Change IPA defaults and improve realm discovery

Resolves: rhbz#1575538
Resolves: rhbz#1145777

0001-Find-NetBIOS-name-in-keytab-while-leaving.patch

@@ -1,4 +1,4 @@
-From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
+From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Thu, 31 May 2018 16:16:08 +0200
 Subject: [PATCH] Find NetBIOS name in keytab while leaving
@@ -10,10 +10,10 @@ entries and use the NAME as the NetBIOS name.
 
 Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
 ---
- service/realm-kerberos.c     | 64 ++++++++++++++++++++++++++++++++++++++++++++
+ service/realm-kerberos.c     | 64 ++++++++++++++++++++++++++++++++++++
  service/realm-kerberos.h     |  2 ++
- service/realm-samba-enroll.c | 13 ++++++---
- 3 files changed, 76 insertions(+), 3 deletions(-)
+ service/realm-samba-enroll.c | 17 ++++++++--
+ 3 files changed, 80 insertions(+), 3 deletions(-)
 
 diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
 index 54d1ed7..d6d109f 100644
@@ -101,7 +101,7 @@ index 0447e4d..58cfe07 100644
  
  const gchar *       realm_kerberos_get_realm_name              (RealmKerberos *self);
 diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index 76e7b79..03f56d0 100644
+index 76e7b79..f5edca3 100644
 --- a/service/realm-samba-enroll.c
 +++ b/service/realm-samba-enroll.c
 @@ -85,7 +85,8 @@ static JoinClosure *
@@ -114,20 +114,38 @@ index 76e7b79..03f56d0 100644
  {
  	JoinClosure *join;
  	gchar *workgroup;
-@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
+@@ -93,6 +94,7 @@ join_closure_init (GTask *task,
+ 	int temp_fd;
+ 	const gchar *explicit_computer_name = NULL;
+ 	const gchar *authid = NULL;
++	gchar *name_from_keytab = NULL;
+ 
+ 	join = g_new0 (JoinClosure, 1);
+ 	join->disco = realm_disco_ref (disco);
+@@ -106,6 +108,14 @@ join_closure_init (GTask *task,
  	else if (disco->explicit_netbios)
  		authid = disco->explicit_netbios;
  
-+	/* try to get the NetBIOS name from the keytab as last option while
-+	 * leaving the domain */
-+	if (authid == NULL && !do_join) {
-+		authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
++	/* try to get the NetBIOS name from the keytab while leaving the domain */
++	if (explicit_computer_name == NULL && !do_join) {
++		name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
++		if (name_from_keytab != NULL) {
++			authid = name_from_keytab;
++		}
 +	}
 +
  	join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
  	realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
  	                      "security", "ads",
-@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
+@@ -151,6 +161,7 @@ join_closure_init (GTask *task,
+ 		g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ());
+ 	}
+ 
++	g_free (name_from_keytab);
+ 	return join;
+ }
+ 
+@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
  	g_return_if_fail (cred != NULL);
  
  	task = g_task_new (NULL, NULL, callback, user_data);
@@ -136,7 +154,7 @@ index 76e7b79..03f56d0 100644
  	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
  	if (explicit_computer_name != NULL) {
  		realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
-@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
+@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
  	JoinClosure *join;
  
  	task = g_task_new (NULL, NULL, callback, user_data);
@@ -146,5 +164,5 @@ index 76e7b79..03f56d0 100644
  	switch (cred->type) {
  	case REALM_CREDENTIAL_PASSWORD:
 -- 
-2.14.4
+2.17.1
 

0001-Fix-issues-found-by-Coverity.patch

@@ -0,0 +1,42 @@
+From 1831748847715a13f0cc911a9a491eb8614d6682 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Aug 2018 14:09:48 +0200
+Subject: [PATCH 1/3] Fix issues found by Coverity
+
+---
+ service/realm-kerberos.c | 5 ++++-
+ service/realm-packages.c | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index d6d109f..252e256 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
+ 		if (name == NULL)
+ 			break;
+ 		value = va_arg (va, const gchar *);
+-		g_return_if_fail (value != NULL);
++		if (value == NULL) {
++			va_end (va);
++			g_return_if_reached ();
++		}
+ 
+ 		values[0] = g_variant_new_string (name);
+ 		values[1] = g_variant_new_string (value);
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 9a6984c..5976439 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
+ 		g_ptr_array_add (packages, NULL);
+ 		*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
+ 	} else {
+-		g_ptr_array_free (files, TRUE);
++		g_ptr_array_free (packages, TRUE);
+ 	}
+ 
+ 	if (result_files) {
+-- 
+2.17.1
+

0002-Change-qualified-names-default-for-IPA.patch

@@ -0,0 +1,113 @@
+From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Aug 2018 16:44:39 +0200
+Subject: [PATCH 2/3] Change qualified names default for IPA
+
+In a FreeIPA domain it is typically expected that the IPA accounts use
+sort names while accounts from trusted domains have fully qualified
+names. This is automatically done by SSSD's IPA provider so there is no
+need to force fully qualified names in the SSSD configuration.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1575538
+---
+ service/realm-options.c       | 9 +++++----
+ service/realm-options.h       | 3 ++-
+ service/realm-samba-winbind.c | 2 +-
+ service/realm-sssd-ad.c       | 2 +-
+ service/realm-sssd-ipa.c      | 2 +-
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/service/realm-options.c b/service/realm-options.c
+index bd804ea..34a209f 100644
+--- a/service/realm-options.c
++++ b/service/realm-options.c
+@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
+ 
+ 	if (realm_name && !option) {
+ 		section = g_utf8_casefold (realm_name, -1);
+-		mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
++		mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
+ 		g_free (section);
+ 	}
+ 
+@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
+ 	gboolean mapping;
+ 
+ 	section = g_utf8_casefold (realm_name, -1);
+-	mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
++	mapping = realm_settings_boolean (section, "automatic-join", FALSE);
+ 	g_free (section);
+ 
+ 	return mapping;
+ }
+ 
+ gboolean
+-realm_options_qualify_names (const gchar *realm_name)
++realm_options_qualify_names (const gchar *realm_name,
++                             gboolean def)
+ {
+ 	gchar *section;
+ 	gboolean qualify;
+ 
+ 	section = g_utf8_casefold (realm_name, -1);
+-	qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
++	qualify = realm_settings_boolean (section, "fully-qualified-names", def);
+ 	g_free (section);
+ 
+ 	return qualify;
+diff --git a/service/realm-options.h b/service/realm-options.h
+index 7a1355e..b71d219 100644
+--- a/service/realm-options.h
++++ b/service/realm-options.h
+@@ -37,7 +37,8 @@ const gchar *  realm_options_user_principal           (GVariant *options,
+ gboolean       realm_options_automatic_mapping        (GVariant *options,
+ 						       const gchar *realm_name);
+ 
+-gboolean       realm_options_qualify_names            (const gchar *realm_name);
++gboolean       realm_options_qualify_names            (const gchar *realm_name,
++                                                       gboolean def);
+ 
+ gboolean       realm_options_check_domain_name        (const gchar *domain_name);
+ 
+diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
+index 9335e26..61988eb 100644
+--- a/service/realm-samba-winbind.c
++++ b/service/realm-samba-winbind.c
+@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ 		                      "winbind enum groups", "no",
+ 		                      "winbind offline logon", "yes",
+ 		                      "winbind refresh tickets", "yes",
+-		                      "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
++		                      "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
+ 		                      "template shell", realm_settings_string ("users", "default-shell"),
+ 		                      NULL);
+ 
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 8543ca8..de7ce30 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
+ 	gchar *home;
+ 
+ 	home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
+-	qualify = realm_options_qualify_names (disco->domain_name);
++	qualify = realm_options_qualify_names (disco->domain_name, TRUE);
+ 	shell = realm_settings_string ("users", "default-shell");
+ 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
+ 	realmd_tags = g_string_new ("");
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index ff1dc8a..5029f6b 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
+ 
+ 		realm_sssd_config_update_domain (config, domain, &error,
+ 		                                 "cache_credentials", "True",
+-		                                 "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
++		                                 "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
+ 		                                 "krb5_store_password_if_offline", "True",
+ 		                                 "default_shell", shell,
+ 		                                 "fallback_homedir", home,
+-- 
+2.17.1
+

0003-discover-try-to-get-domain-name-from-hostname.patch

@@ -0,0 +1,76 @@
+From 5e28cf702ad338e399f8fff0b3fa18736a297318 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 21 Aug 2018 13:09:20 +0200
+Subject: [PATCH 3/3] discover: try to get domain name from hostname
+
+If there is no domain name returned by DHCP check if the hostname
+contains a domain part and use this to discover a realm.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
+---
+ service/realm-provider.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/service/realm-provider.c b/service/realm-provider.c
+index d647c7a..258e8e1 100644
+--- a/service/realm-provider.c
++++ b/service/realm-provider.c
+@@ -28,6 +28,8 @@
+ #include <glib/gi18n.h>
+ #include <gio/gio.h>
+ 
++#include <errno.h>
++
+ #define TIMEOUT_SECONDS 15
+ 
+ G_DEFINE_TYPE (RealmProvider, realm_provider, G_TYPE_DBUS_OBJECT_SKELETON);
+@@ -181,6 +183,25 @@ on_discover_complete (GObject *source,
+ 	return_discover_result (method, realms, relevance, error);
+ }
+ 
++static gchar *
++get_domain_from_hostname (void)
++{
++	gchar hostname[HOST_NAME_MAX + 1];
++	gchar *dot;
++
++	if (gethostname (hostname, sizeof (hostname)) < 0) {
++		g_warning ("Couldn't get the computer host name: %s", g_strerror (errno));
++		return NULL;
++	}
++
++	dot = strchr (hostname, '.');
++	if (dot != NULL) {
++		return g_strdup (dot + 1);
++	}
++
++	return NULL;
++}
++
+ static void
+ on_discover_default (GObject *source,
+                      GAsyncResult *result,
+@@ -195,6 +216,10 @@ on_discover_default (GObject *source,
+ 		g_clear_error (&error);
+ 	}
+ 
++	if (method->string == NULL) {
++		method->string = get_domain_from_hostname ();
++	}
++
+ 	if (method->string) {
+ 		g_strstrip (method->string);
+ 		if (g_str_equal (method->string, "")) {
+@@ -210,7 +235,8 @@ on_discover_default (GObject *source,
+ 		                         on_discover_complete, method);
+ 
+ 	} else {
+-		realm_diagnostics_info (method->invocation, "No default domain received via DHCP");
++		realm_diagnostics_info (method->invocation,
++		                        "No default domain received via DHCP or given by hostname");
+ 		return_discover_result (method, NULL, 0, NULL);
+ 	}
+ }
+-- 
+2.17.1
+

realmd.spec

@@ -1,6 +1,6 @@
 Name:		realmd
 Version:	0.16.3
-Release:	14%{?dist}
+Release:	15%{?dist}
 Summary:	Kerberos realm enrollment service
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/realmd/
@@ -16,6 +16,10 @@ Patch7:		0001-Use-current-idmap-options-for-smb.conf.patch
 Patch8:		0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
 Patch9:		0001-tests-run-tests-with-python3.patch
 
+Patch10:	0001-Fix-issues-found-by-Coverity.patch
+Patch11:	0002-Change-qualified-names-default-for-IPA.patch
+Patch12:	0003-discover-try-to-get-domain-name-from-hostname.patch
+
 BuildRequires:	gcc
 BuildRequires:	automake
 BuildRequires:	autoconf
@@ -58,6 +62,9 @@ applications that use %{name}.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 
 %build
 autoreconf -fi
@@ -92,6 +99,11 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 
 %changelog
+* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
+- Change IPA defaults and improve realm discovery
+  Resolves: rhbz#1575538
+  Resolves: rhbz#1145777
+
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild