rpms
/
realmd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import realmd-0.17.1-1.el8

This commit is contained in:
CentOS Sources 2022-11-18 04:12:44 +00:00 committed by Stepan Oksanichenko
parent 75a8fce85b
commit 43ff262f3c
43 changed files with 40 additions and 5727 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/realmd-0.16.3.tar.gz
SOURCES/realmd-0.17.1.tar.gz

2
.realmd.metadata
View File

@ -1 +1 @@
0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz
681f7f532daa62a08f2f2d6c9d4a1a04c4c793a3 SOURCES/realmd-0.17.1.tar.gz

113
SOURCES/0001-Change-qualified-names-default-for-IPA.patch
View File

@ -1,113 +0,0 @@
From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 16:44:39 +0200
Subject: [PATCH] Change qualified names default for IPA
In a FreeIPA domain it is typically expected that the IPA accounts use
sort names while accounts from trusted domains have fully qualified
names. This is automatically done by SSSD's IPA provider so there is no
need to force fully qualified names in the SSSD configuration.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
---
service/realm-options.c | 9 +++++----
service/realm-options.h | 3 ++-
service/realm-samba-winbind.c | 2 +-
service/realm-sssd-ad.c | 2 +-
service/realm-sssd-ipa.c | 2 +-
5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/service/realm-options.c b/service/realm-options.c
index bd804ea..34a209f 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
if (realm_name && !option) {
section = g_utf8_casefold (realm_name, -1);
- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
+ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
g_free (section);
}
@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
gboolean mapping;
section = g_utf8_casefold (realm_name, -1);
- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
+ mapping = realm_settings_boolean (section, "automatic-join", FALSE);
g_free (section);
return mapping;
}
gboolean
-realm_options_qualify_names (const gchar *realm_name)
+realm_options_qualify_names (const gchar *realm_name,
+ gboolean def)
{
gchar *section;
gboolean qualify;
section = g_utf8_casefold (realm_name, -1);
- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
+ qualify = realm_settings_boolean (section, "fully-qualified-names", def);
g_free (section);
return qualify;
diff --git a/service/realm-options.h b/service/realm-options.h
index 7a1355e..b71d219 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options,
gboolean realm_options_automatic_mapping (GVariant *options,
const gchar *realm_name);
-gboolean realm_options_qualify_names (const gchar *realm_name);
+gboolean realm_options_qualify_names (const gchar *realm_name,
+ gboolean def);
gboolean realm_options_check_domain_name (const gchar *domain_name);
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index 9335e26..61988eb 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
"winbind enum groups", "no",
"winbind offline logon", "yes",
"winbind refresh tickets", "yes",
- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
+ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
"template shell", realm_settings_string ("users", "default-shell"),
NULL);
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 8543ca8..de7ce30 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
gchar *home;
home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
- qualify = realm_options_qualify_names (disco->domain_name);
+ qualify = realm_options_qualify_names (disco->domain_name, TRUE);
shell = realm_settings_string ("users", "default-shell");
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
realmd_tags = g_string_new ("");
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index ff1dc8a..5029f6b 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
realm_sssd_config_update_domain (config, domain, &error,
"cache_credentials", "True",
- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
+ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
"krb5_store_password_if_offline", "True",
"default_shell", shell,
"fallback_homedir", home,
--
2.17.1

150
SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
View File

@ -1,150 +0,0 @@
From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 31 May 2018 16:16:08 +0200
Subject: [PATCH] Find NetBIOS name in keytab while leaving
If realmd is used with Samba as membership software, i.e. Samba's net
utility, the NetBIOS name must be known when leaving a domain. The most
reliable way to find it is by searching the keytab for NAME$@REALM type
entries and use the NAME as the NetBIOS name.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
---
service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
service/realm-kerberos.h | 2 ++
service/realm-samba-enroll.c | 13 ++++++---
3 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 54d1ed7..d6d109f 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
return ret;
}
+
+gchar *
+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
+{
+ krb5_error_code code;
+ krb5_keytab keytab = NULL;
+ krb5_context ctx;
+ krb5_kt_cursor cursor = NULL;
+ krb5_keytab_entry entry;
+ krb5_principal realm_princ = NULL;
+ gchar *princ_name = NULL;
+ gchar *netbios_name = NULL;
+ krb5_data *name_data;
+
+ code = krb5_init_context (&ctx);
+ if (code != 0) {
+ return NULL;
+ }
+
+ princ_name = g_strdup_printf ("user@%s", realm_name);
+ code = krb5_parse_name (ctx, princ_name, &realm_princ);
+ g_free (princ_name);
+
+ if (code == 0) {
+ code = krb5_kt_default (ctx, &keytab);
+ }
+
+ if (code == 0) {
+ code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
+ }
+
+ if (code == 0) {
+ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
+ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
+ name_data = krb5_princ_component (ctx, entry.principal, 0);
+ if (name_data != NULL
+ && name_data->length > 0
+ && name_data->data[name_data->length - 1] == '$') {
+ netbios_name = g_strndup (name_data->data, name_data->length - 1);
+ if (netbios_name == NULL) {
+ code = krb5_kt_free_entry (ctx, &entry);
+ warn_if_krb5_failed (ctx, code);
+ break;
+ }
+ }
+ }
+ code = krb5_kt_free_entry (ctx, &entry);
+ warn_if_krb5_failed (ctx, code);
+ }
+ }
+
+ code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
+ warn_if_krb5_failed (ctx, code);
+
+ code = krb5_kt_close (ctx, keytab);
+ warn_if_krb5_failed (ctx, code);
+
+ krb5_free_principal (ctx, realm_princ);
+
+ krb5_free_context (ctx);
+
+ return netbios_name;
+
+}
diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
index 0447e4d..58cfe07 100644
--- a/service/realm-kerberos.h
+++ b/service/realm-kerberos.h
@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self,
gboolean realm_kerberos_flush_keytab (const gchar *realm_name,
GError **error);
+gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
+
const gchar * realm_kerberos_get_name (RealmKerberos *self);
const gchar * realm_kerberos_get_realm_name (RealmKerberos *self);
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 76e7b79..03f56d0 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -85,7 +85,8 @@ static JoinClosure *
join_closure_init (GTask *task,
RealmDisco *disco,
GVariant *options,
- GDBusMethodInvocation *invocation)
+ GDBusMethodInvocation *invocation,
+ gboolean do_join)
{
JoinClosure *join;
gchar *workgroup;
@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
else if (disco->explicit_netbios)
authid = disco->explicit_netbios;
+ /* try to get the NetBIOS name from the keytab as last option while
+ * leaving the domain */
+ if (authid == NULL && !do_join) {
+ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
+ }
+
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
"security", "ads",
@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
g_return_if_fail (cred != NULL);
task = g_task_new (NULL, NULL, callback, user_data);
- join = join_closure_init (task, disco, options, invocation);
+ join = join_closure_init (task, disco, options, invocation, TRUE);
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
if (explicit_computer_name != NULL) {
realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
JoinClosure *join;
task = g_task_new (NULL, NULL, callback, user_data);
- join = join_closure_init (task, disco, options, invocation);
+ join = join_closure_init (task, disco, options, invocation, FALSE);
switch (cred->type) {
case REALM_CREDENTIAL_PASSWORD:
--
2.14.4

42
SOURCES/0001-Fix-issues-found-by-Coverity.patch
View File

@ -1,42 +0,0 @@
From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 14:09:48 +0200
Subject: [PATCH] Fix issues found by Coverity
---
service/realm-kerberos.c | 5 ++++-
service/realm-packages.c | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index d6d109f..252e256 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
if (name == NULL)
break;
value = va_arg (va, const gchar *);
- g_return_if_fail (value != NULL);
+ if (value == NULL) {
+ va_end (va);
+ g_return_if_reached ();
+ }
values[0] = g_variant_new_string (name);
values[1] = g_variant_new_string (value);
diff --git a/service/realm-packages.c b/service/realm-packages.c
index 9a6984c..5976439 100644
--- a/service/realm-packages.c
+++ b/service/realm-packages.c
@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
g_ptr_array_add (packages, NULL);
*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
} else {
- g_ptr_array_free (files, TRUE);
+ g_ptr_array_free (packages, TRUE);
}
if (result_files) {
--
2.17.1

24
SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
View File

@ -1,24 +0,0 @@
From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Jul 2016 19:06:29 +0200
Subject: [PATCH] Fix man page reference in systemd service file
---
dbus/realmd.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
index b3bcf7a..64c1090 100644
--- a/dbus/realmd.service.in
+++ b/dbus/realmd.service.in
@@ -1,6 +1,6 @@
[Unit]
Description=Realm and Domain Configuration
-Documentation=man:realmd(8)
+Documentation=man:realm(8)
[Service]
Type=dbus
--
2.7.4

62
SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
View File

@ -1,62 +0,0 @@
From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Sep 2018 13:04:47 +0200
Subject: [PATCH] IPA: do not call sssd-enable-logins
It is expected that ipa-client-install will do all PAM and NSS
configuration. To avoid changing IPA default realmd will not try to
update the related configuration.
---
service/realm-sssd-ipa.c | 24 +-----------------------
1 file changed, 1 insertion(+), 23 deletions(-)
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 5029f6b..70f8b0e 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
g_free (enroll);
}
-static void
-on_enable_nss_done (GObject *source,
- GAsyncResult *result,
- gpointer user_data)
-{
- GTask *task = G_TASK (user_data);
- GError *error = NULL;
- gint status;
-
- status = realm_command_run_finish (result, NULL, &error);
- if (error == NULL && status != 0)
- g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
- _("Enabling SSSD in nsswitch.conf and PAM failed."));
- if (error != NULL)
- g_task_return_error (task, error);
- else
- g_task_return_boolean (task, TRUE);
- g_object_unref (task);
-}
-
static void
on_restart_done (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
GTask *task = G_TASK (user_data);
- EnrollClosure *enroll = g_task_get_task_data (task);
RealmSssd *sssd = g_task_get_source_object (task);
GError *error = NULL;
realm_service_enable_and_restart_finish (result, &error);
if (error == NULL) {
realm_sssd_update_properties (sssd);
- realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
- on_enable_nss_done, g_object_ref (task));
+ g_task_return_boolean (task, TRUE);
} else {
g_task_return_error (task, error);
}
--
2.17.1

392
SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
View File

@ -1,392 +0,0 @@
From 2fa90caf4ad38541615446b80dbeaccd0d0e6a6f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 28 Oct 2020 13:40:03 +0100
Subject: [PATCH] Kerberos: add default_domain and udp_preference_limit
When joining an Active Directory domain realmd will set the
default_domain and udp_preference_limit in the Kerberos configuration to
avoid errors and make Kerberos handling in the AD domain more easy.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791016
---
doc/manual/realmd.conf.xml | 69 +++++++++++++++++++
service/Makefile.am | 2 +
service/realm-kerberos-config.c | 116 ++++++++++++++++++++++++++++++++
service/realm-kerberos-config.h | 35 ++++++++++
service/realm-samba.c | 12 ++++
service/realm-sssd-ad.c | 12 ++++
service/realmd-debian.conf | 1 +
service/realmd-defaults.conf | 1 +
service/realmd-redhat.conf | 1 +
service/realmd-suse.conf | 1 +
10 files changed, 250 insertions(+)
create mode 100644 service/realm-kerberos-config.c
create mode 100644 service/realm-kerberos-config.h
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 9062252..97d2e8d 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -304,6 +304,75 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
</refsect1>
+<refsect1 id="realmd-conf-paths">
+ <title>paths</title>
+
+ <para>These options should go in an <option>[paths]</option>
+ section of the <filename>/etc/realmd.conf</filename> file. Only
+ specify the settings you wish to override.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>krb5.conf</option></term>
+ <listitem>
+ <para>Path to the Kerberos configuration file, typically
+ <filename>/etc/krb5.conf</filename>. It can also be the path of
+ a file included by <filename>/etc/krb5.conf</filename>, e.g.
+ <filename>/etc/krb5.conf.d/realmd_settings</filename>, if the
+ file does not exist if will be created.</para>
+
+ <informalexample>
+<programlisting language="js">
+[paths]
+krb5.conf = /etc/krb5.conf.d/realmd_settings
+
+</programlisting>
+ </informalexample>
+
+ <para>When joining an Active Directory domain
+ <command>realmd</command> will set the
+ <option>default_realm</option> and
+ <option>udp_preference_limit</option> options in the Kerberos
+ configuration:</para>
+
+ <informalexample>
+<programlisting language="js">
+default_realm = DOMAIN.EXAMPLE.COM
+udp_preference_limit = 0
+
+</programlisting>
+ </informalexample>
+
+ <para>The <option>default_realm</option> option is e.g. needed
+ when trying to resolve enterprise principals and makes it more
+ convenient to request Kerberos tickets for users of the default
+ realm. Instead of specifying the whole principal just
+ <command>kinit username</command> can be used.</para>
+
+ <para>With <option>udp_preference_limit = 0</option> always TCP
+ will be used to send Kerberos request to domain controller. This
+ is useful in Active Directory environments because Kerberos will
+ typically switch to TCP after initially starting with UDP
+ because AD Kerberos tickets are often larger than UDP can handle.
+ Using TCP by default will avoid those extra UDP round trips.
+ Additionally it helps to avoid issues with password changes when
+ the DC does not reply soon enough and the client will send a
+ second UDP request. The DC might reply with a reply error to the
+ second request although the original password change request was
+ successful and the client will no know if the request was
+ successful or not. When using TCP this cannot happen because the
+ client will never send a second request but waits on the
+ connection until the server replies.</para>
+
+ <para>Please note that <command>realmd</command> will not remove
+ those options while leaving the domain since they are useful in
+ general. When joining a new domain <command>realmd</command>
+ will of course overwrite <option>default_realm</option>.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id="realmd-conf-specific-settings">
<title>Realm specific settings</title>
<para>These options should go in an section with the same name
diff --git a/service/Makefile.am b/service/Makefile.am
index 88ee780..031cd1d 100644
--- a/service/Makefile.am
+++ b/service/Makefile.am
@@ -57,6 +57,8 @@ realmd_SOURCES = \
service/realm-invocation.h \
service/realm-kerberos.c \
service/realm-kerberos.h \
+ service/realm-kerberos-config.c \
+ service/realm-kerberos-config.h \
service/realm-kerberos-membership.c \
service/realm-kerberos-membership.h \
service/realm-kerberos-provider.c \
diff --git a/service/realm-kerberos-config.c b/service/realm-kerberos-config.c
new file mode 100644
index 0000000..447a452
--- /dev/null
+++ b/service/realm-kerberos-config.c
@@ -0,0 +1,116 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2020 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#include "realm-ini-config.h"
+#include "realm-kerberos-config.h"
+#include "realm-settings.h"
+
+#include <string.h>
+
+RealmIniConfig *
+realm_kerberos_config_new_with_flags (RealmIniFlags flags,
+ GError **error)
+{
+ RealmIniConfig *config;
+ const gchar *filename;
+ GError *err = NULL;
+
+ config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS | flags);
+
+ filename = realm_settings_path ("krb5.conf");
+
+ realm_ini_config_read_file (config, filename, &err);
+
+ if (err != NULL) {
+ /* If the caller wants errors, then don't return an invalid samba config */
+ if (error) {
+ g_propagate_error (error, err);
+ g_object_unref (config);
+ config = NULL;
+
+ /* If the caller doesn't care, then warn but continue */
+ } else {
+ g_warning ("Couldn't load config file: %s: %s", filename,
+ err->message);
+ g_error_free (err);
+ }
+ }
+
+ return config;
+}
+
+RealmIniConfig *
+realm_kerberos_config_new (GError **error)
+{
+ return realm_kerberos_config_new_with_flags (REALM_INI_NONE, error);
+}
+
+gboolean
+configure_krb5_conf_for_domain (const gchar *realm, GError **error )
+{
+ RealmIniConfig *config;
+ gboolean res;
+ GFile *gfile;
+ GFileInfo *file_info = NULL;
+
+ config = realm_kerberos_config_new (error);
+ if (config == NULL) {
+ return FALSE;
+ }
+
+ /* When writing to a file glib will replace the original file with a
+ * new one. To make sure permissions and other attributes like e.g.
+ * SELinux labels stay the same this information is saved before the
+ * change and applied to the new file afterwards. */
+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
+ file_info = g_file_query_info (gfile, "*", 0, NULL, error);
+ g_object_unref (gfile);
+ if (*error != NULL) {
+ g_warning ("Couldn't load file attributes, "
+ "will continue without: %s: %s",
+ realm_ini_config_get_filename (config),
+ (*error)->message);
+ g_clear_error (error);
+ }
+
+ if (!realm_ini_config_begin_change (config, error)) {
+ g_object_unref (config);
+ return FALSE;
+ }
+
+ realm_ini_config_set (config, "libdefaults",
+ "default_realm", realm,
+ "udp_preference_limit", "0",
+ NULL);
+
+ res = realm_ini_config_finish_change (config, error);
+
+ if (file_info != NULL) {
+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
+ if (!g_file_set_attributes_from_info (gfile, file_info,
+ 0, NULL, error)) {
+ g_warning ("Couldn't set file attributes: %s: %s",
+ realm_ini_config_get_filename (config),
+ (*error)->message);
+ }
+ g_object_unref (file_info);
+ g_object_unref (gfile);
+ }
+
+ g_object_unref (config);
+
+ return res;
+}
diff --git a/service/realm-kerberos-config.h b/service/realm-kerberos-config.h
new file mode 100644
index 0000000..791aa98
--- /dev/null
+++ b/service/realm-kerberos-config.h
@@ -0,0 +1,35 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2020 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#ifndef __REALM_KERBEROS_CONFIG_H__
+#define __REALM_KERBEROS_CONFIG_H__
+
+#include <gio/gio.h>
+
+#include "realm-ini-config.h"
+
+
+RealmIniConfig * realm_kerberos_config_new (GError **error);
+
+RealmIniConfig * realm_kerberos_config_new_with_flags (RealmIniFlags flags,
+ GError **error);
+
+gboolean configure_krb5_conf_for_domain (const gchar *realm,
+ GError **error );
+
+G_END_DECLS
+
+#endif /* __REALM_KERBEROS_CONFIG_H__ */
diff --git a/service/realm-samba.c b/service/realm-samba.c
index fe33600..e7b80a0 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -21,6 +21,7 @@
#include "realm-disco.h"
#include "realm-errors.h"
#include "realm-kerberos.h"
+#include "realm-kerberos-config.h"
#include "realm-kerberos-membership.h"
#include "realm-options.h"
#include "realm-packages.h"
@@ -210,6 +211,17 @@ on_join_do_winbind (GObject *source,
NULL);
}
+ if (error == NULL) {
+ configure_krb5_conf_for_domain (enroll->disco->kerberos_realm, &error);
+ if (error != NULL) {
+ realm_diagnostics_error (enroll->invocation, error,
+ "Failed to update Kerberos "
+ "configuration, not fatal, "
+ "please check manually");
+ g_clear_error (&error);
+ }
+ }
+
if (error == NULL) {
name = realm_kerberos_get_name (REALM_KERBEROS (self));
realm_samba_winbind_configure_async (self->config, name, enroll->options,
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index de7ce30..6b2f9f8 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -19,6 +19,7 @@
#include "realm-dbus-constants.h"
#include "realm-diagnostics.h"
#include "realm-errors.h"
+#include "realm-kerberos-config.h"
#include "realm-kerberos-membership.h"
#include "realm-options.h"
#include "realm-packages.h"
@@ -256,6 +257,17 @@ on_join_do_sssd (GObject *source,
join->options, join->use_adcli, &error);
}
+ if (error == NULL) {
+ configure_krb5_conf_for_domain (join->disco->kerberos_realm, &error);
+ if (error != NULL) {
+ realm_diagnostics_error (join->invocation, error,
+ "Failed to update Kerberos "
+ "configuration, not fatal, "
+ "please check manually");
+ g_clear_error (&error);
+ }
+ }
+
if (error == NULL) {
realm_service_enable_and_restart ("sssd", join->invocation,
on_sssd_enable_nss, g_object_ref (task));
diff --git a/service/realmd-debian.conf b/service/realmd-debian.conf
index 3e93d60..6cfdcef 100644
--- a/service/realmd-debian.conf
+++ b/service/realmd-debian.conf
@@ -1,6 +1,7 @@
# Distro specific overrides for debian
[paths]
smb.conf = /etc/samba/smb.conf
+krb5.conf = /etc/krb5.conf
#
# Normally in these packages sections we can specify a file
diff --git a/service/realmd-defaults.conf b/service/realmd-defaults.conf
index 6d7ccf8..ac4b436 100644
--- a/service/realmd-defaults.conf
+++ b/service/realmd-defaults.conf
@@ -11,6 +11,7 @@ sssd.conf = /etc/sssd/sssd.conf
adcli = /usr/sbin/adcli
ipa-client-install = /usr/sbin/ipa-client-install
pam_winbind.conf = /etc/security/pam_winbind.conf
+krb5.conf = /etc/krb5.conf
[active-directory]
default-client = sssd
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index e39fad5..46e61b1 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -1,6 +1,7 @@
# Distro specific overrides for redhat
[paths]
smb.conf = /etc/samba/smb.conf
+krb5.conf = /etc/krb5.conf
[samba-packages]
samba-common-tools = /usr/bin/net
diff --git a/service/realmd-suse.conf b/service/realmd-suse.conf
index 052b4dc..3165efa 100644
--- a/service/realmd-suse.conf
+++ b/service/realmd-suse.conf
@@ -1,6 +1,7 @@
# Distro specific overrides for SuSE
[paths]
smb.conf = /etc/samba/smb.conf
+krb5.conf = /etc/krb5.conf
[samba-packages]
samba-client = /usr/bin/net
--
2.26.2

112
SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
View File

@ -1,112 +0,0 @@
From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Dec 2016 18:25:44 +0100
Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
---
service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
index 2b3a0f8..1477ae8 100644
--- a/service/realm-kerberos-provider.c
+++ b/service/realm-kerberos-provider.c
@@ -19,6 +19,7 @@
#include "realm-kerberos-provider.h"
#include <errno.h>
+#include <string.h>
struct _RealmKerberosProvider {
RealmProvider parent;
@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
}
+typedef struct {
+ gchar *name;
+ const char *prot;
+} NameProtPair;
+
+static void
+name_prot_pair_free (gpointer data)
+{
+ NameProtPair *name_prot_pair = data;
+ g_free (name_prot_pair->name);
+ g_free (name_prot_pair);
+}
+
static void
on_kerberos_discover (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
GTask *task = G_TASK (user_data);
- const gchar *domain = g_task_get_task_data (task);
+ NameProtPair *name_prot_pair = g_task_get_task_data (task);
GError *error = NULL;
RealmDisco *disco;
GList *targets;
+ GResolver *resolver;
targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
if (targets) {
g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
- disco = realm_disco_new (domain);
- disco->kerberos_realm = g_ascii_strup (domain, -1);
+ disco = realm_disco_new (name_prot_pair->name);
+ disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
g_task_return_pointer (task, disco, realm_disco_unref);
} else if (error) {
- g_debug ("Resolving %s failed: %s", domain, error->message);
+ g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
g_error_free (error);
- g_task_return_pointer (task, NULL, NULL);
+
+ if (strcmp (name_prot_pair->prot, "tcp") == 0) {
+ g_task_return_pointer (task, NULL, NULL);
+ } else {
+ /* Try tcp */
+ name_prot_pair->prot = "tcp";
+ resolver = g_resolver_get_default ();
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
+ name_prot_pair->name,
+ g_task_get_cancellable (task),
+ on_kerberos_discover, g_object_ref (task));
+ g_object_unref (resolver);
+ }
}
g_object_unref (task);
@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
GTask *task;
const gchar *software;
GResolver *resolver;
- gchar *name;
+ NameProtPair *name_prot_pair;
task = g_task_new (provider, NULL, callback, user_data);
@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- name = g_hostname_to_ascii (string);
+ name_prot_pair = g_new0 (NameProtPair, 1);
+ name_prot_pair->name = g_hostname_to_ascii (string);
+ name_prot_pair->prot = "udp";
resolver = g_resolver_get_default ();
- g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
+ name_prot_pair->name,
realm_invocation_get_cancellable (invocation),
on_kerberos_discover, g_object_ref (task));
- g_task_set_task_data (task, name, g_free);
+ g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
g_object_unref (resolver);
}
--
2.9.3

41
SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch
View File

@ -1,41 +0,0 @@
From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 25 Nov 2016 17:35:11 +0100
Subject: [PATCH] LDAP: don't close LDAP socket twice
ldap_destroy() will call close() on the LDAP socket so with an explicit
close() before the file descriptor will be closed twice. Even worse,
since the file descriptor can be reused after the explicit call of
close() by any other thread the close() called from ldap_destroy() might
close a file descriptor used by a different thread as seen e.g. in
https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
Additionally the patch makes sure that the closed connection cannot be
used again.
https://bugzilla.redhat.com/show_bug.cgi?id=1398522
---
service/realm-ldap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 061ed61..59817fb 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
{
LdapSource *ls = (LdapSource *)source;
- /* Yeah, this is pretty rough, but we don't want blocking here */
- close (ls->sock);
ldap_destroy (ls->ldap);
+ ls->sock = -1;
+ ls->ldap = NULL;
+
if (ls->cancellable) {
g_cancellable_release_fd (ls->cancellable);
g_object_unref (ls->cancellable);
--
2.9.3

185
SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
View File

@ -1,185 +0,0 @@
From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 30 May 2018 13:10:57 +0200
Subject: [PATCH] Use current idmap options for smb.conf
Samba change some time ago the way how to configure id-mapping. With
this patch realmd will use the current supported options when creating
smb.conf.
A new option --legacy-samba-config is added to use the old options if
realmd is used with Samba 3.5 or earlier.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
---
dbus/realm-dbus-constants.h | 1 +
doc/manual/realmd.conf.xml | 17 ++++++++++++
service/realm-samba-enroll.c | 2 +-
service/realm-samba-enroll.h | 3 +++
service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
5 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index 9cd30ef..40ffa2d 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -69,6 +69,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name"
#define REALM_DBUS_OPTION_OS_NAME "os-name"
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
+#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 7853230..a2b577c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -192,6 +192,23 @@ automatic-install = no
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>legacy-samba-config</option></term>
+ <listitem>
+ <para>Set this to <parameter>yes</parameter> to create a Samba
+ configuration file with id-mapping options used by Samba-3.5
+ and earlier version.</para>
+
+ <informalexample>
+<programlisting language="js">
+[service]
+legacy-samba-config = no
+# legacy-samba-config = yes
+</programlisting>
+ </informalexample>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index c81aed2..76e7b79 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
g_free (join);
}
-static gchar *
+gchar *
fallback_workgroup (const gchar *realm)
{
const gchar *pos;
diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
index 84e8b2f..310ec65 100644
--- a/service/realm-samba-enroll.h
+++ b/service/realm-samba-enroll.h
@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco,
gboolean realm_samba_enroll_leave_finish (GAsyncResult *result,
GError **error);
+gchar *
+fallback_workgroup (const gchar *realm);
+
G_END_DECLS
#endif /* __REALM_SAMBA_ENROLL_H__ */
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index a7ddec3..9335e26 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -21,8 +21,10 @@
#include "realm-options.h"
#include "realm-samba-config.h"
#include "realm-samba-winbind.h"
+#include "realm-samba-enroll.h"
#include "realm-settings.h"
#include "realm-service.h"
+#include "dbus/realm-dbus-constants.h"
#include <glib/gstdio.h>
@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
RealmIniConfig *pwc;
GTask *task;
GError *error = NULL;
+ gchar *workgroup = NULL;
+ gchar *idmap_config_backend = NULL;
+ gchar *idmap_config_range = NULL;
+ gchar *idmap_config_schema_mode = NULL;
g_return_if_fail (config != NULL);
g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
"template shell", realm_settings_string ("users", "default-shell"),
NULL);
- if (realm_options_automatic_mapping (options, domain_name)) {
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
- "idmap uid", "10000-2000000",
- "idmap gid", "10000-2000000",
- "idmap backend", "tdb",
- "idmap schema", NULL,
- NULL);
+ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
+ if (realm_options_automatic_mapping (options, domain_name)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "10000-2000000",
+ "idmap gid", "10000-2000000",
+ "idmap backend", "tdb",
+ "idmap schema", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "500-4294967296",
+ "idmap gid", "500-4294967296",
+ "idmap backend", "ad",
+ "idmap schema", "rfc2307",
+ NULL);
+ }
} else {
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
- "idmap uid", "500-4294967296",
- "idmap gid", "500-4294967296",
- "idmap backend", "ad",
- "idmap schema", "rfc2307",
- NULL);
+ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
+ if (workgroup == NULL) {
+ workgroup = fallback_workgroup (domain_name);
+ }
+ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ g_free (workgroup);
+
+ if (realm_options_automatic_mapping (options, domain_name)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap config * : backend", "tdb",
+ "idmap config * : range", "10000-999999",
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap config * : backend", "tdb",
+ "idmap config * : range", "10000000-10999999",
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
+ NULL);
+ }
}
realm_ini_config_finish_change (config, &error);
+ g_free (idmap_config_backend);
+ g_free (idmap_config_range);
}
/* Setup pam_winbind.conf with decent defaults matching our expectations */
--
2.14.4

74
SOURCES/0001-Use-startTLS-with-FreeIPA.patch
View File

@ -1,74 +0,0 @@
From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 3 Jul 2020 17:18:27 +0200
Subject: [PATCH] Use startTLS with FreeIPA
FreeIPA is planning to required a minimal security strength factor (ssf)
in an upcoming version. This basically means that communication should
be encrypted. The most straight forward way is use TLS by doing a
StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
since the initial release we will call StartTLS unconditionally but try
without if it fails.
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
---
service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
service/realm-ldap.c | 4 +++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 3100650..7614071 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
LDAP *ldap)
{
const char *attrs[] = { "info", "associatedDomain", NULL };
+ int ret;
+ int ldap_opt_val;
clo->request = NULL;
clo->result = result_domain_info;
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
+ * encrypted connected. Trying without in case of an error. Since we
+ * most probably do not have the IPA CA certificate we will not check
+ * the server certificate. */
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to disable certificate checking, trying without");
+ }
+
+ ldap_opt_val = 0;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
+ }
+
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ g_debug ("Failed to setup TLS tunnel, trying without");
+ }
+
return search_ldap (task, clo, ldap, clo->default_naming_context,
LDAP_SCOPE_BASE, NULL, attrs);
}
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 59817fb..7831b5b 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
+ g_free (url);
g_free (native);
--
2.26.2

61
SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch
View File

@ -1,61 +0,0 @@
From 4ef597d15df246f4121266aaf3e291e3f06f6f4a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Mar 2021 17:57:07 +0100
Subject: [PATCH] build: add --with-vendor-error-message configure option
With the new configure option --with-vendor-error-message a packager or
a distribution can add a message if realmd returns with an error.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386
---
configure.ac | 15 +++++++++++++++
tools/realm.c | 7 +++++++
2 files changed, 22 insertions(+)
diff --git a/configure.ac b/configure.ac
index ee067d9..05ec1bf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,6 +51,21 @@ fi
AC_SUBST(DISTRO)
+# -----------------------------------------------------------------------------
+# Vendor error message
+
+AC_ARG_WITH([vendor-error-message],
+ [AS_HELP_STRING([--with-vendor-error-message=ARG],
+ [Add a vendor specific error message shown if a realm command fails]
+ )],
+ [AS_IF([test "x$withval" != "x"],
+ [AC_DEFINE_UNQUOTED([VENDOR_MSG],
+ ["$withval"],
+ [Vendor specific error message])],
+ [AC_MSG_ERROR([--with-vendor-error-message requires an argument])]
+ )],
+ [])
+
# -----------------------------------------------------------------------------
# Basic tools
diff --git a/tools/realm.c b/tools/realm.c
index 1530f09..8fdca16 100644
--- a/tools/realm.c
+++ b/tools/realm.c
@@ -287,6 +287,13 @@ main (int argc,
ret = (realm_commands[i].function) (client, argc, argv);
g_object_unref (client);
+#ifdef VENDOR_MSG
+ if (ret != 0) {
+ g_printerr (VENDOR_MSG"\n");
+ }
+
+#endif
+
break;
}
}
--
2.31.1

32
SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
View File

@ -1,32 +0,0 @@
From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 28 Nov 2019 18:51:30 +0100
Subject: [PATCH] configure: do not inherit DISTRO from the environment
The argument of the --with-distro configure option is stored in the
variable DISTRO. If DISTRO is already set in the build environment it
should not be used hence DISTRO must be cleared by the configure script
if not set by --with-distro.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
---
configure.ac | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e335247..a424a49 100644
--- a/configure.ac
+++ b/configure.ac
@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
[AS_HELP_STRING([--with-distro],
[Configure for a specific distribution (eg: redhat)]
)],
- [DISTRO=$withval])
+ [DISTRO=$withval],
+ [DISTRO=])
if test -z $DISTRO; then
AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
--
2.21.0

158
SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
View File

@ -1,158 +0,0 @@
From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 6 Feb 2017 12:25:52 +0100
Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual
page
And clean up the documentation for the various arguments.
---
doc/manual/realm.xml | 70 +++++++++++++++++++++++---------------------
1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 6724d80..9d9136a 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -60,7 +60,7 @@
<variablelist>
<varlistentry>
- <term><option>--install=/path</option></term>
+ <term><option>-i</option>, <option>--install=/path</option></term>
<listitem><para>Run in install mode. This makes realmd
chroot into the specified directory and place files in
appropriate locations for use during an installer. No
@@ -73,7 +73,7 @@
for input.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--verbose, -v</option></term>
+ <term><option>-v</option>, <option>--verbose</option></term>
<listitem><para>Display verbose diagnostics while doing
running commands.</para></listitem>
</varlistentry>
@@ -105,7 +105,7 @@ $ realm discover domain.example.com
<variablelist>
<varlistentry>
- <term><option>--all</option></term>
+ <term><option>-a</option>, <option>--all</option></term>
<listitem><para>Show all discovered realms (in various
configurations).</para></listitem>
</varlistentry>
@@ -116,6 +116,10 @@ $ realm discover domain.example.com
<replaceable>sssd</replaceable> or
<replaceable>winbind</replaceable>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-n</option>, <option>--name</option></term>
+ <listitem><para>Only show the names of the discovered realms.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--server-software=xxx</option></term>
<listitem><para>Only discover realms which run the
@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
in the domain already.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user=xxx</option></term>
- <listitem><para>The user name to be used to authenticate
- with when joining the machine to the realm. You will
- be prompted for a password.</para></listitem>
+ <term><option>--client-software=xxx</option></term>
+ <listitem><para>Only join realms for which we can
+ use the given client software. Possible values include
+ <replaceable>sssd</replaceable> or
+ <replaceable>winbind</replaceable>. Not all values are
+ supported for all realms. By default the client software
+ is automatically selected.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--computer-ou=OU=xxx</option></term>
@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
DSE portion of distinguished name. This is an Active
Directory specific option.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--membership-software=xxx</option></term>
+ <listitem><para>The software to use when joining to the
+ realm. Possible values include <replaceable>samba</replaceable> or
+ <replaceable>adcli</replaceable>. Not all values are
+ supported for all realms. By default the membership software
+ is automatically selected.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Perform the join automatically without
@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
all types of realms.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--client-software=xxx</option></term>
- <listitem><para>Only join realms for which we can
- use the given client software. Possible values include
- <replaceable>sssd</replaceable> or
- <replaceable>winbind</replaceable>. Not all values are
- supported for all realms. By default the client software
- is automatically selected.</para></listitem>
+ <term><option>--os-name=xxx</option></term>
+ <listitem><para>The name of the operation system of the
+ client. When joining an AD domain the value is store in
+ the matching AD attribute.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--os-version=xxx</option></term>
+ <listitem><para>The version of the operation system of the
+ client. When joining an AD domain the value is store in
+ the matching AD attribute.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--server-software=xxx</option></term>
@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
<replaceable>ipa</replaceable>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--membership-software=xxx</option></term>
- <listitem><para>The software to use when joining to the
- realm. Possible values include <replaceable>samba</replaceable> or
- <replaceable>adcli</replaceable>. Not all values are
- supported for all realms. By default the membership software
- is automatically selected.</para></listitem>
+ <term><option>-U</option>, <option>--user=xxx</option></term>
+ <listitem><para>The user name to be used to authenticate
+ with when joining the machine to the realm. You will
+ be prompted for a password.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
the value for this option, then a principal will be set
in the form of <literal>host/shortname@REALM</literal></para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--os-name=xxx</option></term>
- <listitem><para>The name of the operation system of the
- client. When joining an AD domain the value is store in
- the matching AD attribute.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><option>--os-version=xxx</option></term>
- <listitem><para>The version of the operation system of the
- client. When joining an AD domain the value is store in
- the matching AD attribute.</para></listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -300,7 +304,7 @@ $ realm leave domain.example.com
for a pasword.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user</option></term>
+ <term><option>-U</option>, <option>--user</option></term>
<listitem><para>The user name to be used to authenticate
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
--
2.21.0

36
SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch
View File

@ -1,36 +0,0 @@
From 05100771ea6bd775caae705bb53f76a0816f3b81 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 May 2021 11:13:06 +0200
Subject: [PATCH] doc: add computer-name to realm man page
---
doc/manual/realm.xml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 9160a8a..b4dc27c 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
supported for all realms. By default the membership software
is automatically selected.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--computer-name=xxx</option></term>
+ <listitem>
+ <para>This option only applies to Active
+ Directory realms. Specify this option to
+ override the default name used when creating
+ the computer account. The system's FQDN will
+ still be saved in the dNSHostName attribute.</para>
+ <para>Specify the name as a string of 15 or
+ fewer characters that is a valid NetBIOS
+ computer name.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Perform the join automatically without
--
2.31.1

104
SOURCES/0001-doc-extend-description-of-config-handling.patch
View File

@ -1,104 +0,0 @@
From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 21:57:02 +0100
Subject: [PATCH] doc: extend description of config handling
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005
---
doc/manual/Makefile.am | 8 ++++++++
doc/manual/realmd.conf.xml | 15 +++++++++++----
doc/privatedir.xml.in | 1 +
4 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644 doc/privatedir.xml.in
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index 8b33fdd..9812c45 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -1,14 +1,20 @@
+XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc
man8_MANS += \
doc/manual/realm.8
man5_MANS += \
doc/manual/realmd.conf.5
+$(man5_MANS): doc/privatedir.xml
+
MAN_IN_FILES = \
$(man8_MANS:.8=.xml) \
$(man5_MANS:.5=.xml) \
$(NULL)
+doc/privatedir.xml: doc/privatedir.xml.in
+ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@
+
MANUAL_DOCBOOK = doc/manual/realmd-docs.xml
MANUAL_INCLUDES = \
@@ -41,6 +47,7 @@ MANUAL_XSLT = \
$(NULL)
EXTRA_DIST += \
+ doc/privatedir.xml.in \
$(MANUAL_DOCBOOK) \
$(MANUAL_INCLUDES) \
$(MAN_IN_FILES) \
@@ -50,6 +57,7 @@ EXTRA_DIST += \
CLEANFILES += \
realmd-org.freedesktop.realmd.generated \
+ doc/privatedir.xml \
$(DBUS_DOC_GENERATED) \
$(DBUS_ESCAPED) \
$(man8_MANS) \
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 1592291..9062252 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -1,6 +1,9 @@
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+[
+<!ENTITY privatedir SYSTEM "privatedir.xml">
+]>
<refentry id="realmd-conf">
@@ -35,7 +38,9 @@
to act in specific ways. This is done by placing settings in a
<filename>/etc/realmd.conf</filename>. This file does not exist by
default. The syntax of this file is the same as an INI file or
- Desktop Entry file.</para>
+ Desktop Entry file. If the file is changed and
+ <command>realmd</command> is running <command>realmd</command> must be
+ restarted to read the new values.</para>
<para>In general, settings in this file only apply at the point of
joining a domain or realm. Once the realm has been setup the settings
@@ -46,8 +51,10 @@
<para>Only specify the settings you wish to override in the
<filename>/etc/realmd.conf</filename> file. Settings not specified will
- be loaded from their packaged defaults. Only override the settings
- below. You may find other settings if you look through the
+ be loaded from their packaged defaults which can be found in
+ <filename>&privatedir;/realmd-defaults.conf</filename> and
+ <filename>&privatedir;/realmd-distro.conf</filename>. Only override the
+ settings below. You may find other settings if you look through the
<command>realmd</command> source code. However these are not guaranteed
to remain stable.</para>
diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in
new file mode 100644
index 0000000..7f71afe
--- /dev/null
+++ b/doc/privatedir.xml.in
@@ -0,0 +1 @@
+@privatedir@
\ No newline at end of file
--
2.21.0

75
SOURCES/0001-doc-extend-user-principal-section.patch
View File

@ -1,75 +0,0 @@
From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:10:03 +0100
Subject: [PATCH] doc: extend user-principal section
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814
---
doc/manual/realm.xml | 21 +++++++++++++++++++--
doc/manual/realmd.conf.xml | 15 ++++++++++-----
2 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 7b73331..55a7640 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
- <listitem><para>Set the userPrincipalName field of the
+ <listitem><para>Set the
+ <option>userPrincipalName</option> field of the
computer account to this kerberos principal. If you omit
the value for this option, then a principal will be set
- in the form of <literal>host/shortname@REALM</literal></para></listitem>
+ based on the defaults of the membership software.</para>
+ <para>AD makes a distinction between user and service
+ principals. Only with user principals you can request a
+ Kerberos Ticket-Granting-Ticket (TGT), i.e. only user
+ principals can be used with the <command>kinit</command>
+ command. By default the user principal and the canonical
+ principal name of an AD computer account is
+ <code>shortname$@AD.DOMAIN</code>, where shortname is
+ the NetBIOS name which is limited to 15 characters.</para>
+ <para>If there are applications which are not aware of
+ the AD default and are using a hard-coded default
+ principal the <option>--user-principal</option> can be
+ used to make AD aware of this principal. Please note
+ that <option>userPrincipalName</option> is a single
+ value LDAP attribute, i.e. only one alternative user
+ principal besides the AD default user principal can be
+ set.</para></listitem>
</varlistentry>
</variablelist>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index f0b0879..a26a60c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -365,12 +365,17 @@ computer-name = SERVER01
</listitem>
</varlistentry>
<varlistentry>
- <term><option>user-prinicpal</option></term>
+ <term><option>user-principal</option></term>
<listitem>
- <para>Set the <option>user-prinicpal</option> to <code>yes</code>
- to create <option>userPrincipalName</option> attributes for the
- computer account in the realm, in the form
- <code>host/computer@REALM</code></para>
+ <para>Set the <option>user-principal</option> to <code>yes</code>
+ to create <option>userPrincipalName</option> attribute for the
+ computer accounts in the realm. The exact value depends on the
+ defaults of the used membership software. To have full control
+ over the value please use the
+ <option>--user-principal</option> option of the
+ <command>realm</command> command, see
+ <citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> for details.</para>
<informalexample>
<programlisting language="js">
--
2.21.0

26
SOURCES/0001-doc-fix-discover-name-only.patch
View File

@ -1,26 +0,0 @@
From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:49:15 +0100
Subject: [PATCH 1/2] doc: fix discover name-only
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
---
doc/manual/realmd.conf.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index a26a60c..fc6a785 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
<informalexample>
<screen>
-$ <command>realm discover --name DOMAIN.example.com</command>
+$ <command>realm discover --name-only DOMAIN.example.com</command>
domain.example.com
...
</screen>
--
2.21.0

1500
SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch
View File

File diff suppressed because it is too large Load Diff

78
SOURCES/0001-ldap-add-socket-timeout.patch
View File

@ -1,78 +0,0 @@
From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 Nov 2021 17:25:18 +0100
Subject: [PATCH] ldap: add socket timeout
During the discovery phase realmd tries to open LDAP connections to
multiple DC addresses returned by DNS. When cleaning up we have to call
ldap_destroy() to release the resources allocated for the LDAP context.
ldap_destroy() tries to send a LDAP unbind request independent of the
connection state. If the related address is block by a firewall or a not
properly routed IPv6 address there might be no reply on the TCP level
and the request might be stuck for quite some tome in the kernel.
To avoid the unexpected long delays will block realmd this patch lowers
the timeout considerably to 5s. As multiple other timeouts this value is
currently hardcoded.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
---
service/realm-ldap.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index bdfb96c..f7b6d13 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -22,6 +22,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <netinet/tcp.h>
#include <errno.h>
@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
/* Not included in ldap.h but documented */
int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
+#define LDAP_SOCKET_TIMEOUT 5
GSource *
realm_ldap_connect_anonymous (GSocketAddress *address,
@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
int opt_rc;
int ldap_opt_val;
const char *errmsg = NULL;
+ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
+ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
+ /* Lower the kernel defaults which might be minutes to hours */
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
+ &tv, sizeof (tv));
+ if (rc != 0) {
+ g_warning ("couldn't set SO_RCVTIMEO");
+ }
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
+ &tv, sizeof (tv));
+ if (rc != 0) {
+ g_warning ("couldn't set SO_SNDTIMEO");
+ }
+ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
+ &milli, sizeof (milli));
+ if (rc != 0) {
+ g_warning ("couldn't set TCP_USER_TIMEOUT");
+ }
+
if (family == G_SOCKET_FAMILY_IPV4) {
url = g_strdup_printf ("%s://%s:%d",
use_ldaps ? "ldaps" : "ldap",
--
2.34.1

32
SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch
View File

@ -1,32 +0,0 @@
From e41de8344a09092ae4d973f495eef54a106a11ee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 26 Nov 2020 17:24:10 +0100
Subject: [PATCH] ldap: setup TLS when using ldaps
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-ldap.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 2076d1e..e07a299 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -263,6 +263,14 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
return NULL;
}
+ if (use_ldaps) {
+ rc = ldap_install_tls (ls->ldap);
+ if (rc != LDAP_SUCCESS) {
+ g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
+ return NULL;
+ }
+ }
+
break;
case G_SOCKET_PROTOCOL_UDP:
--
2.28.0

128
SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch
View File

@ -1,128 +0,0 @@
From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Dec 2021 15:32:32 +0100
Subject: [PATCH] samba: use new Samba-4.15 command line options
Samba-4.15 changed a couple of command line options of the net utility.
This patch adds a configure option to select the new or the old style.
If the option is not used configure tries to call the net utility to
check for the options. If this fails the old style is used.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
---
configure.ac | 34 ++++++++++++++++++++++++++++++++++
service/realm-samba-enroll.c | 18 +++++++++++++-----
2 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index ea51f92..ddc25d0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
+# -------------------------------------------------------------------
+# Samba
+
+AC_ARG_WITH(new-samba-cli-options,
+ AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
+ [Use new command line options introduced with Samba-4.15,
+ if not provided the output of 'net help' is checked or old
+ style options are used]))
+
+if test "$with_new_samba_cli_options" = "no"; then
+ AC_MSG_RESULT([Using old Samba command line options])
+elif test "$with_new_samba_cli_options" = "yes"; then
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
+ [Use new command line options introduced with Samba-4.15])
+ AC_MSG_RESULT([Using new Samba command line options])
+else
+ AC_PATH_PROG([SAMBA_NET], [net])
+ if test ! -x "$SAMBA_NET"; then
+ AC_MSG_NOTICE([Could not find Samba's net utility, ]
+ [assuming old style command line options, ]
+ [please install the net utility for proper detection.])
+ else
+ AC_MSG_CHECKING([for --debug-stdout option of net])
+ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
+ [Use new command line options introduced with Samba-4.15])
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+fi
+
+
# -------------------------------------------------------------------
# Directories
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 5624a08..8b2ee38 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -37,6 +37,14 @@
#include <sys/socket.h>
#include <netdb.h>
+#ifdef WITH_NEW_SAMBA_CLI_OPTS
+#define SMBCLI_KERBEROS "--use-kerberos=required"
+#define SMBCLI_CONF "--configfile"
+#else
+#define SMBCLI_KERBEROS "-k"
+#define SMBCLI_CONF "-s"
+#endif
+
typedef struct {
GDBusMethodInvocation *invocation;
gchar *join_args[8];
@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
/* Use our custom smb.conf */
g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
if (join->custom_smb_conf) {
- g_ptr_array_add (args, "-s");
+ g_ptr_array_add (args, SMBCLI_CONF);
g_ptr_array_add (args, join->custom_smb_conf);
}
@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
} else {
begin_net_process (join, NULL,
on_keytab_do_finish, g_object_ref (task),
- "-k", "ads", "keytab", "create", NULL);
+ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
}
g_object_unref (task);
@@ -428,7 +436,7 @@ begin_join (GTask *task,
begin_net_process (join, join->password_input,
on_join_do_keytab, g_object_ref (task),
"-U", join->user_name,
- "-k", "ads", "join", join->disco->domain_name,
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
@@ -437,7 +445,7 @@ begin_join (GTask *task,
} else {
begin_net_process (join, NULL,
on_join_do_keytab, g_object_ref (task),
- "-k", "ads", "join", join->disco->domain_name,
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
begin_net_process (join, NULL,
on_leave_complete, g_object_ref (task),
- "-k", "ads", "leave", NULL);
+ SMBCLI_KERBEROS, "ads", "leave", NULL);
break;
default:
g_return_if_reached ();
--
2.33.1

96
SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
View File

@ -1,96 +0,0 @@
From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Fri, 28 Oct 2016 20:27:48 +0200
Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
After adding a domain to sssd.conf add the nss and pam services
to the [sssd] block.
https://bugs.freedesktop.org/show_bug.cgi?id=98479
---
service/realm-sssd-ad.c | 3 +++
service/realm-sssd-config.c | 2 --
service/realm-sssd-ipa.c | 3 +++
tests/test-sssd-config.c | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 5ed384d..5fa81ce 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
gboolean use_adcli,
GError **error)
{
+ const gchar *services[] = { "nss", "pam", NULL };
GString *realmd_tags;
const gchar *access_provider;
const gchar *shell;
@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
"ldap_sasl_authid", authid,
NULL);
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+
g_free (authid);
g_string_free (realmd_tags, TRUE);
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
index 2096afd..d4398b9 100644
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
g_strfreev (already);
/* Setup a default sssd section */
- if (!realm_ini_config_have (config, "section", "services"))
- realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index b12136e..001870d 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
+ const gchar *services[] = { "nss", "pam", NULL };
GTask *task = G_TASK (user_data);
EnrollClosure *enroll = g_task_get_task_data (task);
RealmSssd *sssd = g_task_get_source_object (task);
@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
"realmd_tags", realmd_tags,
NULL);
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+
g_free (home);
}
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 59eab75..892b9d5 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -140,7 +140,7 @@ static void
test_add_domain_only (Test *test,
gconstpointer unused)
{
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
--
2.9.3

98
SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
View File

@ -1,98 +0,0 @@
From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 25 Apr 2017 07:20:17 +0200
Subject: [PATCH] service: Add "pam" and "nss" services in
realm_sssd_config_add_domain()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
realm_sssd_config_add_domain() must setup the services line in sssd.conf
otherwise SSSD won't be able to start any of its services.
It's a regression caused by 402cbab which leaves SSSD with no services
line when joining to an ad client doing "realm join ad.example".
https://bugs.freedesktop.org/show_bug.cgi?id=98479
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
service/realm-sssd-ad.c | 3 ++-
service/realm-sssd-config.c | 2 ++
service/realm-sssd-ipa.c | 3 ++-
tests/test-sssd-config.c | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 5fa81ce..8543ca8 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
"ldap_sasl_authid", authid,
NULL);
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ if (ret)
+ ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
g_free (authid);
g_string_free (realmd_tags, TRUE);
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
index d4398b9..140d7dc 100644
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
gchar **already;
gboolean ret;
gchar *section;
+ const gchar *services[] = { "nss", "pam", NULL };
va_list va;
gint i;
@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
g_strfreev (already);
/* Setup a default sssd section */
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 001870d..ff1dc8a 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
"realmd_tags", realmd_tags,
NULL);
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ if (error == NULL)
+ realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
g_free (home);
}
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 892b9d5..59eab75 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -140,7 +140,7 @@ static void
test_add_domain_only (Test *test,
gconstpointer unused)
{
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
--
2.9.3

69
SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
View File

@ -1,69 +0,0 @@
From cf40987b7f847be70ef3a5a0fa359116c0259477 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:19:09 +0100
Subject: [PATCH 1/6] service: add REALM_DBUS_OPTION_USE_LDAPS and
realm_get_use_ldaps
Add a new option to the realmd service to use ldaps where possible and
supported.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
dbus/realm-dbus-constants.h | 1 +
service/realm-options.c | 17 +++++++++++++++++
service/realm-options.h | 2 ++
3 files changed, 20 insertions(+)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index 40ffa2d..0bd7a5d 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -70,6 +70,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_OS_NAME "os-name"
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
+#define REALM_DBUS_OPTION_USE_LDAPS "use-ldaps"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/service/realm-options.c b/service/realm-options.c
index 34a209f..d42eb7c 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -199,3 +199,20 @@ realm_options_ad_specific (GVariant *options,
return g_strdup (value);
}
+
+gboolean realm_option_use_ldaps (GVariant *options)
+{
+ gchar *use_ldaps_str;
+
+ use_ldaps_str = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_USE_LDAPS);
+ if (use_ldaps_str != NULL
+ && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
+ || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
+ g_free (use_ldaps_str);
+ return TRUE;
+ }
+ g_free (use_ldaps_str);
+
+ return FALSE;
+}
diff --git a/service/realm-options.h b/service/realm-options.h
index b71d219..bc13cd7 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -48,6 +48,8 @@ const gchar * realm_options_computer_name (GVariant *options,
const gchar * realm_options_ad_specific (GVariant *options,
const gchar *option_name);
+gboolean realm_option_use_ldaps (GVariant *options);
+
G_END_DECLS
#endif /* __REALM_OPTIONS_H__ */
--
2.26.2

61
SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
View File

@ -1,61 +0,0 @@
From ccf48aa7761065283483d667f3efaf33b5b2a728 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 1 Dec 2020 14:12:33 +0100
Subject: [PATCH 1/3] service: make sure use_ldaps is not only set for
automatic join
The check if ldaps is requested or not was only called if an automatic
join was enabled. With this patch it is checked in all cases.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-sssd-ad.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 00a9093..ea5f28c 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -349,19 +349,6 @@ parse_join_options (JoinClosure *join,
return FALSE;
}
- /*
- * Check if ldaps should be used and if membership software supports
- * it.
- */
- join->use_ldaps = realm_option_use_ldaps (options);
- if (join->use_ldaps &&
- g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
- realm_diagnostics_info (join->invocation,
- "Membership software %s does "
- "not support ldaps, trying "
- "without.", software);
- }
-
/*
* If we are enrolling with a user password, then we have to use samba,
* adcli only supports admin passwords.
@@ -393,6 +380,19 @@ parse_join_options (JoinClosure *join,
g_assert (software != NULL);
+ /*
+ * Check if ldaps should be used and if membership software supports
+ * it.
+ */
+ join->use_ldaps = realm_option_use_ldaps (options);
+ if (join->use_ldaps &&
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
+ realm_diagnostics_info (join->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying "
+ "without.", software);
+ }
+
if (g_str_equal (software, REALM_DBUS_IDENTIFIER_ADCLI)) {
join->use_adcli = TRUE;
join->packages = ADCLI_PACKAGES;
--
2.28.0

166
SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
View File

@ -1,166 +0,0 @@
From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 12 Aug 2020 12:58:27 +0200
Subject: [PATCH] service: use 'additional dns hostnames' with net ads join
With newer versions of Samba the net ads join does not add services
principals with the configured host name anymore but added the new
option 'additional dns hostnames' for this.
realmd will try to figure out a fully-qualified host name and use it
with the new option if it is from a different domain.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912
---
service/realm-disco.c | 1 +
service/realm-disco.h | 1 +
service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++-
service/realm-samba.c | 6 ++++
4 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/service/realm-disco.c b/service/realm-disco.c
index ab06939..a12be50 100644
--- a/service/realm-disco.c
+++ b/service/realm-disco.c
@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data)
g_free (disco->explicit_netbios);
g_free (disco->kerberos_realm);
g_free (disco->workgroup);
+ g_free (disco->dns_fqdn);
if (disco->server_address)
g_object_unref (disco->server_address);
g_free (disco);
diff --git a/service/realm-disco.h b/service/realm-disco.h
index 5f3e5e9..35532d2 100644
--- a/service/realm-disco.h
+++ b/service/realm-disco.h
@@ -30,6 +30,7 @@ typedef struct {
gchar *explicit_server;
gchar *explicit_netbios;
GSocketAddress *server_address;
+ gchar *dns_fqdn;
} RealmDisco;
#define REALM_TYPE_DISCO (realm_disco_get_type ())
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 3f86c51..5624a08 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -33,6 +33,9 @@
#include <errno.h>
#include <fcntl.h>
#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
typedef struct {
GDBusMethodInvocation *invocation;
@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm)
return g_utf8_strup (realm, pos - realm);
}
+static char *
+try_to_get_fqdn (void)
+{
+ char hostname[HOST_NAME_MAX + 1];
+ gchar *fqdn = NULL;
+ int ret;
+ struct addrinfo *res;
+ struct addrinfo hints;
+
+ ret = gethostname (hostname, sizeof (hostname));
+ if (ret < 0) {
+ return NULL;
+ }
+
+ if (strchr (hostname, '.') == NULL) {
+ memset (&hints, 0, sizeof (struct addrinfo));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_CANONNAME;
+
+ ret = getaddrinfo (hostname, NULL, &hints, &res);
+ if (ret != 0) {
+ return NULL;
+ }
+
+ /* Only use a fully-qualified name */
+ if (strchr (res->ai_canonname, '.') != NULL) {
+ fqdn = g_strdup (res->ai_canonname);
+ }
+
+ freeaddrinfo (res);
+
+ } else {
+ fqdn = g_strdup (hostname);
+ }
+
+ return fqdn;
+}
+
static JoinClosure *
join_closure_init (GTask *task,
RealmDisco *disco,
@@ -95,5 +136,7 @@ join_closure_init (GTask *task,
const gchar *explicit_computer_name = NULL;
const gchar *authid = NULL;
+ gchar *fqdn = NULL;
+ gchar *fqdn_dom = NULL;
join = g_new0 (JoinClosure, 1);
join->disco = realm_disco_ref (disco);
@@ -124,7 +167,7 @@ join_closure_init (GTask *task,
"netbios name", authid,
NULL);
- /*
+ /*
* Samba complains if we don't set a 'workgroup' setting for the realm we're
* going to join. If we didn't yet manage to lookup the workgroup, then go ahead
* and assume that the first domain component is the workgroup name.
@@ -144,6 +187,18 @@ join_closure_init (GTask *task,
g_free (workgroup);
}
+ /* Add the fully-qualified DNS hostname as additional name if it is from
+ * a different domain. */
+ fqdn = try_to_get_fqdn ();
+ if (fqdn != NULL && join->disco->domain_name != NULL
+ && (fqdn_dom = strchr (fqdn, '.')) != NULL
+ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) {
+ disco->dns_fqdn = g_strdup (fqdn);
+ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
+ "additional dns hostnames", disco->dns_fqdn, NULL);
+ }
+ g_free (fqdn);
+
/* Write out the config file for use by various net commands */
join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL);
temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 4940b38..fe33600 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source,
NULL);
}
+ if (error == NULL && enroll->disco->dns_fqdn != NULL) {
+ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
+ "additional dns hostnames", enroll->disco->dns_fqdn,
+ NULL);
+ }
if (error == NULL) {
name = realm_kerberos_get_name (REALM_KERBEROS (self));
@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self,
if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
"workgroup", NULL,
"realm", NULL,
+ "additional dns hostnames", NULL,
"security", "user",
NULL)) {
g_task_return_error (task, error);
--
2.26.2

30
SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch
View File

@ -1,30 +0,0 @@
From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 21 Feb 2020 14:06:16 +0100
Subject: [PATCH] service: use "kerberos method" "secrets and keytab"
When using Samba with Winbind the host password stored in secrets.tdb is
still important so the "secrets and keytab" should be the preferred
"kerberos method".
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
---
service/realm-samba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e2a3608..4940b38 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
"template shell", realm_settings_string ("users", "default-shell"),
"netbios name", computer_name,
"password server", enroll->disco->explicit_server,
- "kerberos method", "system keytab",
+ "kerberos method", "secrets and keytab",
NULL);
}
--
2.24.1

32
SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
View File

@ -1,32 +0,0 @@
From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 Aug 2020 11:18:17 +0200
Subject: [PATCH] service: use net ads join with -k for user join as well
The NTLM authentication used by 'net ads join' does only support crypto
algorithms which e.g. are not allowed by FIPS. It would be better to
tell 'net ads join' to try Kerberos first before falling back to NTLM by
adding the '-k' option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
---
service/realm-samba-enroll.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index f5edca3..3f86c51 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -372,7 +372,8 @@ begin_join (GTask *task,
} else if (join->user_name) {
begin_net_process (join, join->password_input,
on_join_do_keytab, g_object_ref (task),
- "-U", join->user_name, "ads", "join", join->disco->domain_name,
+ "-U", join->user_name,
+ "-k", "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
--
2.26.2

36
SOURCES/0001-switch-to-authselect.patch
View File

@ -1,36 +0,0 @@
From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 19 Feb 2018 11:51:06 +0100
Subject: [PATCH] switch to authselect
---
service/realmd-redhat.conf | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
freeipa-client = /usr/sbin/ipa-client-install
[commands]
-winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
winbind-enable-service = /usr/bin/systemctl enable winbind.service
winbind-disable-service = /usr/bin/systemctl disable winbind.service
winbind-restart-service = /usr/bin/systemctl restart winbind.service
winbind-stop-service = /usr/bin/systemctl stop winbind.service
-sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
sssd-enable-service = /usr/bin/systemctl enable sssd.service
sssd-disable-service = /usr/bin/systemctl disable sssd.service
sssd-restart-service = /usr/bin/systemctl restart sssd.service
--
2.9.3

38
SOURCES/0001-syslog-avoid-duplicate-log-messages.patch
View File

@ -1,38 +0,0 @@
From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 25 Nov 2021 14:36:10 +0100
Subject: [PATCH] syslog: avoid duplicate log messages
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
---
service/realm-diagnostics.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
index 850b2e3..6aa5288 100644
--- a/service/realm-diagnostics.c
+++ b/service/realm-diagnostics.c
@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
while ((ptr = memchr (at, '\n', length)) != NULL) {
*ptr = '\0';
if (line_buffer && line_buffer->len > 0) {
+#ifdef WITH_JOURNAL
+ /* Call realm_daemon_syslog directly to add
+ * REALMD_OPERATION to the jounrnal */
realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
+#else
g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
+#endif
g_string_set_size (line_buffer, 0);
} else {
+#ifdef WITH_JOURNAL
realm_daemon_syslog (operation, log_level, "%s", at);
+#else
g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
+#endif
}
*ptr = '\n';
--
2.33.1

374
SOURCES/0001-tests-run-tests-with-python3.patch
View File

@ -1,374 +0,0 @@
From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 4 Jul 2018 16:41:16 +0200
Subject: [PATCH] tests: run tests with python3
To allow the test to run with python3 build/tap-driver and
build/tap-gtester are updated to the latest version provided by the
cockpit project https://github.com/cockpit-project/cockpit.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
---
build/tap-driver | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
build/tap-gtester | 59 ++++++++++++++++++++++---------
2 files changed, 125 insertions(+), 38 deletions(-)
diff --git a/build/tap-driver b/build/tap-driver
index 42f57c8..241fd50 100755
--- a/build/tap-driver
+++ b/build/tap-driver
@@ -1,4 +1,5 @@
-#!/usr/bin/python
+#!/usr/bin/python3
+# This can also be run with Python 2.
# Copyright (C) 2013 Red Hat, Inc.
#
@@ -29,20 +30,58 @@
#
import argparse
+import fcntl
import os
import select
+import struct
import subprocess
import sys
+import termios
+import errno
+
+_PY3 = sys.version[0] >= '3'
+_str = _PY3 and str or unicode
+
+def out(data, stream=None, flush=False):
+ if not isinstance(data, bytes):
+ data = data.encode("UTF-8")
+ if not stream:
+ stream = _PY3 and sys.stdout.buffer or sys.stdout
+ while True:
+ try:
+ if data:
+ stream.write(data)
+ data = None
+ if flush:
+ stream.flush()
+ flush = False
+ break
+ except IOError as e:
+ if e.errno == errno.EAGAIN:
+ continue
+ raise
+
+def terminal_width():
+ try:
+ h, w, hp, wp = struct.unpack('HHHH',
+ fcntl.ioctl(1, termios.TIOCGWINSZ,
+ struct.pack('HHHH', 0, 0, 0, 0)))
+ return w
+ except IOError as e:
+ if e.errno != errno.ENOTTY:
+ sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
+ return sys.maxsize
class Driver:
def __init__(self, args):
self.argv = args.command
self.test_name = args.test_name
- self.log = open(args.log_file, "w")
- self.log.write("# %s\n" % " ".join(sys.argv))
+ self.log = open(args.log_file, "wb")
+ self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
self.trs = open(args.trs_file, "w")
self.color_tests = args.color_tests
self.expect_failure = args.expect_failure
+ self.width = terminal_width() - 9
def report(self, code, *args):
CODES = {
@@ -57,17 +96,18 @@ class Driver:
# Print out to console
if self.color_tests:
if code in CODES:
- sys.stdout.write(CODES[code])
- sys.stdout.write(code)
+ out(CODES[code])
+ out(code)
if self.color_tests:
- sys.stdout.write('\x1b[m')
- sys.stdout.write(": ")
- sys.stdout.write(self.test_name)
- sys.stdout.write(" ")
- for arg in args:
- sys.stdout.write(str(arg))
- sys.stdout.write("\n")
- sys.stdout.flush()
+ out('\x1b[m')
+ out(": ")
+ msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
+ if code == "PASS" and len(msg) > self.width:
+ out(msg[:self.width])
+ out("...")
+ else:
+ out(msg)
+ out("\n", flush=True)
# Book keeping
if code in CODES:
@@ -100,12 +140,14 @@ class Driver:
def execute(self):
try:
proc = subprocess.Popen(self.argv, close_fds=True,
+ stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
- except OSError, ex:
+ except OSError as ex:
self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
return
+ proc.stdin.close()
outf = proc.stdout.fileno()
errf = proc.stderr.fileno()
rset = [outf, errf]
@@ -113,18 +155,25 @@ class Driver:
ret = select.select(rset, [], [], 10)
if outf in ret[0]:
data = os.read(outf, 1024)
- if data == "":
+ if data == b"":
rset.remove(outf)
self.log.write(data)
self.process(data)
if errf in ret[0]:
data = os.read(errf, 1024)
- if data == "":
+ if data == b"":
rset.remove(errf)
self.log.write(data)
- sys.stderr.write(data)
+ stream = _PY3 and sys.stderr.buffer or sys.stderr
+ out(data, stream=stream, flush=True)
proc.wait()
+
+ # Make sure the test didn't change blocking output
+ assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+ assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+ assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+
return proc.returncode
@@ -137,6 +186,7 @@ class TapDriver(Driver):
self.late_plan = False
self.errored = False
self.bail_out = False
+ self.skip_all_reason = None
def report(self, code, num, *args):
if num:
@@ -170,13 +220,19 @@ class TapDriver(Driver):
else:
self.result_fail(num, description)
- def consume_test_plan(self, first, last):
+ def consume_test_plan(self, line):
# Only one test plan is supported
if self.test_plan:
self.report_error("Get a second TAP test plan")
return
+ if line.lower().startswith('1..0 # skip'):
+ self.skip_all_reason = line[5:].strip()
+ self.bail_out = True
+ return
+
try:
+ (first, unused, last) = line.partition("..")
first = int(first)
last = int(last)
except ValueError:
@@ -192,7 +248,7 @@ class TapDriver(Driver):
def process(self, output):
if output:
- self.output += output
+ self.output += output.decode("UTF-8")
elif self.output:
self.output += "\n"
(ready, unused, self.output) = self.output.rpartition("\n")
@@ -202,8 +258,7 @@ class TapDriver(Driver):
elif line.startswith("not ok "):
self.consume_test_line(False, line[7:])
elif line and line[0].isdigit() and ".." in line:
- (first, unused, last) = line.partition("..")
- self.consume_test_plan(first, last)
+ self.consume_test_plan(line)
elif line.lower().startswith("bail out!"):
self.consume_bail_out(line)
@@ -213,6 +268,13 @@ class TapDriver(Driver):
failed = False
skipped = True
+ if self.skip_all_reason is not None:
+ self.result_skip("skipping:", self.skip_all_reason)
+ self.trs.write(":global-test-result: SKIP\n")
+ self.trs.write(":test-global-result: SKIP\n")
+ self.trs.write(":recheck: no\n")
+ return 0
+
# Basic collation of results
for (num, code) in self.reported.items():
if code == "ERROR":
diff --git a/build/tap-gtester b/build/tap-gtester
index 7e667d4..bbda266 100755
--- a/build/tap-gtester
+++ b/build/tap-gtester
@@ -1,4 +1,5 @@
-#!/usr/bin/python
+#!/usr/bin/python3
+# This can also be run with Python 2.
# Copyright (C) 2014 Red Hat, Inc.
#
@@ -30,9 +31,19 @@
import argparse
import os
import select
+import signal
import subprocess
import sys
+# Yes, it's dumb, but strsignal is not exposed in python
+# In addition signal numbers varify heavily from arch to arch
+def strsignal(sig):
+ for name in dir(signal):
+ if name.startswith("SIG") and sig == getattr(signal, name):
+ return name
+ return str(sig)
+
+
class NullCompiler:
def __init__(self, command):
self.command = command
@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
elif cmd == "result":
if self.test_name:
if data == "OK":
- print "ok %d %s" % (self.test_num, self.test_name)
+ print("ok %d %s" % (self.test_num, self.test_name))
if data == "FAIL":
- print "not ok %d %s", (self.test_num, self.test_name)
+ print("not ok %d %s" % (self.test_num, self.test_name))
self.test_name = None
elif cmd == "skipping":
if "/subprocess" not in data:
- print "ok %d # skip -- %s" % (self.test_num, data)
+ print("ok %d # skip -- %s" % (self.test_num, data))
self.test_name = None
elif data:
- print "# %s: %s" % (cmd, data)
+ print("# %s: %s" % (cmd, data))
else:
- print "# %s" % cmd
+ print("# %s" % cmd)
elif line.startswith("(MSG: "):
- print "# %s" % line[6:-1]
+ print("# %s" % line[6:-1])
elif line:
- print "# %s" % line
+ print("# %s" % line)
sys.stdout.flush()
def run(self, proc, output=""):
@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
if line.startswith("/"):
self.test_remaining.append(line.strip())
if not self.test_remaining:
- print "Bail out! No tests found in GTest: %s" % self.command[0]
+ print("Bail out! No tests found in GTest: %s" % self.command[0])
return 0
- print "1..%d" % len(self.test_remaining)
+ print("1..%d" % len(self.test_remaining))
# First try to run all the tests in a batch
- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
+ stdout=subprocess.PIPE, universal_newlines=True)
result = self.process(proc)
if result == 0:
return 0
+ if result < 0:
+ sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
+
# Now pick up any stragglers due to failures
while True:
# Assume that the last test failed
if self.test_name:
- print "not ok %d %s" % (self.test_num, self.test_name)
+ print("not ok %d %s" % (self.test_num, self.test_name))
self.test_name = None
# Run any tests which didn't get run
@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
break
proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
- close_fds=True, stdout=subprocess.PIPE)
+ close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
result = self.process(proc)
# The various exit codes and signals we continue for
@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
return result
def main(argv):
- parser = argparse.ArgumentParser(description='Automake TAP compiler')
+ parser = argparse.ArgumentParser(description='Automake TAP compiler',
+ usage="tap-gtester [--format FORMAT] command ...")
parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
default="auto", help='The input format to compile')
parser.add_argument('--verbose', action='store_true',
default=True, help='Verbose mode (ignored)')
- parser.add_argument('command', nargs='+', help="A test command to run")
+ parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
args = parser.parse_args(argv[1:])
output = None
format = args.format
cmd = args.command
+ if not cmd:
+ sys.stderr.write("tap-gtester: specify a command to run\n")
+ return 2
+ if cmd[0] == '--':
+ cmd.pop(0)
+
proc = None
os.environ['HARNESS_ACTIVE'] = '1'
if format in ["auto", "gtest"]:
list_cmd = cmd + ["-l", "--verbose"]
- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
output = proc.stdout.readline()
# Smell whether we're dealing with GTest list output from first line
if "random seed" in output or "GTest" in output or output.startswith("/"):
@@ -164,7 +188,8 @@ def main(argv):
else:
format = "tap"
else:
- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
if format == "gtest":
compiler = GTestCompiler(cmd)
--
2.14.4

93
SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
View File

@ -1,93 +0,0 @@
From 3bdf6f25923c3a3bd8404f4a1228053d6a7551b2 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 6 Feb 2017 12:32:20 +0100
Subject: [PATCH] tools: Update the usage help text of the realm commands
Add better synopsis, sort arguments appropriately, and include
missing arguments.
---
tools/realm-discover.c | 4 ++--
tools/realm-join.c | 30 +++++++++++++++---------------
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index cec3fd0..8dde4ed 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -186,7 +186,7 @@ realm_discover (RealmClient *client,
{ NULL, }
};
- context = g_option_context_new ("realm-or-domain");
+ context = g_option_context_new ("discover REALM-OR-DOMAIN");
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
g_option_context_add_main_entries (context, option_entries, NULL);
g_option_context_add_main_entries (context, realm_global_options, NULL);
@@ -274,7 +274,7 @@ realm_list (RealmClient *client,
{ NULL, }
};
- context = g_option_context_new ("realm");
+ context = g_option_context_new ("list");
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
g_option_context_add_main_entries (context, option_entries, NULL);
g_option_context_add_main_entries (context, realm_global_options, NULL);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 8e46c20..249f502 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -286,28 +286,28 @@ realm_join (RealmClient *client,
gint ret = 0;
GOptionEntry option_entries[] = {
- { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
- N_("User name to use for enrollment"), NULL },
- { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
- N_("Computer OU DN to join"), NULL },
- { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
- N_("Use specific computer name instead of hostname"), NULL },
- { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
- N_("Use specific operation system name"), NULL },
- { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
- N_("Use specific operation system version"), NULL },
+ { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
+ realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software,
N_("Use specific client software"), NULL },
- { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
- N_("Use specific server software"), NULL },
+ { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
+ N_("Use specific computer name instead of hostname"), NULL },
+ { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
+ N_("Computer OU DN to join"), NULL },
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software,
N_("Use specific membership software"), NULL },
{ "no-password", 0, 0, G_OPTION_ARG_NONE, &args.no_password,
N_("Join automatically without a password"), NULL },
{ "one-time-password", 0, 0, G_OPTION_ARG_STRING, &args.one_time_password,
N_("Join using a preset one time password"), NULL },
- { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
- realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
+ { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
+ N_("Use specific operation system name"), NULL },
+ { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
+ N_("Use specific operation system version"), NULL },
+ { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
+ N_("Use specific server software"), NULL },
+ { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
+ N_("User name to use for enrollment"), NULL },
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
N_("Set the user principal for the computer account"), NULL },
{ NULL, }
@@ -315,7 +315,7 @@ realm_join (RealmClient *client,
memset (&args, 0, sizeof (args));
- context = g_option_context_new ("realm");
+ context = g_option_context_new ("join REALM");
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
group = g_option_group_new (NULL, NULL, NULL, &args, realm_join_args_clear);
--
2.26.2

46
SOURCES/0002-doc-add-see-also-to-man-pages.patch
View File

@ -1,46 +0,0 @@
From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:49:51 +0100
Subject: [PATCH 2/2] doc: add see also to man pages
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
---
doc/manual/realm.xml | 7 +++++++
doc/manual/realmd.conf.xml | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 55a7640..e5d4608 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -440,4 +440,11 @@ $ realm deny --all
</refsect1>
+<refsect1 id='realm_see_also'>
+ <title>SEE ALSO</title>
+
+ <para><citerefentry><refentrytitle>realmd.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry></para>
+</refsect1>
+
</refentry>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index fc6a785..1592291 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -471,4 +471,11 @@ fully-qualified-names = no
</variablelist>
</refsect1>
+<refsect1 id='realmd_conf_see_also'>
+ <title>SEE ALSO</title>
+
+ <para><citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry></para>
+</refsect1>
+
</refentry>
--
2.21.0

271
SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
View File

@ -1,271 +0,0 @@
From 20adfff6c0db657d302bd96f986f2e79a8b2d791 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:20:46 +0100
Subject: [PATCH 2/6] service: allow to use ldaps for rootDSE lookup
Let the realmd service use ldaps for the rootDSE lookup when requested.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-disco-dns.c | 10 +++++++---
service/realm-disco-dns.h | 1 +
service/realm-disco-domain.c | 8 +++++++-
service/realm-disco-domain.h | 1 +
service/realm-disco-mscldap.c | 2 +-
service/realm-disco-rootdse.c | 3 ++-
service/realm-disco-rootdse.h | 1 +
service/realm-ldap.c | 5 ++++-
service/realm-ldap.h | 1 +
service/realm-samba-provider.c | 5 ++++-
service/realm-sssd-provider.c | 5 ++++-
11 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/service/realm-disco-dns.c b/service/realm-disco-dns.c
index 446010c..77d5034 100644
--- a/service/realm-disco-dns.c
+++ b/service/realm-disco-dns.c
@@ -32,6 +32,7 @@ typedef struct {
GQueue addresses;
GQueue targets;
gint current_port;
+ gboolean use_ldaps;
gint returned;
DiscoPhase phase;
GResolver *resolver;
@@ -180,7 +181,7 @@ return_or_resolve (RealmDiscoDns *self,
target = g_queue_pop_head (&self->targets);
if (target) {
- self->current_port = g_srv_target_get_port (target);
+ self->current_port = self->use_ldaps ? 636 : g_srv_target_get_port (target);
g_resolver_lookup_by_name_async (self->resolver, g_srv_target_get_hostname (target),
g_task_get_cancellable (task), on_name_resolved,
g_object_ref (task));
@@ -201,7 +202,7 @@ return_or_resolve (RealmDiscoDns *self,
g_resolver_lookup_by_name_async (self->resolver, self->name,
g_task_get_cancellable (task), on_name_resolved,
g_object_ref (task));
- self->current_port = 389;
+ self->current_port = self->use_ldaps ? 636 : 389;
self->phase = PHASE_HOST;
break;
case PHASE_HOST:
@@ -251,6 +252,7 @@ realm_disco_dns_class_init (RealmDiscoDnsClass *klass)
GSocketAddressEnumerator *
realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation)
{
RealmDiscoDns *self;
@@ -262,12 +264,14 @@ realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
self = g_object_new (REALM_TYPE_DISCO_DNS, NULL);
self->name = g_hostname_to_ascii (input);
+ self->use_ldaps = use_ldaps;
self->invocation = g_object_ref (invocation);
/* If is an IP, skip resolution */
if (g_hostname_is_ip_address (input)) {
inet = g_inet_address_new_from_string (input);
- g_queue_push_head (&self->addresses, g_inet_socket_address_new (inet, 389));
+ g_queue_push_head (&self->addresses,
+ g_inet_socket_address_new (inet, use_ldaps ? 636 : 389));
g_object_unref (inet);
self->phase = PHASE_HOST;
} else {
diff --git a/service/realm-disco-dns.h b/service/realm-disco-dns.h
index a51777f..5b20fe9 100644
--- a/service/realm-disco-dns.h
+++ b/service/realm-disco-dns.h
@@ -26,6 +26,7 @@ typedef enum {
G_BEGIN_DECLS
GSocketAddressEnumerator * realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation);
RealmDiscoDnsHint realm_disco_dns_get_hint (GSocketAddressEnumerator *enumerator);
diff --git a/service/realm-disco-domain.c b/service/realm-disco-domain.c
index 3f0ccb5..fdda8f6 100644
--- a/service/realm-disco-domain.c
+++ b/service/realm-disco-domain.c
@@ -37,6 +37,7 @@ typedef struct _Callback {
typedef struct {
GObject parent;
gchar *input;
+ gboolean use_ldaps;
GCancellable *cancellable;
GDBusMethodInvocation *invocation;
GSocketAddressEnumerator *enumerator;
@@ -206,6 +207,7 @@ on_discover_next_address (GObject *source,
realm_diagnostics_info (self->invocation, "Performing LDAP DSE lookup on: %s", string);
realm_disco_rootdse_async (address, explicit_host,
+ self->use_ldaps,
self->invocation, self->cancellable,
on_discover_rootdse, g_object_ref (self));
self->outstanding++;
@@ -248,6 +250,7 @@ on_cancel_propagate (GCancellable *source,
void
realm_disco_domain_async (const gchar *string,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -267,8 +270,11 @@ realm_disco_domain_async (const gchar *string,
if (self == NULL) {
self = g_object_new (REALM_TYPE_DISCO_DOMAIN, NULL);
self->input = g_strdup (string);
+ self->use_ldaps = use_ldaps;
self->invocation = g_object_ref (invocation);
- self->enumerator = realm_disco_dns_enumerate_servers (string, invocation);
+ self->enumerator = realm_disco_dns_enumerate_servers (string,
+ use_ldaps,
+ invocation);
g_hash_table_insert (discover_cache, self->input, self);
g_assert (!self->completed);
diff --git a/service/realm-disco-domain.h b/service/realm-disco-domain.h
index 27dcc6c..02d4998 100644
--- a/service/realm-disco-domain.h
+++ b/service/realm-disco-domain.h
@@ -24,6 +24,7 @@
G_BEGIN_DECLS
void realm_disco_domain_async (const gchar *string,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
index d3d3c10..2504904 100644
--- a/service/realm-disco-mscldap.c
+++ b/service/realm-disco-mscldap.c
@@ -348,7 +348,7 @@ realm_disco_mscldap_async (GSocketAddress *address,
return;
}
- clo->source = realm_ldap_connect_anonymous (address, protocol, cancellable);
+ clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
g_object_ref (task), g_object_unref);
g_source_attach (clo->source, g_task_get_context (task));
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 7614071..4ed19e5 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -452,6 +452,7 @@ on_ldap_io (LDAP *ldap,
void
realm_disco_rootdse_async (GSocketAddress *address,
const gchar *explicit_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GCancellable *cancellable,
GAsyncReadyCallback callback,
@@ -473,7 +474,7 @@ realm_disco_rootdse_async (GSocketAddress *address,
g_task_set_task_data (task, clo, closure_free);
clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
- cancellable);
+ use_ldaps, cancellable);
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
g_object_ref (task), g_object_unref);
g_source_attach (clo->source, g_task_get_context (task));
diff --git a/service/realm-disco-rootdse.h b/service/realm-disco-rootdse.h
index e024c84..7b21960 100644
--- a/service/realm-disco-rootdse.h
+++ b/service/realm-disco-rootdse.h
@@ -21,6 +21,7 @@
void realm_disco_rootdse_async (GSocketAddress *address,
const gchar *explicit_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GCancellable *cancellable,
GAsyncReadyCallback callback,
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 7831b5b..28c5c8a 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -183,6 +183,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
GSource *
realm_ldap_connect_anonymous (GSocketAddress *address,
GSocketProtocol protocol,
+ gboolean use_ldaps,
GCancellable *cancellable)
{
GSource *source;
@@ -238,7 +239,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+ url = g_strdup_printf ("%s://%s:%d",
+ use_ldaps ? "ldaps" : "ldap",
+ addrname, port);
rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
g_free (url);
diff --git a/service/realm-ldap.h b/service/realm-ldap.h
index 263f72a..0f9f40e 100644
--- a/service/realm-ldap.h
+++ b/service/realm-ldap.h
@@ -37,6 +37,7 @@ typedef GIOCondition (* RealmLdapCallback) (LDAP *ldap,
GSource * realm_ldap_connect_anonymous (GSocketAddress *address,
GSocketProtocol protocol,
+ gboolean use_ldaps,
GCancellable *cancellable);
void realm_ldap_set_condition (GSource *source,
diff --git a/service/realm-samba-provider.c b/service/realm-samba-provider.c
index 9b489ce..de9f5e6 100644
--- a/service/realm-samba-provider.c
+++ b/service/realm-samba-provider.c
@@ -27,6 +27,7 @@
#include "realm-samba-enroll.h"
#include "realm-samba-provider.h"
#include "realm-samba-winbind.h"
+#include "realm-options.h"
#include <glib/gstdio.h>
@@ -121,7 +122,9 @@ realm_samba_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- realm_disco_domain_async (string, invocation,
+ realm_disco_domain_async (string,
+ realm_option_use_ldaps (options),
+ invocation,
on_ad_discover, g_object_ref (task));
}
diff --git a/service/realm-sssd-provider.c b/service/realm-sssd-provider.c
index 7ac0645..db183c0 100644
--- a/service/realm-sssd-provider.c
+++ b/service/realm-sssd-provider.c
@@ -26,6 +26,7 @@
#include "realm-sssd-ipa.h"
#include "realm-sssd-provider.h"
#include "realm-sssd-config.h"
+#include "realm-options.h"
#include <glib/gstdio.h>
@@ -140,7 +141,9 @@ realm_sssd_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- realm_disco_domain_async (string, invocation, on_kerberos_discover,
+ realm_disco_domain_async (string,
+ realm_option_use_ldaps (options),
+ invocation, on_kerberos_discover,
g_object_ref (task));
}
--
2.26.2

68
SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
View File

@ -1,68 +0,0 @@
From d7089129b966df83f083cb56ee90f6b906971cb6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 1 Dec 2020 16:09:10 +0100
Subject: [PATCH 2/3] service: avoid crash if LDAP connection fails
There was always a chance for a crash if the connection to LDAP failed.
In the ldaps case a failed connection became more likely e.g. due to
failed certificate checks.
This patch avoids the crash and returns an error to the client cleanly.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
po/POTFILES.in | 1 +
service/realm-disco-mscldap.c | 7 +++++++
service/realm-disco-rootdse.c | 6 ++++++
3 files changed, 14 insertions(+)
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 2de67c8..140ed4c 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1,6 +1,7 @@
service/org.freedesktop.realmd.policy.in
service/realm-command.c
service/realm-disco-mscldap.c
+service/realm-disco-rootdse.c
service/realm-example.c
service/realm-ini-config.c
service/realm-invocation.c
diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
index 2504904..003bb66 100644
--- a/service/realm-disco-mscldap.c
+++ b/service/realm-disco-mscldap.c
@@ -349,6 +349,13 @@ realm_disco_mscldap_async (GSocketAddress *address,
}
clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
+ if (clo->source == NULL) {
+ g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
+ _("Failed to setup LDAP connection"));
+ g_object_unref (task);
+ return;
+ }
+
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
g_object_ref (task), g_object_unref);
g_source_attach (clo->source, g_task_get_context (task));
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 4ed19e5..d9b44b3 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -475,6 +475,12 @@ realm_disco_rootdse_async (GSocketAddress *address,
clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
use_ldaps, cancellable);
+ if (clo->source == NULL) {
+ g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
+ _("Failed to setup LDAP connection"));
+ g_object_unref (task);
+ return;
+ }
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
g_object_ref (task), g_object_unref);
g_source_attach (clo->source, g_task_get_context (task));
--
2.28.0

186
SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch
View File

@ -1,186 +0,0 @@
From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:28:52 +0100
Subject: [PATCH 3/6] service: add ldaps support when using adcli
Call adcli with the --use-ldaps option if the realmd service is
requested to do so.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-adcli-enroll.c | 10 ++++++++++
service/realm-adcli-enroll.h | 2 ++
service/realm-samba.c | 11 +++++++++--
service/realm-sssd-ad.c | 27 ++++++++++++++++++++++++++-
4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 05947fa..2731283 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -68,6 +68,7 @@ void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
g_ptr_array_add (args, "--domain-realm");
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
server_arg = g_inet_address_to_string (address);
@@ -218,6 +223,7 @@ void
realm_adcli_enroll_delete_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
g_ptr_array_add (args, "--domain-realm");
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
server_arg = g_inet_address_to_string (address);
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
index 855b2f7..3f535d0 100644
--- a/service/realm-adcli-enroll.h
+++ b/service/realm-adcli-enroll.h
@@ -29,6 +29,7 @@ G_BEGIN_DECLS
void realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
@@ -39,6 +40,7 @@ gboolean realm_adcli_enroll_join_finish (GAsyncResult *result,
void realm_adcli_enroll_delete_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e7b80a0..7aa5416 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,
}
static gboolean
-validate_membership_options (GVariant *options,
+validate_membership_options (EnrollClosure *enroll,
+ GVariant *options,
GError **error)
{
const gchar *software;
@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,
}
}
+ if (realm_option_use_ldaps (options)) {
+ realm_diagnostics_info (enroll->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying without.",
+ software);
+ }
return TRUE;
}
@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,
g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,
_("Already joined to a domain"));
- } else if (!validate_membership_options (options, &error)) {
+ } else if (!validate_membership_options (enroll, options, &error)) {
g_task_return_error (task, error);
} else {
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 6b2f9f8..00a9093 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -98,6 +98,7 @@ typedef struct {
GVariant *options;
RealmDisco *disco;
gboolean use_adcli;
+ gboolean use_ldaps;
const gchar **packages;
} JoinClosure;
@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,
realm_adcli_enroll_join_async (join->disco,
join->cred,
join->options,
+ join->use_ldaps,
join->invocation,
on_join_do_sssd,
g_object_ref (task));
@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,
return FALSE;
}
+ /*
+ * Check if ldaps should be used and if membership software supports
+ * it.
+ */
+ join->use_ldaps = realm_option_use_ldaps (options);
+ if (join->use_ldaps &&
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
+ realm_diagnostics_info (join->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying "
+ "without.", software);
+ }
+
/*
* If we are enrolling with a user password, then we have to use samba,
* adcli only supports admin passwords.
@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
GTask *task;
LeaveClosure *leave;
gchar *tags;
+ gboolean use_ldaps = FALSE;
task = g_task_new (self, NULL, callback, user_data);
@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
leave->invocation = g_object_ref (invocation);
leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
g_task_set_task_data (task, leave, leave_closure_free);
+
+ use_ldaps = realm_option_use_ldaps (options);
if (leave->use_adcli) {
- realm_adcli_enroll_delete_async (disco, cred, options, invocation,
+ realm_adcli_enroll_delete_async (disco, cred, options,
+ use_ldaps, invocation,
on_leave_do_deconfigure, g_object_ref (task));
} else {
+ if (use_ldaps) {
+ realm_diagnostics_info (leave->invocation,
+ "Membership software does "
+ "not support ldaps, trying "
+ "without.");
+ }
realm_samba_enroll_leave_async (disco, cred, options, invocation,
on_leave_do_deconfigure, g_object_ref (task));
}
--
2.26.2

89
SOURCES/0003-service-make-TLS-check-more-releaxed.patch
View File

@ -1,89 +0,0 @@
From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 2 Dec 2020 10:10:37 +0100
Subject: [PATCH 3/3] service: make TLS check more releaxed
Since realmd is most often the first application called to discover a
domain we do not require a strict certificate check when using the ldaps
port to connect to a domain controller.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
doc/manual/realm.xml | 8 +++++++-
service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 01af62e..d7d8e5e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
which offers a comparable level of security than ldaps.
This option is only needed if the standard LDAP port
(389/tcp) is blocked by a firewall and only the LDAPS
- port (636/tcp) is available.</para>
+ port (636/tcp) is available. Given that and to lower
+ the initial effort to discover a remote domain
+ <command>realmd</command> does not require a strict
+ certificate check. If the validation of the LDAP server
+ certificate fails <command>realmd</command> will
+ continue to setup the encrypted connection to the LDAP
+ server.</para>
<para>If this option is set to
<parameter>yes</parameter> <command>realmd</command>
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index e07a299..bdfb96c 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
gint port;
gchar *url;
int rc;
+ int opt_rc;
+ int ldap_opt_val;
+ const char *errmsg = NULL;
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
}
if (use_ldaps) {
+ /* Since we currently use the IP address in the URI
+ * the certificate check might fail because in most
+ * cases the IP address won't be listed in the SANs of
+ * the LDAP server certificate. We will try to
+ * continue in this case and not fail. */
+ ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
+ rc = ldap_set_option (ls->ldap,
+ LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_opt_val);
+ if (rc != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to disable certificate checking, trying without");
+ }
+
+ ldap_opt_val = 0;
+ rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
+ &ldap_opt_val);
+ if (rc != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
+ }
+
rc = ldap_install_tls (ls->ldap);
if (rc != LDAP_SUCCESS) {
- g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
+ opt_rc = ldap_get_option (ls->ldap,
+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
+ (void *) &errmsg);
+ if (opt_rc != LDAP_SUCCESS) {
+ errmsg = "- no details -";
+ }
+ g_warning ("ldap_start_tls_s() failed [%s]: %s",
+ ldap_err2string (rc), errmsg);
return NULL;
}
}
--
2.28.0

88
SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
View File

@ -1,88 +0,0 @@
From 7daf5993995baad0f5c7f7ae3822dae37eb9f46f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 16:44:23 +0100
Subject: [PATCH 4/6] service: do not copy option values to avoid memory leaks
---
service/realm-adcli-enroll.c | 15 ++++++++-------
service/realm-options.c | 8 +++-----
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 2731283..e0d752b 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -80,7 +80,8 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
GBytes *input = NULL;
const gchar *upn;
GPtrArray *args;
- const gchar *os;
+ const gchar *os_n = NULL;
+ const gchar *os_v = NULL;
gchar *ccache_arg = NULL;
gchar *upn_arg = NULL;
gchar *server_arg = NULL;
@@ -144,16 +145,16 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
g_ptr_array_add (args, (gpointer)computer_ou);
}
- os = realm_options_ad_specific (options, "os-name");
- if (os != NULL && !g_str_equal (os, "")) {
+ os_n = realm_options_ad_specific (options, "os-name");
+ if (os_n != NULL && !g_str_equal (os_n, "")) {
g_ptr_array_add (args, "--os-name");
- g_ptr_array_add (args, (gpointer)os);
+ g_ptr_array_add (args, (gpointer)os_n);
}
- os = realm_options_ad_specific (options, "os-version");
- if (os != NULL && !g_str_equal (os, "")) {
+ os_v = realm_options_ad_specific (options, "os-version");
+ if (os_v != NULL && !g_str_equal (os_v, "")) {
g_ptr_array_add (args, "--os-version");
- g_ptr_array_add (args, (gpointer)os);
+ g_ptr_array_add (args, (gpointer)os_v);
}
switch (cred->type) {
diff --git a/service/realm-options.c b/service/realm-options.c
index d42eb7c..4ebd6c0 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -179,7 +179,7 @@ realm_options_computer_name (GVariant *options,
g_free (section);
}
- return g_strdup (computer_name);
+ return computer_name;
}
const gchar *
@@ -197,22 +197,20 @@ realm_options_ad_specific (GVariant *options,
value = realm_settings_value ("active-directory", option_name);
}
- return g_strdup (value);
+ return value;
}
gboolean realm_option_use_ldaps (GVariant *options)
{
- gchar *use_ldaps_str;
+ const gchar *use_ldaps_str;
use_ldaps_str = realm_options_ad_specific (options,
REALM_DBUS_OPTION_USE_LDAPS);
if (use_ldaps_str != NULL
&& ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
|| g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
- g_free (use_ldaps_str);
return TRUE;
}
- g_free (use_ldaps_str);
return FALSE;
}
--
2.26.2

305
SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
View File

@ -1,305 +0,0 @@
From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 17:22:13 +0100
Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and
leave
Add --use-ldaps option to the realm command to be able to ask the realmd
service to use ldaps where possible.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++
doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
tools/realm-client.c | 2 ++
tools/realm-client.h | 1 +
tools/realm-discover.c | 7 ++++++-
tools/realm-join.c | 6 +++++-
tools/realm-leave.c | 15 +++++++++++----
7 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index e5d4608..01af62e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -134,6 +134,11 @@ $ realm discover domain.example.com
Possible values include <replaceable>samba</replaceable> or
<replaceable>adcli</replaceable>. </para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
principal besides the AD default user principal can be
set.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD
+ where possible. In general this option is not needed
+ because <command>realmd</command> itself only read
+ public information from the Active Directory domain
+ controller which is available anonymously. The
+ supported membership software products will use
+ encrypted connections protected with GSS-SPNEGO/GSSAPI
+ which offers a comparable level of security than ldaps.
+ This option is only needed if the standard LDAP port
+ (389/tcp) is blocked by a firewall and only the LDAPS
+ port (636/tcp) is available.</para>
+
+ <para>If this option is set to
+ <parameter>yes</parameter> <command>realmd</command>
+ will use the ldaps port when reading the rootDSE and
+ call the <command>adcli</command> membership software
+ with the option <option>--use-ldaps</option>. The Samba
+ base membership currently offers only deprecated ways
+ to enable ldaps. Support will be added in
+ <command>realmd</command> when a new way is available.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -326,6 +355,11 @@ $ realm leave domain.example.com
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 97d2e8d..72b706c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -141,6 +141,27 @@ domain.example.com
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD where possible.
+ In general this option is not needed because <command>realmd</command>
+ itself only read public information from the Active Directory domain
+ controller which is available anonymously. The supported membership
+ software products will use encrypted connections protected with
+ GSS-SPNEGO/GSSAPI which offers a comparable level of security than
+ ldaps. This option is only needed if the standard LDAP port (389/tcp)
+ is blocked by a firewall and only the LDAPS port (636/tcp) is
+ available.</para>
+
+ <para>If this option is set to <parameter>yes</parameter>
+ <command>realmd</command> will use the ldaps port when reading the
+ rootDSE and call the <command>adcli</command> membership software with
+ the option <option>--use-ldaps</option>. The Samba base membership
+ currently offers only deprecated ways to enable ldaps. Support will be
+ added in <command>realmd</command> when a new way is available.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>os-name</option></term>
<listitem><para>(see below)</para></listitem>
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 2f102db..c386e64 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
GList *
realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
+ REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
NULL);
/* Start actual operation */
diff --git a/tools/realm-client.h b/tools/realm-client.h
index 5ecf2de..e9e50cd 100644
--- a/tools/realm-client.h
+++ b/tools/realm-client.h
@@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien
GList * realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index 8dde4ed..c0acd79 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
const gchar *string,
gboolean all,
gboolean name_only,
+ gboolean use_ldaps,
const gchar *server_software,
const gchar *client_software,
const gchar *membership_software)
@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
GList *realms;
GList *l;
- realms = realm_client_discover (client, string, client_software,
+ realms = realm_client_discover (client, string, use_ldaps, client_software,
server_software, membership_software,
REALM_DBUS_REALM_INTERFACE, NULL, &error);
@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
GError *error = NULL;
gboolean arg_all = FALSE;
gboolean arg_name_only = FALSE;
+ gboolean arg_use_ldaps = FALSE;
gint result = 0;
gint ret;
gint i;
@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
} else if (argc == 1) {
result = perform_discover (client, NULL, arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
for (i = 1; i < argc; i++) {
ret = perform_discover (client, argv[i], arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 249f502..dbe6197 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -179,6 +179,7 @@ typedef struct {
gchar *user_principal;
gboolean automatic_id_mapping_set;
gboolean automatic_id_mapping;
+ gboolean use_ldaps;
} RealmJoinArgs;
static void
@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
GList *realms;
gint ret;
- realms = realm_client_discover (client, string, args->client_software,
+ realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
args->server_software, args->membership_software,
REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
&had_mismatched, &error);
@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
REALM_DBUS_OPTION_OS_VERSION, args->os_version,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
args->automatic_id_mapping_set ?
REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
args->automatic_id_mapping,
@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
N_("User name to use for enrollment"), NULL },
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
N_("Set the user principal for the computer account"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+ N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
diff --git a/tools/realm-leave.c b/tools/realm-leave.c
index 45a9c46..c88a110 100644
--- a/tools/realm-leave.c
+++ b/tools/realm-leave.c
@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
static int
perform_user_leave (RealmClient *client,
+ gboolean use_ldaps,
RealmDbusKerberosMembership *membership,
const gchar *user_name)
{
@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
return 1;
}
- options = realm_build_options(NULL, NULL);
+ options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
+ NULL);
ret = call_leave (membership, credentials, options, &error);
if (error != NULL)
@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
static int
perform_leave (RealmClient *client,
const gchar *realm_name,
+ gboolean use_ldaps,
gboolean remove,
const gchar *user_name,
const gchar *client_software,
@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
if (!remove)
ret = perform_deconfigure (client, realm);
else
- ret = perform_user_leave (client, membership, user_name);
+ ret = perform_user_leave (client, use_ldaps, membership,
+ user_name);
g_object_unref (membership);
g_object_unref (realm);
@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
gchar *arg_server_software = NULL;
GError *error = NULL;
const gchar *realm_name;
+ gboolean arg_use_ldaps = FALSE;
gint ret = 0;
GOptionEntry option_entries[] = {
@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
N_("Use specific server software"), NULL },
{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
} else {
realm_name = argc < 2 ? NULL : argv[1];
- ret = perform_leave (client, realm_name, arg_remove, arg_user,
- arg_client_software, arg_server_software);
+ ret = perform_leave (client, realm_name, arg_use_ldaps,
+ arg_remove, arg_user, arg_client_software,
+ arg_server_software);
}
g_free (arg_user);
--
2.26.2

56
SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
View File

@ -1,56 +0,0 @@
From 8cddf81199e96c7edc701bcb7ca782d7bcddbddd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 19:24:40 +0100
Subject: [PATCH 6/6] ldap: generate proper ldap uri for IPv6 addresses
When using IPv6 addresses the address must be put into brackets.
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
---
service/realm-ldap.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 28c5c8a..2076d1e 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -190,6 +190,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
LdapSource *ls;
gchar *addrname;
GInetSocketAddress *inet;
+ GSocketFamily family;
struct berval cred;
Sockbuf *sb = NULL;
gsize native_len;
@@ -204,6 +205,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
inet = G_INET_SOCKET_ADDRESS (address);
addrname = g_inet_address_to_string (g_inet_socket_address_get_address (inet));
port = g_inet_socket_address_get_port (inet);
+ family = g_inet_address_get_family (g_inet_socket_address_get_address (inet));
if (port == 0)
port = 389;
@@ -239,9 +241,17 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- url = g_strdup_printf ("%s://%s:%d",
- use_ldaps ? "ldaps" : "ldap",
- addrname, port);
+ if (family == G_SOCKET_FAMILY_IPV4) {
+ url = g_strdup_printf ("%s://%s:%d",
+ use_ldaps ? "ldaps" : "ldap",
+ addrname, port);
+ } else if (family == G_SOCKET_FAMILY_IPV6) {
+ url = g_strdup_printf ("%s://[%s]:%d",
+ use_ldaps ? "ldaps" : "ldap",
+ addrname, port);
+ } else {
+ url = NULL;
+ }
rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
g_free (url);
--
2.26.2

136
SPECS/realmd.spec
View File

@ -1,102 +1,38 @@
Name: realmd
Version: 0.16.3
Release: 25%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/realmd/
Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
Name: realmd
Version: 0.17.1
Release: 1%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: https://gitlab.freedesktop.org/realmd/realmd
Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
Patch1: 0001-LDAP-don-t-close-LDAP-socket-twice.patch
Patch2: 0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
Patch3: 0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
Patch4: 0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
Patch5: 0001-switch-to-authselect.patch
Patch6: 0001-Fix-man-page-reference-in-systemd-service-file.patch
Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch
Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
Patch9: 0001-tests-run-tests-with-python3.patch
Patch10: ipa-packages.patch
Patch11: 0001-Fix-issues-found-by-Coverity.patch
### Downstream Patches ###
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
# using freeipa-*, the following patch applies the needed changes.
Patch0100: ipa-packages.patch
Patch12: 0001-Change-qualified-names-default-for-IPA.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: intltool pkgconfig
BuildRequires: gettext-devel
BuildRequires: glib2-devel >= 2.32.0
BuildRequires: openldap-devel
BuildRequires: polkit-devel
BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: samba-common-tools
BuildRequires: python3
Patch13: 0001-IPA-do-not-call-sssd-enable-logins.patch
# rhbz#1747454 - rebuild fails if DISTRO variable is exported
Patch14: 0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
# rhbz#1747452 - realmd.conf user-principal RFE and clarification (plus dependencies)
Patch15: 0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
Patch16: 0001-doc-make-sure-cross-reference-ids-are-predictable.patch
Patch17: 0001-doc-extend-user-principal-section.patch
# rhbz#1747457 - realmd.conf documentation incorrect
Patch18: 0001-doc-fix-discover-name-only.patch
Patch19: 0002-doc-add-see-also-to-man-pages.patch
# rhbz#1747456 - Document realmd.conf and how realmd reads the configuration
Patch20: 0001-doc-extend-description-of-config-handling.patch
# rhbz#1801195
Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch
# rhbz#1859503 - Realm join fails with error 'Failed to join domain: failed to
# lookup DC info ...'
Patch22: 0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
# rhbz#1867912 - realm command to use option like dnshostname=fqdn
Patch23: 0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
# rhbz#1791016 - realmd should handle default_realm in krb5.conf
Patch24: 0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
# rhbz#1826964 - [RFE] Enable LDAPS functionality in realmd join
Patch25: 0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
Patch26: 0001-Use-startTLS-with-FreeIPA.patch
Patch27: 0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
Patch28: 0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
Patch29: 0003-service-add-ldaps-support-when-using-adcli.patch
Patch30: 0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
Patch31: 0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
Patch32: 0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
Patch33: 0001-ldap-setup-TLS-when-using-ldaps.patch
Patch34: 0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
Patch35: 0002-service-avoid-crash-if-LDAP-connection-fails.patch
Patch36: 0003-service-make-TLS-check-more-releaxed.patch
Patch37: 0001-doc-add-computer-name-to-realm-man-page.patch
Patch38: 0001-build-add-with-vendor-error-message-configure-option.patch
# rhbz#2024248 - realmd logs are duplicated
Patch39: 0001-syslog-avoid-duplicate-log-messages.patch
# rhbz#2028528 - realm join needs to updated to use the command line options of
# Samba's net command
Patch40: 0001-samba-use-new-Samba-4.15-command-line-options.patch
# rhbz#2037864 - realmd operations hang if a DC is unreachable
Patch41: 0001-ldap-add-socket-timeout.patch
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: intltool pkgconfig
BuildRequires: gettext-devel
BuildRequires: glib2-devel >= 2.32.0
BuildRequires: openldap-devel
BuildRequires: polkit-devel
BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: samba-common-tools
BuildRequires: %{_bindir}/python3
Requires: authselect
Requires: polkit
Requires: authselect
Requires: polkit
Conflicts: realmd-devel-docs < %{version}-%{release}
# This build will use Samba's new command line options so it cannot be used
# with older versions of Samba.
Conflicts: samba-common-tools < 4.15
Conflicts: samba-common-tools < 4.15
%description
realmd is a DBus system service which manages discovery and enrollment in realms
@ -104,7 +40,8 @@ and domains like Active Directory or IPA. The control center uses realmd as the
back end to 'join' a domain simply and automatically configure things correctly.
%package devel-docs
Summary: Developer documentation files for %{name}
Summary: Developer documentation files for %{name}
Conflicts: realmd < %{version}-%{release}
%description devel-docs
The %{name}-devel package contains developer documentation for developing
@ -124,7 +61,6 @@ autoreconf -fi
%endif
%{nil}
make %{?_smp_mflags}
%check
@ -146,10 +82,10 @@ make install DESTDIR=%{buildroot}
%files -f realmd.lang
%doc AUTHORS COPYING NEWS README
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sbindir}/realm
%dir %{_prefix}/lib/realmd
%{_prefix}/lib/realmd/realmd
%{_libexecdir}/realmd
%{_prefix}/lib/realmd/realmd-defaults.conf
%{_prefix}/lib/realmd/realmd-distro.conf
%{_unitdir}/realmd.service
@ -164,6 +100,10 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Update to upstream release 0.17.1
Resolves: rhbz#2133841
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- add LDAP socket timeout
Resolves: rhbz#2037864