I noticed that adcli gets the kvno from AD when joining but does not increase it for the new enroll This might be a wrong place to fix it but saved my day ---- diff --git a/library/adenroll.c b/library/adenroll.c index e81eaf2..c500232 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -988,10 +988,12 @@ retrieve_computer_account (adcli_enroll *enroll) res = ADCLI_ERR_DIRECTORY; } else { - enroll->kvno = kvno; + /* should increase here??? */ + enroll->kvno = kvno+1; _adcli_info ("Retrieved kvno '%s' for computer account in directory: %s", value, enroll->computer_dn); + } free (value);
Created attachment 120342 [details] [review] Increment kvno after password change Please consider this patch as a fix for the issue
(In reply to Eero Torri from comment #0) > I noticed that adcli gets the kvno from AD when joining but does not > increase it for the new enroll > > This might be a wrong place to fix it but saved my day > Please have a look at the attached patch, I think is is better to increment the kvno only after the password is changes on the server-side, i.e. after the kvno is incremented on the server-side. > ---- > > diff --git a/library/adenroll.c b/library/adenroll.c > index e81eaf2..c500232 100644 > --- a/library/adenroll.c > +++ b/library/adenroll.c > @@ -988,10 +988,12 @@ retrieve_computer_account (adcli_enroll *enroll) > res = ADCLI_ERR_DIRECTORY; > > } else { > - enroll->kvno = kvno; > + /* should increase here??? */ > + enroll->kvno = kvno+1; > > _adcli_info ("Retrieved kvno '%s' for > computer account in directory: %s", > value, enroll->computer_dn); > + > } > > free (value);
(In reply to Sumit Bose from comment #2) > (In reply to Eero Torri from comment #0) > > I noticed that adcli gets the kvno from AD when joining but does not > > increase it for the new enroll > > > > This might be a wrong place to fix it but saved my day > > > > Please have a look at the attached patch, I think is is better to increment > the kvno only after the password is changes on the server-side, i.e. after > the kvno is incremented on the server-side. Is it guaranteed that the kvno is incremented by one server side, or should we retrieve it again to be sure?
(In reply to Stef Walter from comment #3) > (In reply to Sumit Bose from comment #2) > > (In reply to Eero Torri from comment #0) > > > I noticed that adcli gets the kvno from AD when joining but does not > > > increase it for the new enroll > > > > > > This might be a wrong place to fix it but saved my day > > > > > > > Please have a look at the attached patch, I think is is better to increment > > the kvno only after the password is changes on the server-side, i.e. after > > the kvno is incremented on the server-side. > > Is it guaranteed that the kvno is incremented by one server side, or should > we retrieve it again to be sure? If the password change is successful, the KVNO will be increased by one for sure. KVNO is the sequential key/password version number after all. If you are reading it back from the server then it must be the same server because other servers will still be at the old version for about 15-20 minutes.
Attachment 120342 [details] pushed as e56592b - Increment kvno after password change OK. Thanks! Merged into git master.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.