From 442a1348d8aadc2192edde569dbefbf85394f9aa Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 21 Aug 2018 20:10:20 +0200 Subject: [PATCH] Change IPA defaults and improve realm discovery Resolves: rhbz#1575538 Resolves: rhbz#1145777 --- ...NetBIOS-name-in-keytab-while-leaving.patch | 44 +++++-- 0001-Fix-issues-found-by-Coverity.patch | 42 +++++++ ...ange-qualified-names-default-for-IPA.patch | 113 ++++++++++++++++++ ...try-to-get-domain-name-from-hostname.patch | 76 ++++++++++++ realmd.spec | 14 ++- 5 files changed, 275 insertions(+), 14 deletions(-) create mode 100644 0001-Fix-issues-found-by-Coverity.patch create mode 100644 0002-Change-qualified-names-default-for-IPA.patch create mode 100644 0003-discover-try-to-get-domain-name-from-hostname.patch diff --git a/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch index 69f6aa3..894fe93 100644 --- a/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch +++ b/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch @@ -1,4 +1,4 @@ -From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001 +From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 31 May 2018 16:16:08 +0200 Subject: [PATCH] Find NetBIOS name in keytab while leaving @@ -10,10 +10,10 @@ entries and use the NAME as the NetBIOS name. Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457 --- - service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++ + service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++ service/realm-kerberos.h | 2 ++ - service/realm-samba-enroll.c | 13 ++++++--- - 3 files changed, 76 insertions(+), 3 deletions(-) + service/realm-samba-enroll.c | 17 ++++++++-- + 3 files changed, 80 insertions(+), 3 deletions(-) diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c index 54d1ed7..d6d109f 100644 
@@ -101,7 +101,7 @@ index 0447e4d..58cfe07 100644 const gchar * realm_kerberos_get_realm_name (RealmKerberos *self); diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c -index 76e7b79..03f56d0 100644 +index 76e7b79..f5edca3 100644 --- a/service/realm-samba-enroll.c +++ b/service/realm-samba-enroll.c @@ -85,7 +85,8 @@ static JoinClosure * @@ -114,20 +114,38 @@ index 76e7b79..03f56d0 100644 { JoinClosure *join; gchar *workgroup; -@@ -106,6 +107,12 @@ join_closure_init (GTask *task, +@@ -93,6 +94,7 @@ join_closure_init (GTask *task, + int temp_fd; + const gchar *explicit_computer_name = NULL; + const gchar *authid = NULL; ++ gchar *name_from_keytab = NULL; + + join = g_new0 (JoinClosure, 1); + join->disco = realm_disco_ref (disco); +@@ -106,6 +108,14 @@ join_closure_init (GTask *task, else if (disco->explicit_netbios) authid = disco->explicit_netbios; -+ /* try to get the NetBIOS name from the keytab as last option while -+ * leaving the domain */ -+ if (authid == NULL && !do_join) { -+ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm); ++ /* try to get the NetBIOS name from the keytab while leaving the domain */ ++ if (explicit_computer_name == NULL && !do_join) { ++ name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm); ++ if (name_from_keytab != NULL) { ++ authid = name_from_keytab; ++ } + } + join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE); realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, "security", "ads", -@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco, +@@ -151,6 +161,7 @@ join_closure_init (GTask *task, + g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ()); + } + ++ g_free (name_from_keytab); + return join; + } + +@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco, g_return_if_fail (cred != NULL); task = g_task_new (NULL, NULL, callback, user_data); 
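Review bot: `authid` is made to alias `name_from_keytab`, which the new `g_free (name_from_keytab)` releases right before `return join`, so `authid` must not be used after that point and must not be stored into `join` as a bare pointer; the only visible consumer is the `realm_ini_config_set (join->config, ...)` call that follows, which presumably copies its string values, but the lines between the two hunks where `authid` is actually consumed are outside this view and should be checked. The guard was also loosened from `authid == NULL` to `explicit_computer_name == NULL`, so on leave a keytab-derived name now takes precedence over the `disco->explicit_netbios` assigned just above it; if that is deliberate, say so in the comment, e.g. `/* when leaving, prefer the NetBIOS name recorded in the keytab over the discovered one; an explicit computer-name option still wins */`. A `realm_diagnostics_info` line reporting the keytab-derived name, like the "Joining using a manual netbios name" message in the join path, would make leave failures easier to diagnose. join_closure_init begins and ends outside the hunk.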
@@ -136,7 +154,7 @@ index 76e7b79..03f56d0 100644 explicit_computer_name = realm_options_computer_name (options, disco->domain_name); if (explicit_computer_name != NULL) { realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", -@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, +@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, JoinClosure *join; task = g_task_new (NULL, NULL, callback, user_data); @@ -146,5 +164,5 @@ index 76e7b79..03f56d0 100644 switch (cred->type) { case REALM_CREDENTIAL_PASSWORD: -- -2.14.4 +2.17.1 diff --git a/0001-Fix-issues-found-by-Coverity.patch b/0001-Fix-issues-found-by-Coverity.patch new file mode 100644 index 0000000..abb6782 --- /dev/null +++ b/0001-Fix-issues-found-by-Coverity.patch 
@@ -0,0 +1,42 @@ +From 1831748847715a13f0cc911a9a491eb8614d6682 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 14 Aug 2018 14:09:48 +0200 +Subject: [PATCH 1/3] Fix issues found by Coverity + +--- + service/realm-kerberos.c | 5 ++++- + service/realm-packages.c | 2 +- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c +index d6d109f..252e256 100644 +--- a/service/realm-kerberos.c ++++ b/service/realm-kerberos.c +@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self, + if (name == NULL) + break; + value = va_arg (va, const gchar *); +- g_return_if_fail (value != NULL); ++ if (value == NULL) { ++ va_end (va); ++ g_return_if_reached (); ++ } + + values[0] = g_variant_new_string (name); + values[1] = g_variant_new_string (value); +diff --git a/service/realm-packages.c b/service/realm-packages.c +index 9a6984c..5976439 100644 +--- a/service/realm-packages.c ++++ b/service/realm-packages.c +@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets, + g_ptr_array_add (packages, NULL); + *result_packages = (gchar **)g_ptr_array_free (packages, FALSE); + } else { +- g_ptr_array_free (files, TRUE); ++ g_ptr_array_free (packages, TRUE); + } + + if (result_files) { +-- +2.17.1 + diff --git a/0002-Change-qualified-names-default-for-IPA.patch b/0002-Change-qualified-names-default-for-IPA.patch new file mode 100644 index 0000000..4ac6c6d --- /dev/null +++ b/0002-Change-qualified-names-default-for-IPA.patch 
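Review bot: The corrected `g_ptr_array_free (packages, TRUE)` in lookup_required_files_and_packages only frees the element strings if `packages` was created with a destroy notify; since the other branch hands the elements out as a `gchar **` via `g_ptr_array_free (packages, FALSE)`, the array may well have been created plainly, in which case this branch now frees the right array but still leaks its strings. If the creation (outside the hunk) sets no free func, make the intent explicit with `g_ptr_array_set_free_func (packages, g_free);` before the `g_ptr_array_free (packages, TRUE);`, or mirror the other branch with `g_ptr_array_add (packages, NULL);` followed by `g_strfreev ((gchar **) g_ptr_array_free (packages, FALSE));`. The `va_end (va)` before `g_return_if_reached ()` in realm_kerberos_set_details is the right fix, though whatever earlier iterations built into `values` is abandoned on that path too — harmless if those are still floating GVariants, worth a glance otherwise. Both enclosing functions start and end outside the hunk.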
@@ -0,0 +1,113 @@ +From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 14 Aug 2018 16:44:39 +0200 +Subject: [PATCH 2/3] Change qualified names default for IPA + +In a FreeIPA domain it is typically expected that the IPA accounts use +sort names while accounts from trusted domains have fully qualified +names. This is automatically done by SSSD's IPA provider so there is no +need to force fully qualified names in the SSSD configuration. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1575538 +--- + service/realm-options.c | 9 +++++---- + service/realm-options.h | 3 ++- + service/realm-samba-winbind.c | 2 +- + service/realm-sssd-ad.c | 2 +- + service/realm-sssd-ipa.c | 2 +- + 5 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/service/realm-options.c b/service/realm-options.c +index bd804ea..34a209f 100644 +--- a/service/realm-options.c ++++ b/service/realm-options.c +@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options, + + if (realm_name && !option) { + section = g_utf8_casefold (realm_name, -1); +- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE); ++ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE); + g_free (section); + } + +@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name) + gboolean mapping; + + section = g_utf8_casefold (realm_name, -1); +- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE); ++ mapping = realm_settings_boolean (section, "automatic-join", FALSE); + g_free (section); + + return mapping; + } + + gboolean +-realm_options_qualify_names (const gchar *realm_name) ++realm_options_qualify_names (const gchar *realm_name, ++ gboolean def) + { + gchar *section; + gboolean qualify; + + section = g_utf8_casefold (realm_name, -1); +- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE); ++ qualify = 
realm_settings_boolean (section, "fully-qualified-names", def); + g_free (section); + + return qualify; +diff --git a/service/realm-options.h b/service/realm-options.h +index 7a1355e..b71d219 100644 +--- a/service/realm-options.h ++++ b/service/realm-options.h +@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options, + gboolean realm_options_automatic_mapping (GVariant *options, + const gchar *realm_name); + +-gboolean realm_options_qualify_names (const gchar *realm_name); ++gboolean realm_options_qualify_names (const gchar *realm_name, ++ gboolean def); + + gboolean realm_options_check_domain_name (const gchar *domain_name); + +diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c +index 9335e26..61988eb 100644 +--- a/service/realm-samba-winbind.c ++++ b/service/realm-samba-winbind.c +@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + "winbind enum groups", "no", + "winbind offline logon", "yes", + "winbind refresh tickets", "yes", +- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes", ++ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? 
"no" : "yes", + "template shell", realm_settings_string ("users", "default-shell"), + NULL); + +diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c +index 8543ca8..de7ce30 100644 +--- a/service/realm-sssd-ad.c ++++ b/service/realm-sssd-ad.c +@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config, + gchar *home; + + home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home")); +- qualify = realm_options_qualify_names (disco->domain_name); ++ qualify = realm_options_qualify_names (disco->domain_name, TRUE); + shell = realm_settings_string ("users", "default-shell"); + explicit_computer_name = realm_options_computer_name (options, disco->domain_name); + realmd_tags = g_string_new (""); +diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c +index ff1dc8a..5029f6b 100644 +--- a/service/realm-sssd-ipa.c ++++ b/service/realm-sssd-ipa.c +@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source, + + realm_sssd_config_update_domain (config, domain, &error, + "cache_credentials", "True", +- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False", ++ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False", + "krb5_store_password_if_offline", "True", + "default_shell", shell, + "fallback_homedir", home, +-- +2.17.1 + diff --git a/0003-discover-try-to-get-domain-name-from-hostname.patch b/0003-discover-try-to-get-domain-name-from-hostname.patch new file mode 100644 index 0000000..b611d6c --- /dev/null +++ b/0003-discover-try-to-get-domain-name-from-hostname.patch 
@@ -0,0 +1,76 @@ +From 5e28cf702ad338e399f8fff0b3fa18736a297318 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 21 Aug 2018 13:09:20 +0200 +Subject: [PATCH 3/3] discover: try to get domain name from hostname + +If there is no domain name returned by DHCP check if the hostname +contains a domain part and use this to discover a realm. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162 +--- + service/realm-provider.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/service/realm-provider.c b/service/realm-provider.c +index d647c7a..258e8e1 100644 +--- a/service/realm-provider.c ++++ b/service/realm-provider.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include ++ + #define TIMEOUT_SECONDS 15 + + G_DEFINE_TYPE (RealmProvider, realm_provider, G_TYPE_DBUS_OBJECT_SKELETON); +@@ -181,6 +183,25 @@ on_discover_complete (GObject *source, + return_discover_result (method, realms, relevance, error); + } + ++static gchar * ++get_domain_from_hostname (void) ++{ ++ gchar hostname[HOST_NAME_MAX + 1]; ++ gchar *dot; ++ ++ if (gethostname (hostname, sizeof (hostname)) < 0) { ++ g_warning ("Couldn't get the computer host name: %s", g_strerror (errno)); ++ return NULL; ++ } ++ ++ dot = strchr (hostname, '.'); ++ if (dot != NULL) { ++ return g_strdup (dot + 1); ++ } ++ ++ return NULL; ++} ++ + static void + on_discover_default (GObject *source, + GAsyncResult *result, +@@ -195,6 +216,10 @@ on_discover_default (GObject *source, + g_clear_error (&error); + } + ++ if (method->string == NULL) { ++ method->string = get_domain_from_hostname (); ++ } ++ + if (method->string) { + g_strstrip (method->string); + if (g_str_equal (method->string, "")) { +@@ -210,7 +235,8 @@ on_discover_default (GObject *source, + on_discover_complete, method); + + } else { +- realm_diagnostics_info (method->invocation, "No default domain received via DHCP"); ++ realm_diagnostics_info (method->invocation, ++ "No default domain received via 
DHCP or given by hostname"); + return_discover_result (method, NULL, 0, NULL); + } + } +-- +2.17.1 + diff --git a/realmd.spec b/realmd.spec index c6dc189..69f8afb 100644 --- a/realmd.spec +++ b/realmd.spec @@ -1,6 +1,6 @@ Name: realmd Version: 0.16.3 -Release: 14%{?dist} +Release: 15%{?dist} Summary: Kerberos realm enrollment service License: LGPLv2+ URL: http://cgit.freedesktop.org/realmd/realmd/ @@ -16,6 +16,10 @@ Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch Patch9: 0001-tests-run-tests-with-python3.patch +Patch10: 0001-Fix-issues-found-by-Coverity.patch +Patch11: 0002-Change-qualified-names-default-for-IPA.patch +Patch12: 0003-discover-try-to-get-domain-name-from-hostname.patch + BuildRequires: gcc BuildRequires: automake BuildRequires: autoconf @@ -58,6 +62,9 @@ applications that use %{name}. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build autoreconf -fi @@ -92,6 +99,11 @@ make install DESTDIR=%{buildroot} %doc ChangeLog %changelog +* Tue Aug 21 2018 Sumit Bose - 0.16.3-15 +- Change IPA defaults and improve realm discovery + Resolves: rhbz#1575538 + Resolves: rhbz#1145777 + * Sat Jul 14 2018 Fedora Release Engineering - 0.16.3-14 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild