import realmd-0.17.1-1.el8
parent
75a8fce85b
commit
43ff262f3c
@ -1 +1 @@
|
|||
SOURCES/realmd-0.16.3.tar.gz
|
||||
SOURCES/realmd-0.17.1.tar.gz
|
||||
@ -1 +1 @@
|
|||
0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz
|
||||
681f7f532daa62a08f2f2d6c9d4a1a04c4c793a3 SOURCES/realmd-0.17.1.tar.gz
|
||||
@ -1,113 +0,0 @@
|
|||
From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 14 Aug 2018 16:44:39 +0200
|
||||
Subject: [PATCH] Change qualified names default for IPA
|
||||
|
||||
In a FreeIPA domain it is typically expected that the IPA accounts use
|
||||
sort names while accounts from trusted domains have fully qualified
|
||||
names. This is automatically done by SSSD's IPA provider so there is no
|
||||
need to force fully qualified names in the SSSD configuration.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
|
||||
---
|
||||
service/realm-options.c | 9 +++++----
|
||||
service/realm-options.h | 3 ++-
|
||||
service/realm-samba-winbind.c | 2 +-
|
||||
service/realm-sssd-ad.c | 2 +-
|
||||
service/realm-sssd-ipa.c | 2 +-
|
||||
5 files changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/service/realm-options.c b/service/realm-options.c
|
||||
index bd804ea..34a209f 100644
|
||||
--- a/service/realm-options.c
|
||||
+++ b/service/realm-options.c
|
||||
@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
|
||||
|
||||
if (realm_name && !option) {
|
||||
section = g_utf8_casefold (realm_name, -1);
|
||||
- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
|
||||
+ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
|
||||
g_free (section);
|
||||
}
|
||||
|
||||
@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
|
||||
gboolean mapping;
|
||||
|
||||
section = g_utf8_casefold (realm_name, -1);
|
||||
- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
|
||||
+ mapping = realm_settings_boolean (section, "automatic-join", FALSE);
|
||||
g_free (section);
|
||||
|
||||
return mapping;
|
||||
}
|
||||
|
||||
gboolean
|
||||
-realm_options_qualify_names (const gchar *realm_name)
|
||||
+realm_options_qualify_names (const gchar *realm_name,
|
||||
+ gboolean def)
|
||||
{
|
||||
gchar *section;
|
||||
gboolean qualify;
|
||||
|
||||
section = g_utf8_casefold (realm_name, -1);
|
||||
- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
|
||||
+ qualify = realm_settings_boolean (section, "fully-qualified-names", def);
|
||||
g_free (section);
|
||||
|
||||
return qualify;
|
||||
diff --git a/service/realm-options.h b/service/realm-options.h
|
||||
index 7a1355e..b71d219 100644
|
||||
--- a/service/realm-options.h
|
||||
+++ b/service/realm-options.h
|
||||
@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options,
|
||||
gboolean realm_options_automatic_mapping (GVariant *options,
|
||||
const gchar *realm_name);
|
||||
|
||||
-gboolean realm_options_qualify_names (const gchar *realm_name);
|
||||
+gboolean realm_options_qualify_names (const gchar *realm_name,
|
||||
+ gboolean def);
|
||||
|
||||
gboolean realm_options_check_domain_name (const gchar *domain_name);
|
||||
|
||||
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
|
||||
index 9335e26..61988eb 100644
|
||||
--- a/service/realm-samba-winbind.c
|
||||
+++ b/service/realm-samba-winbind.c
|
||||
@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
|
||||
"winbind enum groups", "no",
|
||||
"winbind offline logon", "yes",
|
||||
"winbind refresh tickets", "yes",
|
||||
- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
|
||||
+ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
|
||||
"template shell", realm_settings_string ("users", "default-shell"),
|
||||
NULL);
|
||||
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index 8543ca8..de7ce30 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
|
||||
gchar *home;
|
||||
|
||||
home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
|
||||
- qualify = realm_options_qualify_names (disco->domain_name);
|
||||
+ qualify = realm_options_qualify_names (disco->domain_name, TRUE);
|
||||
shell = realm_settings_string ("users", "default-shell");
|
||||
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
|
||||
realmd_tags = g_string_new ("");
|
||||
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
|
||||
index ff1dc8a..5029f6b 100644
|
||||
--- a/service/realm-sssd-ipa.c
|
||||
+++ b/service/realm-sssd-ipa.c
|
||||
@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
|
||||
|
||||
realm_sssd_config_update_domain (config, domain, &error,
|
||||
"cache_credentials", "True",
|
||||
- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
|
||||
+ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
|
||||
"krb5_store_password_if_offline", "True",
|
||||
"default_shell", shell,
|
||||
"fallback_homedir", home,
|
||||
--
|
||||
2.17.1
|
||||
@ -1,150 +0,0 @@
|
|||
From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 31 May 2018 16:16:08 +0200
|
||||
Subject: [PATCH] Find NetBIOS name in keytab while leaving
|
||||
|
||||
If realmd is used with Samba as membership software, i.e. Samba's net
|
||||
utility, the NetBIOS name must be known when leaving a domain. The most
|
||||
reliable way to find it is by searching the keytab for NAME$@REALM type
|
||||
entries and use the NAME as the NetBIOS name.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
|
||||
---
|
||||
service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
service/realm-kerberos.h | 2 ++
|
||||
service/realm-samba-enroll.c | 13 ++++++---
|
||||
3 files changed, 76 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
|
||||
index 54d1ed7..d6d109f 100644
|
||||
--- a/service/realm-kerberos.c
|
||||
+++ b/service/realm-kerberos.c
|
||||
@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
|
||||
return ret;
|
||||
|
||||
}
|
||||
+
|
||||
+gchar *
|
||||
+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
|
||||
+{
|
||||
+ krb5_error_code code;
|
||||
+ krb5_keytab keytab = NULL;
|
||||
+ krb5_context ctx;
|
||||
+ krb5_kt_cursor cursor = NULL;
|
||||
+ krb5_keytab_entry entry;
|
||||
+ krb5_principal realm_princ = NULL;
|
||||
+ gchar *princ_name = NULL;
|
||||
+ gchar *netbios_name = NULL;
|
||||
+ krb5_data *name_data;
|
||||
+
|
||||
+ code = krb5_init_context (&ctx);
|
||||
+ if (code != 0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ princ_name = g_strdup_printf ("user@%s", realm_name);
|
||||
+ code = krb5_parse_name (ctx, princ_name, &realm_princ);
|
||||
+ g_free (princ_name);
|
||||
+
|
||||
+ if (code == 0) {
|
||||
+ code = krb5_kt_default (ctx, &keytab);
|
||||
+ }
|
||||
+
|
||||
+ if (code == 0) {
|
||||
+ code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
|
||||
+ }
|
||||
+
|
||||
+ if (code == 0) {
|
||||
+ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
|
||||
+ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
|
||||
+ name_data = krb5_princ_component (ctx, entry.principal, 0);
|
||||
+ if (name_data != NULL
|
||||
+ && name_data->length > 0
|
||||
+ && name_data->data[name_data->length - 1] == '$') {
|
||||
+ netbios_name = g_strndup (name_data->data, name_data->length - 1);
|
||||
+ if (netbios_name == NULL) {
|
||||
+ code = krb5_kt_free_entry (ctx, &entry);
|
||||
+ warn_if_krb5_failed (ctx, code);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ code = krb5_kt_free_entry (ctx, &entry);
|
||||
+ warn_if_krb5_failed (ctx, code);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
|
||||
+ warn_if_krb5_failed (ctx, code);
|
||||
+
|
||||
+ code = krb5_kt_close (ctx, keytab);
|
||||
+ warn_if_krb5_failed (ctx, code);
|
||||
+
|
||||
+ krb5_free_principal (ctx, realm_princ);
|
||||
+
|
||||
+ krb5_free_context (ctx);
|
||||
+
|
||||
+ return netbios_name;
|
||||
+
|
||||
+}
|
||||
diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
|
||||
index 0447e4d..58cfe07 100644
|
||||
--- a/service/realm-kerberos.h
|
||||
+++ b/service/realm-kerberos.h
|
||||
@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self,
|
||||
gboolean realm_kerberos_flush_keytab (const gchar *realm_name,
|
||||
GError **error);
|
||||
|
||||
+gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
|
||||
+
|
||||
const gchar * realm_kerberos_get_name (RealmKerberos *self);
|
||||
|
||||
const gchar * realm_kerberos_get_realm_name (RealmKerberos *self);
|
||||
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
|
||||
index 76e7b79..03f56d0 100644
|
||||
--- a/service/realm-samba-enroll.c
|
||||
+++ b/service/realm-samba-enroll.c
|
||||
@@ -85,7 +85,8 @@ static JoinClosure *
|
||||
join_closure_init (GTask *task,
|
||||
RealmDisco *disco,
|
||||
GVariant *options,
|
||||
- GDBusMethodInvocation *invocation)
|
||||
+ GDBusMethodInvocation *invocation,
|
||||
+ gboolean do_join)
|
||||
{
|
||||
JoinClosure *join;
|
||||
gchar *workgroup;
|
||||
@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
|
||||
else if (disco->explicit_netbios)
|
||||
authid = disco->explicit_netbios;
|
||||
|
||||
+ /* try to get the NetBIOS name from the keytab as last option while
|
||||
+ * leaving the domain */
|
||||
+ if (authid == NULL && !do_join) {
|
||||
+ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
|
||||
+ }
|
||||
+
|
||||
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
|
||||
realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
"security", "ads",
|
||||
@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
|
||||
g_return_if_fail (cred != NULL);
|
||||
|
||||
task = g_task_new (NULL, NULL, callback, user_data);
|
||||
- join = join_closure_init (task, disco, options, invocation);
|
||||
+ join = join_closure_init (task, disco, options, invocation, TRUE);
|
||||
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
|
||||
if (explicit_computer_name != NULL) {
|
||||
realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
|
||||
@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
|
||||
JoinClosure *join;
|
||||
|
||||
task = g_task_new (NULL, NULL, callback, user_data);
|
||||
- join = join_closure_init (task, disco, options, invocation);
|
||||
+ join = join_closure_init (task, disco, options, invocation, FALSE);
|
||||
|
||||
switch (cred->type) {
|
||||
case REALM_CREDENTIAL_PASSWORD:
|
||||
--
|
||||
2.14.4
|
||||
@ -1,42 +0,0 @@
|
|||
From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 14 Aug 2018 14:09:48 +0200
|
||||
Subject: [PATCH] Fix issues found by Coverity
|
||||
|
||||
---
|
||||
service/realm-kerberos.c | 5 ++++-
|
||||
service/realm-packages.c | 2 +-
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
|
||||
index d6d109f..252e256 100644
|
||||
--- a/service/realm-kerberos.c
|
||||
+++ b/service/realm-kerberos.c
|
||||
@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
|
||||
if (name == NULL)
|
||||
break;
|
||||
value = va_arg (va, const gchar *);
|
||||
- g_return_if_fail (value != NULL);
|
||||
+ if (value == NULL) {
|
||||
+ va_end (va);
|
||||
+ g_return_if_reached ();
|
||||
+ }
|
||||
|
||||
values[0] = g_variant_new_string (name);
|
||||
values[1] = g_variant_new_string (value);
|
||||
diff --git a/service/realm-packages.c b/service/realm-packages.c
|
||||
index 9a6984c..5976439 100644
|
||||
--- a/service/realm-packages.c
|
||||
+++ b/service/realm-packages.c
|
||||
@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
|
||||
g_ptr_array_add (packages, NULL);
|
||||
*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
|
||||
} else {
|
||||
- g_ptr_array_free (files, TRUE);
|
||||
+ g_ptr_array_free (packages, TRUE);
|
||||
}
|
||||
|
||||
if (result_files) {
|
||||
--
|
||||
2.17.1
|
||||
@ -1,24 +0,0 @@
|
|||
From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 27 Jul 2016 19:06:29 +0200
|
||||
Subject: [PATCH] Fix man page reference in systemd service file
|
||||
|
||||
---
|
||||
dbus/realmd.service.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
|
||||
index b3bcf7a..64c1090 100644
|
||||
--- a/dbus/realmd.service.in
|
||||
+++ b/dbus/realmd.service.in
|
||||
@@ -1,6 +1,6 @@
|
||||
[Unit]
|
||||
Description=Realm and Domain Configuration
|
||||
-Documentation=man:realmd(8)
|
||||
+Documentation=man:realm(8)
|
||||
|
||||
[Service]
|
||||
Type=dbus
|
||||
--
|
||||
2.7.4
|
||||
@ -1,62 +0,0 @@
|
|||
From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 27 Sep 2018 13:04:47 +0200
|
||||
Subject: [PATCH] IPA: do not call sssd-enable-logins
|
||||
|
||||
It is expected that ipa-client-install will do all PAM and NSS
|
||||
configuration. To avoid changing IPA default realmd will not try to
|
||||
update the related configuration.
|
||||
---
|
||||
service/realm-sssd-ipa.c | 24 +-----------------------
|
||||
1 file changed, 1 insertion(+), 23 deletions(-)
|
||||
|
||||
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
|
||||
index 5029f6b..70f8b0e 100644
|
||||
--- a/service/realm-sssd-ipa.c
|
||||
+++ b/service/realm-sssd-ipa.c
|
||||
@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
|
||||
g_free (enroll);
|
||||
}
|
||||
|
||||
-static void
|
||||
-on_enable_nss_done (GObject *source,
|
||||
- GAsyncResult *result,
|
||||
- gpointer user_data)
|
||||
-{
|
||||
- GTask *task = G_TASK (user_data);
|
||||
- GError *error = NULL;
|
||||
- gint status;
|
||||
-
|
||||
- status = realm_command_run_finish (result, NULL, &error);
|
||||
- if (error == NULL && status != 0)
|
||||
- g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
|
||||
- _("Enabling SSSD in nsswitch.conf and PAM failed."));
|
||||
- if (error != NULL)
|
||||
- g_task_return_error (task, error);
|
||||
- else
|
||||
- g_task_return_boolean (task, TRUE);
|
||||
- g_object_unref (task);
|
||||
-}
|
||||
-
|
||||
static void
|
||||
on_restart_done (GObject *source,
|
||||
GAsyncResult *result,
|
||||
gpointer user_data)
|
||||
{
|
||||
GTask *task = G_TASK (user_data);
|
||||
- EnrollClosure *enroll = g_task_get_task_data (task);
|
||||
RealmSssd *sssd = g_task_get_source_object (task);
|
||||
GError *error = NULL;
|
||||
|
||||
realm_service_enable_and_restart_finish (result, &error);
|
||||
if (error == NULL) {
|
||||
realm_sssd_update_properties (sssd);
|
||||
- realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
|
||||
- on_enable_nss_done, g_object_ref (task));
|
||||
+ g_task_return_boolean (task, TRUE);
|
||||
} else {
|
||||
g_task_return_error (task, error);
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
@ -1,392 +0,0 @@
|
|||
From 2fa90caf4ad38541615446b80dbeaccd0d0e6a6f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 28 Oct 2020 13:40:03 +0100
|
||||
Subject: [PATCH] Kerberos: add default_domain and udp_preference_limit
|
||||
|
||||
When joining an Active Directory domain realmd will set the
|
||||
default_domain and udp_preference_limit in the Kerberos configuration to
|
||||
avoid errors and make Kerberos handling in the AD domain more easy.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791016
|
||||
---
|
||||
doc/manual/realmd.conf.xml | 69 +++++++++++++++++++
|
||||
service/Makefile.am | 2 +
|
||||
service/realm-kerberos-config.c | 116 ++++++++++++++++++++++++++++++++
|
||||
service/realm-kerberos-config.h | 35 ++++++++++
|
||||
service/realm-samba.c | 12 ++++
|
||||
service/realm-sssd-ad.c | 12 ++++
|
||||
service/realmd-debian.conf | 1 +
|
||||
service/realmd-defaults.conf | 1 +
|
||||
service/realmd-redhat.conf | 1 +
|
||||
service/realmd-suse.conf | 1 +
|
||||
10 files changed, 250 insertions(+)
|
||||
create mode 100644 service/realm-kerberos-config.c
|
||||
create mode 100644 service/realm-kerberos-config.h
|
||||
|
||||
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
|
||||
index 9062252..97d2e8d 100644
|
||||
--- a/doc/manual/realmd.conf.xml
|
||||
+++ b/doc/manual/realmd.conf.xml
|
||||
@@ -304,6 +304,75 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
|
||||
|
||||
</refsect1>
|
||||
|
||||
+<refsect1 id="realmd-conf-paths">
|
||||
+ <title>paths</title>
|
||||
+
|
||||
+ <para>These options should go in an <option>[paths]</option>
|
||||
+ section of the <filename>/etc/realmd.conf</filename> file. Only
|
||||
+ specify the settings you wish to override.</para>
|
||||
+
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term><option>krb5.conf</option></term>
|
||||
+ <listitem>
|
||||
+ <para>Path to the Kerberos configuration file, typically
|
||||
+ <filename>/etc/krb5.conf</filename>. It can also be the path of
|
||||
+ a file included by <filename>/etc/krb5.conf</filename>, e.g.
|
||||
+ <filename>/etc/krb5.conf.d/realmd_settings</filename>, if the
|
||||
+ file does not exist if will be created.</para>
|
||||
+
|
||||
+ <informalexample>
|
||||
+<programlisting language="js">
|
||||
+[paths]
|
||||
+krb5.conf = /etc/krb5.conf.d/realmd_settings
|
||||
+
|
||||
+</programlisting>
|
||||
+ </informalexample>
|
||||
+
|
||||
+ <para>When joining an Active Directory domain
|
||||
+ <command>realmd</command> will set the
|
||||
+ <option>default_realm</option> and
|
||||
+ <option>udp_preference_limit</option> options in the Kerberos
|
||||
+ configuration:</para>
|
||||
+
|
||||
+ <informalexample>
|
||||
+<programlisting language="js">
|
||||
+default_realm = DOMAIN.EXAMPLE.COM
|
||||
+udp_preference_limit = 0
|
||||
+
|
||||
+</programlisting>
|
||||
+ </informalexample>
|
||||
+
|
||||
+ <para>The <option>default_realm</option> option is e.g. needed
|
||||
+ when trying to resolve enterprise principals and makes it more
|
||||
+ convenient to request Kerberos tickets for users of the default
|
||||
+ realm. Instead of specifying the whole principal just
|
||||
+ <command>kinit username</command> can be used.</para>
|
||||
+
|
||||
+ <para>With <option>udp_preference_limit = 0</option> always TCP
|
||||
+ will be used to send Kerberos request to domain controller. This
|
||||
+ is useful in Active Directory environments because Kerberos will
|
||||
+ typically switch to TCP after initially starting with UDP
|
||||
+ because AD Kerberos tickets are often larger than UDP can handle.
|
||||
+ Using TCP by default will avoid those extra UDP round trips.
|
||||
+ Additionally it helps to avoid issues with password changes when
|
||||
+ the DC does not reply soon enough and the client will send a
|
||||
+ second UDP request. The DC might reply with a reply error to the
|
||||
+ second request although the original password change request was
|
||||
+ successful and the client will no know if the request was
|
||||
+ successful or not. When using TCP this cannot happen because the
|
||||
+ client will never send a second request but waits on the
|
||||
+ connection until the server replies.</para>
|
||||
+
|
||||
+ <para>Please note that <command>realmd</command> will not remove
|
||||
+ those options while leaving the domain since they are useful in
|
||||
+ general. When joining a new domain <command>realmd</command>
|
||||
+ will of course overwrite <option>default_realm</option>.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+</refsect1>
|
||||
+
|
||||
<refsect1 id="realmd-conf-specific-settings">
|
||||
<title>Realm specific settings</title>
|
||||
<para>These options should go in an section with the same name
|
||||
diff --git a/service/Makefile.am b/service/Makefile.am
|
||||
index 88ee780..031cd1d 100644
|
||||
--- a/service/Makefile.am
|
||||
+++ b/service/Makefile.am
|
||||
@@ -57,6 +57,8 @@ realmd_SOURCES = \
|
||||
service/realm-invocation.h \
|
||||
service/realm-kerberos.c \
|
||||
service/realm-kerberos.h \
|
||||
+ service/realm-kerberos-config.c \
|
||||
+ service/realm-kerberos-config.h \
|
||||
service/realm-kerberos-membership.c \
|
||||
service/realm-kerberos-membership.h \
|
||||
service/realm-kerberos-provider.c \
|
||||
diff --git a/service/realm-kerberos-config.c b/service/realm-kerberos-config.c
|
||||
new file mode 100644
|
||||
index 0000000..447a452
|
||||
--- /dev/null
|
||||
+++ b/service/realm-kerberos-config.c
|
||||
@@ -0,0 +1,116 @@
|
||||
+/* realmd -- Realm configuration service
|
||||
+ *
|
||||
+ * Copyright 2020 Red Hat Inc
|
||||
+ *
|
||||
+ * This program is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU Lesser General Public License as published
|
||||
+ * by the Free Software Foundation; either version 2 of the licence or (at
|
||||
+ * your option) any later version.
|
||||
+ *
|
||||
+ * See the included COPYING file for more information.
|
||||
+ *
|
||||
+ * Author: Sumit Bose <sbose@redhat.com>
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include "realm-ini-config.h"
|
||||
+#include "realm-kerberos-config.h"
|
||||
+#include "realm-settings.h"
|
||||
+
|
||||
+#include <string.h>
|
||||
+
|
||||
+RealmIniConfig *
|
||||
+realm_kerberos_config_new_with_flags (RealmIniFlags flags,
|
||||
+ GError **error)
|
||||
+{
|
||||
+ RealmIniConfig *config;
|
||||
+ const gchar *filename;
|
||||
+ GError *err = NULL;
|
||||
+
|
||||
+ config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS | flags);
|
||||
+
|
||||
+ filename = realm_settings_path ("krb5.conf");
|
||||
+
|
||||
+ realm_ini_config_read_file (config, filename, &err);
|
||||
+
|
||||
+ if (err != NULL) {
|
||||
+ /* If the caller wants errors, then don't return an invalid samba config */
|
||||
+ if (error) {
|
||||
+ g_propagate_error (error, err);
|
||||
+ g_object_unref (config);
|
||||
+ config = NULL;
|
||||
+
|
||||
+ /* If the caller doesn't care, then warn but continue */
|
||||
+ } else {
|
||||
+ g_warning ("Couldn't load config file: %s: %s", filename,
|
||||
+ err->message);
|
||||
+ g_error_free (err);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return config;
|
||||
+}
|
||||
+
|
||||
+RealmIniConfig *
|
||||
+realm_kerberos_config_new (GError **error)
|
||||
+{
|
||||
+ return realm_kerberos_config_new_with_flags (REALM_INI_NONE, error);
|
||||
+}
|
||||
+
|
||||
+gboolean
|
||||
+configure_krb5_conf_for_domain (const gchar *realm, GError **error )
|
||||
+{
|
||||
+ RealmIniConfig *config;
|
||||
+ gboolean res;
|
||||
+ GFile *gfile;
|
||||
+ GFileInfo *file_info = NULL;
|
||||
+
|
||||
+ config = realm_kerberos_config_new (error);
|
||||
+ if (config == NULL) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ /* When writing to a file glib will replace the original file with a
|
||||
+ * new one. To make sure permissions and other attributes like e.g.
|
||||
+ * SELinux labels stay the same this information is saved before the
|
||||
+ * change and applied to the new file afterwards. */
|
||||
+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
|
||||
+ file_info = g_file_query_info (gfile, "*", 0, NULL, error);
|
||||
+ g_object_unref (gfile);
|
||||
+ if (*error != NULL) {
|
||||
+ g_warning ("Couldn't load file attributes, "
|
||||
+ "will continue without: %s: %s",
|
||||
+ realm_ini_config_get_filename (config),
|
||||
+ (*error)->message);
|
||||
+ g_clear_error (error);
|
||||
+ }
|
||||
+
|
||||
+ if (!realm_ini_config_begin_change (config, error)) {
|
||||
+ g_object_unref (config);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ realm_ini_config_set (config, "libdefaults",
|
||||
+ "default_realm", realm,
|
||||
+ "udp_preference_limit", "0",
|
||||
+ NULL);
|
||||
+
|
||||
+ res = realm_ini_config_finish_change (config, error);
|
||||
+
|
||||
+ if (file_info != NULL) {
|
||||
+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
|
||||
+ if (!g_file_set_attributes_from_info (gfile, file_info,
|
||||
+ 0, NULL, error)) {
|
||||
+ g_warning ("Couldn't set file attributes: %s: %s",
|
||||
+ realm_ini_config_get_filename (config),
|
||||
+ (*error)->message);
|
||||
+ }
|
||||
+ g_object_unref (file_info);
|
||||
+ g_object_unref (gfile);
|
||||
+ }
|
||||
+
|
||||
+ g_object_unref (config);
|
||||
+
|
||||
+ return res;
|
||||
+}
|
||||
diff --git a/service/realm-kerberos-config.h b/service/realm-kerberos-config.h
|
||||
new file mode 100644
|
||||
index 0000000..791aa98
|
||||
--- /dev/null
|
||||
+++ b/service/realm-kerberos-config.h
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* realmd -- Realm configuration service
|
||||
+ *
|
||||
+ * Copyright 2020 Red Hat Inc
|
||||
+ *
|
||||
+ * This program is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU Lesser General Public License as published
|
||||
+ * by the Free Software Foundation; either version 2 of the licence or (at
|
||||
+ * your option) any later version.
|
||||
+ *
|
||||
+ * See the included COPYING file for more information.
|
||||
+ *
|
||||
+ * Author: Sumit Bose <sbose@redhat.com>
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#ifndef __REALM_KERBEROS_CONFIG_H__
|
||||
+#define __REALM_KERBEROS_CONFIG_H__
|
||||
+
|
||||
+#include <gio/gio.h>
|
||||
+
|
||||
+#include "realm-ini-config.h"
|
||||
+
|
||||
+
|
||||
+RealmIniConfig * realm_kerberos_config_new (GError **error);
|
||||
+
|
||||
+RealmIniConfig * realm_kerberos_config_new_with_flags (RealmIniFlags flags,
|
||||
+ GError **error);
|
||||
+
|
||||
+gboolean configure_krb5_conf_for_domain (const gchar *realm,
|
||||
+ GError **error );
|
||||
+
|
||||
+G_END_DECLS
|
||||
+
|
||||
+#endif /* __REALM_KERBEROS_CONFIG_H__ */
|
||||
diff --git a/service/realm-samba.c b/service/realm-samba.c
|
||||
index fe33600..e7b80a0 100644
|
||||
--- a/service/realm-samba.c
|
||||
+++ b/service/realm-samba.c
|
||||
@@ -21,6 +21,7 @@
|
||||
#include "realm-disco.h"
|
||||
#include "realm-errors.h"
|
||||
#include "realm-kerberos.h"
|
||||
+#include "realm-kerberos-config.h"
|
||||
#include "realm-kerberos-membership.h"
|
||||
#include "realm-options.h"
|
||||
#include "realm-packages.h"
|
||||
@@ -210,6 +211,17 @@ on_join_do_winbind (GObject *source,
|
||||
NULL);
|
||||
}
|
||||
|
||||
+ if (error == NULL) {
|
||||
+ configure_krb5_conf_for_domain (enroll->disco->kerberos_realm, &error);
|
||||
+ if (error != NULL) {
|
||||
+ realm_diagnostics_error (enroll->invocation, error,
|
||||
+ "Failed to update Kerberos "
|
||||
+ "configuration, not fatal, "
|
||||
+ "please check manually");
|
||||
+ g_clear_error (&error);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (error == NULL) {
|
||||
name = realm_kerberos_get_name (REALM_KERBEROS (self));
|
||||
realm_samba_winbind_configure_async (self->config, name, enroll->options,
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index de7ce30..6b2f9f8 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include "realm-dbus-constants.h"
|
||||
#include "realm-diagnostics.h"
|
||||
#include "realm-errors.h"
|
||||
+#include "realm-kerberos-config.h"
|
||||
#include "realm-kerberos-membership.h"
|
||||
#include "realm-options.h"
|
||||
#include "realm-packages.h"
|
||||
@@ -256,6 +257,17 @@ on_join_do_sssd (GObject *source,
|
||||
join->options, join->use_adcli, &error);
|
||||
}
|
||||
|
||||
+ if (error == NULL) {
|
||||
+ configure_krb5_conf_for_domain (join->disco->kerberos_realm, &error);
|
||||
+ if (error != NULL) {
|
||||
+ realm_diagnostics_error (join->invocation, error,
|
||||
+ "Failed to update Kerberos "
|
||||
+ "configuration, not fatal, "
|
||||
+ "please check manually");
|
||||
+ g_clear_error (&error);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (error == NULL) {
|
||||
realm_service_enable_and_restart ("sssd", join->invocation,
|
||||
on_sssd_enable_nss, g_object_ref (task));
|
||||
diff --git a/service/realmd-debian.conf b/service/realmd-debian.conf
|
||||
index 3e93d60..6cfdcef 100644
|
||||
--- a/service/realmd-debian.conf
|
||||
+++ b/service/realmd-debian.conf
|
||||
@@ -1,6 +1,7 @@
|
||||
# Distro specific overrides for debian
|
||||
[paths]
|
||||
smb.conf = /etc/samba/smb.conf
|
||||
+krb5.conf = /etc/krb5.conf
|
||||
|
||||
#
|
||||
# Normally in these packages sections we can specify a file
|
||||
diff --git a/service/realmd-defaults.conf b/service/realmd-defaults.conf
|
||||
index 6d7ccf8..ac4b436 100644
|
||||
--- a/service/realmd-defaults.conf
|
||||
+++ b/service/realmd-defaults.conf
|
||||
@@ -11,6 +11,7 @@ sssd.conf = /etc/sssd/sssd.conf
|
||||
adcli = /usr/sbin/adcli
|
||||
ipa-client-install = /usr/sbin/ipa-client-install
|
||||
pam_winbind.conf = /etc/security/pam_winbind.conf
|
||||
+krb5.conf = /etc/krb5.conf
|
||||
|
||||
[active-directory]
|
||||
default-client = sssd
|
||||
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
|
||||
index e39fad5..46e61b1 100644
|
||||
--- a/service/realmd-redhat.conf
|
||||
+++ b/service/realmd-redhat.conf
|
||||
@@ -1,6 +1,7 @@
|
||||
# Distro specific overrides for redhat
|
||||
[paths]
|
||||
smb.conf = /etc/samba/smb.conf
|
||||
+krb5.conf = /etc/krb5.conf
|
||||
|
||||
[samba-packages]
|
||||
samba-common-tools = /usr/bin/net
|
||||
diff --git a/service/realmd-suse.conf b/service/realmd-suse.conf
|
||||
index 052b4dc..3165efa 100644
|
||||
--- a/service/realmd-suse.conf
|
||||
+++ b/service/realmd-suse.conf
|
||||
@@ -1,6 +1,7 @@
|
||||
# Distro specific overrides for SuSE
|
||||
[paths]
|
||||
smb.conf = /etc/samba/smb.conf
|
||||
+krb5.conf = /etc/krb5.conf
|
||||
|
||||
[samba-packages]
|
||||
samba-client = /usr/bin/net
|
||||
--
|
||||
2.26.2
|
||||
@ -1,112 +0,0 @@
|
|||
From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 5 Dec 2016 18:25:44 +0100
|
||||
Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
|
||||
|
||||
---
|
||||
service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 39 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
|
||||
index 2b3a0f8..1477ae8 100644
|
||||
--- a/service/realm-kerberos-provider.c
|
||||
+++ b/service/realm-kerberos-provider.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include "realm-kerberos-provider.h"
|
||||
|
||||
#include <errno.h>
|
||||
+#include <string.h>
|
||||
|
||||
struct _RealmKerberosProvider {
|
||||
RealmProvider parent;
|
||||
@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
|
||||
|
||||
}
|
||||
|
||||
+typedef struct {
|
||||
+ gchar *name;
|
||||
+ const char *prot;
|
||||
+} NameProtPair;
|
||||
+
|
||||
+static void
|
||||
+name_prot_pair_free (gpointer data)
|
||||
+{
|
||||
+ NameProtPair *name_prot_pair = data;
|
||||
+ g_free (name_prot_pair->name);
|
||||
+ g_free (name_prot_pair);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
on_kerberos_discover (GObject *source,
|
||||
GAsyncResult *result,
|
||||
gpointer user_data)
|
||||
{
|
||||
GTask *task = G_TASK (user_data);
|
||||
- const gchar *domain = g_task_get_task_data (task);
|
||||
+ NameProtPair *name_prot_pair = g_task_get_task_data (task);
|
||||
GError *error = NULL;
|
||||
RealmDisco *disco;
|
||||
GList *targets;
|
||||
+ GResolver *resolver;
|
||||
|
||||
targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
|
||||
if (targets) {
|
||||
g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
|
||||
- disco = realm_disco_new (domain);
|
||||
- disco->kerberos_realm = g_ascii_strup (domain, -1);
|
||||
+ disco = realm_disco_new (name_prot_pair->name);
|
||||
+ disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
|
||||
g_task_return_pointer (task, disco, realm_disco_unref);
|
||||
|
||||
} else if (error) {
|
||||
- g_debug ("Resolving %s failed: %s", domain, error->message);
|
||||
+ g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
|
||||
g_error_free (error);
|
||||
- g_task_return_pointer (task, NULL, NULL);
|
||||
+
|
||||
+ if (strcmp (name_prot_pair->prot, "tcp") == 0) {
|
||||
+ g_task_return_pointer (task, NULL, NULL);
|
||||
+ } else {
|
||||
+ /* Try tcp */
|
||||
+ name_prot_pair->prot = "tcp";
|
||||
+ resolver = g_resolver_get_default ();
|
||||
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
|
||||
+ name_prot_pair->name,
|
||||
+ g_task_get_cancellable (task),
|
||||
+ on_kerberos_discover, g_object_ref (task));
|
||||
+ g_object_unref (resolver);
|
||||
+ }
|
||||
}
|
||||
|
||||
g_object_unref (task);
|
||||
@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
|
||||
GTask *task;
|
||||
const gchar *software;
|
||||
GResolver *resolver;
|
||||
- gchar *name;
|
||||
+ NameProtPair *name_prot_pair;
|
||||
|
||||
task = g_task_new (provider, NULL, callback, user_data);
|
||||
|
||||
@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
|
||||
g_task_return_pointer (task, NULL, NULL);
|
||||
|
||||
} else {
|
||||
- name = g_hostname_to_ascii (string);
|
||||
+ name_prot_pair = g_new0 (NameProtPair, 1);
|
||||
+ name_prot_pair->name = g_hostname_to_ascii (string);
|
||||
+ name_prot_pair->prot = "udp";
|
||||
resolver = g_resolver_get_default ();
|
||||
- g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
|
||||
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
|
||||
+ name_prot_pair->name,
|
||||
realm_invocation_get_cancellable (invocation),
|
||||
on_kerberos_discover, g_object_ref (task));
|
||||
- g_task_set_task_data (task, name, g_free);
|
||||
+ g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
|
||||
g_object_unref (resolver);
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 25 Nov 2016 17:35:11 +0100
|
||||
Subject: [PATCH] LDAP: don't close LDAP socket twice
|
||||
|
||||
ldap_destroy() will call close() on the LDAP socket so with an explicit
|
||||
close() before the file descriptor will be closed twice. Even worse,
|
||||
since the file descriptor can be reused after the explicit call of
|
||||
close() by any other thread the close() called from ldap_destroy() might
|
||||
close a file descriptor used by a different thread as seen e.g. in
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
|
||||
|
||||
Additionally the patch makes sure that the closed connection cannot be
|
||||
used again.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1398522
|
||||
---
|
||||
service/realm-ldap.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index 061ed61..59817fb 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
|
||||
{
|
||||
LdapSource *ls = (LdapSource *)source;
|
||||
|
||||
- /* Yeah, this is pretty rough, but we don't want blocking here */
|
||||
- close (ls->sock);
|
||||
ldap_destroy (ls->ldap);
|
||||
|
||||
+ ls->sock = -1;
|
||||
+ ls->ldap = NULL;
|
||||
+
|
||||
if (ls->cancellable) {
|
||||
g_cancellable_release_fd (ls->cancellable);
|
||||
g_object_unref (ls->cancellable);
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,185 +0,0 @@
|
|||
From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 30 May 2018 13:10:57 +0200
|
||||
Subject: [PATCH] Use current idmap options for smb.conf
|
||||
|
||||
Samba change some time ago the way how to configure id-mapping. With
|
||||
this patch realmd will use the current supported options when creating
|
||||
smb.conf.
|
||||
|
||||
A new option --legacy-samba-config is added to use the old options if
|
||||
realmd is used with Samba 3.5 or earlier.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
|
||||
---
|
||||
dbus/realm-dbus-constants.h | 1 +
|
||||
doc/manual/realmd.conf.xml | 17 ++++++++++++
|
||||
service/realm-samba-enroll.c | 2 +-
|
||||
service/realm-samba-enroll.h | 3 +++
|
||||
service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
|
||||
5 files changed, 72 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
|
||||
index 9cd30ef..40ffa2d 100644
|
||||
--- a/dbus/realm-dbus-constants.h
|
||||
+++ b/dbus/realm-dbus-constants.h
|
||||
@@ -69,6 +69,7 @@ G_BEGIN_DECLS
|
||||
#define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name"
|
||||
#define REALM_DBUS_OPTION_OS_NAME "os-name"
|
||||
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
|
||||
+#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
|
||||
|
||||
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
|
||||
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
|
||||
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
|
||||
index 7853230..a2b577c 100644
|
||||
--- a/doc/manual/realmd.conf.xml
|
||||
+++ b/doc/manual/realmd.conf.xml
|
||||
@@ -192,6 +192,23 @@ automatic-install = no
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><option>legacy-samba-config</option></term>
|
||||
+ <listitem>
|
||||
+ <para>Set this to <parameter>yes</parameter> to create a Samba
|
||||
+ configuration file with id-mapping options used by Samba-3.5
|
||||
+ and earlier version.</para>
|
||||
+
|
||||
+ <informalexample>
|
||||
+<programlisting language="js">
|
||||
+[service]
|
||||
+legacy-samba-config = no
|
||||
+# legacy-samba-config = yes
|
||||
+</programlisting>
|
||||
+ </informalexample>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
|
||||
index c81aed2..76e7b79 100644
|
||||
--- a/service/realm-samba-enroll.c
|
||||
+++ b/service/realm-samba-enroll.c
|
||||
@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
|
||||
g_free (join);
|
||||
}
|
||||
|
||||
-static gchar *
|
||||
+gchar *
|
||||
fallback_workgroup (const gchar *realm)
|
||||
{
|
||||
const gchar *pos;
|
||||
diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
|
||||
index 84e8b2f..310ec65 100644
|
||||
--- a/service/realm-samba-enroll.h
|
||||
+++ b/service/realm-samba-enroll.h
|
||||
@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco,
|
||||
gboolean realm_samba_enroll_leave_finish (GAsyncResult *result,
|
||||
GError **error);
|
||||
|
||||
+gchar *
|
||||
+fallback_workgroup (const gchar *realm);
|
||||
+
|
||||
G_END_DECLS
|
||||
|
||||
#endif /* __REALM_SAMBA_ENROLL_H__ */
|
||||
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
|
||||
index a7ddec3..9335e26 100644
|
||||
--- a/service/realm-samba-winbind.c
|
||||
+++ b/service/realm-samba-winbind.c
|
||||
@@ -21,8 +21,10 @@
|
||||
#include "realm-options.h"
|
||||
#include "realm-samba-config.h"
|
||||
#include "realm-samba-winbind.h"
|
||||
+#include "realm-samba-enroll.h"
|
||||
#include "realm-settings.h"
|
||||
#include "realm-service.h"
|
||||
+#include "dbus/realm-dbus-constants.h"
|
||||
|
||||
#include <glib/gstdio.h>
|
||||
|
||||
@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
|
||||
RealmIniConfig *pwc;
|
||||
GTask *task;
|
||||
GError *error = NULL;
|
||||
+ gchar *workgroup = NULL;
|
||||
+ gchar *idmap_config_backend = NULL;
|
||||
+ gchar *idmap_config_range = NULL;
|
||||
+ gchar *idmap_config_schema_mode = NULL;
|
||||
|
||||
g_return_if_fail (config != NULL);
|
||||
g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
|
||||
@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
|
||||
"template shell", realm_settings_string ("users", "default-shell"),
|
||||
NULL);
|
||||
|
||||
- if (realm_options_automatic_mapping (options, domain_name)) {
|
||||
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
- "idmap uid", "10000-2000000",
|
||||
- "idmap gid", "10000-2000000",
|
||||
- "idmap backend", "tdb",
|
||||
- "idmap schema", NULL,
|
||||
- NULL);
|
||||
+ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
|
||||
+ if (realm_options_automatic_mapping (options, domain_name)) {
|
||||
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
+ "idmap uid", "10000-2000000",
|
||||
+ "idmap gid", "10000-2000000",
|
||||
+ "idmap backend", "tdb",
|
||||
+ "idmap schema", NULL,
|
||||
+ NULL);
|
||||
+ } else {
|
||||
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
+ "idmap uid", "500-4294967296",
|
||||
+ "idmap gid", "500-4294967296",
|
||||
+ "idmap backend", "ad",
|
||||
+ "idmap schema", "rfc2307",
|
||||
+ NULL);
|
||||
+ }
|
||||
} else {
|
||||
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
- "idmap uid", "500-4294967296",
|
||||
- "idmap gid", "500-4294967296",
|
||||
- "idmap backend", "ad",
|
||||
- "idmap schema", "rfc2307",
|
||||
- NULL);
|
||||
+ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
|
||||
+ if (workgroup == NULL) {
|
||||
+ workgroup = fallback_workgroup (domain_name);
|
||||
+ }
|
||||
+ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
|
||||
+ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
|
||||
+ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
|
||||
+ g_free (workgroup);
|
||||
+
|
||||
+ if (realm_options_automatic_mapping (options, domain_name)) {
|
||||
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
+ "idmap config * : backend", "tdb",
|
||||
+ "idmap config * : range", "10000-999999",
|
||||
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
|
||||
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
|
||||
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
|
||||
+ NULL);
|
||||
+ } else {
|
||||
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
+ "idmap config * : backend", "tdb",
|
||||
+ "idmap config * : range", "10000000-10999999",
|
||||
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
|
||||
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
|
||||
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
|
||||
+ NULL);
|
||||
+ }
|
||||
}
|
||||
|
||||
realm_ini_config_finish_change (config, &error);
|
||||
+ g_free (idmap_config_backend);
|
||||
+ g_free (idmap_config_range);
|
||||
}
|
||||
|
||||
/* Setup pam_winbind.conf with decent defaults matching our expectations */
|
||||
--
|
||||
2.14.4
|
||||
|
|
@ -1,74 +0,0 @@
|
|||
From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 3 Jul 2020 17:18:27 +0200
|
||||
Subject: [PATCH] Use startTLS with FreeIPA
|
||||
|
||||
FreeIPA is planning to required a minimal security strength factor (ssf)
|
||||
in an upcoming version. This basically means that communication should
|
||||
be encrypted. The most straight forward way is use TLS by doing a
|
||||
StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
|
||||
since the initial release we will call StartTLS unconditionally but try
|
||||
without if it fails.
|
||||
|
||||
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
|
||||
---
|
||||
service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
|
||||
service/realm-ldap.c | 4 +++-
|
||||
2 files changed, 26 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
|
||||
index 3100650..7614071 100644
|
||||
--- a/service/realm-disco-rootdse.c
|
||||
+++ b/service/realm-disco-rootdse.c
|
||||
@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
|
||||
LDAP *ldap)
|
||||
{
|
||||
const char *attrs[] = { "info", "associatedDomain", NULL };
|
||||
+ int ret;
|
||||
+ int ldap_opt_val;
|
||||
|
||||
clo->request = NULL;
|
||||
clo->result = result_domain_info;
|
||||
|
||||
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
|
||||
+ * encrypted connected. Trying without in case of an error. Since we
|
||||
+ * most probably do not have the IPA CA certificate we will not check
|
||||
+ * the server certificate. */
|
||||
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
|
||||
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
|
||||
+ if (ret != LDAP_OPT_SUCCESS) {
|
||||
+ g_debug ("Failed to disable certificate checking, trying without");
|
||||
+ }
|
||||
+
|
||||
+ ldap_opt_val = 0;
|
||||
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
|
||||
+ if (ret != LDAP_OPT_SUCCESS) {
|
||||
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
|
||||
+ }
|
||||
+
|
||||
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
|
||||
+ if (ret != LDAP_SUCCESS) {
|
||||
+ g_debug ("Failed to setup TLS tunnel, trying without");
|
||||
+ }
|
||||
+
|
||||
return search_ldap (task, clo, ldap, clo->default_naming_context,
|
||||
LDAP_SCOPE_BASE, NULL, attrs);
|
||||
}
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index 59817fb..7831b5b 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
|
||||
g_warning ("couldn't set to blocking");
|
||||
|
||||
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
|
||||
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
|
||||
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
|
||||
+ g_free (url);
|
||||
|
||||
g_free (native);
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
From 4ef597d15df246f4121266aaf3e291e3f06f6f4a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 10 Mar 2021 17:57:07 +0100
|
||||
Subject: [PATCH] build: add --with-vendor-error-message configure option
|
||||
|
||||
With the new configure option --with-vendor-error-message a packager or
|
||||
a distribution can add a message if realmd returns with an error.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386
|
||||
---
|
||||
configure.ac | 15 +++++++++++++++
|
||||
tools/realm.c | 7 +++++++
|
||||
2 files changed, 22 insertions(+)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index ee067d9..05ec1bf 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -51,6 +51,21 @@ fi
|
||||
|
||||
AC_SUBST(DISTRO)
|
||||
|
||||
+# -----------------------------------------------------------------------------
|
||||
+# Vendor error message
|
||||
+
|
||||
+AC_ARG_WITH([vendor-error-message],
|
||||
+ [AS_HELP_STRING([--with-vendor-error-message=ARG],
|
||||
+ [Add a vendor specific error message shown if a realm command fails]
|
||||
+ )],
|
||||
+ [AS_IF([test "x$withval" != "x"],
|
||||
+ [AC_DEFINE_UNQUOTED([VENDOR_MSG],
|
||||
+ ["$withval"],
|
||||
+ [Vendor specific error message])],
|
||||
+ [AC_MSG_ERROR([--with-vendor-error-message requires an argument])]
|
||||
+ )],
|
||||
+ [])
|
||||
+
|
||||
# -----------------------------------------------------------------------------
|
||||
# Basic tools
|
||||
|
||||
diff --git a/tools/realm.c b/tools/realm.c
|
||||
index 1530f09..8fdca16 100644
|
||||
--- a/tools/realm.c
|
||||
+++ b/tools/realm.c
|
||||
@@ -287,6 +287,13 @@ main (int argc,
|
||||
ret = (realm_commands[i].function) (client, argc, argv);
|
||||
g_object_unref (client);
|
||||
|
||||
+#ifdef VENDOR_MSG
|
||||
+ if (ret != 0) {
|
||||
+ g_printerr (VENDOR_MSG"\n");
|
||||
+ }
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
break;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 28 Nov 2019 18:51:30 +0100
|
||||
Subject: [PATCH] configure: do not inherit DISTRO from the environment
|
||||
|
||||
The argument of the --with-distro configure option is stored in the
|
||||
variable DISTRO. If DISTRO is already set in the build environment it
|
||||
should not be used hence DISTRO must be cleared by the configure script
|
||||
if not set by --with-distro.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
|
||||
---
|
||||
configure.ac | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index e335247..a424a49 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
|
||||
[AS_HELP_STRING([--with-distro],
|
||||
[Configure for a specific distribution (eg: redhat)]
|
||||
)],
|
||||
- [DISTRO=$withval])
|
||||
+ [DISTRO=$withval],
|
||||
+ [DISTRO=])
|
||||
|
||||
if test -z $DISTRO; then
|
||||
AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
|
||||
--
|
||||
2.21.0
|
||||
|
|
@ -1,158 +0,0 @@
|
|||
From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001
|
||||
From: Stef Walter <stefw@redhat.com>
|
||||
Date: Mon, 6 Feb 2017 12:25:52 +0100
|
||||
Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual
|
||||
page
|
||||
|
||||
And clean up the documentation for the various arguments.
|
||||
---
|
||||
doc/manual/realm.xml | 70 +++++++++++++++++++++++---------------------
|
||||
1 file changed, 37 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
|
||||
index 6724d80..9d9136a 100644
|
||||
--- a/doc/manual/realm.xml
|
||||
+++ b/doc/manual/realm.xml
|
||||
@@ -60,7 +60,7 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
- <term><option>--install=/path</option></term>
|
||||
+ <term><option>-i</option>, <option>--install=/path</option></term>
|
||||
<listitem><para>Run in install mode. This makes realmd
|
||||
chroot into the specified directory and place files in
|
||||
appropriate locations for use during an installer. No
|
||||
@@ -73,7 +73,7 @@
|
||||
for input.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term><option>--verbose, -v</option></term>
|
||||
+ <term><option>-v</option>, <option>--verbose</option></term>
|
||||
<listitem><para>Display verbose diagnostics while doing
|
||||
running commands.</para></listitem>
|
||||
</varlistentry>
|
||||
@@ -105,7 +105,7 @@ $ realm discover domain.example.com
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
- <term><option>--all</option></term>
|
||||
+ <term><option>-a</option>, <option>--all</option></term>
|
||||
<listitem><para>Show all discovered realms (in various
|
||||
configurations).</para></listitem>
|
||||
</varlistentry>
|
||||
@@ -116,6 +116,10 @@ $ realm discover domain.example.com
|
||||
<replaceable>sssd</replaceable> or
|
||||
<replaceable>winbind</replaceable>.</para></listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>-n</option>, <option>--name</option></term>
|
||||
+ <listitem><para>Only show the names of the discovered realms.</para></listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--server-software=xxx</option></term>
|
||||
<listitem><para>Only discover realms which run the
|
||||
@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
in the domain already.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term><option>--user=xxx</option></term>
|
||||
- <listitem><para>The user name to be used to authenticate
|
||||
- with when joining the machine to the realm. You will
|
||||
- be prompted for a password.</para></listitem>
|
||||
+ <term><option>--client-software=xxx</option></term>
|
||||
+ <listitem><para>Only join realms for which we can
|
||||
+ use the given client software. Possible values include
|
||||
+ <replaceable>sssd</replaceable> or
|
||||
+ <replaceable>winbind</replaceable>. Not all values are
|
||||
+ supported for all realms. By default the client software
|
||||
+ is automatically selected.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--computer-ou=OU=xxx</option></term>
|
||||
@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
DSE portion of distinguished name. This is an Active
|
||||
Directory specific option.</para></listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>--membership-software=xxx</option></term>
|
||||
+ <listitem><para>The software to use when joining to the
|
||||
+ realm. Possible values include <replaceable>samba</replaceable> or
|
||||
+ <replaceable>adcli</replaceable>. Not all values are
|
||||
+ supported for all realms. By default the membership software
|
||||
+ is automatically selected.</para></listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--no-password</option></term>
|
||||
<listitem><para>Perform the join automatically without
|
||||
@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
all types of realms.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term><option>--client-software=xxx</option></term>
|
||||
- <listitem><para>Only join realms for which we can
|
||||
- use the given client software. Possible values include
|
||||
- <replaceable>sssd</replaceable> or
|
||||
- <replaceable>winbind</replaceable>. Not all values are
|
||||
- supported for all realms. By default the client software
|
||||
- is automatically selected.</para></listitem>
|
||||
+ <term><option>--os-name=xxx</option></term>
|
||||
+ <listitem><para>The name of the operation system of the
|
||||
+ client. When joining an AD domain the value is store in
|
||||
+ the matching AD attribute.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>--os-version=xxx</option></term>
|
||||
+ <listitem><para>The version of the operation system of the
|
||||
+ client. When joining an AD domain the value is store in
|
||||
+ the matching AD attribute.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--server-software=xxx</option></term>
|
||||
@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
<replaceable>ipa</replaceable>.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term><option>--membership-software=xxx</option></term>
|
||||
- <listitem><para>The software to use when joining to the
|
||||
- realm. Possible values include <replaceable>samba</replaceable> or
|
||||
- <replaceable>adcli</replaceable>. Not all values are
|
||||
- supported for all realms. By default the membership software
|
||||
- is automatically selected.</para></listitem>
|
||||
+ <term><option>-U</option>, <option>--user=xxx</option></term>
|
||||
+ <listitem><para>The user name to be used to authenticate
|
||||
+ with when joining the machine to the realm. You will
|
||||
+ be prompted for a password.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
|
||||
@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
the value for this option, then a principal will be set
|
||||
in the form of <literal>host/shortname@REALM</literal></para></listitem>
|
||||
</varlistentry>
|
||||
- <varlistentry>
|
||||
- <term><option>--os-name=xxx</option></term>
|
||||
- <listitem><para>The name of the operation system of the
|
||||
- client. When joining an AD domain the value is store in
|
||||
- the matching AD attribute.</para></listitem>
|
||||
- </varlistentry>
|
||||
- <varlistentry>
|
||||
- <term><option>--os-version=xxx</option></term>
|
||||
- <listitem><para>The version of the operation system of the
|
||||
- client. When joining an AD domain the value is store in
|
||||
- the matching AD attribute.</para></listitem>
|
||||
- </varlistentry>
|
||||
</variablelist>
|
||||
|
||||
</refsect1>
|
||||
@@ -300,7 +304,7 @@ $ realm leave domain.example.com
|
||||
for a pasword.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term><option>--user</option></term>
|
||||
+ <term><option>-U</option>, <option>--user</option></term>
|
||||
<listitem><para>The user name to be used to authenticate
|
||||
with when leaving the realm. You will be prompted for a
|
||||
password. Implies <option>--remove</option>.</para></listitem>
|
||||
--
|
||||
2.21.0
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From 05100771ea6bd775caae705bb53f76a0816f3b81 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 11 May 2021 11:13:06 +0200
|
||||
Subject: [PATCH] doc: add computer-name to realm man page
|
||||
|
||||
---
|
||||
doc/manual/realm.xml | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
|
||||
index 9160a8a..b4dc27c 100644
|
||||
--- a/doc/manual/realm.xml
|
||||
+++ b/doc/manual/realm.xml
|
||||
@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
supported for all realms. By default the membership software
|
||||
is automatically selected.</para></listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>--computer-name=xxx</option></term>
|
||||
+ <listitem>
|
||||
+ <para>This option only applies to Active
|
||||
+ Directory realms. Specify this option to
|
||||
+ override the default name used when creating
|
||||
+ the computer account. The system's FQDN will
|
||||
+ still be saved in the dNSHostName attribute.</para>
|
||||
+ <para>Specify the name as a string of 15 or
|
||||
+ fewer characters that is a valid NetBIOS
|
||||
+ computer name.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--no-password</option></term>
|
||||
<listitem><para>Perform the join automatically without
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,104 +0,0 @@
|
|||
From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 29 Nov 2019 21:57:02 +0100
|
||||
Subject: [PATCH] doc: extend description of config handling
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005
|
||||
---
|
||||
doc/manual/Makefile.am | 8 ++++++++
|
||||
doc/manual/realmd.conf.xml | 15 +++++++++++----
|
||||
doc/privatedir.xml.in | 1 +
|
||||
4 files changed, 21 insertions(+), 4 deletions(-)
|
||||
create mode 100644 doc/privatedir.xml.in
|
||||
|
||||
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
|
||||
index 8b33fdd..9812c45 100644
|
||||
--- a/doc/manual/Makefile.am
|
||||
+++ b/doc/manual/Makefile.am
|
||||
@@ -1,14 +1,20 @@
|
||||
+XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc
|
||||
|
||||
man8_MANS += \
|
||||
doc/manual/realm.8
|
||||
man5_MANS += \
|
||||
doc/manual/realmd.conf.5
|
||||
|
||||
+$(man5_MANS): doc/privatedir.xml
|
||||
+
|
||||
MAN_IN_FILES = \
|
||||
$(man8_MANS:.8=.xml) \
|
||||
$(man5_MANS:.5=.xml) \
|
||||
$(NULL)
|
||||
|
||||
+doc/privatedir.xml: doc/privatedir.xml.in
|
||||
+ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@
|
||||
+
|
||||
MANUAL_DOCBOOK = doc/manual/realmd-docs.xml
|
||||
|
||||
MANUAL_INCLUDES = \
|
||||
@@ -41,6 +47,7 @@ MANUAL_XSLT = \
|
||||
$(NULL)
|
||||
|
||||
EXTRA_DIST += \
|
||||
+ doc/privatedir.xml.in \
|
||||
$(MANUAL_DOCBOOK) \
|
||||
$(MANUAL_INCLUDES) \
|
||||
$(MAN_IN_FILES) \
|
||||
@@ -50,6 +57,7 @@ EXTRA_DIST += \
|
||||
|
||||
CLEANFILES += \
|
||||
realmd-org.freedesktop.realmd.generated \
|
||||
+ doc/privatedir.xml \
|
||||
$(DBUS_DOC_GENERATED) \
|
||||
$(DBUS_ESCAPED) \
|
||||
$(man8_MANS) \
|
||||
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
|
||||
index 1592291..9062252 100644
|
||||
--- a/doc/manual/realmd.conf.xml
|
||||
+++ b/doc/manual/realmd.conf.xml
|
||||
@@ -1,6 +1,9 @@
|
||||
<?xml version='1.0'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
+[
|
||||
+<!ENTITY privatedir SYSTEM "privatedir.xml">
|
||||
+]>
|
||||
|
||||
<refentry id="realmd-conf">
|
||||
|
||||
@@ -35,7 +38,9 @@
|
||||
to act in specific ways. This is done by placing settings in a
|
||||
<filename>/etc/realmd.conf</filename>. This file does not exist by
|
||||
default. The syntax of this file is the same as an INI file or
|
||||
- Desktop Entry file.</para>
|
||||
+ Desktop Entry file. If the file is changed and
|
||||
+ <command>realmd</command> is running <command>realmd</command> must be
|
||||
+ restarted to read the new values.</para>
|
||||
|
||||
<para>In general, settings in this file only apply at the point of
|
||||
joining a domain or realm. Once the realm has been setup the settings
|
||||
@@ -46,8 +51,10 @@
|
||||
|
||||
<para>Only specify the settings you wish to override in the
|
||||
<filename>/etc/realmd.conf</filename> file. Settings not specified will
|
||||
- be loaded from their packaged defaults. Only override the settings
|
||||
- below. You may find other settings if you look through the
|
||||
+ be loaded from their packaged defaults which can be found in
|
||||
+ <filename>&privatedir;/realmd-defaults.conf</filename> and
|
||||
+ <filename>&privatedir;/realmd-distro.conf</filename>. Only override the
|
||||
+ settings below. You may find other settings if you look through the
|
||||
<command>realmd</command> source code. However these are not guaranteed
|
||||
to remain stable.</para>
|
||||
|
||||
diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in
|
||||
new file mode 100644
|
||||
index 0000000..7f71afe
|
||||
--- /dev/null
|
||||
+++ b/doc/privatedir.xml.in
|
||||
@@ -0,0 +1 @@
|
||||
+@privatedir@
|
||||
\ No newline at end of file
|
||||
--
|
||||
2.21.0
|
||||
|
|
@ -1,75 +0,0 @@
|
|||
From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 29 Nov 2019 18:10:03 +0100
|
||||
Subject: [PATCH] doc: extend user-principal section
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814
|
||||
---
|
||||
doc/manual/realm.xml | 21 +++++++++++++++++++--
|
||||
doc/manual/realmd.conf.xml | 15 ++++++++++-----
|
||||
2 files changed, 29 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
|
||||
index 7b73331..55a7640 100644
|
||||
--- a/doc/manual/realm.xml
|
||||
+++ b/doc/manual/realm.xml
|
||||
@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
|
||||
- <listitem><para>Set the userPrincipalName field of the
|
||||
+ <listitem><para>Set the
|
||||
+ <option>userPrincipalName</option> field of the
|
||||
computer account to this kerberos principal. If you omit
|
||||
the value for this option, then a principal will be set
|
||||
- in the form of <literal>host/shortname@REALM</literal></para></listitem>
|
||||
+ based on the defaults of the membership software.</para>
|
||||
+ <para>AD makes a distinction between user and service
|
||||
+ principals. Only with user principals you can request a
|
||||
+ Kerberos Ticket-Granting-Ticket (TGT), i.e. only user
|
||||
+ principals can be used with the <command>kinit</command>
|
||||
+ command. By default the user principal and the canonical
|
||||
+ principal name of an AD computer account is
|
||||
+ <code>shortname$@AD.DOMAIN</code>, where shortname is
|
||||
+ the NetBIOS name which is limited to 15 characters.</para>
|
||||
+ <para>If there are applications which are not aware of
|
||||
+ the AD default and are using a hard-coded default
|
||||
+ principal the <option>--user-principal</option> can be
|
||||
+ used to make AD aware of this principal. Please note
|
||||
+ that <option>userPrincipalName</option> is a single
|
||||
+ value LDAP attribute, i.e. only one alternative user
|
||||
+ principal besides the AD default user principal can be
|
||||
+ set.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
|
||||
index f0b0879..a26a60c 100644
|
||||
--- a/doc/manual/realmd.conf.xml
|
||||
+++ b/doc/manual/realmd.conf.xml
|
||||
@@ -365,12 +365,17 @@ computer-name = SERVER01
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term><option>user-prinicpal</option></term>
|
||||
+ <term><option>user-principal</option></term>
|
||||
<listitem>
|
||||
- <para>Set the <option>user-prinicpal</option> to <code>yes</code>
|
||||
- to create <option>userPrincipalName</option> attributes for the
|
||||
- computer account in the realm, in the form
|
||||
- <code>host/computer@REALM</code></para>
|
||||
+ <para>Set the <option>user-principal</option> to <code>yes</code>
|
||||
+ to create <option>userPrincipalName</option> attribute for the
|
||||
+ computer accounts in the realm. The exact value depends on the
|
||||
+ defaults of the used membership software. To have full control
|
||||
+ over the value please use the
|
||||
+ <option>--user-principal</option> option of the
|
||||
+ <command>realm</command> command, see
|
||||
+ <citerefentry><refentrytitle>realm</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum></citerefentry> for details.</para>
|
||||
|
||||
<informalexample>
|
||||
<programlisting language="js">
|
||||
--
|
||||
2.21.0
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 29 Nov 2019 18:49:15 +0100
|
||||
Subject: [PATCH 1/2] doc: fix discover name-only
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
|
||||
---
|
||||
doc/manual/realmd.conf.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
|
||||
index a26a60c..fc6a785 100644
|
||||
--- a/doc/manual/realmd.conf.xml
|
||||
+++ b/doc/manual/realmd.conf.xml
|
||||
@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
|
||||
|
||||
<informalexample>
|
||||
<screen>
|
||||
-$ <command>realm discover --name DOMAIN.example.com</command>
|
||||
+$ <command>realm discover --name-only DOMAIN.example.com</command>
|
||||
domain.example.com
|
||||
...
|
||||
</screen>
|
||||
--
|
||||
2.21.0
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -1,78 +0,0 @@
|
|||
From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 24 Nov 2021 17:25:18 +0100
|
||||
Subject: [PATCH] ldap: add socket timeout
|
||||
|
||||
During the discovery phase realmd tries to open LDAP connections to
|
||||
multiple DC addresses returned by DNS. When cleaning up we have to call
|
||||
ldap_destroy() to release the resources allocated for the LDAP context.
|
||||
ldap_destroy() tries to send a LDAP unbind request independent of the
|
||||
connection state. If the related address is block by a firewall or a not
|
||||
properly routed IPv6 address there might be no reply on the TCP level
|
||||
and the request might be stuck for quite some tome in the kernel.
|
||||
|
||||
To avoid the unexpected long delays will block realmd this patch lowers
|
||||
the timeout considerably to 5s. As multiple other timeouts this value is
|
||||
currently hardcoded.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
|
||||
---
|
||||
service/realm-ldap.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index bdfb96c..f7b6d13 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
+#include <netinet/tcp.h>
|
||||
|
||||
#include <errno.h>
|
||||
|
||||
@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
|
||||
|
||||
/* Not included in ldap.h but documented */
|
||||
int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
|
||||
+#define LDAP_SOCKET_TIMEOUT 5
|
||||
|
||||
GSource *
|
||||
realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
int opt_rc;
|
||||
int ldap_opt_val;
|
||||
const char *errmsg = NULL;
|
||||
+ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
|
||||
+ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
|
||||
|
||||
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
|
||||
|
||||
@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
|
||||
g_warning ("couldn't set to blocking");
|
||||
|
||||
+ /* Lower the kernel defaults which might be minutes to hours */
|
||||
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
|
||||
+ &tv, sizeof (tv));
|
||||
+ if (rc != 0) {
|
||||
+ g_warning ("couldn't set SO_RCVTIMEO");
|
||||
+ }
|
||||
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
|
||||
+ &tv, sizeof (tv));
|
||||
+ if (rc != 0) {
|
||||
+ g_warning ("couldn't set SO_SNDTIMEO");
|
||||
+ }
|
||||
+ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
|
||||
+ &milli, sizeof (milli));
|
||||
+ if (rc != 0) {
|
||||
+ g_warning ("couldn't set TCP_USER_TIMEOUT");
|
||||
+ }
|
||||
+
|
||||
if (family == G_SOCKET_FAMILY_IPV4) {
|
||||
url = g_strdup_printf ("%s://%s:%d",
|
||||
use_ldaps ? "ldaps" : "ldap",
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From e41de8344a09092ae4d973f495eef54a106a11ee Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 26 Nov 2020 17:24:10 +0100
|
||||
Subject: [PATCH] ldap: setup TLS when using ldaps
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
service/realm-ldap.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index 2076d1e..e07a299 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -263,6 +263,14 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ if (use_ldaps) {
|
||||
+ rc = ldap_install_tls (ls->ldap);
|
||||
+ if (rc != LDAP_SUCCESS) {
|
||||
+ g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
break;
|
||||
|
||||
case G_SOCKET_PROTOCOL_UDP:
|
||||
--
|
||||
2.28.0
|
||||
|
|
@ -1,128 +0,0 @@
|
|||
From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 14 Dec 2021 15:32:32 +0100
|
||||
Subject: [PATCH] samba: use new Samba-4.15 command line options
|
||||
|
||||
Samba-4.15 changed a couple of command line options of the net utility.
|
||||
This patch adds a configure option to select the new or the old style.
|
||||
If the option is not used configure tries to call the net utility to
|
||||
check for the options. If this fails the old style is used.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
|
||||
---
|
||||
configure.ac | 34 ++++++++++++++++++++++++++++++++++
|
||||
service/realm-samba-enroll.c | 18 +++++++++++++-----
|
||||
2 files changed, 47 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index ea51f92..ddc25d0 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
|
||||
AC_SUBST(LDAP_LIBS)
|
||||
AC_SUBST(LDAP_CFLAGS)
|
||||
|
||||
+# -------------------------------------------------------------------
|
||||
+# Samba
|
||||
+
|
||||
+AC_ARG_WITH(new-samba-cli-options,
|
||||
+ AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
|
||||
+ [Use new command line options introduced with Samba-4.15,
|
||||
+ if not provided the output of 'net help' is checked or old
|
||||
+ style options are used]))
|
||||
+
|
||||
+if test "$with_new_samba_cli_options" = "no"; then
|
||||
+ AC_MSG_RESULT([Using old Samba command line options])
|
||||
+elif test "$with_new_samba_cli_options" = "yes"; then
|
||||
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
|
||||
+ [Use new command line options introduced with Samba-4.15])
|
||||
+ AC_MSG_RESULT([Using new Samba command line options])
|
||||
+else
|
||||
+ AC_PATH_PROG([SAMBA_NET], [net])
|
||||
+ if test ! -x "$SAMBA_NET"; then
|
||||
+ AC_MSG_NOTICE([Could not find Samba's net utility, ]
|
||||
+ [assuming old style command line options, ]
|
||||
+ [please install the net utility for proper detection.])
|
||||
+ else
|
||||
+ AC_MSG_CHECKING([for --debug-stdout option of net])
|
||||
+ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
|
||||
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
|
||||
+ [Use new command line options introduced with Samba-4.15])
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
+
|
||||
# -------------------------------------------------------------------
|
||||
# Directories
|
||||
|
||||
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
|
||||
index 5624a08..8b2ee38 100644
|
||||
--- a/service/realm-samba-enroll.c
|
||||
+++ b/service/realm-samba-enroll.c
|
||||
@@ -37,6 +37,14 @@
|
||||
#include <sys/socket.h>
|
||||
#include <netdb.h>
|
||||
|
||||
+#ifdef WITH_NEW_SAMBA_CLI_OPTS
|
||||
+#define SMBCLI_KERBEROS "--use-kerberos=required"
|
||||
+#define SMBCLI_CONF "--configfile"
|
||||
+#else
|
||||
+#define SMBCLI_KERBEROS "-k"
|
||||
+#define SMBCLI_CONF "-s"
|
||||
+#endif
|
||||
+
|
||||
typedef struct {
|
||||
GDBusMethodInvocation *invocation;
|
||||
gchar *join_args[8];
|
||||
@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
|
||||
/* Use our custom smb.conf */
|
||||
g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
|
||||
if (join->custom_smb_conf) {
|
||||
- g_ptr_array_add (args, "-s");
|
||||
+ g_ptr_array_add (args, SMBCLI_CONF);
|
||||
g_ptr_array_add (args, join->custom_smb_conf);
|
||||
}
|
||||
|
||||
@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
|
||||
} else {
|
||||
begin_net_process (join, NULL,
|
||||
on_keytab_do_finish, g_object_ref (task),
|
||||
- "-k", "ads", "keytab", "create", NULL);
|
||||
+ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
|
||||
}
|
||||
|
||||
g_object_unref (task);
|
||||
@@ -428,7 +436,7 @@ begin_join (GTask *task,
|
||||
begin_net_process (join, join->password_input,
|
||||
on_join_do_keytab, g_object_ref (task),
|
||||
"-U", join->user_name,
|
||||
- "-k", "ads", "join", join->disco->domain_name,
|
||||
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
|
||||
join->join_args[0], join->join_args[1],
|
||||
join->join_args[2], join->join_args[3],
|
||||
join->join_args[4], NULL);
|
||||
@@ -437,7 +445,7 @@ begin_join (GTask *task,
|
||||
} else {
|
||||
begin_net_process (join, NULL,
|
||||
on_join_do_keytab, g_object_ref (task),
|
||||
- "-k", "ads", "join", join->disco->domain_name,
|
||||
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
|
||||
join->join_args[0], join->join_args[1],
|
||||
join->join_args[2], join->join_args[3],
|
||||
join->join_args[4], NULL);
|
||||
@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
|
||||
join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
|
||||
begin_net_process (join, NULL,
|
||||
on_leave_complete, g_object_ref (task),
|
||||
- "-k", "ads", "leave", NULL);
|
||||
+ SMBCLI_KERBEROS, "ads", "leave", NULL);
|
||||
break;
|
||||
default:
|
||||
g_return_if_reached ();
|
||||
--
|
||||
2.33.1
|
||||
|
|
@ -1,96 +0,0 @@
|
|||
From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
|
||||
From: Stef Walter <stefw@redhat.com>
|
||||
Date: Fri, 28 Oct 2016 20:27:48 +0200
|
||||
Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
|
||||
|
||||
After adding a domain to sssd.conf add the nss and pam services
|
||||
to the [sssd] block.
|
||||
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=98479
|
||||
---
|
||||
service/realm-sssd-ad.c | 3 +++
|
||||
service/realm-sssd-config.c | 2 --
|
||||
service/realm-sssd-ipa.c | 3 +++
|
||||
tests/test-sssd-config.c | 4 ++--
|
||||
4 files changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index 5ed384d..5fa81ce 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
|
||||
gboolean use_adcli,
|
||||
GError **error)
|
||||
{
|
||||
+ const gchar *services[] = { "nss", "pam", NULL };
|
||||
GString *realmd_tags;
|
||||
const gchar *access_provider;
|
||||
const gchar *shell;
|
||||
@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
|
||||
"ldap_sasl_authid", authid,
|
||||
NULL);
|
||||
|
||||
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
|
||||
+
|
||||
g_free (authid);
|
||||
g_string_free (realmd_tags, TRUE);
|
||||
|
||||
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
|
||||
index 2096afd..d4398b9 100644
|
||||
--- a/service/realm-sssd-config.c
|
||||
+++ b/service/realm-sssd-config.c
|
||||
@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
|
||||
g_strfreev (already);
|
||||
|
||||
/* Setup a default sssd section */
|
||||
- if (!realm_ini_config_have (config, "section", "services"))
|
||||
- realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
|
||||
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
|
||||
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
|
||||
|
||||
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
|
||||
index b12136e..001870d 100644
|
||||
--- a/service/realm-sssd-ipa.c
|
||||
+++ b/service/realm-sssd-ipa.c
|
||||
@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
|
||||
GAsyncResult *result,
|
||||
gpointer user_data)
|
||||
{
|
||||
+ const gchar *services[] = { "nss", "pam", NULL };
|
||||
GTask *task = G_TASK (user_data);
|
||||
EnrollClosure *enroll = g_task_get_task_data (task);
|
||||
RealmSssd *sssd = g_task_get_source_object (task);
|
||||
@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
|
||||
"realmd_tags", realmd_tags,
|
||||
NULL);
|
||||
|
||||
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
|
||||
+
|
||||
g_free (home);
|
||||
}
|
||||
|
||||
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
|
||||
index 59eab75..892b9d5 100644
|
||||
--- a/tests/test-sssd-config.c
|
||||
+++ b/tests/test-sssd-config.c
|
||||
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
|
||||
gconstpointer unused)
|
||||
{
|
||||
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
|
||||
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
|
||||
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
|
||||
GError *error = NULL;
|
||||
gchar *output;
|
||||
gboolean ret;
|
||||
@@ -140,7 +140,7 @@ static void
|
||||
test_add_domain_only (Test *test,
|
||||
gconstpointer unused)
|
||||
{
|
||||
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
|
||||
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
|
||||
GError *error = NULL;
|
||||
gchar *output;
|
||||
gboolean ret;
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 07:20:17 +0200
|
||||
Subject: [PATCH] service: Add "pam" and "nss" services in
|
||||
realm_sssd_config_add_domain()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
realm_sssd_config_add_domain() must setup the services line in sssd.conf
|
||||
otherwise SSSD won't be able to start any of its services.
|
||||
|
||||
It's a regression caused by 402cbab which leaves SSSD with no services
|
||||
line when joining to an ad client doing "realm join ad.example".
|
||||
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=98479
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
service/realm-sssd-ad.c | 3 ++-
|
||||
service/realm-sssd-config.c | 2 ++
|
||||
service/realm-sssd-ipa.c | 3 ++-
|
||||
tests/test-sssd-config.c | 4 ++--
|
||||
4 files changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index 5fa81ce..8543ca8 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
|
||||
"ldap_sasl_authid", authid,
|
||||
NULL);
|
||||
|
||||
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
|
||||
+ if (ret)
|
||||
+ ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
|
||||
|
||||
g_free (authid);
|
||||
g_string_free (realmd_tags, TRUE);
|
||||
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
|
||||
index d4398b9..140d7dc 100644
|
||||
--- a/service/realm-sssd-config.c
|
||||
+++ b/service/realm-sssd-config.c
|
||||
@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
|
||||
gchar **already;
|
||||
gboolean ret;
|
||||
gchar *section;
|
||||
+ const gchar *services[] = { "nss", "pam", NULL };
|
||||
va_list va;
|
||||
gint i;
|
||||
|
||||
@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
|
||||
g_strfreev (already);
|
||||
|
||||
/* Setup a default sssd section */
|
||||
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
|
||||
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
|
||||
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
|
||||
|
||||
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
|
||||
index 001870d..ff1dc8a 100644
|
||||
--- a/service/realm-sssd-ipa.c
|
||||
+++ b/service/realm-sssd-ipa.c
|
||||
@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
|
||||
"realmd_tags", realmd_tags,
|
||||
NULL);
|
||||
|
||||
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
|
||||
+ if (error == NULL)
|
||||
+ realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
|
||||
|
||||
g_free (home);
|
||||
}
|
||||
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
|
||||
index 892b9d5..59eab75 100644
|
||||
--- a/tests/test-sssd-config.c
|
||||
+++ b/tests/test-sssd-config.c
|
||||
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
|
||||
gconstpointer unused)
|
||||
{
|
||||
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
|
||||
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
|
||||
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
|
||||
GError *error = NULL;
|
||||
gchar *output;
|
||||
gboolean ret;
|
||||
@@ -140,7 +140,7 @@ static void
|
||||
test_add_domain_only (Test *test,
|
||||
gconstpointer unused)
|
||||
{
|
||||
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
|
||||
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
|
||||
GError *error = NULL;
|
||||
gchar *output;
|
||||
gboolean ret;
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,69 +0,0 @@
|
|||
From cf40987b7f847be70ef3a5a0fa359116c0259477 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 30 Oct 2020 13:19:09 +0100
|
||||
Subject: [PATCH 1/6] service: add REALM_DBUS_OPTION_USE_LDAPS and
|
||||
realm_get_use_ldaps
|
||||
|
||||
Add a new option to the realmd service to use ldaps where possible and
|
||||
supported.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
dbus/realm-dbus-constants.h | 1 +
|
||||
service/realm-options.c | 17 +++++++++++++++++
|
||||
service/realm-options.h | 2 ++
|
||||
3 files changed, 20 insertions(+)
|
||||
|
||||
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
|
||||
index 40ffa2d..0bd7a5d 100644
|
||||
--- a/dbus/realm-dbus-constants.h
|
||||
+++ b/dbus/realm-dbus-constants.h
|
||||
@@ -70,6 +70,7 @@ G_BEGIN_DECLS
|
||||
#define REALM_DBUS_OPTION_OS_NAME "os-name"
|
||||
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
|
||||
#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
|
||||
+#define REALM_DBUS_OPTION_USE_LDAPS "use-ldaps"
|
||||
|
||||
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
|
||||
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
|
||||
diff --git a/service/realm-options.c b/service/realm-options.c
|
||||
index 34a209f..d42eb7c 100644
|
||||
--- a/service/realm-options.c
|
||||
+++ b/service/realm-options.c
|
||||
@@ -199,3 +199,20 @@ realm_options_ad_specific (GVariant *options,
|
||||
|
||||
return g_strdup (value);
|
||||
}
|
||||
+
|
||||
+gboolean realm_option_use_ldaps (GVariant *options)
|
||||
+{
|
||||
+ gchar *use_ldaps_str;
|
||||
+
|
||||
+ use_ldaps_str = realm_options_ad_specific (options,
|
||||
+ REALM_DBUS_OPTION_USE_LDAPS);
|
||||
+ if (use_ldaps_str != NULL
|
||||
+ && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
|
||||
+ || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
|
||||
+ g_free (use_ldaps_str);
|
||||
+ return TRUE;
|
||||
+ }
|
||||
+ g_free (use_ldaps_str);
|
||||
+
|
||||
+ return FALSE;
|
||||
+}
|
||||
diff --git a/service/realm-options.h b/service/realm-options.h
|
||||
index b71d219..bc13cd7 100644
|
||||
--- a/service/realm-options.h
|
||||
+++ b/service/realm-options.h
|
||||
@@ -48,6 +48,8 @@ const gchar * realm_options_computer_name (GVariant *options,
|
||||
const gchar * realm_options_ad_specific (GVariant *options,
|
||||
const gchar *option_name);
|
||||
|
||||
+gboolean realm_option_use_ldaps (GVariant *options);
|
||||
+
|
||||
G_END_DECLS
|
||||
|
||||
#endif /* __REALM_OPTIONS_H__ */
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
From ccf48aa7761065283483d667f3efaf33b5b2a728 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 1 Dec 2020 14:12:33 +0100
|
||||
Subject: [PATCH 1/3] service: make sure use_ldaps is not only set for
|
||||
automatic join
|
||||
|
||||
The check if ldaps is requested or not was only called if an automatic
|
||||
join was enabled. With this patch it is checked in all cases.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
service/realm-sssd-ad.c | 26 +++++++++++++-------------
|
||||
1 file changed, 13 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index 00a9093..ea5f28c 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -349,19 +349,6 @@ parse_join_options (JoinClosure *join,
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Check if ldaps should be used and if membership software supports
|
||||
- * it.
|
||||
- */
|
||||
- join->use_ldaps = realm_option_use_ldaps (options);
|
||||
- if (join->use_ldaps &&
|
||||
- g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
|
||||
- realm_diagnostics_info (join->invocation,
|
||||
- "Membership software %s does "
|
||||
- "not support ldaps, trying "
|
||||
- "without.", software);
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* If we are enrolling with a user password, then we have to use samba,
|
||||
* adcli only supports admin passwords.
|
||||
@@ -393,6 +380,19 @@ parse_join_options (JoinClosure *join,
|
||||
|
||||
g_assert (software != NULL);
|
||||
|
||||
+ /*
|
||||
+ * Check if ldaps should be used and if membership software supports
|
||||
+ * it.
|
||||
+ */
|
||||
+ join->use_ldaps = realm_option_use_ldaps (options);
|
||||
+ if (join->use_ldaps &&
|
||||
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
|
||||
+ realm_diagnostics_info (join->invocation,
|
||||
+ "Membership software %s does "
|
||||
+ "not support ldaps, trying "
|
||||
+ "without.", software);
|
||||
+ }
|
||||
+
|
||||
if (g_str_equal (software, REALM_DBUS_IDENTIFIER_ADCLI)) {
|
||||
join->use_adcli = TRUE;
|
||||
join->packages = ADCLI_PACKAGES;
|
||||
--
|
||||
2.28.0
|
||||
|
|
@ -1,166 +0,0 @@
|
|||
From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 12 Aug 2020 12:58:27 +0200
|
||||
Subject: [PATCH] service: use 'additional dns hostnames' with net ads join
|
||||
|
||||
With newer versions of Samba the net ads join does not add services
|
||||
principals with the configured host name anymore but added the new
|
||||
option 'additional dns hostnames' for this.
|
||||
|
||||
realmd will try to figure out a fully-qualified host name and use it
|
||||
with the new option if it is from a different domain.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912
|
||||
---
|
||||
service/realm-disco.c | 1 +
|
||||
service/realm-disco.h | 1 +
|
||||
service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++-
|
||||
service/realm-samba.c | 6 ++++
|
||||
4 files changed, 64 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/service/realm-disco.c b/service/realm-disco.c
|
||||
index ab06939..a12be50 100644
|
||||
--- a/service/realm-disco.c
|
||||
+++ b/service/realm-disco.c
|
||||
@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data)
|
||||
g_free (disco->explicit_netbios);
|
||||
g_free (disco->kerberos_realm);
|
||||
g_free (disco->workgroup);
|
||||
+ g_free (disco->dns_fqdn);
|
||||
if (disco->server_address)
|
||||
g_object_unref (disco->server_address);
|
||||
g_free (disco);
|
||||
diff --git a/service/realm-disco.h b/service/realm-disco.h
|
||||
index 5f3e5e9..35532d2 100644
|
||||
--- a/service/realm-disco.h
|
||||
+++ b/service/realm-disco.h
|
||||
@@ -30,6 +30,7 @@ typedef struct {
|
||||
gchar *explicit_server;
|
||||
gchar *explicit_netbios;
|
||||
GSocketAddress *server_address;
|
||||
+ gchar *dns_fqdn;
|
||||
} RealmDisco;
|
||||
|
||||
#define REALM_TYPE_DISCO (realm_disco_get_type ())
|
||||
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
|
||||
index 3f86c51..5624a08 100644
|
||||
--- a/service/realm-samba-enroll.c
|
||||
+++ b/service/realm-samba-enroll.c
|
||||
@@ -33,6 +33,9 @@
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netdb.h>
|
||||
|
||||
typedef struct {
|
||||
GDBusMethodInvocation *invocation;
|
||||
@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm)
|
||||
return g_utf8_strup (realm, pos - realm);
|
||||
}
|
||||
|
||||
+static char *
|
||||
+try_to_get_fqdn (void)
|
||||
+{
|
||||
+ char hostname[HOST_NAME_MAX + 1];
|
||||
+ gchar *fqdn = NULL;
|
||||
+ int ret;
|
||||
+ struct addrinfo *res;
|
||||
+ struct addrinfo hints;
|
||||
+
|
||||
+ ret = gethostname (hostname, sizeof (hostname));
|
||||
+ if (ret < 0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (strchr (hostname, '.') == NULL) {
|
||||
+ memset (&hints, 0, sizeof (struct addrinfo));
|
||||
+ hints.ai_socktype = SOCK_DGRAM;
|
||||
+ hints.ai_flags = AI_CANONNAME;
|
||||
+
|
||||
+ ret = getaddrinfo (hostname, NULL, &hints, &res);
|
||||
+ if (ret != 0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Only use a fully-qualified name */
|
||||
+ if (strchr (res->ai_canonname, '.') != NULL) {
|
||||
+ fqdn = g_strdup (res->ai_canonname);
|
||||
+ }
|
||||
+
|
||||
+ freeaddrinfo (res);
|
||||
+
|
||||
+ } else {
|
||||
+ fqdn = g_strdup (hostname);
|
||||
+ }
|
||||
+
|
||||
+ return fqdn;
|
||||
+}
|
||||
+
|
||||
static JoinClosure *
|
||||
join_closure_init (GTask *task,
|
||||
RealmDisco *disco,
|
||||
@@ -95,5 +136,7 @@ join_closure_init (GTask *task,
|
||||
const gchar *explicit_computer_name = NULL;
|
||||
const gchar *authid = NULL;
|
||||
+ gchar *fqdn = NULL;
|
||||
+ gchar *fqdn_dom = NULL;
|
||||
|
||||
join = g_new0 (JoinClosure, 1);
|
||||
join->disco = realm_disco_ref (disco);
|
||||
@@ -124,7 +167,7 @@ join_closure_init (GTask *task,
|
||||
"netbios name", authid,
|
||||
NULL);
|
||||
|
||||
- /*
|
||||
+ /*
|
||||
* Samba complains if we don't set a 'workgroup' setting for the realm we're
|
||||
* going to join. If we didn't yet manage to lookup the workgroup, then go ahead
|
||||
* and assume that the first domain component is the workgroup name.
|
||||
@@ -144,6 +187,18 @@ join_closure_init (GTask *task,
g_free (workgroup);
}
+ /* Add the fully-qualified DNS hostname as additional name if it is from
+ * a different domain. */
+ fqdn = try_to_get_fqdn ();
+ if (fqdn != NULL && join->disco->domain_name != NULL
+ && (fqdn_dom = strchr (fqdn, '.')) != NULL
+ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) {
+ disco->dns_fqdn = g_strdup (fqdn);
+ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
+ "additional dns hostnames", disco->dns_fqdn, NULL);
+ }
+ g_free (fqdn);
+
/* Write out the config file for use by various net commands */
join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL);
temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 4940b38..fe33600 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source,
NULL);
}
+ if (error == NULL && enroll->disco->dns_fqdn != NULL) {
+ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
+ "additional dns hostnames", enroll->disco->dns_fqdn,
+ NULL);
+ }
if (error == NULL) {
name = realm_kerberos_get_name (REALM_KERBEROS (self));
@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self,
if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
"workgroup", NULL,
"realm", NULL,
+ "additional dns hostnames", NULL,
"security", "user",
NULL)) {
g_task_return_error (task, error);
--
2.26.2
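--- a/SOURCES/PLACEHOLDER-deleted-patch-kerberos-method
+++ /dev/null
@@ -1,30 +0,0 @@
-From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 21 Feb 2020 14:06:16 +0100
-Subject: [PATCH] service: use "kerberos method" "secrets and keytab"
-
-When using Samba with Winbind the host password stored in secrets.tdb is
-still important so the "secrets and keytab" should be the preferred
-"kerberos method".
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
----
-service/realm-samba.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/service/realm-samba.c b/service/realm-samba.c
-index e2a3608..4940b38 100644
---- a/service/realm-samba.c
-+++ b/service/realm-samba.c
-@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
-"template shell", realm_settings_string ("users", "default-shell"),
-"netbios name", computer_name,
-"password server", enroll->disco->explicit_server,
-- "kerberos method", "system keytab",
-+ "kerberos method", "secrets and keytab",
-NULL);
-}
-
---
-2.24.1
-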
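--- a/SOURCES/PLACEHOLDER-deleted-patch-net-ads-join-k
+++ /dev/null
@@ -1,32 +0,0 @@
-From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 11 Aug 2020 11:18:17 +0200
-Subject: [PATCH] service: use net ads join with -k for user join as well
-
-The NTLM authentication used by 'net ads join' does only support crypto
-algorithms which e.g. are not allowed by FIPS. It would be better to
-tell 'net ads join' to try Kerberos first before falling back to NTLM by
-adding the '-k' option.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
----
-service/realm-samba-enroll.c | 3 ++-
-1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index f5edca3..3f86c51 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -372,7 +372,8 @@ begin_join (GTask *task,
-} else if (join->user_name) {
-begin_net_process (join, join->password_input,
-on_join_do_keytab, g_object_ref (task),
-- "-U", join->user_name, "ads", "join", join->disco->domain_name,
-+ "-U", join->user_name,
-+ "-k", "ads", "join", join->disco->domain_name,
-join->join_args[0], join->join_args[1],
-join->join_args[2], join->join_args[3],
-join->join_args[4], NULL);
---
-2.26.2
-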
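--- a/SOURCES/PLACEHOLDER-deleted-patch-switch-to-authselect
+++ /dev/null
@@ -1,36 +0,0 @@
-From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 19 Feb 2018 11:51:06 +0100
-Subject: [PATCH] switch to authselect
-
----
-service/realmd-redhat.conf | 8 ++++----
-1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
-index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
---- a/service/realmd-redhat.conf
-+++ b/service/realmd-redhat.conf
-@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
-freeipa-client = /usr/sbin/ipa-client-install
-
-[commands]
--winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
--winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
-+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
-winbind-enable-service = /usr/bin/systemctl enable winbind.service
-winbind-disable-service = /usr/bin/systemctl disable winbind.service
-winbind-restart-service = /usr/bin/systemctl restart winbind.service
-winbind-stop-service = /usr/bin/systemctl stop winbind.service
-
--sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
--sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
-+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
-sssd-enable-service = /usr/bin/systemctl enable sssd.service
-sssd-disable-service = /usr/bin/systemctl disable sssd.service
-sssd-restart-service = /usr/bin/systemctl restart sssd.service
---
-2.9.3
-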
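--- a/SOURCES/PLACEHOLDER-deleted-patch-syslog-duplicate-messages
+++ /dev/null
@@ -1,38 +0,0 @@
-From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 25 Nov 2021 14:36:10 +0100
-Subject: [PATCH] syslog: avoid duplicate log messages
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
----
-service/realm-diagnostics.c | 8 ++++++++
-1 file changed, 8 insertions(+)
-
-diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
-index 850b2e3..6aa5288 100644
---- a/service/realm-diagnostics.c
-+++ b/service/realm-diagnostics.c
-@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
-while ((ptr = memchr (at, '\n', length)) != NULL) {
-*ptr = '\0';
-if (line_buffer && line_buffer->len > 0) {
-+#ifdef WITH_JOURNAL
-+ /* Call realm_daemon_syslog directly to add
-+ * REALMD_OPERATION to the jounrnal */
-realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
-+#else
-g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
-+#endif
-g_string_set_size (line_buffer, 0);
-} else {
-+#ifdef WITH_JOURNAL
-realm_daemon_syslog (operation, log_level, "%s", at);
-+#else
-g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
-+#endif
-}
-
-*ptr = '\n';
---
-2.33.1
-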
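--- a/SOURCES/PLACEHOLDER-deleted-patch-tests-python3
+++ /dev/null
@@ -1,374 +0,0 @@
-From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 4 Jul 2018 16:41:16 +0200
-Subject: [PATCH] tests: run tests with python3
-
-To allow the test to run with python3 build/tap-driver and
-build/tap-gtester are updated to the latest version provided by the
-cockpit project https://github.com/cockpit-project/cockpit.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
----
-build/tap-driver | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
-build/tap-gtester | 59 ++++++++++++++++++++++---------
-2 files changed, 125 insertions(+), 38 deletions(-)
-
-diff --git a/build/tap-driver b/build/tap-driver
-index 42f57c8..241fd50 100755
---- a/build/tap-driver
-+++ b/build/tap-driver
-@@ -1,4 +1,5 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-+# This can also be run with Python 2.
-
-# Copyright (C) 2013 Red Hat, Inc.
-#
-@@ -29,20 +30,58 @@
-#
-
-import argparse
-+import fcntl
-import os
-import select
-+import struct
-import subprocess
-import sys
-+import termios
-+import errno
-+
-+_PY3 = sys.version[0] >= '3'
-+_str = _PY3 and str or unicode
-+
-+def out(data, stream=None, flush=False):
-+ if not isinstance(data, bytes):
-+ data = data.encode("UTF-8")
-+ if not stream:
-+ stream = _PY3 and sys.stdout.buffer or sys.stdout
-+ while True:
-+ try:
-+ if data:
-+ stream.write(data)
-+ data = None
-+ if flush:
-+ stream.flush()
-+ flush = False
-+ break
-+ except IOError as e:
-+ if e.errno == errno.EAGAIN:
-+ continue
-+ raise
-+
-+def terminal_width():
-+ try:
-+ h, w, hp, wp = struct.unpack('HHHH',
-+ fcntl.ioctl(1, termios.TIOCGWINSZ,
-+ struct.pack('HHHH', 0, 0, 0, 0)))
-+ return w
-+ except IOError as e:
-+ if e.errno != errno.ENOTTY:
-+ sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
-+ return sys.maxsize
-
-class Driver:
-def __init__(self, args):
-self.argv = args.command
-self.test_name = args.test_name
-- self.log = open(args.log_file, "w")
-- self.log.write("# %s\n" % " ".join(sys.argv))
-+ self.log = open(args.log_file, "wb")
-+ self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
-self.trs = open(args.trs_file, "w")
-self.color_tests = args.color_tests
-self.expect_failure = args.expect_failure
-+ self.width = terminal_width() - 9
-
-def report(self, code, *args):
-CODES = {
-@@ -57,17 +96,18 @@ class Driver:
-# Print out to console
-if self.color_tests:
-if code in CODES:
-- sys.stdout.write(CODES[code])
-- sys.stdout.write(code)
-+ out(CODES[code])
-+ out(code)
-if self.color_tests:
-- sys.stdout.write('\x1b[m')
-- sys.stdout.write(": ")
-- sys.stdout.write(self.test_name)
-- sys.stdout.write(" ")
-- for arg in args:
-- sys.stdout.write(str(arg))
-- sys.stdout.write("\n")
-- sys.stdout.flush()
-+ out('\x1b[m')
-+ out(": ")
-+ msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
-+ if code == "PASS" and len(msg) > self.width:
-+ out(msg[:self.width])
-+ out("...")
-+ else:
-+ out(msg)
-+ out("\n", flush=True)
-
-# Book keeping
-if code in CODES:
-@@ -100,12 +140,14 @@ class Driver:
-def execute(self):
-try:
-proc = subprocess.Popen(self.argv, close_fds=True,
-+ stdin=subprocess.PIPE,
-stdout=subprocess.PIPE,
-stderr=subprocess.PIPE)
-- except OSError, ex:
-+ except OSError as ex:
-self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
-return
-
-+ proc.stdin.close()
-outf = proc.stdout.fileno()
-errf = proc.stderr.fileno()
-rset = [outf, errf]
-@@ -113,18 +155,25 @@ class Driver:
-ret = select.select(rset, [], [], 10)
-if outf in ret[0]:
-data = os.read(outf, 1024)
-- if data == "":
-+ if data == b"":
-rset.remove(outf)
-self.log.write(data)
-self.process(data)
-if errf in ret[0]:
-data = os.read(errf, 1024)
-- if data == "":
-+ if data == b"":
-rset.remove(errf)
-self.log.write(data)
-- sys.stderr.write(data)
-+ stream = _PY3 and sys.stderr.buffer or sys.stderr
-+ out(data, stream=stream, flush=True)
-
-proc.wait()
-+
-+ # Make sure the test didn't change blocking output
-+ assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+ assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+ assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+
-return proc.returncode
-
-
-@@ -137,6 +186,7 @@ class TapDriver(Driver):
-self.late_plan = False
-self.errored = False
-self.bail_out = False
-+ self.skip_all_reason = None
-
-def report(self, code, num, *args):
-if num:
-@@ -170,13 +220,19 @@ class TapDriver(Driver):
-else:
-self.result_fail(num, description)
-
-- def consume_test_plan(self, first, last):
-+ def consume_test_plan(self, line):
-# Only one test plan is supported
-if self.test_plan:
-self.report_error("Get a second TAP test plan")
-return
-
-+ if line.lower().startswith('1..0 # skip'):
-+ self.skip_all_reason = line[5:].strip()
-+ self.bail_out = True
-+ return
-+
-try:
-+ (first, unused, last) = line.partition("..")
-first = int(first)
-last = int(last)
-except ValueError:
-@@ -192,7 +248,7 @@ class TapDriver(Driver):
-
-def process(self, output):
-if output:
-- self.output += output
-+ self.output += output.decode("UTF-8")
-elif self.output:
-self.output += "\n"
-(ready, unused, self.output) = self.output.rpartition("\n")
-@@ -202,8 +258,7 @@ class TapDriver(Driver):
-elif line.startswith("not ok "):
-self.consume_test_line(False, line[7:])
-elif line and line[0].isdigit() and ".." in line:
-- (first, unused, last) = line.partition("..")
-- self.consume_test_plan(first, last)
-+ self.consume_test_plan(line)
-elif line.lower().startswith("bail out!"):
-self.consume_bail_out(line)
-
-@@ -213,6 +268,13 @@ class TapDriver(Driver):
-failed = False
-skipped = True
-
-+ if self.skip_all_reason is not None:
-+ self.result_skip("skipping:", self.skip_all_reason)
-+ self.trs.write(":global-test-result: SKIP\n")
-+ self.trs.write(":test-global-result: SKIP\n")
-+ self.trs.write(":recheck: no\n")
-+ return 0
-+
-# Basic collation of results
-for (num, code) in self.reported.items():
-if code == "ERROR":
-diff --git a/build/tap-gtester b/build/tap-gtester
-index 7e667d4..bbda266 100755
---- a/build/tap-gtester
-+++ b/build/tap-gtester
-@@ -1,4 +1,5 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-+# This can also be run with Python 2.
-
-# Copyright (C) 2014 Red Hat, Inc.
-#
-@@ -30,9 +31,19 @@
-import argparse
-import os
-import select
-+import signal
-import subprocess
-import sys
-
-+# Yes, it's dumb, but strsignal is not exposed in python
-+# In addition signal numbers varify heavily from arch to arch
-+def strsignal(sig):
-+ for name in dir(signal):
-+ if name.startswith("SIG") and sig == getattr(signal, name):
-+ return name
-+ return str(sig)
-+
-+
-class NullCompiler:
-def __init__(self, command):
-self.command = command
-@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
-elif cmd == "result":
-if self.test_name:
-if data == "OK":
-- print "ok %d %s" % (self.test_num, self.test_name)
-+ print("ok %d %s" % (self.test_num, self.test_name))
-if data == "FAIL":
-- print "not ok %d %s", (self.test_num, self.test_name)
-+ print("not ok %d %s" % (self.test_num, self.test_name))
-self.test_name = None
-elif cmd == "skipping":
-if "/subprocess" not in data:
-- print "ok %d # skip -- %s" % (self.test_num, data)
-+ print("ok %d # skip -- %s" % (self.test_num, data))
-self.test_name = None
-elif data:
-- print "# %s: %s" % (cmd, data)
-+ print("# %s: %s" % (cmd, data))
-else:
-- print "# %s" % cmd
-+ print("# %s" % cmd)
-elif line.startswith("(MSG: "):
-- print "# %s" % line[6:-1]
-+ print("# %s" % line[6:-1])
-elif line:
-- print "# %s" % line
-+ print("# %s" % line)
-sys.stdout.flush()
-
-def run(self, proc, output=""):
-@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
-if line.startswith("/"):
-self.test_remaining.append(line.strip())
-if not self.test_remaining:
-- print "Bail out! No tests found in GTest: %s" % self.command[0]
-+ print("Bail out! No tests found in GTest: %s" % self.command[0])
-return 0
-
-- print "1..%d" % len(self.test_remaining)
-+ print("1..%d" % len(self.test_remaining))
-
-# First try to run all the tests in a batch
-- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
-+ proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
-+ stdout=subprocess.PIPE, universal_newlines=True)
-result = self.process(proc)
-if result == 0:
-return 0
-
-+ if result < 0:
-+ sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
-+
-# Now pick up any stragglers due to failures
-while True:
-# Assume that the last test failed
-if self.test_name:
-- print "not ok %d %s" % (self.test_num, self.test_name)
-+ print("not ok %d %s" % (self.test_num, self.test_name))
-self.test_name = None
-
-# Run any tests which didn't get run
-@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
-break
-
-proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
-- close_fds=True, stdout=subprocess.PIPE)
-+ close_fds=True, stdout=subprocess.PIPE,
-+ universal_newlines=True)
-result = self.process(proc)
-
-# The various exit codes and signals we continue for
-@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
-return result
-
-def main(argv):
-- parser = argparse.ArgumentParser(description='Automake TAP compiler')
-+ parser = argparse.ArgumentParser(description='Automake TAP compiler',
-+ usage="tap-gtester [--format FORMAT] command ...")
-parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
-default="auto", help='The input format to compile')
-parser.add_argument('--verbose', action='store_true',
-default=True, help='Verbose mode (ignored)')
-- parser.add_argument('command', nargs='+', help="A test command to run")
-+ parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
-args = parser.parse_args(argv[1:])
-
-output = None
-format = args.format
-cmd = args.command
-+ if not cmd:
-+ sys.stderr.write("tap-gtester: specify a command to run\n")
-+ return 2
-+ if cmd[0] == '--':
-+ cmd.pop(0)
-+
-proc = None
-
-os.environ['HARNESS_ACTIVE'] = '1'
-
-if format in ["auto", "gtest"]:
-list_cmd = cmd + ["-l", "--verbose"]
-- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
-+ proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
-+ universal_newlines=True)
-output = proc.stdout.readline()
-# Smell whether we're dealing with GTest list output from first line
-if "random seed" in output or "GTest" in output or output.startswith("/"):
-@@ -164,7 +188,8 @@ def main(argv):
-else:
-format = "tap"
-else:
-- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
-+ proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
-+ universal_newlines=True)
-
-if format == "gtest":
-compiler = GTestCompiler(cmd)
---
-2.14.4
-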
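--- a/SOURCES/PLACEHOLDER-deleted-patch-tools-usage-help-text
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3bdf6f25923c3a3bd8404f4a1228053d6a7551b2 Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Mon, 6 Feb 2017 12:32:20 +0100
-Subject: [PATCH] tools: Update the usage help text of the realm commands
-
-Add better synopsis, sort arguments appropriately, and include
-missing arguments.
----
-tools/realm-discover.c | 4 ++--
-tools/realm-join.c | 30 +++++++++++++++---------------
-2 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/tools/realm-discover.c b/tools/realm-discover.c
-index cec3fd0..8dde4ed 100644
---- a/tools/realm-discover.c
-+++ b/tools/realm-discover.c
-@@ -186,7 +186,7 @@ realm_discover (RealmClient *client,
-{ NULL, }
-};
-
-- context = g_option_context_new ("realm-or-domain");
-+ context = g_option_context_new ("discover REALM-OR-DOMAIN");
-g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
-g_option_context_add_main_entries (context, option_entries, NULL);
-g_option_context_add_main_entries (context, realm_global_options, NULL);
-@@ -274,7 +274,7 @@ realm_list (RealmClient *client,
-{ NULL, }
-};
-
-- context = g_option_context_new ("realm");
-+ context = g_option_context_new ("list");
-g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
-g_option_context_add_main_entries (context, option_entries, NULL);
-g_option_context_add_main_entries (context, realm_global_options, NULL);
-diff --git a/tools/realm-join.c b/tools/realm-join.c
-index 8e46c20..249f502 100644
---- a/tools/realm-join.c
-+++ b/tools/realm-join.c
-@@ -286,28 +286,28 @@ realm_join (RealmClient *client,
-gint ret = 0;
-
-GOptionEntry option_entries[] = {
-- { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
-- N_("User name to use for enrollment"), NULL },
-- { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
-- N_("Computer OU DN to join"), NULL },
-- { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
-- N_("Use specific computer name instead of hostname"), NULL },
-- { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
-- N_("Use specific operation system name"), NULL },
-- { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
-- N_("Use specific operation system version"), NULL },
-+ { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
-+ realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
-{ "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software,
-N_("Use specific client software"), NULL },
-- { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
-- N_("Use specific server software"), NULL },
-+ { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
-+ N_("Use specific computer name instead of hostname"), NULL },
-+ { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
-+ N_("Computer OU DN to join"), NULL },
-{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software,
-N_("Use specific membership software"), NULL },
-{ "no-password", 0, 0, G_OPTION_ARG_NONE, &args.no_password,
-N_("Join automatically without a password"), NULL },
-{ "one-time-password", 0, 0, G_OPTION_ARG_STRING, &args.one_time_password,
-N_("Join using a preset one time password"), NULL },
-- { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
-- realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
-+ { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
-+ N_("Use specific operation system name"), NULL },
-+ { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
-+ N_("Use specific operation system version"), NULL },
-+ { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
-+ N_("Use specific server software"), NULL },
-+ { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
-+ N_("User name to use for enrollment"), NULL },
-{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
-N_("Set the user principal for the computer account"), NULL },
-{ NULL, }
-@@ -315,7 +315,7 @@ realm_join (RealmClient *client,
-
-memset (&args, 0, sizeof (args));
-
-- context = g_option_context_new ("realm");
-+ context = g_option_context_new ("join REALM");
-g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
-
-group = g_option_group_new (NULL, NULL, NULL, &args, realm_join_args_clear);
---
-2.26.2
-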
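--- a/SOURCES/PLACEHOLDER-deleted-patch-doc-see-also
+++ /dev/null
@@ -1,46 +0,0 @@
-From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 29 Nov 2019 18:49:51 +0100
-Subject: [PATCH 2/2] doc: add see also to man pages
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
----
-doc/manual/realm.xml | 7 +++++++
-doc/manual/realmd.conf.xml | 7 +++++++
-2 files changed, 14 insertions(+)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 55a7640..e5d4608 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -440,4 +440,11 @@ $ realm deny --all
-
-</refsect1>
-
-+<refsect1 id='realm_see_also'>
-+ <title>SEE ALSO</title>
-+
-+ <para><citerefentry><refentrytitle>realmd.conf</refentrytitle>
-+ <manvolnum>5</manvolnum></citerefentry></para>
-+</refsect1>
-+
-</refentry>
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index fc6a785..1592291 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -471,4 +471,11 @@ fully-qualified-names = no
-</variablelist>
-</refsect1>
-
-+<refsect1 id='realmd_conf_see_also'>
-+ <title>SEE ALSO</title>
-+
-+ <para><citerefentry><refentrytitle>realm</refentrytitle>
-+ <manvolnum>8</manvolnum></citerefentry></para>
-+</refsect1>
-+
-</refentry>
---
-2.21.0
-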
@ -1,271 +0,0 @@
From 20adfff6c0db657d302bd96f986f2e79a8b2d791 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:20:46 +0100
Subject: [PATCH 2/6] service: allow to use ldaps for rootDSE lookup
Let the realmd service use ldaps for the rootDSE lookup when requested.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-disco-dns.c | 10 +++++++---
service/realm-disco-dns.h | 1 +
service/realm-disco-domain.c | 8 +++++++-
service/realm-disco-domain.h | 1 +
service/realm-disco-mscldap.c | 2 +-
service/realm-disco-rootdse.c | 3 ++-
service/realm-disco-rootdse.h | 1 +
service/realm-ldap.c | 5 ++++-
service/realm-ldap.h | 1 +
service/realm-samba-provider.c | 5 ++++-
service/realm-sssd-provider.c | 5 ++++-
11 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/service/realm-disco-dns.c b/service/realm-disco-dns.c
index 446010c..77d5034 100644
--- a/service/realm-disco-dns.c
+++ b/service/realm-disco-dns.c
@@ -32,6 +32,7 @@ typedef struct {
GQueue addresses;
GQueue targets;
gint current_port;
+ gboolean use_ldaps;
gint returned;
DiscoPhase phase;
GResolver *resolver;
@@ -180,7 +181,7 @@ return_or_resolve (RealmDiscoDns *self,
target = g_queue_pop_head (&self->targets);
if (target) {
- self->current_port = g_srv_target_get_port (target);
+ self->current_port = self->use_ldaps ? 636 : g_srv_target_get_port (target);
g_resolver_lookup_by_name_async (self->resolver, g_srv_target_get_hostname (target),
g_task_get_cancellable (task), on_name_resolved,
g_object_ref (task));
@@ -201,7 +202,7 @@ return_or_resolve (RealmDiscoDns *self,
g_resolver_lookup_by_name_async (self->resolver, self->name,
g_task_get_cancellable (task), on_name_resolved,
g_object_ref (task));
- self->current_port = 389;
+ self->current_port = self->use_ldaps ? 636 : 389;
self->phase = PHASE_HOST;
break;
case PHASE_HOST:
@@ -251,6 +252,7 @@ realm_disco_dns_class_init (RealmDiscoDnsClass *klass)
GSocketAddressEnumerator *
realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation)
{
RealmDiscoDns *self;
@@ -262,12 +264,14 @@ realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
self = g_object_new (REALM_TYPE_DISCO_DNS, NULL);
self->name = g_hostname_to_ascii (input);
+ self->use_ldaps = use_ldaps;
self->invocation = g_object_ref (invocation);
/* If is an IP, skip resolution */
if (g_hostname_is_ip_address (input)) {
inet = g_inet_address_new_from_string (input);
- g_queue_push_head (&self->addresses, g_inet_socket_address_new (inet, 389));
+ g_queue_push_head (&self->addresses,
+ g_inet_socket_address_new (inet, use_ldaps ? 636 : 389));
g_object_unref (inet);
self->phase = PHASE_HOST;
} else {
diff --git a/service/realm-disco-dns.h b/service/realm-disco-dns.h
index a51777f..5b20fe9 100644
--- a/service/realm-disco-dns.h
+++ b/service/realm-disco-dns.h
@@ -26,6 +26,7 @@ typedef enum {
G_BEGIN_DECLS
GSocketAddressEnumerator * realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation);
RealmDiscoDnsHint realm_disco_dns_get_hint (GSocketAddressEnumerator *enumerator);
diff --git a/service/realm-disco-domain.c b/service/realm-disco-domain.c
index 3f0ccb5..fdda8f6 100644
--- a/service/realm-disco-domain.c
+++ b/service/realm-disco-domain.c
@@ -37,6 +37,7 @@ typedef struct _Callback {
|
||||
typedef struct {
|
||||
GObject parent;
|
||||
gchar *input;
|
||||
+ gboolean use_ldaps;
|
||||
GCancellable *cancellable;
|
||||
GDBusMethodInvocation *invocation;
|
||||
GSocketAddressEnumerator *enumerator;
|
||||
@@ -206,6 +207,7 @@ on_discover_next_address (GObject *source,
|
||||
|
||||
realm_diagnostics_info (self->invocation, "Performing LDAP DSE lookup on: %s", string);
|
||||
realm_disco_rootdse_async (address, explicit_host,
|
||||
+ self->use_ldaps,
|
||||
self->invocation, self->cancellable,
|
||||
on_discover_rootdse, g_object_ref (self));
|
||||
self->outstanding++;
|
||||
@@ -248,6 +250,7 @@ on_cancel_propagate (GCancellable *source,
|
||||
|
||||
void
|
||||
realm_disco_domain_async (const gchar *string,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GAsyncReadyCallback callback,
|
||||
gpointer user_data)
|
||||
@@ -267,8 +270,11 @@ realm_disco_domain_async (const gchar *string,
|
||||
if (self == NULL) {
|
||||
self = g_object_new (REALM_TYPE_DISCO_DOMAIN, NULL);
|
||||
self->input = g_strdup (string);
|
||||
+ self->use_ldaps = use_ldaps;
|
||||
self->invocation = g_object_ref (invocation);
|
||||
- self->enumerator = realm_disco_dns_enumerate_servers (string, invocation);
|
||||
+ self->enumerator = realm_disco_dns_enumerate_servers (string,
|
||||
+ use_ldaps,
|
||||
+ invocation);
|
||||
|
||||
g_hash_table_insert (discover_cache, self->input, self);
|
||||
g_assert (!self->completed);
|
||||
diff --git a/service/realm-disco-domain.h b/service/realm-disco-domain.h
|
||||
index 27dcc6c..02d4998 100644
|
||||
--- a/service/realm-disco-domain.h
|
||||
+++ b/service/realm-disco-domain.h
|
||||
@@ -24,6 +24,7 @@
|
||||
G_BEGIN_DECLS
|
||||
|
||||
void realm_disco_domain_async (const gchar *string,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GAsyncReadyCallback callback,
|
||||
gpointer user_data);
|
||||
diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
|
||||
index d3d3c10..2504904 100644
|
||||
--- a/service/realm-disco-mscldap.c
|
||||
+++ b/service/realm-disco-mscldap.c
|
||||
@@ -348,7 +348,7 @@ realm_disco_mscldap_async (GSocketAddress *address,
|
||||
return;
|
||||
}
|
||||
|
||||
- clo->source = realm_ldap_connect_anonymous (address, protocol, cancellable);
|
||||
+ clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
|
||||
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
|
||||
g_object_ref (task), g_object_unref);
|
||||
g_source_attach (clo->source, g_task_get_context (task));
|
||||
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
|
||||
index 7614071..4ed19e5 100644
|
||||
--- a/service/realm-disco-rootdse.c
|
||||
+++ b/service/realm-disco-rootdse.c
|
||||
@@ -452,6 +452,7 @@ on_ldap_io (LDAP *ldap,
|
||||
void
|
||||
realm_disco_rootdse_async (GSocketAddress *address,
|
||||
const gchar *explicit_server,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GCancellable *cancellable,
|
||||
GAsyncReadyCallback callback,
|
||||
@@ -473,7 +474,7 @@ realm_disco_rootdse_async (GSocketAddress *address,
|
||||
g_task_set_task_data (task, clo, closure_free);
|
||||
|
||||
clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
|
||||
- cancellable);
|
||||
+ use_ldaps, cancellable);
|
||||
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
|
||||
g_object_ref (task), g_object_unref);
|
||||
g_source_attach (clo->source, g_task_get_context (task));
|
||||
diff --git a/service/realm-disco-rootdse.h b/service/realm-disco-rootdse.h
|
||||
index e024c84..7b21960 100644
|
||||
--- a/service/realm-disco-rootdse.h
|
||||
+++ b/service/realm-disco-rootdse.h
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
void realm_disco_rootdse_async (GSocketAddress *address,
|
||||
const gchar *explicit_server,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GCancellable *cancellable,
|
||||
GAsyncReadyCallback callback,
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index 7831b5b..28c5c8a 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -183,6 +183,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
|
||||
GSource *
|
||||
realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
GSocketProtocol protocol,
|
||||
+ gboolean use_ldaps,
|
||||
GCancellable *cancellable)
|
||||
{
|
||||
GSource *source;
|
||||
@@ -238,7 +239,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
|
||||
g_warning ("couldn't set to blocking");
|
||||
|
||||
- url = g_strdup_printf ("ldap://%s:%d", addrname, port);
|
||||
+ url = g_strdup_printf ("%s://%s:%d",
|
||||
+ use_ldaps ? "ldaps" : "ldap",
|
||||
+ addrname, port);
|
||||
rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
|
||||
g_free (url);
|
||||
|
||||
diff --git a/service/realm-ldap.h b/service/realm-ldap.h
|
||||
index 263f72a..0f9f40e 100644
|
||||
--- a/service/realm-ldap.h
|
||||
+++ b/service/realm-ldap.h
|
||||
@@ -37,6 +37,7 @@ typedef GIOCondition (* RealmLdapCallback) (LDAP *ldap,
|
||||
|
||||
GSource * realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
GSocketProtocol protocol,
|
||||
+ gboolean use_ldaps,
|
||||
GCancellable *cancellable);
|
||||
|
||||
void realm_ldap_set_condition (GSource *source,
|
||||
diff --git a/service/realm-samba-provider.c b/service/realm-samba-provider.c
|
||||
index 9b489ce..de9f5e6 100644
|
||||
--- a/service/realm-samba-provider.c
|
||||
+++ b/service/realm-samba-provider.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include "realm-samba-enroll.h"
|
||||
#include "realm-samba-provider.h"
|
||||
#include "realm-samba-winbind.h"
|
||||
+#include "realm-options.h"
|
||||
|
||||
#include <glib/gstdio.h>
|
||||
|
||||
@@ -121,7 +122,9 @@ realm_samba_provider_discover_async (RealmProvider *provider,
|
||||
g_task_return_pointer (task, NULL, NULL);
|
||||
|
||||
} else {
|
||||
- realm_disco_domain_async (string, invocation,
|
||||
+ realm_disco_domain_async (string,
|
||||
+ realm_option_use_ldaps (options),
|
||||
+ invocation,
|
||||
on_ad_discover, g_object_ref (task));
|
||||
}
|
||||
|
||||
diff --git a/service/realm-sssd-provider.c b/service/realm-sssd-provider.c
|
||||
index 7ac0645..db183c0 100644
|
||||
--- a/service/realm-sssd-provider.c
|
||||
+++ b/service/realm-sssd-provider.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include "realm-sssd-ipa.h"
|
||||
#include "realm-sssd-provider.h"
|
||||
#include "realm-sssd-config.h"
|
||||
+#include "realm-options.h"
|
||||
|
||||
#include <glib/gstdio.h>
|
||||
|
||||
@@ -140,7 +141,9 @@ realm_sssd_provider_discover_async (RealmProvider *provider,
|
||||
g_task_return_pointer (task, NULL, NULL);
|
||||
|
||||
} else {
|
||||
- realm_disco_domain_async (string, invocation, on_kerberos_discover,
|
||||
+ realm_disco_domain_async (string,
|
||||
+ realm_option_use_ldaps (options),
|
||||
+ invocation, on_kerberos_discover,
|
||||
g_object_ref (task));
|
||||
}
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,68 +0,0 @@
|
|||
From d7089129b966df83f083cb56ee90f6b906971cb6 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 1 Dec 2020 16:09:10 +0100
|
||||
Subject: [PATCH 2/3] service: avoid crash if LDAP connection fails
|
||||
|
||||
There was always a chance for a crash if the connection to LDAP failed.
|
||||
In the ldaps case a failed connection became more likely e.g. due to
|
||||
failed certificate checks.
|
||||
|
||||
This patch avoids the crash and returns an error to the client cleanly.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
po/POTFILES.in | 1 +
|
||||
service/realm-disco-mscldap.c | 7 +++++++
|
||||
service/realm-disco-rootdse.c | 6 ++++++
|
||||
3 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/po/POTFILES.in b/po/POTFILES.in
|
||||
index 2de67c8..140ed4c 100644
|
||||
--- a/po/POTFILES.in
|
||||
+++ b/po/POTFILES.in
|
||||
@@ -1,6 +1,7 @@
|
||||
service/org.freedesktop.realmd.policy.in
|
||||
service/realm-command.c
|
||||
service/realm-disco-mscldap.c
|
||||
+service/realm-disco-rootdse.c
|
||||
service/realm-example.c
|
||||
service/realm-ini-config.c
|
||||
service/realm-invocation.c
|
||||
diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
|
||||
index 2504904..003bb66 100644
|
||||
--- a/service/realm-disco-mscldap.c
|
||||
+++ b/service/realm-disco-mscldap.c
|
||||
@@ -349,6 +349,13 @@ realm_disco_mscldap_async (GSocketAddress *address,
|
||||
}
|
||||
|
||||
clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
|
||||
+ if (clo->source == NULL) {
|
||||
+ g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
|
||||
+ _("Failed to setup LDAP connection"));
|
||||
+ g_object_unref (task);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
|
||||
g_object_ref (task), g_object_unref);
|
||||
g_source_attach (clo->source, g_task_get_context (task));
|
||||
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
|
||||
index 4ed19e5..d9b44b3 100644
|
||||
--- a/service/realm-disco-rootdse.c
|
||||
+++ b/service/realm-disco-rootdse.c
|
||||
@@ -475,6 +475,12 @@ realm_disco_rootdse_async (GSocketAddress *address,
|
||||
|
||||
clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
|
||||
use_ldaps, cancellable);
|
||||
+ if (clo->source == NULL) {
|
||||
+ g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
|
||||
+ _("Failed to setup LDAP connection"));
|
||||
+ g_object_unref (task);
|
||||
+ return;
|
||||
+ }
|
||||
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
|
||||
g_object_ref (task), g_object_unref);
|
||||
g_source_attach (clo->source, g_task_get_context (task));
|
||||
--
|
||||
2.28.0
|
||||
|
|
@ -1,186 +0,0 @@
|
|||
From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 30 Oct 2020 13:28:52 +0100
|
||||
Subject: [PATCH 3/6] service: add ldaps support when using adcli
|
||||
|
||||
Call adcli with the --use-ldaps option if the realmd service is
|
||||
requested to do so.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
service/realm-adcli-enroll.c | 10 ++++++++++
|
||||
service/realm-adcli-enroll.h | 2 ++
|
||||
service/realm-samba.c | 11 +++++++++--
|
||||
service/realm-sssd-ad.c | 27 ++++++++++++++++++++++++++-
|
||||
4 files changed, 47 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
|
||||
index 05947fa..2731283 100644
|
||||
--- a/service/realm-adcli-enroll.c
|
||||
+++ b/service/realm-adcli-enroll.c
|
||||
@@ -68,6 +68,7 @@ void
|
||||
realm_adcli_enroll_join_async (RealmDisco *disco,
|
||||
RealmCredential *cred,
|
||||
GVariant *options,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GAsyncReadyCallback callback,
|
||||
gpointer user_data)
|
||||
@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
|
||||
g_ptr_array_add (args, "--domain-realm");
|
||||
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
|
||||
|
||||
+ if (use_ldaps) {
|
||||
+ g_ptr_array_add (args, "--use-ldaps");
|
||||
+ }
|
||||
+
|
||||
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
|
||||
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
|
||||
server_arg = g_inet_address_to_string (address);
|
||||
@@ -218,6 +223,7 @@ void
|
||||
realm_adcli_enroll_delete_async (RealmDisco *disco,
|
||||
RealmCredential *cred,
|
||||
GVariant *options,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GAsyncReadyCallback callback,
|
||||
gpointer user_data)
|
||||
@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
|
||||
g_ptr_array_add (args, "--domain-realm");
|
||||
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
|
||||
|
||||
+ if (use_ldaps) {
|
||||
+ g_ptr_array_add (args, "--use-ldaps");
|
||||
+ }
|
||||
+
|
||||
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
|
||||
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
|
||||
server_arg = g_inet_address_to_string (address);
|
||||
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
|
||||
index 855b2f7..3f535d0 100644
|
||||
--- a/service/realm-adcli-enroll.h
|
||||
+++ b/service/realm-adcli-enroll.h
|
||||
@@ -29,6 +29,7 @@ G_BEGIN_DECLS
|
||||
void realm_adcli_enroll_join_async (RealmDisco *disco,
|
||||
RealmCredential *cred,
|
||||
GVariant *options,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GAsyncReadyCallback callback,
|
||||
gpointer user_data);
|
||||
@@ -39,6 +40,7 @@ gboolean realm_adcli_enroll_join_finish (GAsyncResult *result,
|
||||
void realm_adcli_enroll_delete_async (RealmDisco *disco,
|
||||
RealmCredential *cred,
|
||||
GVariant *options,
|
||||
+ gboolean use_ldaps,
|
||||
GDBusMethodInvocation *invocation,
|
||||
GAsyncReadyCallback callback,
|
||||
gpointer user_data);
|
||||
diff --git a/service/realm-samba.c b/service/realm-samba.c
|
||||
index e7b80a0..7aa5416 100644
|
||||
--- a/service/realm-samba.c
|
||||
+++ b/service/realm-samba.c
|
||||
@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,
|
||||
}
|
||||
|
||||
static gboolean
|
||||
-validate_membership_options (GVariant *options,
|
||||
+validate_membership_options (EnrollClosure *enroll,
|
||||
+ GVariant *options,
|
||||
GError **error)
|
||||
{
|
||||
const gchar *software;
|
||||
@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (realm_option_use_ldaps (options)) {
|
||||
+ realm_diagnostics_info (enroll->invocation,
|
||||
+ "Membership software %s does "
|
||||
+ "not support ldaps, trying without.",
|
||||
+ software);
|
||||
+ }
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,
|
||||
g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,
|
||||
_("Already joined to a domain"));
|
||||
|
||||
- } else if (!validate_membership_options (options, &error)) {
|
||||
+ } else if (!validate_membership_options (enroll, options, &error)) {
|
||||
g_task_return_error (task, error);
|
||||
|
||||
} else {
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index 6b2f9f8..00a9093 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -98,6 +98,7 @@ typedef struct {
|
||||
GVariant *options;
|
||||
RealmDisco *disco;
|
||||
gboolean use_adcli;
|
||||
+ gboolean use_ldaps;
|
||||
const gchar **packages;
|
||||
} JoinClosure;
|
||||
|
||||
@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,
|
||||
realm_adcli_enroll_join_async (join->disco,
|
||||
join->cred,
|
||||
join->options,
|
||||
+ join->use_ldaps,
|
||||
join->invocation,
|
||||
on_join_do_sssd,
|
||||
g_object_ref (task));
|
||||
@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Check if ldaps should be used and if membership software supports
|
||||
+ * it.
|
||||
+ */
|
||||
+ join->use_ldaps = realm_option_use_ldaps (options);
|
||||
+ if (join->use_ldaps &&
|
||||
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
|
||||
+ realm_diagnostics_info (join->invocation,
|
||||
+ "Membership software %s does "
|
||||
+ "not support ldaps, trying "
|
||||
+ "without.", software);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* If we are enrolling with a user password, then we have to use samba,
|
||||
* adcli only supports admin passwords.
|
||||
@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
|
||||
GTask *task;
|
||||
LeaveClosure *leave;
|
||||
gchar *tags;
|
||||
+ gboolean use_ldaps = FALSE;
|
||||
|
||||
task = g_task_new (self, NULL, callback, user_data);
|
||||
|
||||
@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
|
||||
leave->invocation = g_object_ref (invocation);
|
||||
leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
|
||||
g_task_set_task_data (task, leave, leave_closure_free);
|
||||
+
|
||||
+ use_ldaps = realm_option_use_ldaps (options);
|
||||
if (leave->use_adcli) {
|
||||
- realm_adcli_enroll_delete_async (disco, cred, options, invocation,
|
||||
+ realm_adcli_enroll_delete_async (disco, cred, options,
|
||||
+ use_ldaps, invocation,
|
||||
on_leave_do_deconfigure, g_object_ref (task));
|
||||
} else {
|
||||
+ if (use_ldaps) {
|
||||
+ realm_diagnostics_info (leave->invocation,
|
||||
+ "Membership software does "
|
||||
+ "not support ldaps, trying "
|
||||
+ "without.");
|
||||
+ }
|
||||
realm_samba_enroll_leave_async (disco, cred, options, invocation,
|
||||
on_leave_do_deconfigure, g_object_ref (task));
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,89 +0,0 @@
|
|||
From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 2 Dec 2020 10:10:37 +0100
|
||||
Subject: [PATCH 3/3] service: make TLS check more releaxed
|
||||
|
||||
Since realmd is most often the first application called to discover a
|
||||
domain we do not require a strict certificate check when using the ldaps
|
||||
port to connect to a domain controller.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
doc/manual/realm.xml | 8 +++++++-
|
||||
service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
|
||||
2 files changed, 38 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
|
||||
index 01af62e..d7d8e5e 100644
|
||||
--- a/doc/manual/realm.xml
|
||||
+++ b/doc/manual/realm.xml
|
||||
@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
which offers a comparable level of security than ldaps.
|
||||
This option is only needed if the standard LDAP port
|
||||
(389/tcp) is blocked by a firewall and only the LDAPS
|
||||
- port (636/tcp) is available.</para>
|
||||
+ port (636/tcp) is available. Given that and to lower
|
||||
+ the initial effort to discover a remote domain
|
||||
+ <command>realmd</command> does not require a strict
|
||||
+ certificate check. If the validation of the LDAP server
|
||||
+ certificate fails <command>realmd</command> will
|
||||
+ continue to setup the encrypted connection to the LDAP
|
||||
+ server.</para>
|
||||
|
||||
<para>If this option is set to
|
||||
<parameter>yes</parameter> <command>realmd</command>
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index e07a299..bdfb96c 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
gint port;
|
||||
gchar *url;
|
||||
int rc;
|
||||
+ int opt_rc;
|
||||
+ int ldap_opt_val;
|
||||
+ const char *errmsg = NULL;
|
||||
|
||||
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
|
||||
|
||||
@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
}
|
||||
|
||||
if (use_ldaps) {
|
||||
+ /* Since we currently use the IP address in the URI
|
||||
+ * the certificate check might fail because in most
|
||||
+ * cases the IP address won't be listed in the SANs of
|
||||
+ * the LDAP server certificate. We will try to
|
||||
+ * continue in this case and not fail. */
|
||||
+ ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
|
||||
+ rc = ldap_set_option (ls->ldap,
|
||||
+ LDAP_OPT_X_TLS_REQUIRE_CERT,
|
||||
+ &ldap_opt_val);
|
||||
+ if (rc != LDAP_OPT_SUCCESS) {
|
||||
+ g_debug ("Failed to disable certificate checking, trying without");
|
||||
+ }
|
||||
+
|
||||
+ ldap_opt_val = 0;
|
||||
+ rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
|
||||
+ &ldap_opt_val);
|
||||
+ if (rc != LDAP_OPT_SUCCESS) {
|
||||
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
|
||||
+ }
|
||||
+
|
||||
rc = ldap_install_tls (ls->ldap);
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
- g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
|
||||
+ opt_rc = ldap_get_option (ls->ldap,
|
||||
+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
|
||||
+ (void *) &errmsg);
|
||||
+ if (opt_rc != LDAP_SUCCESS) {
|
||||
+ errmsg = "- no details -";
|
||||
+ }
|
||||
+ g_warning ("ldap_start_tls_s() failed [%s]: %s",
|
||||
+ ldap_err2string (rc), errmsg);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.28.0
|
||||
|
|
@ -1,88 +0,0 @@
|
|||
From 7daf5993995baad0f5c7f7ae3822dae37eb9f46f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 30 Oct 2020 16:44:23 +0100
|
||||
Subject: [PATCH 4/6] service: do not copy option values to avoid memory leaks
|
||||
|
||||
---
|
||||
service/realm-adcli-enroll.c | 15 ++++++++-------
|
||||
service/realm-options.c | 8 +++-----
|
||||
2 files changed, 11 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
|
||||
index 2731283..e0d752b 100644
|
||||
--- a/service/realm-adcli-enroll.c
|
||||
+++ b/service/realm-adcli-enroll.c
|
||||
@@ -80,7 +80,8 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
|
||||
GBytes *input = NULL;
|
||||
const gchar *upn;
|
||||
GPtrArray *args;
|
||||
- const gchar *os;
|
||||
+ const gchar *os_n = NULL;
|
||||
+ const gchar *os_v = NULL;
|
||||
gchar *ccache_arg = NULL;
|
||||
gchar *upn_arg = NULL;
|
||||
gchar *server_arg = NULL;
|
||||
@@ -144,16 +145,16 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
|
||||
g_ptr_array_add (args, (gpointer)computer_ou);
|
||||
}
|
||||
|
||||
- os = realm_options_ad_specific (options, "os-name");
|
||||
- if (os != NULL && !g_str_equal (os, "")) {
|
||||
+ os_n = realm_options_ad_specific (options, "os-name");
|
||||
+ if (os_n != NULL && !g_str_equal (os_n, "")) {
|
||||
g_ptr_array_add (args, "--os-name");
|
||||
- g_ptr_array_add (args, (gpointer)os);
|
||||
+ g_ptr_array_add (args, (gpointer)os_n);
|
||||
}
|
||||
|
||||
- os = realm_options_ad_specific (options, "os-version");
|
||||
- if (os != NULL && !g_str_equal (os, "")) {
|
||||
+ os_v = realm_options_ad_specific (options, "os-version");
|
||||
+ if (os_v != NULL && !g_str_equal (os_v, "")) {
|
||||
g_ptr_array_add (args, "--os-version");
|
||||
- g_ptr_array_add (args, (gpointer)os);
|
||||
+ g_ptr_array_add (args, (gpointer)os_v);
|
||||
}
|
||||
|
||||
switch (cred->type) {
|
||||
diff --git a/service/realm-options.c b/service/realm-options.c
|
||||
index d42eb7c..4ebd6c0 100644
|
||||
--- a/service/realm-options.c
|
||||
+++ b/service/realm-options.c
|
||||
@@ -179,7 +179,7 @@ realm_options_computer_name (GVariant *options,
|
||||
g_free (section);
|
||||
}
|
||||
|
||||
- return g_strdup (computer_name);
|
||||
+ return computer_name;
|
||||
}
|
||||
|
||||
const gchar *
|
||||
@@ -197,22 +197,20 @@ realm_options_ad_specific (GVariant *options,
|
||||
value = realm_settings_value ("active-directory", option_name);
|
||||
}
|
||||
|
||||
- return g_strdup (value);
|
||||
+ return value;
|
||||
}
|
||||
|
||||
gboolean realm_option_use_ldaps (GVariant *options)
|
||||
{
|
||||
- gchar *use_ldaps_str;
|
||||
+ const gchar *use_ldaps_str;
|
||||
|
||||
use_ldaps_str = realm_options_ad_specific (options,
|
||||
REALM_DBUS_OPTION_USE_LDAPS);
|
||||
if (use_ldaps_str != NULL
|
||||
&& ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
|
||||
|| g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
|
||||
- g_free (use_ldaps_str);
|
||||
return TRUE;
|
||||
}
|
||||
- g_free (use_ldaps_str);
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,305 +0,0 @@
|
|||
From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 30 Oct 2020 17:22:13 +0100
|
||||
Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and
|
||||
leave
|
||||
|
||||
Add --use-ldaps option to the realm command to be able to ask the realmd
|
||||
service to use ldaps where possible.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
||||
---
|
||||
doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++
|
||||
doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
|
||||
tools/realm-client.c | 2 ++
|
||||
tools/realm-client.h | 1 +
|
||||
tools/realm-discover.c | 7 ++++++-
|
||||
tools/realm-join.c | 6 +++++-
|
||||
tools/realm-leave.c | 15 +++++++++++----
|
||||
7 files changed, 80 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
|
||||
index e5d4608..01af62e 100644
|
||||
--- a/doc/manual/realm.xml
|
||||
+++ b/doc/manual/realm.xml
|
||||
@@ -134,6 +134,11 @@ $ realm discover domain.example.com
|
||||
Possible values include <replaceable>samba</replaceable> or
|
||||
<replaceable>adcli</replaceable>. </para></listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>--use-ldaps</option></term>
|
||||
+ <listitem><para>See option description in
|
||||
+ <xref linkend="man-join"/>.</para></listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
|
||||
</refsect1>
|
||||
@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
||||
principal besides the AD default user principal can be
|
||||
set.</para></listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>--use-ldaps</option></term>
|
||||
+ <listitem><para>Use the ldaps port when connecting to AD
|
||||
+ where possible. In general this option is not needed
|
||||
+ because <command>realmd</command> itself only read
|
||||
+ public information from the Active Directory domain
|
||||
+ controller which is available anonymously. The
|
||||
+ supported membership software products will use
|
||||
+ encrypted connections protected with GSS-SPNEGO/GSSAPI
|
||||
+ which offers a comparable level of security than ldaps.
|
||||
+ This option is only needed if the standard LDAP port
|
||||
+ (389/tcp) is blocked by a firewall and only the LDAPS
|
||||
+ port (636/tcp) is available.</para>
|
||||
+
|
||||
+ <para>If this option is set to
|
||||
+ <parameter>yes</parameter> <command>realmd</command>
|
||||
+ will use the ldaps port when reading the rootDSE and
|
||||
+ call the <command>adcli</command> membership software
|
||||
+ with the option <option>--use-ldaps</option>. The Samba
|
||||
+ base membership currently offers only deprecated ways
|
||||
+ to enable ldaps. Support will be added in
|
||||
+ <command>realmd</command> when a new way is available.
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
|
||||
</refsect1>
|
||||
@@ -326,6 +355,11 @@ $ realm leave domain.example.com
|
||||
with when leaving the realm. You will be prompted for a
|
||||
password. Implies <option>--remove</option>.</para></listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>--use-ldaps</option></term>
|
||||
+ <listitem><para>See option description in
|
||||
+ <xref linkend="man-join"/>.</para></listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
|
||||
</refsect1>
|
||||
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
|
||||
index 97d2e8d..72b706c 100644
|
||||
--- a/doc/manual/realmd.conf.xml
|
||||
+++ b/doc/manual/realmd.conf.xml
|
||||
@@ -141,6 +141,27 @@ domain.example.com
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><option>use-ldaps</option></term>
|
||||
+ <listitem><para>Use the ldaps port when connecting to AD where possible.
|
||||
+ In general this option is not needed because <command>realmd</command>
|
||||
+ itself only read public information from the Active Directory domain
|
||||
+ controller which is available anonymously. The supported membership
|
||||
+ software products will use encrypted connections protected with
|
||||
+ GSS-SPNEGO/GSSAPI which offers a comparable level of security than
|
||||
+ ldaps. This option is only needed if the standard LDAP port (389/tcp)
|
||||
+ is blocked by a firewall and only the LDAPS port (636/tcp) is
|
||||
+ available.</para>
|
||||
+
|
||||
+ <para>If this option is set to <parameter>yes</parameter>
|
||||
+ <command>realmd</command> will use the ldaps port when reading the
|
||||
+ rootDSE and call the <command>adcli</command> membership software with
|
||||
+ the option <option>--use-ldaps</option>. The Samba base membership
|
||||
+ currently offers only deprecated ways to enable ldaps. Support will be
|
||||
+ added in <command>realmd</command> when a new way is available.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term><option>os-name</option></term>
|
||||
<listitem><para>(see below)</para></listitem>
|
||||
diff --git a/tools/realm-client.c b/tools/realm-client.c
|
||||
index 2f102db..c386e64 100644
|
||||
--- a/tools/realm-client.c
|
||||
+++ b/tools/realm-client.c
|
||||
@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
|
||||
GList *
|
||||
realm_client_discover (RealmClient *self,
|
||||
const gchar *string,
|
||||
+ gboolean use_ldaps,
|
||||
const gchar *client_software,
|
||||
const gchar *server_software,
|
||||
const gchar *membership_software,
|
||||
@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
|
||||
options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
|
||||
REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
|
||||
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
|
||||
+ REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
|
||||
NULL);
|
||||
|
||||
/* Start actual operation */
|
||||
diff --git a/tools/realm-client.h b/tools/realm-client.h
|
||||
index 5ecf2de..e9e50cd 100644
|
||||
--- a/tools/realm-client.h
|
||||
+++ b/tools/realm-client.h
|
||||
@@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien
|
||||
|
||||
GList * realm_client_discover (RealmClient *self,
|
||||
const gchar *string,
|
||||
+ gboolean use_ldaps,
|
||||
const gchar *client_software,
|
||||
const gchar *server_software,
|
||||
const gchar *membership_software,
|
||||
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
|
||||
index 8dde4ed..c0acd79 100644
|
||||
--- a/tools/realm-discover.c
|
||||
+++ b/tools/realm-discover.c
|
||||
@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
|
||||
const gchar *string,
|
||||
gboolean all,
|
||||
gboolean name_only,
|
||||
+ gboolean use_ldaps,
|
||||
const gchar *server_software,
|
||||
const gchar *client_software,
|
||||
const gchar *membership_software)
|
||||
@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
|
||||
GList *realms;
|
||||
GList *l;
|
||||
|
||||
- realms = realm_client_discover (client, string, client_software,
|
||||
+ realms = realm_client_discover (client, string, use_ldaps, client_software,
|
||||
server_software, membership_software,
|
||||
REALM_DBUS_REALM_INTERFACE, NULL, &error);
|
||||
|
||||
@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
|
||||
GError *error = NULL;
|
||||
gboolean arg_all = FALSE;
|
||||
gboolean arg_name_only = FALSE;
|
||||
+ gboolean arg_use_ldaps = FALSE;
|
||||
gint result = 0;
|
||||
gint ret;
|
||||
gint i;
|
||||
@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
|
||||
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
|
||||
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
|
||||
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
|
||||
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
|
||||
{ NULL, }
|
||||
};
|
||||
|
||||
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
|
||||
} else if (argc == 1) {
|
||||
result = perform_discover (client, NULL, arg_all,
|
||||
arg_name_only,
|
||||
+ arg_use_ldaps,
|
||||
arg_server_software,
|
||||
arg_client_software,
|
||||
arg_membership_software);
|
||||
@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
|
||||
for (i = 1; i < argc; i++) {
|
||||
ret = perform_discover (client, argv[i], arg_all,
|
||||
arg_name_only,
|
||||
+ arg_use_ldaps,
|
||||
arg_server_software,
|
||||
arg_client_software,
|
||||
arg_membership_software);
|
||||
diff --git a/tools/realm-join.c b/tools/realm-join.c
|
||||
index 249f502..dbe6197 100644
|
||||
--- a/tools/realm-join.c
|
||||
+++ b/tools/realm-join.c
|
||||
@@ -179,6 +179,7 @@ typedef struct {
|
||||
gchar *user_principal;
|
||||
gboolean automatic_id_mapping_set;
|
||||
gboolean automatic_id_mapping;
|
||||
+ gboolean use_ldaps;
|
||||
} RealmJoinArgs;
|
||||
|
||||
static void
|
||||
@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
|
||||
GList *realms;
|
||||
gint ret;
|
||||
|
||||
- realms = realm_client_discover (client, string, args->client_software,
|
||||
+ realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
|
||||
args->server_software, args->membership_software,
|
||||
REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
|
||||
&had_mismatched, &error);
|
||||
@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
|
||||
REALM_DBUS_OPTION_OS_VERSION, args->os_version,
|
||||
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
|
||||
REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
|
||||
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
|
||||
args->automatic_id_mapping_set ?
|
||||
REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
|
||||
args->automatic_id_mapping,
|
||||
@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
|
||||
N_("User name to use for enrollment"), NULL },
|
||||
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
|
||||
N_("Set the user principal for the computer account"), NULL },
|
||||
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
|
||||
+ N_("Use ldaps to connect to LDAP"), NULL },
|
||||
{ NULL, }
|
||||
};
|
||||
|
||||
diff --git a/tools/realm-leave.c b/tools/realm-leave.c
|
||||
index 45a9c46..c88a110 100644
|
||||
--- a/tools/realm-leave.c
|
||||
+++ b/tools/realm-leave.c
|
||||
@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
|
||||
|
||||
static int
|
||||
perform_user_leave (RealmClient *client,
|
||||
+ gboolean use_ldaps,
|
||||
RealmDbusKerberosMembership *membership,
|
||||
const gchar *user_name)
|
||||
{
|
||||
@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
|
||||
return 1;
|
||||
}
|
||||
|
||||
- options = realm_build_options(NULL, NULL);
|
||||
+ options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
|
||||
+ NULL);
|
||||
ret = call_leave (membership, credentials, options, &error);
|
||||
|
||||
if (error != NULL)
|
||||
@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
|
||||
static int
|
||||
perform_leave (RealmClient *client,
|
||||
const gchar *realm_name,
|
||||
+ gboolean use_ldaps,
|
||||
gboolean remove,
|
||||
const gchar *user_name,
|
||||
const gchar *client_software,
|
||||
@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
|
||||
if (!remove)
|
||||
ret = perform_deconfigure (client, realm);
|
||||
else
|
||||
- ret = perform_user_leave (client, membership, user_name);
|
||||
+ ret = perform_user_leave (client, use_ldaps, membership,
|
||||
+ user_name);
|
||||
|
||||
g_object_unref (membership);
|
||||
g_object_unref (realm);
|
||||
@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
|
||||
gchar *arg_server_software = NULL;
|
||||
GError *error = NULL;
|
||||
const gchar *realm_name;
|
||||
+ gboolean arg_use_ldaps = FALSE;
|
||||
gint ret = 0;
|
||||
|
||||
GOptionEntry option_entries[] = {
|
||||
@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
|
||||
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
|
||||
N_("Use specific server software"), NULL },
|
||||
{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
|
||||
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
|
||||
{ NULL, }
|
||||
};
|
||||
|
||||
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
|
||||
|
||||
} else {
|
||||
realm_name = argc < 2 ? NULL : argv[1];
|
||||
- ret = perform_leave (client, realm_name, arg_remove, arg_user,
|
||||
- arg_client_software, arg_server_software);
|
||||
+ ret = perform_leave (client, realm_name, arg_use_ldaps,
|
||||
+ arg_remove, arg_user, arg_client_software,
|
||||
+ arg_server_software);
|
||||
}
|
||||
|
||||
g_free (arg_user);
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
From 8cddf81199e96c7edc701bcb7ca782d7bcddbddd Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 30 Oct 2020 19:24:40 +0100
|
||||
Subject: [PATCH 6/6] ldap: generate proper ldap uri for IPv6 addresses
|
||||
|
||||
When using IPv6 addresses the address must be put into brackets.
|
||||
|
||||
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
|
||||
---
|
||||
service/realm-ldap.c | 16 +++++++++++++---
|
||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
||||
index 28c5c8a..2076d1e 100644
|
||||
--- a/service/realm-ldap.c
|
||||
+++ b/service/realm-ldap.c
|
||||
@@ -190,6 +190,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
LdapSource *ls;
|
||||
gchar *addrname;
|
||||
GInetSocketAddress *inet;
|
||||
+ GSocketFamily family;
|
||||
struct berval cred;
|
||||
Sockbuf *sb = NULL;
|
||||
gsize native_len;
|
||||
@@ -204,6 +205,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
inet = G_INET_SOCKET_ADDRESS (address);
|
||||
addrname = g_inet_address_to_string (g_inet_socket_address_get_address (inet));
|
||||
port = g_inet_socket_address_get_port (inet);
|
||||
+ family = g_inet_address_get_family (g_inet_socket_address_get_address (inet));
|
||||
if (port == 0)
|
||||
port = 389;
|
||||
|
||||
@@ -239,9 +241,17 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
||||
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
|
||||
g_warning ("couldn't set to blocking");
|
||||
|
||||
- url = g_strdup_printf ("%s://%s:%d",
|
||||
- use_ldaps ? "ldaps" : "ldap",
|
||||
- addrname, port);
|
||||
+ if (family == G_SOCKET_FAMILY_IPV4) {
|
||||
+ url = g_strdup_printf ("%s://%s:%d",
|
||||
+ use_ldaps ? "ldaps" : "ldap",
|
||||
+ addrname, port);
|
||||
+ } else if (family == G_SOCKET_FAMILY_IPV6) {
|
||||
+ url = g_strdup_printf ("%s://[%s]:%d",
|
||||
+ use_ldaps ? "ldaps" : "ldap",
|
||||
+ addrname, port);
|
||||
+ } else {
|
||||
+ url = NULL;
|
||||
+ }
|
||||
rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
|
||||
g_free (url);
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -1,102 +1,38 @@
|
|||
Name: realmd
|
||||
Version: 0.16.3
|
||||
Release: 25%{?dist}
|
||||
Summary: Kerberos realm enrollment service
|
||||
License: LGPLv2+
|
||||
URL: http://cgit.freedesktop.org/realmd/realmd/
|
||||
Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
|
||||
Name: realmd
|
||||
Version: 0.17.1
|
||||
Release: 1%{?dist}
|
||||
Summary: Kerberos realm enrollment service
|
||||
License: LGPLv2+
|
||||
URL: https://gitlab.freedesktop.org/realmd/realmd
|
||||
Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
|
||||
|
||||
Patch1: 0001-LDAP-don-t-close-LDAP-socket-twice.patch
|
||||
Patch2: 0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
|
||||
Patch3: 0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
|
||||
Patch4: 0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
|
||||
Patch5: 0001-switch-to-authselect.patch
|
||||
Patch6: 0001-Fix-man-page-reference-in-systemd-service-file.patch
|
||||
Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch
|
||||
Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
|
||||
Patch9: 0001-tests-run-tests-with-python3.patch
|
||||
Patch10: ipa-packages.patch
|
||||
Patch11: 0001-Fix-issues-found-by-Coverity.patch
|
||||
### Downstream Patches ###
|
||||
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
|
||||
# using freeipa-*, the following patch applies the needed changes.
|
||||
Patch0100: ipa-packages.patch
|
||||
|
||||
Patch12: 0001-Change-qualified-names-default-for-IPA.patch
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: automake
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: intltool pkgconfig
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: glib2-devel >= 2.32.0
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: polkit-devel
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: xmlto
|
||||
BuildRequires: samba-common-tools
|
||||
BuildRequires: python3
|
||||
|
||||
Patch13: 0001-IPA-do-not-call-sssd-enable-logins.patch
|
||||
|
||||
# rhbz#1747454 - rebuild fails if DISTRO variable is exported
|
||||
Patch14: 0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
|
||||
|
||||
# rhbz#1747452 - realmd.conf user-principal RFE and clarification (plus dependencies)
|
||||
Patch15: 0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
|
||||
Patch16: 0001-doc-make-sure-cross-reference-ids-are-predictable.patch
|
||||
Patch17: 0001-doc-extend-user-principal-section.patch
|
||||
|
||||
# rhbz#1747457 - realmd.conf documentation incorrect
|
||||
Patch18: 0001-doc-fix-discover-name-only.patch
|
||||
Patch19: 0002-doc-add-see-also-to-man-pages.patch
|
||||
|
||||
# rhbz#1747456 - Document realmd.conf and how realmd reads the configuration
|
||||
Patch20: 0001-doc-extend-description-of-config-handling.patch
|
||||
|
||||
# rhbz#1801195
|
||||
Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch
|
||||
|
||||
# rhbz#1859503 - Realm join fails with error 'Failed to join domain: failed to
|
||||
# lookup DC info ...'
|
||||
Patch22: 0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
|
||||
|
||||
# rhbz#1867912 - realm command to use option like dnshostname=fqdn
|
||||
Patch23: 0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
|
||||
|
||||
# rhbz#1791016 - realmd should handle default_realm in krb5.conf
|
||||
Patch24: 0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
|
||||
|
||||
# rhbz#1826964 - [RFE] Enable LDAPS functionality in realmd join
|
||||
Patch25: 0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
|
||||
Patch26: 0001-Use-startTLS-with-FreeIPA.patch
|
||||
Patch27: 0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
|
||||
Patch28: 0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
|
||||
Patch29: 0003-service-add-ldaps-support-when-using-adcli.patch
|
||||
Patch30: 0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
|
||||
Patch31: 0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
|
||||
Patch32: 0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
|
||||
Patch33: 0001-ldap-setup-TLS-when-using-ldaps.patch
|
||||
Patch34: 0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
|
||||
Patch35: 0002-service-avoid-crash-if-LDAP-connection-fails.patch
|
||||
Patch36: 0003-service-make-TLS-check-more-releaxed.patch
|
||||
|
||||
Patch37: 0001-doc-add-computer-name-to-realm-man-page.patch
|
||||
Patch38: 0001-build-add-with-vendor-error-message-configure-option.patch
|
||||
|
||||
# rhbz#2024248 - realmd logs are duplicated
|
||||
Patch39: 0001-syslog-avoid-duplicate-log-messages.patch
|
||||
|
||||
# rhbz#2028528 - realm join needs to updated to use the command line options of
|
||||
# Samba's net command
|
||||
Patch40: 0001-samba-use-new-Samba-4.15-command-line-options.patch
|
||||
|
||||
# rhbz#2037864 - realmd operations hang if a DC is unreachable
|
||||
Patch41: 0001-ldap-add-socket-timeout.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: automake
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: intltool pkgconfig
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: glib2-devel >= 2.32.0
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: polkit-devel
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: xmlto
|
||||
BuildRequires: samba-common-tools
|
||||
BuildRequires: %{_bindir}/python3
|
||||
|
||||
Requires: authselect
|
||||
Requires: polkit
|
||||
Requires: authselect
|
||||
Requires: polkit
|
||||
Conflicts: realmd-devel-docs < %{version}-%{release}
|
||||
# This build will use Samba's new command line options so it cannot be used
|
||||
# with older versions of Samba.
|
||||
Conflicts: samba-common-tools < 4.15
|
||||
Conflicts: samba-common-tools < 4.15
|
||||
|
||||
%description
|
||||
realmd is a DBus system service which manages discovery and enrollment in realms
|
||||
|
@ -104,7 +40,8 @@ and domains like Active Directory or IPA. The control center uses realmd as the
|
|||
back end to 'join' a domain simply and automatically configure things correctly.
|
||||
|
||||
%package devel-docs
|
||||
Summary: Developer documentation files for %{name}
|
||||
Summary: Developer documentation files for %{name}
|
||||
Conflicts: realmd < %{version}-%{release}
|
||||
|
||||
%description devel-docs
|
||||
The %{name}-devel package contains developer documentation for developing
|
||||
|
@ -124,7 +61,6 @@ autoreconf -fi
|
|||
%endif
|
||||
%{nil}
|
||||
|
||||
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%check
|
||||
|
@ -146,10 +82,10 @@ make install DESTDIR=%{buildroot}
|
|||
|
||||
%files -f realmd.lang
|
||||
%doc AUTHORS COPYING NEWS README
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
|
||||
%{_sbindir}/realm
|
||||
%dir %{_prefix}/lib/realmd
|
||||
%{_prefix}/lib/realmd/realmd
|
||||
%{_libexecdir}/realmd
|
||||
%{_prefix}/lib/realmd/realmd-defaults.conf
|
||||
%{_prefix}/lib/realmd/realmd-distro.conf
|
||||
%{_unitdir}/realmd.service
|
||||
|
@ -164,6 +100,10 @@ make install DESTDIR=%{buildroot}
|
|||
%doc ChangeLog
|
||||
|
||||
%changelog
|
||||
* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
|
||||
- Update to upstream release 0.17.1
|
||||
Resolves: rhbz#2133841
|
||||
|
||||
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
|
||||
- add LDAP socket timeout
|
||||
Resolves: rhbz#2037864
|
||||
|
|
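Review bot: The new changelog entry in the last hunk ("Update to upstream release 0.17.1 / Resolves: rhbz#2133841") does not record that the first hunk drops the whole downstream patch stack (Patch1 through Patch41), including the LDAPS/startTLS series tied to rhbz#1826964, the TLS-check patch `0003-service-make-TLS-check-more-releaxed.patch` and the LDAP socket timeout for rhbz#2037864, while only `ipa-packages.patch` survives as Patch0100. If those are all contained in 0.17.1 that should be stated, e.g. `- Drop downstream patches that are part of the 0.17.1 release`, so a reader of the changelog can see the LDAPS and timeout behaviour is preserved rather than regressed. The `%files` hunk also appears to turn the D-Bus policy file into `%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf` (presumably the new side, since the hunk keeps line counts equal); because that file gates who may call the realmd service, a future policy tightening shipped by the package would then land as an `.rpmnew` on hosts where the file was edited, which is worth a changelog line as well.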