); |
| | |
| if (!flags->ldap->is_connected()) { | | if (!flags->ldap->is_connected()) { |
| fprintf(stderr, "Error: ldap_connect failed\n"); | | fprintf(stderr, "Error: ldap_connect failed\n"); |
| /* Print a hint as to the likely cause: */ | | /* Print a hint as to the likely cause: */ |
| if (flags->auth_type == AUTH_FROM_USER_CREDS) { | | if (flags->auth_type == AUTH_FROM_USER_CREDS) { |
| fprintf(stderr, "--> Is your kerberos ticket expired? " | | fprintf(stderr, "--> Is your kerberos ticket expired? " |
| "You might try re-\"kinit\"ing.\n" | | "You might try re-\"kinit\"ing.\n" |
| ); | | ); |
| } | | } |
| | |
| skipping to change at line 464 | | skipping to change at line 491 |
|---|
| fprintf(stdout, " -N, --no-reverse-lookups\n"); | | fprintf(stdout, " -N, --no-reverse-lookups\n"); |
| fprintf(stdout, " Don't reverse-lookup the domain co
ntroller.\n"); | | fprintf(stdout, " Don't reverse-lookup the domain co
ntroller.\n"); |
| fprintf(stdout, " -n, --no-canonical-name\n"); | | fprintf(stdout, " -n, --no-canonical-name\n"); |
| fprintf(stdout, " Do not attempt to canonicalize hos
tname while\n"); | | fprintf(stdout, " Do not attempt to canonicalize hos
tname while\n"); |
| fprintf(stdout, " creating Kerberos principal(s).\n"
); | | fprintf(stdout, " creating Kerberos principal(s).\n"
); |
| fprintf(stdout, " --user-creds-only Don't attempt to authenticate with
machine keytab:\n"); | | fprintf(stdout, " --user-creds-only Don't attempt to authenticate with
machine keytab:\n"); |
| fprintf(stdout, " only use user's credentials (from
e.g. kinit).\n"); | | fprintf(stdout, " only use user's credentials (from
e.g. kinit).\n"); |
| fprintf(stdout, " --auto-update-interval <days>\n"); | | fprintf(stdout, " --auto-update-interval <days>\n"); |
| fprintf(stdout, " Number of <days> when auto-update
will change the\n"); | | fprintf(stdout, " Number of <days> when auto-update
will change the\n"); |
| fprintf(stdout, " account password. Defaults to 30 d
ays.\n"); | | fprintf(stdout, " account password. Defaults to 30 d
ays.\n"); |
|
| | fprintf(stdout, " -m, --sasl-mechanisms <mechanisms list>\n"); |
| | fprintf(stdout, " Candidate SASL mechanisms to use w |
| | hen performing\n"); |
| | fprintf(stdout, " the LDAP bind. Defaults to \"GSS-S |
| | PNEGO GSSAPI\".\n"); |
| fprintf(stdout, "\n"); | | fprintf(stdout, "\n"); |
| fprintf(stdout, "Object type/attribute-setting options:\n"); | | fprintf(stdout, "Object type/attribute-setting options:\n"); |
| fprintf(stdout, " --use-service-account Create and maintain service accoun
t instead of\n"); | | fprintf(stdout, " --use-service-account Create and maintain service accoun
t instead of\n"); |
| fprintf(stdout, " machine account.\n"); | | fprintf(stdout, " machine account.\n"); |
| fprintf(stdout, " --enable Enable the account.\n"); | | fprintf(stdout, " --enable Enable the account.\n"); |
| fprintf(stdout, " --delegation Set the account to be trusted for
delegation.\n"); | | fprintf(stdout, " --delegation Set the account to be trusted for
delegation.\n"); |
| fprintf(stdout, " --disable-delegation Set the account to not be trusted
for\n"); | | fprintf(stdout, " --disable-delegation Set the account to not be trusted
for\n"); |
| fprintf(stdout, " delegation.\n"); | | fprintf(stdout, " delegation.\n"); |
| fprintf(stdout, " --description <text> Sets the description field on the
account.\n"); | | fprintf(stdout, " --description <text> Sets the description field on the
account.\n"); |
| fprintf(stdout, " --dont-expire-password Disables password expiration for t
he account.\n"); | | fprintf(stdout, " --dont-expire-password Disables password expiration for t
he account.\n"); |
| | |
| skipping to change at line 488 | | skipping to change at line 518 |
|---|
| fprintf(stdout, " (OR of: 0x1=des-cbc-crc 0x2=des-cb
c-md5\n"); | | fprintf(stdout, " (OR of: 0x1=des-cbc-crc 0x2=des-cb
c-md5\n"); |
| fprintf(stdout, " 0x4=rc4-hmac-md5 0x8=aes12
8-cts-hmac-sha1\n"); | | fprintf(stdout, " 0x4=rc4-hmac-md5 0x8=aes12
8-cts-hmac-sha1\n"); |
| fprintf(stdout, " 0x10=aes256-cts-hmac-sha1)
\n"); | | fprintf(stdout, " 0x10=aes256-cts-hmac-sha1)
\n"); |
| fprintf(stdout, " Sets des-only in userAccountContro
l if set to 0x3.\n"); | | fprintf(stdout, " Sets des-only in userAccountContro
l if set to 0x3.\n"); |
| fprintf(stdout, " --allow-weak-crypto Enables the usage of DES keys for
authentication\n"); | | fprintf(stdout, " --allow-weak-crypto Enables the usage of DES keys for
authentication\n"); |
| fprintf(stdout, " --no-pac Sets the service principal to not
include a PAC.\n"); | | fprintf(stdout, " --no-pac Sets the service principal to not
include a PAC.\n"); |
| fprintf(stdout, " --disable-no-pac Sets the service principal to incl
ude a PAC.\n"); | | fprintf(stdout, " --disable-no-pac Sets the service principal to incl
ude a PAC.\n"); |
| fprintf(stdout, " -s, --service <name> Adds the service <name> for the cu
rrent host or the\n"); | | fprintf(stdout, " -s, --service <name> Adds the service <name> for the cu
rrent host or the\n"); |
| fprintf(stdout, " given service account. The service
is of the form\n"); | | fprintf(stdout, " given service account. The service
is of the form\n"); |
| fprintf(stdout, " <service>/<hostname>.\n"); | | fprintf(stdout, " <service>/<hostname>.\n"); |
|
| fprintf(stdout, " If the hostname is omitted, assume | | fprintf(stdout, " If the hostname is omitted, assume |
| s current hostname.\n"); | | s current hostname,\n"); |
| | fprintf(stdout, " and adds the short and the full ho |
| | stname.\n"); |
| | fprintf(stdout, " Default for service accounts: None |
| | "); |
| fprintf(stdout, " --remove-service <name> Same, but removes instead of adds
.\n"); | | fprintf(stdout, " --remove-service <name> Same, but removes instead of adds
.\n"); |
| fprintf(stdout, " --upn <principal> Set the user principal name to be
<principal>.\n"); | | fprintf(stdout, " --upn <principal> Set the user principal name to be
<principal>.\n"); |
| fprintf(stdout, " The realm name will be appended to
this principal.\n"); | | fprintf(stdout, " The realm name will be appended to
this principal.\n"); |
| fprintf(stdout, " --set-samba-secret Use the net changesecretpw command
to locally set the\n"); | | fprintf(stdout, " --set-samba-secret Use the net changesecretpw command
to locally set the\n"); |
| fprintf(stdout, " machine account password in samba'
s secrets.tdb.\n"); | | fprintf(stdout, " machine account password in samba'
s secrets.tdb.\n"); |
| fprintf(stdout, " $PATH need to include Samba's net
command.\n"); | | fprintf(stdout, " $PATH need to include Samba's net
command.\n"); |
|
| | fprintf(stdout, " --use-samba-cmd <command> Use the supplied command instea |
| | d of samba\n"); |
| | fprintf(stdout, " net changesecretpw.\n"); |
| fprintf(stdout, " --check-replication Wait until password change is refl
ected in LDAP.\n"); | | fprintf(stdout, " --check-replication Wait until password change is refl
ected in LDAP.\n"); |
| fprintf(stdout, "\n"); | | fprintf(stdout, "\n"); |
| fprintf(stdout, "Cleanup options:\n"); | | fprintf(stdout, "Cleanup options:\n"); |
| fprintf(stdout, " --remove-old <number> Removes entries older than <number
> days\n"); | | fprintf(stdout, " --remove-old <number> Removes entries older than <number
> days\n"); |
| fprintf(stdout, " --remove-enctype <enctype>\n"); | | fprintf(stdout, " --remove-enctype <enctype>\n"); |
| fprintf(stdout, " Removes entries with given <enctyp
e>. Supported enctype\n"); | | fprintf(stdout, " Removes entries with given <enctyp
e>. Supported enctype\n"); |
| fprintf(stdout, " strings are: des-cbc-crc,des-cbc-m
d5, arcfour, aes128\n"); | | fprintf(stdout, " strings are: des-cbc-crc,des-cbc-m
d5, arcfour, aes128\n"); |
| fprintf(stdout, " and aes256\n"); | | fprintf(stdout, " and aes256\n"); |
| } | | } |
| | |
| | |
| skipping to change at line 567 | | skipping to change at line 601 |
|---|
| } | | } |
| ret = finalize_exec(exec, flags); | | ret = finalize_exec(exec, flags); |
| | |
| if (ret) { | | if (ret) { |
| fprintf(stderr, "Error: finalize_exec failed\n"); | | fprintf(stderr, "Error: finalize_exec failed\n"); |
| exit(ret); | | exit(ret); |
| } | | } |
| if (exec->mode == MODE_FLUSH) { | | if (exec->mode == MODE_FLUSH) { |
| if (flags->use_service_account) { | | if (flags->use_service_account) { |
| fprintf(stdout, | | fprintf(stdout, |
|
| "Flushing all entries for service account %s from the keytab
%s\n", | | "Flushing all entries for service account %s from keytab %s\
n", |
| flags->sAMAccountName.c_str(), | | flags->sAMAccountName.c_str(), |
| flags->keytab_writename.c_str()); | | flags->keytab_writename.c_str()); |
| } else { | | } else { |
| fprintf(stdout, | | fprintf(stdout, |
|
| "Flushing all entries for %s from the keytab %s\n", | | "Flushing all entries for %s from keytab %s\n", |
| flags->hostname.c_str(), | | flags->hostname.c_str(), |
| flags->keytab_writename.c_str()); | | flags->keytab_writename.c_str()); |
| } | | } |
| ret = flush_keytab(flags); | | ret = flush_keytab(flags); |
| return ret; | | return ret; |
|
| | } else if (exec->mode == MODE_DELETE) { |
| | ret = ldap_delete_account(flags); |
| | return ret; |
| } else if (exec->mode == MODE_CREATE || | | } else if (exec->mode == MODE_CREATE || |
| exec->mode == MODE_UPDATE || | | exec->mode == MODE_UPDATE || |
| exec->mode == MODE_AUTO_UPDATE) { | | exec->mode == MODE_AUTO_UPDATE) { |
| if (exec->mode == MODE_AUTO_UPDATE) { | | if (exec->mode == MODE_AUTO_UPDATE) { |
| if (flags->auth_type == AUTH_FROM_SAM_KEYTAB || | | if (flags->auth_type == AUTH_FROM_SAM_KEYTAB || |
| flags->auth_type == AUTH_FROM_SAM_UPPERCASE_KEYTAB || | | flags->auth_type == AUTH_FROM_SAM_UPPERCASE_KEYTAB || |
| flags->auth_type == AUTH_FROM_EXPLICIT_KEYTAB) { | | flags->auth_type == AUTH_FROM_EXPLICIT_KEYTAB) { |
| std::string pwdLastSet = ldap_get_pwdLastSet(flags); | | std::string pwdLastSet = ldap_get_pwdLastSet(flags); |
| /* Windows timestamp is in | | /* Windows timestamp is in |
| * 100-nanoseconds-since-1601. (or, tenths of | | * 100-nanoseconds-since-1601. (or, tenths of |
| | |
| skipping to change at line 618 | | skipping to change at line 655 |
|---|
| return 0; | | return 0; |
| } | | } |
| } | | } |
| } | | } |
| | |
| /* Check if computer account exists, update if so, create if | | /* Check if computer account exists, update if so, create if |
| * not. */ | | * not. */ |
| if (! ldap_check_account(flags)) { | | if (! ldap_check_account(flags)) { |
| if (flags->password.empty()) { | | if (flags->password.empty()) { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: a new AD account needs to be created " | | "Error: A new AD account needs to be created " |
| "but there is no password."); | | "but there is no password."); |
| if (flags->dont_change_password) { | | if (flags->dont_change_password) { |
| fprintf(stderr, | | fprintf(stderr, |
| " Please provide a password with " | | " Please provide a password with " |
| "--old-account-password <password>"); | | "--old-account-password <password>"); |
| } | | } |
| fprintf(stderr, "\n"); | | fprintf(stderr, "\n"); |
| exit(1); | | exit(1); |
| } else { | | } else { |
| ldap_create_account(flags); | | ldap_create_account(flags); |
| | |
| skipping to change at line 680 | | skipping to change at line 717 |
|---|
| } | | } |
| } | | } |
| | |
| /* Add and remove principals to servicePrincipalName in LDAP.*/ | | /* Add and remove principals to servicePrincipalName in LDAP.*/ |
| add_and_remove_principals(exec); | | add_and_remove_principals(exec); |
| | |
| remove_keytab_entries(flags, exec->remove_principals); | | remove_keytab_entries(flags, exec->remove_principals); |
| | |
| /* update keytab */ | | /* update keytab */ |
| if (flags->use_service_account) { | | if (flags->use_service_account) { |
|
| VERBOSE("Updating all entries for service account %s in the keytab %
s", | | VERBOSE("Updating all entries for service account %s in keytab %s", |
| flags->sAMAccountName.c_str(), | | flags->sAMAccountName.c_str(), |
| flags->keytab_writename.c_str()); | | flags->keytab_writename.c_str()); |
| } else { | | } else { |
|
| VERBOSE("Updating all entries for computer account %s in the keytab
%s", | | VERBOSE("Updating all entries for computer account %s in keytab %s", |
| flags->sAMAccountName.c_str(), | | flags->sAMAccountName.c_str(), |
| flags->keytab_writename.c_str()); | | flags->keytab_writename.c_str()); |
| } | | } |
| update_keytab(flags); | | update_keytab(flags); |
| | |
| add_keytab_entries(flags); | | add_keytab_entries(flags); |
| | |
| wait_for_new_kvno(flags); | | wait_for_new_kvno(flags); |
| return ret; | | return ret; |
| } else if (exec->mode == MODE_PRECREATE) { | | } else if (exec->mode == MODE_PRECREATE) { |
| | |
| skipping to change at line 716 | | skipping to change at line 753 |
|---|
| if (ret) { | | if (ret) { |
| fprintf(stderr, "Error: set_password failed\n"); | | fprintf(stderr, "Error: set_password failed\n"); |
| return ret; | | return ret; |
| } | | } |
| | |
| /* And add and remove principals to servicePrincipalName in | | /* And add and remove principals to servicePrincipalName in |
| * LDAP. */ | | * LDAP. */ |
| add_and_remove_principals(exec); | | add_and_remove_principals(exec); |
| wait_for_new_kvno(flags); | | wait_for_new_kvno(flags); |
| return ret; | | return ret; |
|
| | } else if (exec->mode == MODE_RESET) { |
| | /* reset mode will only work for machine accounts:*/ |
| | if (flags->use_service_account) { |
| | fprintf(stderr, "Error: \"reset\" mode and " |
| | "\"--use-service-account\" are " |
| | "mutually exclusive\n"); |
| | return 1; |
| | } |
| | |
| | /* Change account password to default value: */ |
| | flags->password = create_default_machine_password( |
| | flags->sAMAccountName); |
| | |
| | /* Check if computer account exists, update if so, error if |
| | * not. */ |
| | if (!ldap_check_account(flags)) { |
| | fprintf(stderr, "Error: The account %s does " |
| | "not exist and cannot be " |
| | "reset\n", flags->sAMAccountName.c_str()); |
| | return 1; |
| | } |
| | |
| | /* Set the password. */ |
| | ret = set_password(flags); |
| | if (ret) { |
| | fprintf(stderr, "Error: set_password failed\n"); |
| | return ret; |
| | } |
| | wait_for_new_kvno(flags); |
| | return ret; |
| } else if (exec->mode == MODE_CLEANUP) { | | } else if (exec->mode == MODE_CLEANUP) { |
|
| fprintf(stdout, "Cleaning keytab %s\n", | | fprintf(stdout, "Cleaning keytab: %s\n", |
| flags->keytab_writename.c_str()); | | flags->keytab_writename.c_str()); |
| cleanup_keytab(flags); | | cleanup_keytab(flags); |
| return 0; | | return 0; |
| } | | } |
| | |
| return 0; | | return 0; |
| } | | } |
| | |
| void msktutil_exec::set_mode(msktutil_mode mode) { | | void msktutil_exec::set_mode(msktutil_mode mode) { |
| if (this->mode != MODE_NONE) { | | if (this->mode != MODE_NONE) { |
|
| fprintf(stderr, "Error: only one mode argument may be provided.\n"); | | fprintf(stderr, "Error: Only one mode argument may be provided.\n"); |
| fprintf(stderr, "\nFor help, try running %s --help\n\n", PACKAGE_NAME); | | fprintf(stderr, "\nFor help, try running %s --help\n\n", PACKAGE_NAME); |
| exit(1); | | exit(1); |
| } | | } |
| this->mode = mode; | | this->mode = mode; |
| } | | } |
| | |
| Globals *Globals::instance; | | Globals *Globals::instance; |
| | |
| int main(int argc, char *argv []) | | int main(int argc, char *argv []) |
| { | | { |
| | |
| skipping to change at line 765 | | skipping to change at line 832 |
|---|
| } else if (!strcmp(argv[1], "auto-update")) { | | } else if (!strcmp(argv[1], "auto-update")) { |
| exec->set_mode(MODE_AUTO_UPDATE); | | exec->set_mode(MODE_AUTO_UPDATE); |
| } else if (!strcmp(argv[1], "pre-create")) { | | } else if (!strcmp(argv[1], "pre-create")) { |
| exec->set_mode(MODE_PRECREATE); | | exec->set_mode(MODE_PRECREATE); |
| } else if (!strcmp(argv[1], "flush")) { | | } else if (!strcmp(argv[1], "flush")) { |
| exec->set_mode(MODE_FLUSH); | | exec->set_mode(MODE_FLUSH); |
| } else if (!strcmp(argv[1], "cleanup")) { | | } else if (!strcmp(argv[1], "cleanup")) { |
| exec->set_mode(MODE_CLEANUP); | | exec->set_mode(MODE_CLEANUP); |
| } else if (!strcmp(argv[1], "delete")) { | | } else if (!strcmp(argv[1], "delete")) { |
| exec->set_mode(MODE_DELETE); | | exec->set_mode(MODE_DELETE); |
|
| | } else if (!strcmp(argv[1], "reset")) { |
| | exec->set_mode(MODE_RESET); |
| } | | } |
| } | | } |
| | |
| if (exec->mode == MODE_NONE) { | | if (exec->mode == MODE_NONE) { |
| /* compatibility for old command line syntax (e.g. "--create" | | /* compatibility for old command line syntax (e.g. "--create" |
| * or "-c" instead of "create") */ | | * or "-c" instead of "create") */ |
| start_i = 1; | | start_i = 1; |
| } | | } |
| | |
| for (i = start_i; i < argc; i++) { | | for (i = start_i; i < argc; i++) { |
| | |
| skipping to change at line 825 | | skipping to change at line 894 |
|---|
| flags->user_creds_only = true; | | flags->user_creds_only = true; |
| continue; | | continue; |
| } | | } |
| | |
| /* Service Principal Name */ | | /* Service Principal Name */ |
| if (!strcmp(argv[i], "--service") || !strcmp(argv[i], "-s")) { | | if (!strcmp(argv[i], "--service") || !strcmp(argv[i], "-s")) { |
| if (++i < argc) { | | if (++i < argc) { |
| exec->add_principals.push_back(argv[i]); | | exec->add_principals.push_back(argv[i]); |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No service principal given after '%s'\n", | | "Error: no service principal given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| if (!strcmp(argv[i], "--remove-service")) { | | if (!strcmp(argv[i], "--remove-service")) { |
| if (++i < argc) { | | if (++i < argc) { |
| exec->remove_principals.push_back(argv[i]); | | exec->remove_principals.push_back(argv[i]); |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No service principal given after '%s'\n", | | "Error: no service principal given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* Host name */ | | /* Host name */ |
| if (!strcmp(argv[i], "--host") || | | if (!strcmp(argv[i], "--host") || |
| !strcmp(argv[i], "--hostname") || | | !strcmp(argv[i], "--hostname") || |
| !strcmp(argv[i], "-h")) { | | !strcmp(argv[i], "-h")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->hostname = argv[i]; | | flags->hostname = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No name given after '%s'\n", | | "Error: no name given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* no canonical name */ | | /* no canonical name */ |
| if (!strcmp(argv[i], "--no-canonical-name") || | | if (!strcmp(argv[i], "--no-canonical-name") || |
| !strcmp(argv[i], "-n")) { | | !strcmp(argv[i], "-n")) { |
| flags->no_canonical_name = true; | | flags->no_canonical_name = true; |
| continue; | | continue; |
| } | | } |
| | |
| /* computer password */ | | /* computer password */ |
| if (!strcmp(argv[i], "--old-account-password")) { | | if (!strcmp(argv[i], "--old-account-password")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->old_account_password = argv[i]; | | flags->old_account_password = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No password given after '%s'\n", | | "Error: no password given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| if (!strcmp(argv[i], "--password")) { | | if (!strcmp(argv[i], "--password")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->password_from_cmdline = true; | | flags->password_from_cmdline = true; |
| flags->password = argv[i]; | | flags->password = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No password given after '%s'\n", | | "Error: no password given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* do not change the password */ | | /* do not change the password */ |
| if (!strcmp(argv[i], "--dont-change-password")) { | | if (!strcmp(argv[i], "--dont-change-password")) { |
| flags->dont_change_password = true; | | flags->dont_change_password = true; |
| continue; | | continue; |
| } | | } |
| | |
| /* site */ | | /* site */ |
| if (!strcmp(argv[i], "--site")) { | | if (!strcmp(argv[i], "--site")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->site = argv[i]; | | flags->site = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No site given after '%s'\n", | | "Error: no site given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* W2008 msDs-supportedEncryptionTypes */ | | /* W2008 msDs-supportedEncryptionTypes */ |
| if (!strcmp(argv[i], "--enctypes")) { | | if (!strcmp(argv[i], "--enctypes")) { |
| if (++i < argc) { | | if (++i < argc) { |
| set_supportedEncryptionTypes(flags, argv[i]); | | set_supportedEncryptionTypes(flags, argv[i]); |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No enctype after '%s'\n", | | "Error: no enctype after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* Re-activate DES encryption in fake krb5.conf */ | | /* Re-activate DES encryption in fake krb5.conf */ |
| if (!strcmp(argv[i], "--allow-weak-crypto")) { | | if (!strcmp(argv[i], "--allow-weak-crypto")) { |
| flags->allow_weak_crypto = true; | | flags->allow_weak_crypto = true; |
| | |
| skipping to change at line 992 | | skipping to change at line 1061 |
|---|
| continue; | | continue; |
| } | | } |
| | |
| /* Use a certain sam account name */ | | /* Use a certain sam account name */ |
| if (!strcmp(argv[i], "--computer-name") || | | if (!strcmp(argv[i], "--computer-name") || |
| !strcmp(argv[i], "--account-name")) { | | !strcmp(argv[i], "--account-name")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->sAMAccountName = argv[i]; | | flags->sAMAccountName = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No name given after '%s'\n", | | "Error: no name given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| if (!strcmp(argv[i], "--upn")) { | | if (!strcmp(argv[i], "--upn")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->set_userPrincipalName = true; | | flags->set_userPrincipalName = true; |
| flags->userPrincipalName = argv[i]; | | flags->userPrincipalName = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No principal given after '%s'\n", | | "Error: no principal given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* Use certain keytab file */ | | /* Use certain keytab file */ |
| if (!strcmp(argv[i], "--keytab") || !strcmp(argv[i], "-k")) { | | if (!strcmp(argv[i], "--keytab") || !strcmp(argv[i], "-k")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->keytab_file = argv[i]; | | flags->keytab_file = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No file given after '%s'\n", | | "Error: no file given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* Use a certain LDAP base OU ? */ | | /* Use a certain LDAP base OU ? */ |
| if (!strcmp(argv[i], "--base") || !strcmp(argv[i], "-b")) { | | if (!strcmp(argv[i], "--base") || !strcmp(argv[i], "-b")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->ldap_ou = argv[i]; | | flags->ldap_ou = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No base given after '%s'\n", | | "Error: no base given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* Set the description on the computer account */ | | /* Set the description on the computer account */ |
| if (!strcmp(argv[i], "--description")) { | | if (!strcmp(argv[i], "--description")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->description = argv[i]; | | flags->description = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No description given after '%s'\n", | | "Error: no description given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* Use a certain LDAP server */ | | /* Use a certain LDAP server */ |
| if (!strcmp(argv[i], "--server")) { | | if (!strcmp(argv[i], "--server")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->server = argv[i]; | | flags->server = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No server given after '%s'\n", | | "Error: no server given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* ignore server IP validation error caused by NAT */ | | /* ignore server IP validation error caused by NAT */ |
| if (!strcmp(argv[i], "--server-behind-nat")) { | | if (!strcmp(argv[i], "--server-behind-nat")) { |
| flags->server_behind_nat = true; | | flags->server_behind_nat = true; |
| continue; | | continue; |
| } | | } |
| | |
| /* Use a certain realm */ | | /* Use a certain realm */ |
| if (!strcmp(argv[i], "--realm")) { | | if (!strcmp(argv[i], "--realm")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->realm_name = argv[i]; | | flags->realm_name = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No realm given after '%s'\n", | | "Error: no realm given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* do not reverse lookup server names */ | | /* do not reverse lookup server names */ |
| if (!strcmp(argv[i], "--no-reverse-lookups") || | | if (!strcmp(argv[i], "--no-reverse-lookups") || |
| !strcmp(argv[i], "-N")) { | | !strcmp(argv[i], "-N")) { |
| flags->no_reverse_lookups = true; | | flags->no_reverse_lookups = true; |
| continue; | | continue; |
| } | | } |
| | |
| /* synchronize machine password with samba */ | | /* synchronize machine password with samba */ |
| if (!strcmp(argv[i], "--set-samba-secret")) { | | if (!strcmp(argv[i], "--set-samba-secret")) { |
| flags->set_samba_secret = true; | | flags->set_samba_secret = true; |
| continue; | | continue; |
| } | | } |
| | |
|
| | /* use supplied command instead of samba net */ |
| | if (!strcmp(argv[i], "--use-samba-cmd")) { |
| | if (++i < argc) { |
| | flags->samba_cmd = argv[i]; |
| | } else { |
| | fprintf(stderr, |
| | "Error: no command given after '%s'\n", |
| | argv[i -1] |
| | ); |
| | goto error; |
| | } |
| | continue; |
| | } |
| | |
| /* Use user kerberos credentials only */ | | /* Use user kerberos credentials only */ |
| if (!strcmp(argv[i], "--user-creds-only")) { | | if (!strcmp(argv[i], "--user-creds-only")) { |
| flags->user_creds_only = true; | | flags->user_creds_only = true; |
| continue; | | continue; |
| } | | } |
| | |
| if (!strcmp(argv[i], "--keytab-auth-as")) { | | if (!strcmp(argv[i], "--keytab-auth-as")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->keytab_auth_princ = argv[i]; | | flags->keytab_auth_princ = argv[i]; |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No principal given after '%s'\n", | | "Error: no principal given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| if (!strcmp(argv[i], "--auto-update-interval")) { | | if (!strcmp(argv[i], "--auto-update-interval")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->auto_update_interval = atoi(argv[i]); | | flags->auto_update_interval = atoi(argv[i]); |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No number given after '%s'\n", | | "Error: no number given after '%s'\n", |
| | argv[i - 1] |
| | ); |
| | goto error; |
| | } |
| | continue; |
| | } |
| | |
| | if (!strcmp(argv[i], "--sasl-mechanisms") || !strcmp(argv[i], "-m")) { |
| | if (++i < argc) { |
| | flags->sasl_mechanisms = argv[i]; |
| | } else { |
| | fprintf(stderr, |
| | "Error: no SASL candidate mechanisms list given after '% |
| | s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| if (!strcmp(argv[i], "--remove-old")) { | | if (!strcmp(argv[i], "--remove-old")) { |
| if (++i < argc) { | | if (++i < argc) { |
| flags->cleanup_days = atoi(argv[i]); | | flags->cleanup_days = atoi(argv[i]); |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No number given after '%s'\n", | | "Error: no number given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| if (!strcmp(argv[i], "--remove-enctype")) { | | if (!strcmp(argv[i], "--remove-enctype")) { |
| if (++i < argc) { | | if (++i < argc) { |
|
| set_cleanup_enctype(flags, argv[i]); | | flags->cleanup_enctype = parse_enctype(argv[i]); |
| } else { | | } else { |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: No number given after '%s'\n", | | "Error: no number given after '%s'\n", |
| argv[i - 1] | | argv[i - 1] |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| continue; | | continue; |
| } | | } |
| | |
| /* wait for LDAP replication */ | | /* wait for LDAP replication */ |
| if (!strcmp(argv[i], "--check-replication")) { | | if (!strcmp(argv[i], "--check-replication")) { |
| flags->check_replication = true; | | flags->check_replication = true; |
| continue; | | continue; |
| } | | } |
| | |
| /* Display Verbose Messages */ | | /* Display Verbose Messages */ |
| if (!strcmp(argv[i], "--verbose")) { | | if (!strcmp(argv[i], "--verbose")) { |
| do_verbose(); | | do_verbose(); |
| continue; | | continue; |
| } | | } |
| | |
| /* Unrecognized */ | | /* Unrecognized */ |
|
| fprintf(stderr, "Error: Unknown parameter (%s)\n", argv[i]); | | fprintf(stderr, "Error: unknown parameter: %s\n", argv[i]); |
| goto error; | | goto error; |
| } | | } |
| | |
| /* make --old-account-password and --user-creds-only mutually | | /* make --old-account-password and --user-creds-only mutually |
| * exclusive: */ | | * exclusive: */ |
| if (strlen(flags->old_account_password.c_str()) && | | if (strlen(flags->old_account_password.c_str()) && |
| flags->user_creds_only) { | | flags->user_creds_only) { |
| fprintf(stderr, | | fprintf(stderr, |
| "Error: --old-account-password and --user-creds-only " | | "Error: --old-account-password and --user-creds-only " |
| "are mutually exclusive\n"); | | "are mutually exclusive\n"); |
| goto error; | | goto error; |
| } | | } |
| | |
|
| | if (strcmp(flags->samba_cmd.c_str(),DEFAULT_SAMBA_CMD) && |
| | !flags->set_samba_secret) { |
| | fprintf(stderr, |
| | "Error: --use-samba-cmd (or MSKTUTIL_SAMBA_CMD " |
| | "environment variable) can only be used with " |
| | "--set-samba-secret\n"); |
| | goto error; |
| | } |
| | |
| /* allow --dont-change-password only in update mode or when create | | /* allow --dont-change-password only in update mode or when create |
| * mode is called with --old-account-password */ | | * mode is called with --old-account-password */ |
| if (flags->dont_change_password && | | if (flags->dont_change_password && |
| !(exec->mode == MODE_UPDATE || exec->mode == MODE_CREATE) | | !(exec->mode == MODE_UPDATE || exec->mode == MODE_CREATE) |
| ) { | | ) { |
| fprintf(stderr, | | fprintf(stderr, |
| "Error: --dont-change-password can only be used in update or cre
ate mode\n" | | "Error: --dont-change-password can only be used in update or cre
ate mode\n" |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| | |
| skipping to change at line 1224 | | skipping to change at line 1329 |
|---|
| | |
| /* allow --remove-old only in cleanup mode */ | | /* allow --remove-old only in cleanup mode */ |
| if (exec->mode != MODE_CLEANUP && flags->cleanup_days != -1) { | | if (exec->mode != MODE_CLEANUP && flags->cleanup_days != -1) { |
| fprintf(stderr, | | fprintf(stderr, |
| "Error: --remove-old can only be used in cleanup mode\n" | | "Error: --remove-old can only be used in cleanup mode\n" |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| | |
| if (flags->enctypes == VALUE_ON) { | | if (flags->enctypes == VALUE_ON) { |
|
| unsigned known= MS_KERB_ENCTYPE_DES_CBC_CRC | | | if ((flags->supportedEncryptionTypes | ALL_MS_KERB_ENCTYPES) != ALL_MS_K |
| MS_KERB_ENCTYPE_DES_CBC_MD5 | | | ERB_ENCTYPES) { |
| MS_KERB_ENCTYPE_RC4_HMAC_MD5 | | | |
| MS_KERB_ENCTYPE_AES128_CTC_HMAC_SHA1_96 | | | |
| MS_KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96; | | |
| | | |
| if ((flags->supportedEncryptionTypes|known) != known) { | | |
| fprintf(stderr, | | fprintf(stderr, |
|
| "Error: Unsupported --enctypes must be integer that " | | "Error: unsupported --enctypes must be integer that " |
| "fits mask=0x%x\n", | | "fits mask=0x%x\n", |
|
| known | | ALL_MS_KERB_ENCTYPES |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| if (flags->supportedEncryptionTypes == 0) { | | if (flags->supportedEncryptionTypes == 0) { |
| fprintf(stderr, "Error: --enctypes must not be zero\n"); | | fprintf(stderr, "Error: --enctypes must not be zero\n"); |
| goto error; | | goto error; |
| } | | } |
| } | | } |
| | |
|
| if (exec->mode == MODE_CREATE && !flags->use_service_account) { | | |
| exec->add_principals.push_back("host"); | | |
| } | | |
| | | |
| if (exec->mode == MODE_NONE && !exec->add_principals.empty()) { | | if (exec->mode == MODE_NONE && !exec->add_principals.empty()) { |
| exec->set_mode(MODE_UPDATE); | | exec->set_mode(MODE_UPDATE); |
| } | | } |
| | |
| if (exec->mode == MODE_CLEANUP && | | if (exec->mode == MODE_CLEANUP && |
| flags->cleanup_days == -1 && | | flags->cleanup_days == -1 && |
| flags->cleanup_enctype == VALUE_IGNORE) { | | flags->cleanup_enctype == VALUE_IGNORE) { |
| fprintf(stderr, | | fprintf(stderr, |
| "Error: cleanup mode needs --remove-old or " | | "Error: cleanup mode needs --remove-old or " |
| "--remove-enctype\n" | | "--remove-enctype\n" |
| ); | | ); |
| goto error; | | goto error; |
| } | | } |
| | |
| if (exec->mode == MODE_NONE) { | | if (exec->mode == MODE_NONE) { |
| /* Default, no options present */ | | /* Default, no options present */ |
|
| fprintf(stderr, "Error: No command given\n"); | | fprintf(stderr, "Error: no command given\n"); |
| goto error; | | goto error; |
| } | | } |
| | |
|
| | /* delete mode will only work with admin credentials */ |
| | if (exec->mode == MODE_DELETE) { |
| | flags->user_creds_only = true; |
| | } |
| | |
| | /* reset mode will only work with admin credentials */ |
| | if (exec->mode == MODE_RESET) { |
| | flags->user_creds_only = true; |
| | } |
| | |
| try { | | try { |
| return execute(exec, flags); | | return execute(exec, flags); |
| } catch (Exception &e) { | | } catch (Exception &e) { |
| fprintf(stderr, "%s\n", e.what()); | | fprintf(stderr, "%s\n", e.what()); |
| exit(1); | | exit(1); |
| } | | } |
| | |
| error: | | error: |
| fprintf(stderr, "\nFor help, try running %s --help\n\n", PACKAGE_NAME); | | fprintf(stderr, "\nFor help, try running %s --help\n\n", PACKAGE_NAME); |
| return 1; | | return 1; |
| | |
| skipping to change at line 1306 | | skipping to change at line 1411 |
|---|
| | |
| msktutil_flags::msktutil_flags() : | | msktutil_flags::msktutil_flags() : |
| password(), | | password(), |
| password_from_cmdline(false), | | password_from_cmdline(false), |
| ldap(NULL), | | ldap(NULL), |
| set_userPrincipalName(false), | | set_userPrincipalName(false), |
| no_reverse_lookups(false), | | no_reverse_lookups(false), |
| no_canonical_name(false), | | no_canonical_name(false), |
| server_behind_nat(false), | | server_behind_nat(false), |
| set_samba_secret(false), | | set_samba_secret(false), |
|
| | samba_cmd(DEFAULT_SAMBA_CMD), |
| check_replication(false), | | check_replication(false), |
| dont_change_password(false), | | dont_change_password(false), |
| dont_expire_password(VALUE_IGNORE), | | dont_expire_password(VALUE_IGNORE), |
| dont_update_dnshostname(VALUE_OFF), | | dont_update_dnshostname(VALUE_OFF), |
| disable_account(VALUE_IGNORE), | | disable_account(VALUE_IGNORE), |
| no_pac(VALUE_IGNORE), | | no_pac(VALUE_IGNORE), |
| delegate(VALUE_IGNORE), | | delegate(VALUE_IGNORE), |
| ad_userAccountControl(0), | | ad_userAccountControl(0), |
| ad_enctypes(VALUE_IGNORE), | | ad_enctypes(VALUE_IGNORE), |
| ad_supportedEncryptionTypes(0), | | ad_supportedEncryptionTypes(0), |
| enctypes(VALUE_IGNORE), | | enctypes(VALUE_IGNORE), |
| /* default values we *want* to support */ | | /* default values we *want* to support */ |
|
| supportedEncryptionTypes(MS_KERB_ENCTYPE_RC4_HMAC_MD5 | | | supportedEncryptionTypes(DEFAULT_MS_KERB_ENCTYPES), |
| MS_KERB_ENCTYPE_AES128_CTC_HMAC_SHA1_96 | | | |
| MS_KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96), | | |
| auth_type(0), | | auth_type(0), |
| user_creds_only(false), | | user_creds_only(false), |
| use_service_account(false), | | use_service_account(false), |
| allow_weak_crypto(false), | | allow_weak_crypto(false), |
| password_expired(false), | | password_expired(false), |
| auto_update_interval(30), | | auto_update_interval(30), |
|
| | sasl_mechanisms(DEFAULT_SASL_MECHANISMS), |
| kvno(0), | | kvno(0), |
| cleanup_days(-1), | | cleanup_days(-1), |
| cleanup_enctype(VALUE_IGNORE) | | cleanup_enctype(VALUE_IGNORE) |
| { | | { |
| /* Check for environment variables as well. These variables will | | /* Check for environment variables as well. These variables will |
| * be overriden by command line arguments. */ | | * be overriden by command line arguments. */ |
| if (getenv("MSKTUTIL_KEYTAB")) { | | if (getenv("MSKTUTIL_KEYTAB")) { |
| keytab_file = getenv("MSKTUTIL_KEYTAB"); | | keytab_file = getenv("MSKTUTIL_KEYTAB"); |
| } | | } |
| if (getenv("MSKTUTIL_NO_PAC")) { | | if (getenv("MSKTUTIL_NO_PAC")) { |
| | |
| skipping to change at line 1348 | | skipping to change at line 1453 |
|---|
| } | | } |
| if (getenv("MSKTUTIL_DELEGATION")) { | | if (getenv("MSKTUTIL_DELEGATION")) { |
| delegate = VALUE_ON; | | delegate = VALUE_ON; |
| } | | } |
| if (getenv("MSKTUTIL_LDAP_BASE")) { | | if (getenv("MSKTUTIL_LDAP_BASE")) { |
| ldap_ou = getenv("MSKTUTIL_LDAP_BASE"); | | ldap_ou = getenv("MSKTUTIL_LDAP_BASE"); |
| } | | } |
| if (getenv("MSKTUTIL_SERVER")) { | | if (getenv("MSKTUTIL_SERVER")) { |
| server = getenv("MSKTUTIL_SERVER"); | | server = getenv("MSKTUTIL_SERVER"); |
| } | | } |
|
| | if (getenv("MSKTUTIL_SAMBA_CMD")) { |
| | samba_cmd = getenv("MSKTUTIL_SAMBA_CMD"); |
| | } |
| } | | } |
| | |
| msktutil_flags::~msktutil_flags() | | msktutil_flags::~msktutil_flags() |
| { | | { |
| ldap_cleanup(this); | | ldap_cleanup(this); |
| init_password(this); | | init_password(this); |
| } | | } |
| | |
| msktutil_exec::msktutil_exec() : | | msktutil_exec::msktutil_exec() : |
| mode(MODE_NONE) | | mode(MODE_NONE) |
| | | |
| End of changes. 62 change blocks. |
|---|
| 87 lines changed or deleted | | 202 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 