import realmd-0.16.3-19.el8

CentOS Sources 2020-11-03 06:53:57 -05:00 committed by Andrew Lukoshko
parent cccc2cf2c2
commit 274ea072a2
3 changed files with 213 additions and 1 deletions


@ -0,0 +1,166 @@
From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 12 Aug 2020 12:58:27 +0200
Subject: [PATCH] service: use 'additional dns hostnames' with net ads join
With newer versions of Samba the net ads join does not add services
principals with the configured host name anymore but added the new
option 'additional dns hostnames' for this.
realmd will try to figure out a fully-qualified host name and use it
with the new option if it is from a different domain.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912
---
service/realm-disco.c | 1 +
service/realm-disco.h | 1 +
service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++-
service/realm-samba.c | 6 ++++
4 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/service/realm-disco.c b/service/realm-disco.c
index ab06939..a12be50 100644
--- a/service/realm-disco.c
+++ b/service/realm-disco.c
@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data)
g_free (disco->explicit_netbios);
g_free (disco->kerberos_realm);
g_free (disco->workgroup);
+ g_free (disco->dns_fqdn);
if (disco->server_address)
g_object_unref (disco->server_address);
g_free (disco);
diff --git a/service/realm-disco.h b/service/realm-disco.h
index 5f3e5e9..35532d2 100644
--- a/service/realm-disco.h
+++ b/service/realm-disco.h
@@ -30,6 +30,7 @@ typedef struct {
gchar *explicit_server;
gchar *explicit_netbios;
GSocketAddress *server_address;
+ gchar *dns_fqdn;
} RealmDisco;
#define REALM_TYPE_DISCO (realm_disco_get_type ())
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 3f86c51..5624a08 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -33,6 +33,9 @@
#include <errno.h>
#include <fcntl.h>
#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
typedef struct {
GDBusMethodInvocation *invocation;
@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm)
return g_utf8_strup (realm, pos - realm);
}
+static char *
+try_to_get_fqdn (void)
+{
+ char hostname[HOST_NAME_MAX + 1];
+ gchar *fqdn = NULL;
+ int ret;
+ struct addrinfo *res;
+ struct addrinfo hints;
+
+ ret = gethostname (hostname, sizeof (hostname));
+ if (ret < 0) {
+ return NULL;
+ }
+
+ if (strchr (hostname, '.') == NULL) {
+ memset (&hints, 0, sizeof (struct addrinfo));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_CANONNAME;
+
+ ret = getaddrinfo (hostname, NULL, &hints, &res);
+ if (ret != 0) {
+ return NULL;
+ }
+
+ /* Only use a fully-qualified name */
+ if (strchr (res->ai_canonname, '.') != NULL) {
+ fqdn = g_strdup (res->ai_canonname);
+ }
+
+ freeaddrinfo (res);
+
+ } else {
+ fqdn = g_strdup (hostname);
+ }
+
+ return fqdn;
+}
+
static JoinClosure *
join_closure_init (GTask *task,
RealmDisco *disco,
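Review bot: In try_to_get_fqdn, `res->ai_canonname` is handed to strchr without a NULL check; AI_CANONNAME normally fills it in on success, but the guard is cheap: `if (res->ai_canonname != NULL && strchr (res->ai_canonname, '.') != NULL) {`. The name returned here is whatever the resolver answers (hosts file or DNS), and later in this patch it is placed in the Samba configuration as 'additional dns hostnames' for the join, so it would be worth checking it against hostname syntax and logging the value chosen before it is used. HOST_NAME_MAX needs `<limits.h>`, which is not among the includes this patch adds; presumably it arrives through another header, but that should be confirmed.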
@@ -95,5 +136,7 @@ join_closure_init (GTask *task,
const gchar *explicit_computer_name = NULL;
const gchar *authid = NULL;
+ gchar *fqdn = NULL;
+ gchar *fqdn_dom = NULL;
join = g_new0 (JoinClosure, 1);
join->disco = realm_disco_ref (disco);
@@ -124,7 +167,7 @@ join_closure_init (GTask *task,
"netbios name", authid,
NULL);
- /*
+ /*
* Samba complains if we don't set a 'workgroup' setting for the realm we're
* going to join. If we didn't yet manage to lookup the workgroup, then go ahead
* and assume that the first domain component is the workgroup name.
@@ -144,6 +187,18 @@ join_closure_init (GTask *task,
g_free (workgroup);
}
+ /* Add the fully-qualified DNS hostname as additional name if it is from
+ * a different domain. */
+ fqdn = try_to_get_fqdn ();
+ if (fqdn != NULL && join->disco->domain_name != NULL
+ && (fqdn_dom = strchr (fqdn, '.')) != NULL
+ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) {
+ disco->dns_fqdn = g_strdup (fqdn);
+ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
+ "additional dns hostnames", disco->dns_fqdn, NULL);
+ }
+ g_free (fqdn);
+
/* Write out the config file for use by various net commands */
join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL);
temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR);
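Review bot: `disco->dns_fqdn = g_strdup (fqdn);` overwrites the field without freeing an earlier value and leaves it untouched when the condition is false. If the same RealmDisco reaches join_closure_init more than once (not visible from this hunk), the old string leaks, or a stale name is later written by on_join_do_winbind. Resetting it before the `if` avoids both: `g_free (disco->dns_fqdn); disco->dns_fqdn = NULL;`. Because this name ends up as an extra DNS hostname on the machine account, a debug or audit message naming the value added would help operators verify what was registered. join_closure_init begins and ends outside the hunk.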
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 4940b38..fe33600 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source,
NULL);
}
+ if (error == NULL && enroll->disco->dns_fqdn != NULL) {
+ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
+ "additional dns hostnames", enroll->disco->dns_fqdn,
+ NULL);
+ }
if (error == NULL) {
name = realm_kerberos_get_name (REALM_KERBEROS (self));
@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self,
if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
"workgroup", NULL,
"realm", NULL,
+ "additional dns hostnames", NULL,
"security", "user",
NULL)) {
g_task_return_error (task, error);
--
2.26.2


@ -0,0 +1,32 @@
From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 Aug 2020 11:18:17 +0200
Subject: [PATCH] service: use net ads join with -k for user join as well
The NTLM authentication used by 'net ads join' does only support crypto
algorithms which e.g. are not allowed by FIPS. It would be better to
tell 'net ads join' to try Kerberos first before falling back to NTLM by
adding the '-k' option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
---
service/realm-samba-enroll.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index f5edca3..3f86c51 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -372,7 +372,8 @@ begin_join (GTask *task,
} else if (join->user_name) {
begin_net_process (join, join->password_input,
on_join_do_keytab, g_object_ref (task),
- "-U", join->user_name, "ads", "join", join->disco->domain_name,
+ "-U", join->user_name,
+ "-k", "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
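Review bot: The new `"-k"` argument in begin_join carries no comment, so the reason for it (NTLM relies on algorithms that FIPS does not allow, and Kerberos should be tried first) lives only in the commit message. A comment above the call, such as `/* -k: try Kerberos before NTLM, whose crypto is not allowed by FIPS */`, would keep that with the code. Per the description NTLM remains a fallback, so on hosts where NTLM must not be used, the join output should still be checked for which mechanism was actually negotiated. begin_join starts and ends outside the hunk.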
--
2.26.2


@ -1,6 +1,6 @@
Name: realmd
Version: 0.16.3
Release: 18%{?dist}
Release: 19%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/realmd/
@ -40,6 +40,13 @@ Patch20: 0001-doc-extend-description-of-config-handling.patch
# rhbz#1801195
Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch
# rhbz#1859503 - Realm join fails with error 'Failed to join domain: failed to
# lookup DC info ...'
Patch22: 0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
# rhbz#1867912 - realm command to use option like dnshostname=fqdn
Patch23: 0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
@ -107,6 +114,13 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- Realm join fails with error 'Failed to join domain: failed to lookup
DC info ...'
Resolves: rhbz#1859503
- realm command to use option like dnshostname=fqdn
Resolves: rhbz#1867912
* Fri Feb 21 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-18
- Fix kerberos method
Resolves: rhbz#1801195