GitLab

With the new configure option --with-vendor-error-message a packager or
a distribution can add a message if adcli returns with an error.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386

A new option was added to 'adcli update' toggle the ACCOUNTDISABLE flag
of AD's userAccountControl LDAP attribute to disable or enable the given
host account.

'adcli join' will automatically enable the host account.

Resolves: #21

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1906303

Add a random component to the default managed service account name to
avoid name collisions.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

Make it possible to find existing manages service account by the
fully-qualified name.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

Determine keytab name more early to catch errors more early.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

Make handling of random strings more flexible.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

Use proper account type in debug messages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

Add new sub-command to create a managed service account in AD. This can
be used if LDAP access to AD is needed but the host is already joined to
a different domain.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

Add helpers to indicate a managed service account.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112

When using a restricted account with adcli some operations might fail
because the account might not have all required permissions. The man
page is extended and now explains which permissions are needed under
given circumstances.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1852080
Resolves: #20

If during a join or update an existing AD computer object does not have
the dNSHostName attribute set it will be set with the current hostname.
This is important for cases where the user doing the join or update only
has "Validated write to service principal name" for the computer object.
The validated write with fully-qualified names can only be successful if
dNSHostName is set, see [MS-ADTS] section 3.1.1.5.3.1.1.4 "Validated
Writes - servicePrincipalName" for details.

Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1734764

When adding the use-ldaps option the update and testjoin sub-commands
were forgotten.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1883467

The optional Kerberos credential cache can only be used with the long
option name --login-ccache and not with the short version -C. To make
this more clear each option get its own entry.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611

MIT's libkrb5 checks available locator plugins first before checking the
config file. This might cause issues when the locator plugin returns a
different DC than the one used for the LDAP connection if some data must
be replicated.

This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
'true' to disable SSSD's locator plugin for adcli.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633

Reading the keytab is not required when deleting a host object in AD. It
is only needed in the case where the host was added with a manual set
NetBIOS name (--computer-name option) which does not match the short
hostname and no computer name was given at the delete-computer command
line.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752

Do not continue processing on closed connection.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258

In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.

But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420

Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.

The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420

This new option allows to set the description LDAP attribute for the AD
computer object.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342

The show-computer command prints the LDAP attributes of the related
computer object from AD.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342

Unfortunately the note about the password lifetime was added to the join
section. This patch move it to the update section where it belongs to.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
           https://bugzilla.redhat.com/show_bug.cgi?id=1774622

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573

Since the arcfour-hmac-md5 encryption types does not use salts it cannot
be used to discover the right salt.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745

Related to #3

Realted to #3

The new call does not only return the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.

Related to #3

Related to #3

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1588596

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1588596

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1588596

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1588596

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1588596