Bug 78448 - stdin-password dont seem to work.
Summary: stdin-password dont seem to work.
Status: RESOLVED FIXED
Alias: None
Product: realmd
Classification: Unclassified
Component: adcli (show other bugs)
Version: unspecified
Hardware: Other Linux (All)
: medium normal
Assignee: Stef Walter
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-08 17:12 UTC by steverweber
Modified: 2016-05-20 12:08 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:


Attachments
[PATCH] Remove \n from stdin password (669 bytes, patch)
2016-05-19 16:20 UTC, Sumit Bose
Details | Splinter Review
[PATCH] Remove \n or \r\n from stdin password (773 bytes, patch)
2016-05-20 09:24 UTC, Sumit Bose
Details | Splinter Review

Description steverweber 2014-05-08 17:12:20 UTC
stdin-password dont seem to work.

I'm preforming these commands on ubuntu 14.04
locate adcli
/var/cache/apt/archives/adcli_0.7.5-1_amd64.deb

shell: bash
password like: 678yuihjkbnmBNM


adcli preset-computer \
> --domain=matdc03.mathadtest.xxxxxx.ca \
> --domain-realm=MATHADTEST.XXXXXX.CA \
> --domain-controller=matdc03.mathadtest.xxxxxx.ca \
> --login-user=s8weber \
> --os-name=linux-gnu \
> --stdin-password \
> --verbose \
> debian-auth.salt.math.xxxxxx.ca <<< "PASSWPRD"
 * Using domain name: matdc03.mathadtest.xxxxxx.ca
 * Calculated computer account name from fqdn: MBP
 * Using domain realm: matdc03.mathadtest.xxxxxx.ca
 * Sending netlogon pings to domain controller: cldap://10.27.4.22
 * Received NetLogon info from: MATDC03.mathadtest.xxxxxx.ca
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-y1KfHr/krb5.d/adcli-krb5-conf-pVyVyt
 ! Couldn't authenticate as: s8weber@MATHADTEST.XXXXXX.CA: Preauthentication failed
adcli: couldn't connect to matdc03.mathadtest.xxxxxx.ca domain: Couldn't authenticate as: s8weber@MATHADTEST.XXXXXX.CA: Preauthentication failed





echo PASSWPRD | adcli preset-computer \
> --domain=matdc03.mathadtest.xxxxxx.ca \
> --domain-realm=MATHADTEST.XXXXXX.CA \
> --domain-controller=matdc03.mathadtest.xxxxxx.ca \
> --login-user=s8weber \
> --os-name=linux-gnu \
> --stdin-password \
> --verbose \
> debian-auth.salt.math.xxxxxx.ca
 * Using domain name: matdc03.mathadtest.xxxxxx.ca
 * Calculated computer account name from fqdn: MBP
 * Using domain realm: matdc03.mathadtest.xxxxxx.ca
 * Sending netlogon pings to domain controller: cldap://10.27.4.22
 * Received NetLogon info from: MATDC03.mathadtest.xxxxxx.ca
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-7qpIcI/krb5.d/adcli-krb5-conf-kfZ5qZ
 ! Couldn't authenticate as: s8weber@MATHADTEST.XXXXXX.CA: Preauthentication failed
adcli: couldn't connect to matdc03.mathadtest.xxxxxx.ca domain: Couldn't authenticate as: s8weber@MATHADTEST.XXXXXX.CA: Preauthentication failed



entering my password manually is success 

adcli preset-computer \172
> --domain=matdc03.mathadtest.xxxxxx.ca \
> --domain-realm=MATHADTEST.XXXXXX.CA \
> --domain-controller=matdc03.mathadtest.xxxxxx.ca \
> --login-user=s8weber \
> --os-name=linux-gnu \
> --verbose \
> debian-auth.salt.math.xxxxxx.ca
 * Using domain name: matdc03.mathadtest.xxxxxx.ca
 * Calculated computer account name from fqdn: MBP
 * Using domain realm: matdc03.mathadtest.xxxxxx.ca
 * Sending netlogon pings to domain controller: cldap://10.27.4.22
 * Received NetLogon info from: MATDC03.mathadtest.xxxxxx.ca
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-L2JsKj/krb5.d/adcli-krb5-conf-OY5qHO
Password for s8weber@MATHADTEST.XXXXXX.CA: 
 * Authenticated as user: s8weber@MATHADTEST.XXXXXX.CA
 * Looked up short domain name: MATHADTEST
 * Using fully qualified name: mbp
 * Using domain name: matdc03.mathadtest.xxxxxx.ca
 * Using computer account name: MBP
 * Using domain realm: matdc03.mathadtest.xxxxxx.ca
 * Using fully qualified name: debian-auth.salt.math.xxxxxx.ca
 * Calculated computer account name from fqdn: DEBIAN-AUTH
 * Using default reset computer password
 * Using fully qualified name: mbp
 * Using domain name: matdc03.mathadtest.xxxxxx.ca
 * Using computer account name: MBP
 * Using domain realm: matdc03.mathadtest.xxxxxx.ca
 * Looked up short domain name: MATHADTEST
 * Found computer account for DEBIAN-AUTH$ at: CN=DEBIAN-AUTH,CN=Computers,DC=mathadtest,DC=xxxxxx,DC=ca
 ! The computer account DEBIAN-AUTH already exists
adcli: presetting debian-auth.salt.math.xxxxxx.ca in matdc03.mathadtest.xxxxxx.ca domain failed: The computer account DEBIAN-AUTH already exists



Am I missing something fundamental or is adcli at fault? 
Thanks.
Comment 1 Stef Walter 2014-09-01 09:02:08 UTC
You need to use 'echo -n | ....'
Comment 2 Sumit Bose 2016-05-19 16:20:55 UTC
Created attachment 123916 [details] [review]
[PATCH] Remove \n from stdin password

This patch removes a trailing new-line character from the password given via stdin, this should fix all typical command-libe use-case.
Comment 3 Stef Walter 2016-05-19 18:11:53 UTC
Comment on attachment 123916 [details] [review]
[PATCH] Remove \n from stdin password

Review of attachment 123916 [details] [review]:
-----------------------------------------------------------------

Are there no cases where \n is in a valid AD password? If so, this patch has no tradeoffs. Just double checking.

::: tools/tools.c
@@ +250,5 @@
>  
>  		} else if (res == 0) {
>  			buffer[offset] = '\0';
> +			/* remove new line character */
> +			if (offset > 0 && buffer[offset - 1] == '\n') {

Should this remove \r\n?
Comment 4 Sumit Bose 2016-05-20 07:19:06 UTC
(In reply to Stef Walter from comment #3)
> Comment on attachment 123916 [details] [review] [review]
> [PATCH] Remove \n from stdin password
> 
> Review of attachment 123916 [details] [review] [review]:
> -----------------------------------------------------------------
> 
> Are there no cases where \n is in a valid AD password? If so, this patch has
> no tradeoffs. Just double checking.

According to https://msdn.microsoft.com/en-us/library/bb726984.aspx "Valid characters for passwords are letters, numbers, and symbols."

> 
> ::: tools/tools.c
> @@ +250,5 @@
> >  
> >  		} else if (res == 0) {
> >  			buffer[offset] = '\0';
> > +			/* remove new line character */
> > +			if (offset > 0 && buffer[offset - 1] == '\n') {
> 
> Should this remove \r\n?

I'll add a check for \r\n as well although I doubt that we see this often with Unix/Linux shell usage. But if the password is stored in a file with \r\n linebreaks this will help.
Comment 5 Sumit Bose 2016-05-20 09:24:15 UTC
Created attachment 123942 [details] [review]
[PATCH] Remove \n or \r\n from stdin password

New version which can remove \r\n as well.
Comment 6 Stef Walter 2016-05-20 12:08:17 UTC
Wonderful. Merged into master.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.