Change IPA defaults and improve realm discovery
Resolves: rhbz#1575538 Resolves: rhbz#1145777
parent
92a6a945de
commit
442a1348d8
@ -1,4 +1,4 @@
|
||||
From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
|
||||
From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 31 May 2018 16:16:08 +0200
|
||||
Subject: [PATCH] Find NetBIOS name in keytab while leaving
|
||||
@ -10,10 +10,10 @@ entries and use the NAME as the NetBIOS name.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
|
||||
---
|
||||
service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++
|
||||
service/realm-kerberos.h | 2 ++
|
||||
service/realm-samba-enroll.c | 13 ++++++---
|
||||
3 files changed, 76 insertions(+), 3 deletions(-)
|
||||
service/realm-samba-enroll.c | 17 ++++++++--
|
||||
3 files changed, 80 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
|
||||
index 54d1ed7..d6d109f 100644
|
||||
@ -101,7 +101,7 @@ index 0447e4d..58cfe07 100644
|
||||
|
||||
const gchar * realm_kerberos_get_realm_name (RealmKerberos *self);
|
||||
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
|
||||
index 76e7b79..03f56d0 100644
|
||||
index 76e7b79..f5edca3 100644
|
||||
--- a/service/realm-samba-enroll.c
|
||||
+++ b/service/realm-samba-enroll.c
|
||||
@@ -85,7 +85,8 @@ static JoinClosure *
|
||||
@ -114,20 +114,38 @@ index 76e7b79..03f56d0 100644
|
||||
{
|
||||
JoinClosure *join;
|
||||
gchar *workgroup;
|
||||
@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
|
||||
@@ -93,6 +94,7 @@ join_closure_init (GTask *task,
|
||||
int temp_fd;
|
||||
const gchar *explicit_computer_name = NULL;
|
||||
const gchar *authid = NULL;
|
||||
+ gchar *name_from_keytab = NULL;
|
||||
|
||||
join = g_new0 (JoinClosure, 1);
|
||||
join->disco = realm_disco_ref (disco);
|
||||
@@ -106,6 +108,14 @@ join_closure_init (GTask *task,
|
||||
else if (disco->explicit_netbios)
|
||||
authid = disco->explicit_netbios;
|
||||
|
||||
+ /* try to get the NetBIOS name from the keytab as last option while
|
||||
+ * leaving the domain */
|
||||
+ if (authid == NULL && !do_join) {
|
||||
+ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
|
||||
+ /* try to get the NetBIOS name from the keytab while leaving the domain */
|
||||
+ if (explicit_computer_name == NULL && !do_join) {
|
||||
+ name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
|
||||
+ if (name_from_keytab != NULL) {
|
||||
+ authid = name_from_keytab;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
|
||||
realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
|
||||
"security", "ads",
|
||||
@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
|
||||
@@ -151,6 +161,7 @@ join_closure_init (GTask *task,
|
||||
g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ());
|
||||
}
|
||||
|
||||
+ g_free (name_from_keytab);
|
||||
return join;
|
||||
}
|
||||
|
||||
@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
|
||||
g_return_if_fail (cred != NULL);
|
||||
|
||||
task = g_task_new (NULL, NULL, callback, user_data);
|
||||
@ -136,7 +154,7 @@ index 76e7b79..03f56d0 100644
|
||||
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
|
||||
if (explicit_computer_name != NULL) {
|
||||
realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
|
||||
@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
|
||||
@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
|
||||
JoinClosure *join;
|
||||
|
||||
task = g_task_new (NULL, NULL, callback, user_data);
|
||||
@ -146,5 +164,5 @@ index 76e7b79..03f56d0 100644
|
||||
switch (cred->type) {
|
||||
case REALM_CREDENTIAL_PASSWORD:
|
||||
--
|
||||
2.14.4
|
||||
2.17.1
|
||||
|
||||
|
||||
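Review bot: In the newer revision of the join_closure_init hunk, `authid` is pointed at `name_from_keytab`, and that string is released by `g_free (name_from_keytab)` just before `return join`, so every use of `authid` has to copy the string before that point. The statements between the assignment and the free are only partly visible here, so this is a lifetime hazard to document rather than a confirmed bug. I would add above the assignment: `/* authid only borrows name_from_keytab, which is freed before return; never store this pointer in join */`. The condition also changed from `authid == NULL` to `explicit_computer_name == NULL`, so when leaving the keytab name appears to take precedence over `disco->explicit_netbios`; the comment should say whether that is intended.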
42
0001-Fix-issues-found-by-Coverity.patch
Normal file
42
0001-Fix-issues-found-by-Coverity.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 1831748847715a13f0cc911a9a491eb8614d6682 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 14 Aug 2018 14:09:48 +0200
|
||||
Subject: [PATCH 1/3] Fix issues found by Coverity
|
||||
|
||||
---
|
||||
service/realm-kerberos.c | 5 ++++-
|
||||
service/realm-packages.c | 2 +-
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
|
||||
index d6d109f..252e256 100644
|
||||
--- a/service/realm-kerberos.c
|
||||
+++ b/service/realm-kerberos.c
|
||||
@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
|
||||
if (name == NULL)
|
||||
break;
|
||||
value = va_arg (va, const gchar *);
|
||||
- g_return_if_fail (value != NULL);
|
||||
+ if (value == NULL) {
|
||||
+ va_end (va);
|
||||
+ g_return_if_reached ();
|
||||
+ }
|
||||
|
||||
values[0] = g_variant_new_string (name);
|
||||
values[1] = g_variant_new_string (value);
|
||||
diff --git a/service/realm-packages.c b/service/realm-packages.c
|
||||
index 9a6984c..5976439 100644
|
||||
--- a/service/realm-packages.c
|
||||
+++ b/service/realm-packages.c
|
||||
@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
|
||||
g_ptr_array_add (packages, NULL);
|
||||
*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
|
||||
} else {
|
||||
- g_ptr_array_free (files, TRUE);
|
||||
+ g_ptr_array_free (packages, TRUE);
|
||||
}
|
||||
|
||||
if (result_files) {
|
||||
--
|
||||
2.17.1
|
||||
|
||||
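Review bot: The `else` branch in the realm-packages.c hunk deserves a comment, because the line it replaces freed `files` there while the `if (result_files)` block that follows deals with `files` again, and that mix-up is easy to reintroduce. Something like `/* caller did not request packages: free the array here, files is handled below */` above `g_ptr_array_free (packages, TRUE);` records which array belongs to which branch. In realm_kerberos_set_details the new early return correctly calls `va_end (va)` first, but whatever was collected before the NULL value was hit lies outside this hunk, so it is worth confirming that nothing allocated earlier is left unreleased on that path.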
113
0002-Change-qualified-names-default-for-IPA.patch
Normal file
113
0002-Change-qualified-names-default-for-IPA.patch
Normal file
@ -0,0 +1,113 @@
|
||||
From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 14 Aug 2018 16:44:39 +0200
|
||||
Subject: [PATCH 2/3] Change qualified names default for IPA
|
||||
|
||||
In a FreeIPA domain it is typically expected that the IPA accounts use
|
||||
sort names while accounts from trusted domains have fully qualified
|
||||
names. This is automatically done by SSSD's IPA provider so there is no
|
||||
need to force fully qualified names in the SSSD configuration.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1575538
|
||||
---
|
||||
service/realm-options.c | 9 +++++----
|
||||
service/realm-options.h | 3 ++-
|
||||
service/realm-samba-winbind.c | 2 +-
|
||||
service/realm-sssd-ad.c | 2 +-
|
||||
service/realm-sssd-ipa.c | 2 +-
|
||||
5 files changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/service/realm-options.c b/service/realm-options.c
|
||||
index bd804ea..34a209f 100644
|
||||
--- a/service/realm-options.c
|
||||
+++ b/service/realm-options.c
|
||||
@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
|
||||
|
||||
if (realm_name && !option) {
|
||||
section = g_utf8_casefold (realm_name, -1);
|
||||
- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
|
||||
+ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
|
||||
g_free (section);
|
||||
}
|
||||
|
||||
@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
|
||||
gboolean mapping;
|
||||
|
||||
section = g_utf8_casefold (realm_name, -1);
|
||||
- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
|
||||
+ mapping = realm_settings_boolean (section, "automatic-join", FALSE);
|
||||
g_free (section);
|
||||
|
||||
return mapping;
|
||||
}
|
||||
|
||||
gboolean
|
||||
-realm_options_qualify_names (const gchar *realm_name)
|
||||
+realm_options_qualify_names (const gchar *realm_name,
|
||||
+ gboolean def)
|
||||
{
|
||||
gchar *section;
|
||||
gboolean qualify;
|
||||
|
||||
section = g_utf8_casefold (realm_name, -1);
|
||||
- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
|
||||
+ qualify = realm_settings_boolean (section, "fully-qualified-names", def);
|
||||
g_free (section);
|
||||
|
||||
return qualify;
|
||||
diff --git a/service/realm-options.h b/service/realm-options.h
|
||||
index 7a1355e..b71d219 100644
|
||||
--- a/service/realm-options.h
|
||||
+++ b/service/realm-options.h
|
||||
@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options,
|
||||
gboolean realm_options_automatic_mapping (GVariant *options,
|
||||
const gchar *realm_name);
|
||||
|
||||
-gboolean realm_options_qualify_names (const gchar *realm_name);
|
||||
+gboolean realm_options_qualify_names (const gchar *realm_name,
|
||||
+ gboolean def);
|
||||
|
||||
gboolean realm_options_check_domain_name (const gchar *domain_name);
|
||||
|
||||
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
|
||||
index 9335e26..61988eb 100644
|
||||
--- a/service/realm-samba-winbind.c
|
||||
+++ b/service/realm-samba-winbind.c
|
||||
@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
|
||||
"winbind enum groups", "no",
|
||||
"winbind offline logon", "yes",
|
||||
"winbind refresh tickets", "yes",
|
||||
- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
|
||||
+ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
|
||||
"template shell", realm_settings_string ("users", "default-shell"),
|
||||
NULL);
|
||||
|
||||
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
|
||||
index 8543ca8..de7ce30 100644
|
||||
--- a/service/realm-sssd-ad.c
|
||||
+++ b/service/realm-sssd-ad.c
|
||||
@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
|
||||
gchar *home;
|
||||
|
||||
home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
|
||||
- qualify = realm_options_qualify_names (disco->domain_name);
|
||||
+ qualify = realm_options_qualify_names (disco->domain_name, TRUE);
|
||||
shell = realm_settings_string ("users", "default-shell");
|
||||
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
|
||||
realmd_tags = g_string_new ("");
|
||||
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
|
||||
index ff1dc8a..5029f6b 100644
|
||||
--- a/service/realm-sssd-ipa.c
|
||||
+++ b/service/realm-sssd-ipa.c
|
||||
@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
|
||||
|
||||
realm_sssd_config_update_domain (config, domain, &error,
|
||||
"cache_credentials", "True",
|
||||
- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
|
||||
+ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
|
||||
"krb5_store_password_if_offline", "True",
|
||||
"default_shell", shell,
|
||||
"fallback_homedir", home,
|
||||
--
|
||||
2.17.1
|
||||
|
||||
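Review bot: Besides adding the `def` parameter, the realm-options.c hunks change the lookup key passed to `realm_settings_boolean` from `realm_name` to the case-folded `section` in realm_options_automatic_mapping, realm_options_automatic_join and realm_options_qualify_names, which the patch subject does not mention. Whether a configuration section written in a different case keeps matching depends on how realm_settings_boolean compares section names, which is not visible here, so per-realm settings such as `automatic-join` could start or stop applying after the update. I would document this on the function, e.g. `/* per-realm settings are looked up under the case-folded realm name; def applies when fully-qualified-names is not set */`. The latter two functions also pass `realm_name` to `g_utf8_casefold` without the NULL guard that realm_options_automatic_mapping has.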
76
0003-discover-try-to-get-domain-name-from-hostname.patch
Normal file
76
0003-discover-try-to-get-domain-name-from-hostname.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From 5e28cf702ad338e399f8fff0b3fa18736a297318 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 21 Aug 2018 13:09:20 +0200
|
||||
Subject: [PATCH 3/3] discover: try to get domain name from hostname
|
||||
|
||||
If there is no domain name returned by DHCP check if the hostname
|
||||
contains a domain part and use this to discover a realm.
|
||||
|
||||
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
|
||||
---
|
||||
service/realm-provider.c | 28 +++++++++++++++++++++++++++-
|
||||
1 file changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/service/realm-provider.c b/service/realm-provider.c
|
||||
index d647c7a..258e8e1 100644
|
||||
--- a/service/realm-provider.c
|
||||
+++ b/service/realm-provider.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#include <glib/gi18n.h>
|
||||
#include <gio/gio.h>
|
||||
|
||||
+#include <errno.h>
|
||||
+
|
||||
#define TIMEOUT_SECONDS 15
|
||||
|
||||
G_DEFINE_TYPE (RealmProvider, realm_provider, G_TYPE_DBUS_OBJECT_SKELETON);
|
||||
@@ -181,6 +183,25 @@ on_discover_complete (GObject *source,
|
||||
return_discover_result (method, realms, relevance, error);
|
||||
}
|
||||
|
||||
+static gchar *
|
||||
+get_domain_from_hostname (void)
|
||||
+{
|
||||
+ gchar hostname[HOST_NAME_MAX + 1];
|
||||
+ gchar *dot;
|
||||
+
|
||||
+ if (gethostname (hostname, sizeof (hostname)) < 0) {
|
||||
+ g_warning ("Couldn't get the computer host name: %s", g_strerror (errno));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ dot = strchr (hostname, '.');
|
||||
+ if (dot != NULL) {
|
||||
+ return g_strdup (dot + 1);
|
||||
+ }
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
on_discover_default (GObject *source,
|
||||
GAsyncResult *result,
|
||||
@@ -195,6 +216,10 @@ on_discover_default (GObject *source,
|
||||
g_clear_error (&error);
|
||||
}
|
||||
|
||||
+ if (method->string == NULL) {
|
||||
+ method->string = get_domain_from_hostname ();
|
||||
+ }
|
||||
+
|
||||
if (method->string) {
|
||||
g_strstrip (method->string);
|
||||
if (g_str_equal (method->string, "")) {
|
||||
@@ -210,7 +235,8 @@ on_discover_default (GObject *source,
|
||||
on_discover_complete, method);
|
||||
|
||||
} else {
|
||||
- realm_diagnostics_info (method->invocation, "No default domain received via DHCP");
|
||||
+ realm_diagnostics_info (method->invocation,
|
||||
+ "No default domain received via DHCP or given by hostname");
|
||||
return_discover_result (method, NULL, 0, NULL);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
||||
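Review bot: get_domain_from_hostname returns whatever follows the first dot of the local host name, and on_discover_default passes it to discovery with only the empty-string check visible in this hunk, so a suffix such as `localdomain` is used as a discovery target without validation. The host name can come from DHCP or a provisioning step, so it deserves the same checks as a domain supplied by the user. If realm-options.h is usable from realm-provider.c, the return could become `if (dot != NULL && realm_options_check_domain_name (dot + 1)) return g_strdup (dot + 1);`. It is also cheap to add `hostname[sizeof (hostname) - 1] = '\0';` after the gethostname call, since POSIX leaves termination unspecified on truncation. The hunk adds only `<errno.h>`, so confirm that the headers for `HOST_NAME_MAX`, `strchr` and `gethostname` are already included.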
14
realmd.spec
14
realmd.spec
@ -1,6 +1,6 @@
|
||||
Name: realmd
|
||||
Version: 0.16.3
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
Summary: Kerberos realm enrollment service
|
||||
License: LGPLv2+
|
||||
URL: http://cgit.freedesktop.org/realmd/realmd/
|
||||
@ -16,6 +16,10 @@ Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch
|
||||
Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
|
||||
Patch9: 0001-tests-run-tests-with-python3.patch
|
||||
|
||||
Patch10: 0001-Fix-issues-found-by-Coverity.patch
|
||||
Patch11: 0002-Change-qualified-names-default-for-IPA.patch
|
||||
Patch12: 0003-discover-try-to-get-domain-name-from-hostname.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: automake
|
||||
BuildRequires: autoconf
|
||||
@ -58,6 +62,9 @@ applications that use %{name}.
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fi
|
||||
@ -92,6 +99,11 @@ make install DESTDIR=%{buildroot}
|
||||
%doc ChangeLog
|
||||
|
||||
%changelog
|
||||
* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
|
||||
- Change IPA defaults and improve realm discovery
|
||||
Resolves: rhbz#1575538
|
||||
Resolves: rhbz#1145777
|
||||
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-14
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
|
||||