rpms/realmd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merged update from upstream sources

Browse Source 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/realmd.git#ca68463eef2fa47a73352e8598ded5ff169ecbb1
This commit is contained in:
DistroBaker 2021-02-19 14:50:23 +00:00
parent 162d24c556
commit 69a70a6368
46 changed files with 29 additions and 5847 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,3 +6,4 @@
/realmd-0.16.1.tar.gz
/realmd-0.16.2.tar.gz
/realmd-0.16.3.tar.gz
/realmd-0.17.0.tar.gz

27
0001-Add-missing-xsl-file-to-Makefile.am.patch
View File

@ -1,27 +0,0 @@
From 81b5e3478269ea47d66ddb98f7cbebd06fe950e6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 2 Aug 2019 13:18:37 +0200
Subject: [PATCH 1/7] Add missing xsl file to Makefile.am
In commit 4f3c02dc14300c0b8e51a55d627c57f73c108f64 it was forgotten to
add the new file devhelp2.xsl to the Makefile to make sure it is
include in the tar ball.
---
doc/manual/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index 39e1581..8b33fdd 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -37,6 +37,7 @@ MANUAL_XSLT = \
doc/manual/gdbus-fix-bugs.xsl \
doc/manual/gtk-doc.xsl \
doc/manual/version-greater-or-equal.xsl \
+ doc/manual/devhelp2.xsl \
$(NULL)
EXTRA_DIST += \
--
2.25.1

168
0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
View File

@ -1,168 +0,0 @@
From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 31 May 2018 16:16:08 +0200
Subject: [PATCH] Find NetBIOS name in keytab while leaving
If realmd is used with Samba as membership software, i.e. Samba's net
utility, the NetBIOS name must be known when leaving a domain. The most
reliable way to find it is by searching the keytab for NAME$@REALM type
entries and use the NAME as the NetBIOS name.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
---
service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++
service/realm-kerberos.h | 2 ++
service/realm-samba-enroll.c | 17 ++++++++--
3 files changed, 80 insertions(+), 3 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 54d1ed7..d6d109f 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
return ret;
}
+
+gchar *
+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
+{
+ krb5_error_code code;
+ krb5_keytab keytab = NULL;
+ krb5_context ctx;
+ krb5_kt_cursor cursor = NULL;
+ krb5_keytab_entry entry;
+ krb5_principal realm_princ = NULL;
+ gchar *princ_name = NULL;
+ gchar *netbios_name = NULL;
+ krb5_data *name_data;
+
+ code = krb5_init_context (&ctx);
+ if (code != 0) {
+ return NULL;
+ }
+
+ princ_name = g_strdup_printf ("user@%s", realm_name);
+ code = krb5_parse_name (ctx, princ_name, &realm_princ);
+ g_free (princ_name);
+
+ if (code == 0) {
+ code = krb5_kt_default (ctx, &keytab);
+ }
+
+ if (code == 0) {
+ code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
+ }
+
+ if (code == 0) {
+ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
+ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
+ name_data = krb5_princ_component (ctx, entry.principal, 0);
+ if (name_data != NULL
+ && name_data->length > 0
+ && name_data->data[name_data->length - 1] == '$') {
+ netbios_name = g_strndup (name_data->data, name_data->length - 1);
+ if (netbios_name == NULL) {
+ code = krb5_kt_free_entry (ctx, &entry);
+ warn_if_krb5_failed (ctx, code);
+ break;
+ }
+ }
+ }
+ code = krb5_kt_free_entry (ctx, &entry);
+ warn_if_krb5_failed (ctx, code);
+ }
+ }
+
+ code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
+ warn_if_krb5_failed (ctx, code);
+
+ code = krb5_kt_close (ctx, keytab);
+ warn_if_krb5_failed (ctx, code);
+
+ krb5_free_principal (ctx, realm_princ);
+
+ krb5_free_context (ctx);
+
+ return netbios_name;
+
+}
diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
index 0447e4d..58cfe07 100644
--- a/service/realm-kerberos.h
+++ b/service/realm-kerberos.h
@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self,
gboolean realm_kerberos_flush_keytab (const gchar *realm_name,
GError **error);
+gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
+
const gchar * realm_kerberos_get_name (RealmKerberos *self);
const gchar * realm_kerberos_get_realm_name (RealmKerberos *self);
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 76e7b79..f5edca3 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -85,7 +85,8 @@ static JoinClosure *
join_closure_init (GTask *task,
RealmDisco *disco,
GVariant *options,
- GDBusMethodInvocation *invocation)
+ GDBusMethodInvocation *invocation,
+ gboolean do_join)
{
JoinClosure *join;
gchar *workgroup;
@@ -93,6 +94,7 @@ join_closure_init (GTask *task,
int temp_fd;
const gchar *explicit_computer_name = NULL;
const gchar *authid = NULL;
+ gchar *name_from_keytab = NULL;
join = g_new0 (JoinClosure, 1);
join->disco = realm_disco_ref (disco);
@@ -106,6 +108,14 @@ join_closure_init (GTask *task,
else if (disco->explicit_netbios)
authid = disco->explicit_netbios;
+ /* try to get the NetBIOS name from the keytab while leaving the domain */
+ if (explicit_computer_name == NULL && !do_join) {
+ name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
+ if (name_from_keytab != NULL) {
+ authid = name_from_keytab;
+ }
+ }
+
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
"security", "ads",
@@ -151,6 +161,7 @@ join_closure_init (GTask *task,
g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ());
}
+ g_free (name_from_keytab);
return join;
}
@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
g_return_if_fail (cred != NULL);
task = g_task_new (NULL, NULL, callback, user_data);
- join = join_closure_init (task, disco, options, invocation);
+ join = join_closure_init (task, disco, options, invocation, TRUE);
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
if (explicit_computer_name != NULL) {
realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
JoinClosure *join;
task = g_task_new (NULL, NULL, callback, user_data);
- join = join_closure_init (task, disco, options, invocation);
+ join = join_closure_init (task, disco, options, invocation, FALSE);
switch (cred->type) {
case REALM_CREDENTIAL_PASSWORD:
--
2.17.1

32
0001-Fix-for-ini-config-test-issue.patch
View File

@ -1,32 +0,0 @@
From f2162c30155eb0d9f7475f583856a2675ad2c881 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 3 Jul 2020 17:18:13 +0200
Subject: [PATCH 1/4] Fix for ini-config test issue
Recently I came across some issues with the ini-config tests where the
test run into a deadlock and didn't finish. It looks it happens
somewhere in the glib inotify code and might be a timing issues because
I never saw the issue when running the tests with strace.
To get around the issue I added REALM_INI_NO_WATCH to not use the
inotify code for testing.
---
tests/test-ini-config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test-ini-config.c b/tests/test-ini-config.c
index 7799e13..854df88 100644
--- a/tests/test-ini-config.c
+++ b/tests/test-ini-config.c
@@ -29,7 +29,7 @@ static void
setup (Test *test,
gconstpointer unused)
{
- test->config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS);
+ test->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_LINE_CONTINUATIONS);
}
static void
--
2.26.2

37
0001-Fix-invalid-unrefs-on-realm_invocation_get_cancellab.patch
View File

@ -1,37 +0,0 @@
From 8b8b7bf8eb651c56d6e85101d9ff277155981cb3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 May 2016 14:42:46 +0200
Subject: [PATCH] Fix invalid unrefs on realm_invocation_get_cancellable()
retval
https://bugzilla.redhat.com/show_bug.cgi?id=1330766
Signed-off-by: Stef Walter <stefw@redhat.com>
---
service/realm-packages.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/service/realm-packages.c b/service/realm-packages.c
index 321921a..9a6984c 100644
--- a/service/realm-packages.c
+++ b/service/realm-packages.c
@@ -479,8 +479,6 @@ on_install_resolved (GObject *source,
packages_install_async (install->connection,
(const gchar **)package_ids, cancellable,
on_install_installed, g_object_ref (task));
- if (cancellable)
- g_object_unref (cancellable);
}
g_free (missing);
@@ -649,7 +647,6 @@ realm_packages_install_async (const gchar **package_sets,
cancellable = realm_invocation_get_cancellable (install->invocation);
packages_resolve_async (connection, (const gchar **)install->packages, cancellable,
on_install_resolved, g_object_ref (task));
- g_object_unref (cancellable);
}
g_object_unref (task);
--
2.5.5

42
0001-Fix-issues-found-by-Coverity.patch
View File

@ -1,42 +0,0 @@
From 1831748847715a13f0cc911a9a491eb8614d6682 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 14:09:48 +0200
Subject: [PATCH 1/3] Fix issues found by Coverity
---
service/realm-kerberos.c | 5 ++++-
service/realm-packages.c | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index d6d109f..252e256 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
if (name == NULL)
break;
value = va_arg (va, const gchar *);
- g_return_if_fail (value != NULL);
+ if (value == NULL) {
+ va_end (va);
+ g_return_if_reached ();
+ }
values[0] = g_variant_new_string (name);
values[1] = g_variant_new_string (value);
diff --git a/service/realm-packages.c b/service/realm-packages.c
index 9a6984c..5976439 100644
--- a/service/realm-packages.c
+++ b/service/realm-packages.c
@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
g_ptr_array_add (packages, NULL);
*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
} else {
- g_ptr_array_free (files, TRUE);
+ g_ptr_array_free (packages, TRUE);
}
if (result_files) {
--
2.17.1

24
0001-Fix-man-page-reference-in-systemd-service-file.patch
View File

@ -1,24 +0,0 @@
From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Jul 2016 19:06:29 +0200
Subject: [PATCH] Fix man page reference in systemd service file
---
dbus/realmd.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
index b3bcf7a..64c1090 100644
--- a/dbus/realmd.service.in
+++ b/dbus/realmd.service.in
@@ -1,6 +1,6 @@
[Unit]
Description=Realm and Domain Configuration
-Documentation=man:realmd(8)
+Documentation=man:realm(8)
[Service]
Type=dbus
--
2.7.4

62
0001-IPA-do-not-call-sssd-enable-logins.patch
View File

@ -1,62 +0,0 @@
From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Sep 2018 13:04:47 +0200
Subject: [PATCH] IPA: do not call sssd-enable-logins
It is expected that ipa-client-install will do all PAM and NSS
configuration. To avoid changing IPA default realmd will not try to
update the related configuration.
---
service/realm-sssd-ipa.c | 24 +-----------------------
1 file changed, 1 insertion(+), 23 deletions(-)
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 5029f6b..70f8b0e 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
g_free (enroll);
}
-static void
-on_enable_nss_done (GObject *source,
- GAsyncResult *result,
- gpointer user_data)
-{
- GTask *task = G_TASK (user_data);
- GError *error = NULL;
- gint status;
-
- status = realm_command_run_finish (result, NULL, &error);
- if (error == NULL && status != 0)
- g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
- _("Enabling SSSD in nsswitch.conf and PAM failed."));
- if (error != NULL)
- g_task_return_error (task, error);
- else
- g_task_return_boolean (task, TRUE);
- g_object_unref (task);
-}
-
static void
on_restart_done (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
GTask *task = G_TASK (user_data);
- EnrollClosure *enroll = g_task_get_task_data (task);
RealmSssd *sssd = g_task_get_source_object (task);
GError *error = NULL;
realm_service_enable_and_restart_finish (result, &error);
if (error == NULL) {
realm_sssd_update_properties (sssd);
- realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
- on_enable_nss_done, g_object_ref (task));
+ g_task_return_boolean (task, TRUE);
} else {
g_task_return_error (task, error);
}
--
2.17.1

392
0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
View File

@ -1,392 +0,0 @@
From 2fa90caf4ad38541615446b80dbeaccd0d0e6a6f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 28 Oct 2020 13:40:03 +0100
Subject: [PATCH 1/7] Kerberos: add default_domain and udp_preference_limit
When joining an Active Directory domain realmd will set the
default_domain and udp_preference_limit in the Kerberos configuration to
avoid errors and make Kerberos handling in the AD domain more easy.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791016
---
doc/manual/realmd.conf.xml | 69 +++++++++++++++++++
service/Makefile.am | 2 +
service/realm-kerberos-config.c | 116 ++++++++++++++++++++++++++++++++
service/realm-kerberos-config.h | 35 ++++++++++
service/realm-samba.c | 12 ++++
service/realm-sssd-ad.c | 12 ++++
service/realmd-debian.conf | 1 +
service/realmd-defaults.conf | 1 +
service/realmd-redhat.conf | 1 +
service/realmd-suse.conf | 1 +
10 files changed, 250 insertions(+)
create mode 100644 service/realm-kerberos-config.c
create mode 100644 service/realm-kerberos-config.h
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 9062252..97d2e8d 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -304,6 +304,75 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
</refsect1>
+<refsect1 id="realmd-conf-paths">
+ <title>paths</title>
+
+ <para>These options should go in an <option>[paths]</option>
+ section of the <filename>/etc/realmd.conf</filename> file. Only
+ specify the settings you wish to override.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>krb5.conf</option></term>
+ <listitem>
+ <para>Path to the Kerberos configuration file, typically
+ <filename>/etc/krb5.conf</filename>. It can also be the path of
+ a file included by <filename>/etc/krb5.conf</filename>, e.g.
+ <filename>/etc/krb5.conf.d/realmd_settings</filename>, if the
+ file does not exist if will be created.</para>
+
+ <informalexample>
+<programlisting language="js">
+[paths]
+krb5.conf = /etc/krb5.conf.d/realmd_settings
+
+</programlisting>
+ </informalexample>
+
+ <para>When joining an Active Directory domain
+ <command>realmd</command> will set the
+ <option>default_realm</option> and
+ <option>udp_preference_limit</option> options in the Kerberos
+ configuration:</para>
+
+ <informalexample>
+<programlisting language="js">
+default_realm = DOMAIN.EXAMPLE.COM
+udp_preference_limit = 0
+
+</programlisting>
+ </informalexample>
+
+ <para>The <option>default_realm</option> option is e.g. needed
+ when trying to resolve enterprise principals and makes it more
+ convenient to request Kerberos tickets for users of the default
+ realm. Instead of specifying the whole principal just
+ <command>kinit username</command> can be used.</para>
+
+ <para>With <option>udp_preference_limit = 0</option> always TCP
+ will be used to send Kerberos request to domain controller. This
+ is useful in Active Directory environments because Kerberos will
+ typically switch to TCP after initially starting with UDP
+ because AD Kerberos tickets are often larger than UDP can handle.
+ Using TCP by default will avoid those extra UDP round trips.
+ Additionally it helps to avoid issues with password changes when
+ the DC does not reply soon enough and the client will send a
+ second UDP request. The DC might reply with a reply error to the
+ second request although the original password change request was
+ successful and the client will no know if the request was
+ successful or not. When using TCP this cannot happen because the
+ client will never send a second request but waits on the
+ connection until the server replies.</para>
+
+ <para>Please note that <command>realmd</command> will not remove
+ those options while leaving the domain since they are useful in
+ general. When joining a new domain <command>realmd</command>
+ will of course overwrite <option>default_realm</option>.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id="realmd-conf-specific-settings">
<title>Realm specific settings</title>
<para>These options should go in an section with the same name
diff --git a/service/Makefile.am b/service/Makefile.am
index 88ee780..031cd1d 100644
--- a/service/Makefile.am
+++ b/service/Makefile.am
@@ -57,6 +57,8 @@ realmd_SOURCES = \
service/realm-invocation.h \
service/realm-kerberos.c \
service/realm-kerberos.h \
+ service/realm-kerberos-config.c \
+ service/realm-kerberos-config.h \
service/realm-kerberos-membership.c \
service/realm-kerberos-membership.h \
service/realm-kerberos-provider.c \
diff --git a/service/realm-kerberos-config.c b/service/realm-kerberos-config.c
new file mode 100644
index 0000000..447a452
--- /dev/null
+++ b/service/realm-kerberos-config.c
@@ -0,0 +1,116 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2020 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#include "realm-ini-config.h"
+#include "realm-kerberos-config.h"
+#include "realm-settings.h"
+
+#include <string.h>
+
+RealmIniConfig *
+realm_kerberos_config_new_with_flags (RealmIniFlags flags,
+ GError **error)
+{
+ RealmIniConfig *config;
+ const gchar *filename;
+ GError *err = NULL;
+
+ config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS | flags);
+
+ filename = realm_settings_path ("krb5.conf");
+
+ realm_ini_config_read_file (config, filename, &err);
+
+ if (err != NULL) {
+ /* If the caller wants errors, then don't return an invalid samba config */
+ if (error) {
+ g_propagate_error (error, err);
+ g_object_unref (config);
+ config = NULL;
+
+ /* If the caller doesn't care, then warn but continue */
+ } else {
+ g_warning ("Couldn't load config file: %s: %s", filename,
+ err->message);
+ g_error_free (err);
+ }
+ }
+
+ return config;
+}
+
+RealmIniConfig *
+realm_kerberos_config_new (GError **error)
+{
+ return realm_kerberos_config_new_with_flags (REALM_INI_NONE, error);
+}
+
+gboolean
+configure_krb5_conf_for_domain (const gchar *realm, GError **error )
+{
+ RealmIniConfig *config;
+ gboolean res;
+ GFile *gfile;
+ GFileInfo *file_info = NULL;
+
+ config = realm_kerberos_config_new (error);
+ if (config == NULL) {
+ return FALSE;
+ }
+
+ /* When writing to a file glib will replace the original file with a
+ * new one. To make sure permissions and other attributes like e.g.
+ * SELinux labels stay the same this information is saved before the
+ * change and applied to the new file afterwards. */
+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
+ file_info = g_file_query_info (gfile, "*", 0, NULL, error);
+ g_object_unref (gfile);
+ if (*error != NULL) {
+ g_warning ("Couldn't load file attributes, "
+ "will continue without: %s: %s",
+ realm_ini_config_get_filename (config),
+ (*error)->message);
+ g_clear_error (error);
+ }
+
+ if (!realm_ini_config_begin_change (config, error)) {
+ g_object_unref (config);
+ return FALSE;
+ }
+
+ realm_ini_config_set (config, "libdefaults",
+ "default_realm", realm,
+ "udp_preference_limit", "0",
+ NULL);
+
+ res = realm_ini_config_finish_change (config, error);
+
+ if (file_info != NULL) {
+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
+ if (!g_file_set_attributes_from_info (gfile, file_info,
+ 0, NULL, error)) {
+ g_warning ("Couldn't set file attributes: %s: %s",
+ realm_ini_config_get_filename (config),
+ (*error)->message);
+ }
+ g_object_unref (file_info);
+ g_object_unref (gfile);
+ }
+
+ g_object_unref (config);
+
+ return res;
+}
diff --git a/service/realm-kerberos-config.h b/service/realm-kerberos-config.h
new file mode 100644
index 0000000..791aa98
--- /dev/null
+++ b/service/realm-kerberos-config.h
@@ -0,0 +1,35 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2020 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#ifndef __REALM_KERBEROS_CONFIG_H__
+#define __REALM_KERBEROS_CONFIG_H__
+
+#include <gio/gio.h>
+
+#include "realm-ini-config.h"
+
+
+RealmIniConfig * realm_kerberos_config_new (GError **error);
+
+RealmIniConfig * realm_kerberos_config_new_with_flags (RealmIniFlags flags,
+ GError **error);
+
+gboolean configure_krb5_conf_for_domain (const gchar *realm,
+ GError **error );
+
+G_END_DECLS
+
+#endif /* __REALM_KERBEROS_CONFIG_H__ */
diff --git a/service/realm-samba.c b/service/realm-samba.c
index fe33600..e7b80a0 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -21,6 +21,7 @@
#include "realm-disco.h"
#include "realm-errors.h"
#include "realm-kerberos.h"
+#include "realm-kerberos-config.h"
#include "realm-kerberos-membership.h"
#include "realm-options.h"
#include "realm-packages.h"
@@ -210,6 +211,17 @@ on_join_do_winbind (GObject *source,
NULL);
}
+ if (error == NULL) {
+ configure_krb5_conf_for_domain (enroll->disco->kerberos_realm, &error);
+ if (error != NULL) {
+ realm_diagnostics_error (enroll->invocation, error,
+ "Failed to update Kerberos "
+ "configuration, not fatal, "
+ "please check manually");
+ g_clear_error (&error);
+ }
+ }
+
if (error == NULL) {
name = realm_kerberos_get_name (REALM_KERBEROS (self));
realm_samba_winbind_configure_async (self->config, name, enroll->options,
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index de7ce30..6b2f9f8 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -19,6 +19,7 @@
#include "realm-dbus-constants.h"
#include "realm-diagnostics.h"
#include "realm-errors.h"
+#include "realm-kerberos-config.h"
#include "realm-kerberos-membership.h"
#include "realm-options.h"
#include "realm-packages.h"
@@ -256,6 +257,17 @@ on_join_do_sssd (GObject *source,
join->options, join->use_adcli, &error);
}
+ if (error == NULL) {
+ configure_krb5_conf_for_domain (join->disco->kerberos_realm, &error);
+ if (error != NULL) {
+ realm_diagnostics_error (join->invocation, error,
+ "Failed to update Kerberos "
+ "configuration, not fatal, "
+ "please check manually");
+ g_clear_error (&error);
+ }
+ }
+
if (error == NULL) {
realm_service_enable_and_restart ("sssd", join->invocation,
on_sssd_enable_nss, g_object_ref (task));
diff --git a/service/realmd-debian.conf b/service/realmd-debian.conf
index 3e93d60..6cfdcef 100644
--- a/service/realmd-debian.conf
+++ b/service/realmd-debian.conf
@@ -1,6 +1,7 @@
# Distro specific overrides for debian
[paths]
smb.conf = /etc/samba/smb.conf
+krb5.conf = /etc/krb5.conf
#
# Normally in these packages sections we can specify a file
diff --git a/service/realmd-defaults.conf b/service/realmd-defaults.conf
index 6d7ccf8..ac4b436 100644
--- a/service/realmd-defaults.conf
+++ b/service/realmd-defaults.conf
@@ -11,6 +11,7 @@ sssd.conf = /etc/sssd/sssd.conf
adcli = /usr/sbin/adcli
ipa-client-install = /usr/sbin/ipa-client-install
pam_winbind.conf = /etc/security/pam_winbind.conf
+krb5.conf = /etc/krb5.conf
[active-directory]
default-client = sssd
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index e39fad5..46e61b1 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -1,6 +1,7 @@
# Distro specific overrides for redhat
[paths]
smb.conf = /etc/samba/smb.conf
+krb5.conf = /etc/krb5.conf
[samba-packages]
samba-common-tools = /usr/bin/net
diff --git a/service/realmd-suse.conf b/service/realmd-suse.conf
index 052b4dc..3165efa 100644
--- a/service/realmd-suse.conf
+++ b/service/realmd-suse.conf
@@ -1,6 +1,7 @@
# Distro specific overrides for SuSE
[paths]
smb.conf = /etc/samba/smb.conf
+krb5.conf = /etc/krb5.conf
[samba-packages]
samba-client = /usr/bin/net
--
2.26.2

112
0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
View File

@ -1,112 +0,0 @@
From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Dec 2016 18:25:44 +0100
Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
---
service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
index 2b3a0f8..1477ae8 100644
--- a/service/realm-kerberos-provider.c
+++ b/service/realm-kerberos-provider.c
@@ -19,6 +19,7 @@
#include "realm-kerberos-provider.h"
#include <errno.h>
+#include <string.h>
struct _RealmKerberosProvider {
RealmProvider parent;
@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
}
+typedef struct {
+ gchar *name;
+ const char *prot;
+} NameProtPair;
+
+static void
+name_prot_pair_free (gpointer data)
+{
+ NameProtPair *name_prot_pair = data;
+ g_free (name_prot_pair->name);
+ g_free (name_prot_pair);
+}
+
static void
on_kerberos_discover (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
GTask *task = G_TASK (user_data);
- const gchar *domain = g_task_get_task_data (task);
+ NameProtPair *name_prot_pair = g_task_get_task_data (task);
GError *error = NULL;
RealmDisco *disco;
GList *targets;
+ GResolver *resolver;
targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
if (targets) {
g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
- disco = realm_disco_new (domain);
- disco->kerberos_realm = g_ascii_strup (domain, -1);
+ disco = realm_disco_new (name_prot_pair->name);
+ disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
g_task_return_pointer (task, disco, realm_disco_unref);
} else if (error) {
- g_debug ("Resolving %s failed: %s", domain, error->message);
+ g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
g_error_free (error);
- g_task_return_pointer (task, NULL, NULL);
+
+ if (strcmp (name_prot_pair->prot, "tcp") == 0) {
+ g_task_return_pointer (task, NULL, NULL);
+ } else {
+ /* Try tcp */
+ name_prot_pair->prot = "tcp";
+ resolver = g_resolver_get_default ();
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
+ name_prot_pair->name,
+ g_task_get_cancellable (task),
+ on_kerberos_discover, g_object_ref (task));
+ g_object_unref (resolver);
+ }
}
g_object_unref (task);
@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
GTask *task;
const gchar *software;
GResolver *resolver;
- gchar *name;
+ NameProtPair *name_prot_pair;
task = g_task_new (provider, NULL, callback, user_data);
@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- name = g_hostname_to_ascii (string);
+ name_prot_pair = g_new0 (NameProtPair, 1);
+ name_prot_pair->name = g_hostname_to_ascii (string);
+ name_prot_pair->prot = "udp";
resolver = g_resolver_get_default ();
- g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
+ name_prot_pair->name,
realm_invocation_get_cancellable (invocation),
on_kerberos_discover, g_object_ref (task));
- g_task_set_task_data (task, name, g_free);
+ g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
g_object_unref (resolver);
}
--
2.9.3

41
0001-LDAP-don-t-close-LDAP-socket-twice.patch
View File

@ -1,41 +0,0 @@
From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 25 Nov 2016 17:35:11 +0100
Subject: [PATCH] LDAP: don't close LDAP socket twice
ldap_destroy() will call close() on the LDAP socket so with an explicit
close() before the file descriptor will be closed twice. Even worse,
since the file descriptor can be reused after the explicit call of
close() by any other thread the close() called from ldap_destroy() might
close a file descriptor used by a different thread as seen e.g. in
https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
Additionally the patch makes sure that the closed connection cannot be
used again.
https://bugzilla.redhat.com/show_bug.cgi?id=1398522
---
service/realm-ldap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 061ed61..59817fb 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
{
LdapSource *ls = (LdapSource *)source;
- /* Yeah, this is pretty rough, but we don't want blocking here */
- close (ls->sock);
ldap_destroy (ls->ldap);
+ ls->sock = -1;
+ ls->ldap = NULL;
+
if (ls->cancellable) {
g_cancellable_release_fd (ls->cancellable);
g_object_unref (ls->cancellable);
--
2.9.3

252
0001-Remove-support-for-deprecated-gtester-format.patch
View File

@ -1,252 +0,0 @@
From 5ae42c176e7bb550fc6cf10f29e75f58c733ae4f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 2 Aug 2019 12:10:43 +0200
Subject: [PATCH] Remove support for deprecated gtester format
Support for the already deprecated gtester format was remove from recent
versions of glib2 but the test still call the tab-gtester conversion
tool.
This patch removes tab-gtester and the tab format is used directly.
Related to https://gitlab.freedesktop.org/realmd/realmd/issues/21
---
Makefile.am | 3 +-
build/tap-gtester | 204 ----------------------------------------------
2 files changed, 1 insertion(+), 206 deletions(-)
delete mode 100755 build/tap-gtester
diff --git a/Makefile.am b/Makefile.am
index 27e3494..4ffd5b4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -161,7 +161,7 @@ endif
#
LOG_DRIVER = $(top_srcdir)/build/tap-driver
-LOG_COMPILER = $(top_srcdir)/build/tap-gtester
+LOG_COMPILER = sh -c '"$$0" "$$@" --tap'
VALGRIND_ARGS = --trace-children=no --quiet --error-exitcode=33 \
--suppressions=valgrind-suppressions --gen-suppressions=all \
@@ -183,7 +183,6 @@ recheck-memory: valgrind-suppressions
EXTRA_DIST += \
$(LOG_DRIVER) \
- $(LOG_COMPILER) \
$(VALGRIND_SUPPRESSIONS) \
$(NULL)
diff --git a/build/tap-gtester b/build/tap-gtester
deleted file mode 100755
index bbda266..0000000
--- a/build/tap-gtester
+++ /dev/null
@@ -1,204 +0,0 @@
-#!/usr/bin/python3
-# This can also be run with Python 2.
-
-# Copyright (C) 2014 Red Hat, Inc.
-#
-# Cockpit is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-#
-# Cockpit is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public License
-# along with Cockpit; If not, see <http://www.gnu.org/licenses/>.
-
-#
-# This is a test output compiler which produces TAP from GTest output
-# if GTest output is detected.
-#
-# Versions of glib later than 2.38.x output TAP natively when tests are
-# run with the --tap option. However we can't depend on such a recent
-# version of glib for our purposes.
-#
-# This implements the Test Anything Protocol (ie: TAP)
-# https://metacpan.org/pod/release/PETDANCE/Test-Harness-2.64/lib/Test/Harness/TAP.pod
-#
-
-import argparse
-import os
-import select
-import signal
-import subprocess
-import sys
-
-# Yes, it's dumb, but strsignal is not exposed in python
-# In addition signal numbers varify heavily from arch to arch
-def strsignal(sig):
- for name in dir(signal):
- if name.startswith("SIG") and sig == getattr(signal, name):
- return name
- return str(sig)
-
-
-class NullCompiler:
- def __init__(self, command):
- self.command = command
-
- def input(self, line):
- sys.stdout.write(line)
-
- def process(self, proc):
- while True:
- line = proc.stdout.readline()
- if not line:
- break
- self.input(line)
- proc.wait()
- return proc.returncode
-
- def run(self, proc, line=None):
- if line:
- self.input(line)
- return self.process(proc)
-
-
-class GTestCompiler(NullCompiler):
- def __init__(self, filename):
- NullCompiler.__init__(self, filename)
- self.test_num = 0
- self.test_name = None
- self.test_remaining = []
-
- def input(self, line):
- line = line.strip()
- if line.startswith("GTest: "):
- (cmd, unused, data) = line[7:].partition(": ")
- cmd = cmd.strip()
- data = data.strip()
- if cmd == "run":
- self.test_name = data
- assert self.test_name in self.test_remaining, "%s %s" % (self.test_name, repr(self.test_remaining))
- self.test_remaining.remove(self.test_name)
- self.test_num += 1
- elif cmd == "result":
- if self.test_name:
- if data == "OK":
- print("ok %d %s" % (self.test_num, self.test_name))
- if data == "FAIL":
- print("not ok %d %s" % (self.test_num, self.test_name))
- self.test_name = None
- elif cmd == "skipping":
- if "/subprocess" not in data:
- print("ok %d # skip -- %s" % (self.test_num, data))
- self.test_name = None
- elif data:
- print("# %s: %s" % (cmd, data))
- else:
- print("# %s" % cmd)
- elif line.startswith("(MSG: "):
- print("# %s" % line[6:-1])
- elif line:
- print("# %s" % line)
- sys.stdout.flush()
-
- def run(self, proc, output=""):
- # Complete retrieval of the list of tests
- output += proc.stdout.read()
- proc.wait()
- if proc.returncode:
- sys.stderr.write("tap-gtester: listing GTest tests failed: %d\n" % proc.returncode)
- return proc.returncode
- self.test_remaining = []
- for line in output.split("\n"):
- if line.startswith("/"):
- self.test_remaining.append(line.strip())
- if not self.test_remaining:
- print("Bail out! No tests found in GTest: %s" % self.command[0])
- return 0
-
- print("1..%d" % len(self.test_remaining))
-
- # First try to run all the tests in a batch
- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
- stdout=subprocess.PIPE, universal_newlines=True)
- result = self.process(proc)
- if result == 0:
- return 0
-
- if result < 0:
- sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
-
- # Now pick up any stragglers due to failures
- while True:
- # Assume that the last test failed
- if self.test_name:
- print("not ok %d %s" % (self.test_num, self.test_name))
- self.test_name = None
-
- # Run any tests which didn't get run
- if not self.test_remaining:
- break
-
- proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
- close_fds=True, stdout=subprocess.PIPE,
- universal_newlines=True)
- result = self.process(proc)
-
- # The various exit codes and signals we continue for
- if result not in [ 0, 1, -4, -5, -6, -7, -8, -11, 33 ]:
- break
-
- return result
-
-def main(argv):
- parser = argparse.ArgumentParser(description='Automake TAP compiler',
- usage="tap-gtester [--format FORMAT] command ...")
- parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
- default="auto", help='The input format to compile')
- parser.add_argument('--verbose', action='store_true',
- default=True, help='Verbose mode (ignored)')
- parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
- args = parser.parse_args(argv[1:])
-
- output = None
- format = args.format
- cmd = args.command
- if not cmd:
- sys.stderr.write("tap-gtester: specify a command to run\n")
- return 2
- if cmd[0] == '--':
- cmd.pop(0)
-
- proc = None
-
- os.environ['HARNESS_ACTIVE'] = '1'
-
- if format in ["auto", "gtest"]:
- list_cmd = cmd + ["-l", "--verbose"]
- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
- universal_newlines=True)
- output = proc.stdout.readline()
- # Smell whether we're dealing with GTest list output from first line
- if "random seed" in output or "GTest" in output or output.startswith("/"):
- format = "gtest"
- else:
- format = "tap"
- else:
- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
- universal_newlines=True)
-
- if format == "gtest":
- compiler = GTestCompiler(cmd)
- elif format == "tap":
- compiler = NullCompiler(cmd)
- else:
- assert False, "not reached"
-
- return compiler.run(proc, output)
-
-if __name__ == "__main__":
- sys.exit(main(sys.argv))
--
2.21.0

47
0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch
View File

@ -1,47 +0,0 @@
From fa6dd59c5eaabc8c7e540f2aa2ded6f785de0a13 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 20 Feb 2019 11:12:04 -0800
Subject: [PATCH] Set 'NEWEST' flag when resolving packages with PackageKit
When resolving package names via PackageKit, realmd does not set
the PK_FILTER_ENUM_NEWEST flag that asks PK to only give the
*newest available* package for each package name. So if there
are three different versions of the package available in three
repositories, realmd winds up producing an array containing the
package IDs for all three of those packages and calling
InstallPackages on all of them. I don't know if PK's behaviour
in this case is defined or predictable, but in practice in at
least one case it reliably results in one of the older package
versions being installed.
This does not seem desirable, we should always want to install
the newest available version. So let's set the NEWEST flag to
ensure this.
A possible consequence here is that, if a newer version of the
package is not installable but an older version is, we will now
fail where previously we did not. But even in that case I don't
know if we would *reliably* succeed before, and silently
installing an older version still doesn't necessarily seem like
the right thing to do.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
service/realm-packages.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/service/realm-packages.c b/service/realm-packages.c
index 5976439..0309c57 100644
--- a/service/realm-packages.c
+++ b/service/realm-packages.c
@@ -343,6 +343,7 @@ packages_resolve_async (GDBusConnection *connection,
gpointer user_data)
{
guint64 flags = 1 << 18 /* PK_FILTER_ENUM_ARCH */;
+ flags |= 1 << 16 /* PK_FILTER_ENUM_NEWEST */;
package_transaction_create ("Resolve", g_variant_new ("(t^as)", flags, package_names),
connection, cancellable, callback, user_data);
}
--
2.20.1

185
0001-Use-current-idmap-options-for-smb.conf.patch
View File

@ -1,185 +0,0 @@
From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 30 May 2018 13:10:57 +0200
Subject: [PATCH] Use current idmap options for smb.conf
Samba change some time ago the way how to configure id-mapping. With
this patch realmd will use the current supported options when creating
smb.conf.
A new option --legacy-samba-config is added to use the old options if
realmd is used with Samba 3.5 or earlier.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
---
dbus/realm-dbus-constants.h | 1 +
doc/manual/realmd.conf.xml | 17 ++++++++++++
service/realm-samba-enroll.c | 2 +-
service/realm-samba-enroll.h | 3 +++
service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
5 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index 9cd30ef..40ffa2d 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -69,6 +69,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name"
#define REALM_DBUS_OPTION_OS_NAME "os-name"
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
+#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 7853230..a2b577c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -192,6 +192,23 @@ automatic-install = no
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>legacy-samba-config</option></term>
+ <listitem>
+ <para>Set this to <parameter>yes</parameter> to create a Samba
+ configuration file with id-mapping options used by Samba-3.5
+ and earlier version.</para>
+
+ <informalexample>
+<programlisting language="js">
+[service]
+legacy-samba-config = no
+# legacy-samba-config = yes
+</programlisting>
+ </informalexample>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index c81aed2..76e7b79 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
g_free (join);
}
-static gchar *
+gchar *
fallback_workgroup (const gchar *realm)
{
const gchar *pos;
diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
index 84e8b2f..310ec65 100644
--- a/service/realm-samba-enroll.h
+++ b/service/realm-samba-enroll.h
@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco,
gboolean realm_samba_enroll_leave_finish (GAsyncResult *result,
GError **error);
+gchar *
+fallback_workgroup (const gchar *realm);
+
G_END_DECLS
#endif /* __REALM_SAMBA_ENROLL_H__ */
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index a7ddec3..9335e26 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -21,8 +21,10 @@
#include "realm-options.h"
#include "realm-samba-config.h"
#include "realm-samba-winbind.h"
+#include "realm-samba-enroll.h"
#include "realm-settings.h"
#include "realm-service.h"
+#include "dbus/realm-dbus-constants.h"
#include <glib/gstdio.h>
@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
RealmIniConfig *pwc;
GTask *task;
GError *error = NULL;
+ gchar *workgroup = NULL;
+ gchar *idmap_config_backend = NULL;
+ gchar *idmap_config_range = NULL;
+ gchar *idmap_config_schema_mode = NULL;
g_return_if_fail (config != NULL);
g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
"template shell", realm_settings_string ("users", "default-shell"),
NULL);
- if (realm_options_automatic_mapping (options, domain_name)) {
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
- "idmap uid", "10000-2000000",
- "idmap gid", "10000-2000000",
- "idmap backend", "tdb",
- "idmap schema", NULL,
- NULL);
+ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
+ if (realm_options_automatic_mapping (options, domain_name)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "10000-2000000",
+ "idmap gid", "10000-2000000",
+ "idmap backend", "tdb",
+ "idmap schema", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "500-4294967296",
+ "idmap gid", "500-4294967296",
+ "idmap backend", "ad",
+ "idmap schema", "rfc2307",
+ NULL);
+ }
} else {
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
- "idmap uid", "500-4294967296",
- "idmap gid", "500-4294967296",
- "idmap backend", "ad",
- "idmap schema", "rfc2307",
- NULL);
+ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
+ if (workgroup == NULL) {
+ workgroup = fallback_workgroup (domain_name);
+ }
+ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ g_free (workgroup);
+
+ if (realm_options_automatic_mapping (options, domain_name)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap config * : backend", "tdb",
+ "idmap config * : range", "10000-999999",
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap config * : backend", "tdb",
+ "idmap config * : range", "10000000-10999999",
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
+ NULL);
+ }
}
realm_ini_config_finish_change (config, &error);
+ g_free (idmap_config_backend);
+ g_free (idmap_config_range);
}
/* Setup pam_winbind.conf with decent defaults matching our expectations */
--
2.14.4

158
0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
View File

@ -1,158 +0,0 @@
From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 6 Feb 2017 12:25:52 +0100
Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual
page
And clean up the documentation for the various arguments.
---
doc/manual/realm.xml | 70 +++++++++++++++++++++++---------------------
1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 6724d80..9d9136a 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -60,7 +60,7 @@
<variablelist>
<varlistentry>
- <term><option>--install=/path</option></term>
+ <term><option>-i</option>, <option>--install=/path</option></term>
<listitem><para>Run in install mode. This makes realmd
chroot into the specified directory and place files in
appropriate locations for use during an installer. No
@@ -73,7 +73,7 @@
for input.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--verbose, -v</option></term>
+ <term><option>-v</option>, <option>--verbose</option></term>
<listitem><para>Display verbose diagnostics while doing
running commands.</para></listitem>
</varlistentry>
@@ -105,7 +105,7 @@ $ realm discover domain.example.com
<variablelist>
<varlistentry>
- <term><option>--all</option></term>
+ <term><option>-a</option>, <option>--all</option></term>
<listitem><para>Show all discovered realms (in various
configurations).</para></listitem>
</varlistentry>
@@ -116,6 +116,10 @@ $ realm discover domain.example.com
<replaceable>sssd</replaceable> or
<replaceable>winbind</replaceable>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-n</option>, <option>--name</option></term>
+ <listitem><para>Only show the names of the discovered realms.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--server-software=xxx</option></term>
<listitem><para>Only discover realms which run the
@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
in the domain already.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user=xxx</option></term>
- <listitem><para>The user name to be used to authenticate
- with when joining the machine to the realm. You will
- be prompted for a password.</para></listitem>
+ <term><option>--client-software=xxx</option></term>
+ <listitem><para>Only join realms for which we can
+ use the given client software. Possible values include
+ <replaceable>sssd</replaceable> or
+ <replaceable>winbind</replaceable>. Not all values are
+ supported for all realms. By default the client software
+ is automatically selected.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--computer-ou=OU=xxx</option></term>
@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
DSE portion of distinguished name. This is an Active
Directory specific option.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--membership-software=xxx</option></term>
+ <listitem><para>The software to use when joining to the
+ realm. Possible values include <replaceable>samba</replaceable> or
+ <replaceable>adcli</replaceable>. Not all values are
+ supported for all realms. By default the membership software
+ is automatically selected.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Perform the join automatically without
@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
all types of realms.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--client-software=xxx</option></term>
- <listitem><para>Only join realms for which we can
- use the given client software. Possible values include
- <replaceable>sssd</replaceable> or
- <replaceable>winbind</replaceable>. Not all values are
- supported for all realms. By default the client software
- is automatically selected.</para></listitem>
+ <term><option>--os-name=xxx</option></term>
+ <listitem><para>The name of the operation system of the
+ client. When joining an AD domain the value is store in
+ the matching AD attribute.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--os-version=xxx</option></term>
+ <listitem><para>The version of the operation system of the
+ client. When joining an AD domain the value is store in
+ the matching AD attribute.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--server-software=xxx</option></term>
@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
<replaceable>ipa</replaceable>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--membership-software=xxx</option></term>
- <listitem><para>The software to use when joining to the
- realm. Possible values include <replaceable>samba</replaceable> or
- <replaceable>adcli</replaceable>. Not all values are
- supported for all realms. By default the membership software
- is automatically selected.</para></listitem>
+ <term><option>-U</option>, <option>--user=xxx</option></term>
+ <listitem><para>The user name to be used to authenticate
+ with when joining the machine to the realm. You will
+ be prompted for a password.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
principal besides the AD default user principal can be
set.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--os-name=xxx</option></term>
- <listitem><para>The name of the operation system of the
- client. When joining an AD domain the value is store in
- the matching AD attribute.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><option>--os-version=xxx</option></term>
- <listitem><para>The version of the operation system of the
- client. When joining an AD domain the value is store in
- the matching AD attribute.</para></listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -300,7 +304,7 @@ $ realm leave domain.example.com
for a pasword.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user</option></term>
+ <term><option>-U</option>, <option>--user</option></term>
<listitem><para>The user name to be used to authenticate
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
--
2.26.2

1500
0001-doc-make-sure-cross-reference-ids-are-predictable.patch
View File

File diff suppressed because it is too large Load Diff

96
0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
View File

@ -1,96 +0,0 @@
From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Fri, 28 Oct 2016 20:27:48 +0200
Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
After adding a domain to sssd.conf add the nss and pam services
to the [sssd] block.
https://bugs.freedesktop.org/show_bug.cgi?id=98479
---
service/realm-sssd-ad.c | 3 +++
service/realm-sssd-config.c | 2 --
service/realm-sssd-ipa.c | 3 +++
tests/test-sssd-config.c | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 5ed384d..5fa81ce 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
gboolean use_adcli,
GError **error)
{
+ const gchar *services[] = { "nss", "pam", NULL };
GString *realmd_tags;
const gchar *access_provider;
const gchar *shell;
@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
"ldap_sasl_authid", authid,
NULL);
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+
g_free (authid);
g_string_free (realmd_tags, TRUE);
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
index 2096afd..d4398b9 100644
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
g_strfreev (already);
/* Setup a default sssd section */
- if (!realm_ini_config_have (config, "section", "services"))
- realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index b12136e..001870d 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
+ const gchar *services[] = { "nss", "pam", NULL };
GTask *task = G_TASK (user_data);
EnrollClosure *enroll = g_task_get_task_data (task);
RealmSssd *sssd = g_task_get_source_object (task);
@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
"realmd_tags", realmd_tags,
NULL);
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+
g_free (home);
}
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 59eab75..892b9d5 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -140,7 +140,7 @@ static void
test_add_domain_only (Test *test,
gconstpointer unused)
{
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
--
2.9.3

98
0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
View File

@ -1,98 +0,0 @@
From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 25 Apr 2017 07:20:17 +0200
Subject: [PATCH] service: Add "pam" and "nss" services in
realm_sssd_config_add_domain()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
realm_sssd_config_add_domain() must setup the services line in sssd.conf
otherwise SSSD won't be able to start any of its services.
It's a regression caused by 402cbab which leaves SSSD with no services
line when joining to an ad client doing "realm join ad.example".
https://bugs.freedesktop.org/show_bug.cgi?id=98479
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
service/realm-sssd-ad.c | 3 ++-
service/realm-sssd-config.c | 2 ++
service/realm-sssd-ipa.c | 3 ++-
tests/test-sssd-config.c | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 5fa81ce..8543ca8 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
"ldap_sasl_authid", authid,
NULL);
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ if (ret)
+ ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
g_free (authid);
g_string_free (realmd_tags, TRUE);
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
index d4398b9..140d7dc 100644
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
gchar **already;
gboolean ret;
gchar *section;
+ const gchar *services[] = { "nss", "pam", NULL };
va_list va;
gint i;
@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
g_strfreev (already);
/* Setup a default sssd section */
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 001870d..ff1dc8a 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
"realmd_tags", realmd_tags,
NULL);
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ if (error == NULL)
+ realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
g_free (home);
}
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 892b9d5..59eab75 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -140,7 +140,7 @@ static void
test_add_domain_only (Test *test,
gconstpointer unused)
{
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
--
2.9.3

36
0001-switch-to-authselect.patch
View File

@ -1,36 +0,0 @@
From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 19 Feb 2018 11:51:06 +0100
Subject: [PATCH] switch to authselect
---
service/realmd-redhat.conf | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
freeipa-client = /usr/sbin/ipa-client-install
[commands]
-winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
winbind-enable-service = /usr/bin/systemctl enable winbind.service
winbind-disable-service = /usr/bin/systemctl disable winbind.service
winbind-restart-service = /usr/bin/systemctl restart winbind.service
winbind-stop-service = /usr/bin/systemctl stop winbind.service
-sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
sssd-enable-service = /usr/bin/systemctl enable sssd.service
sssd-disable-service = /usr/bin/systemctl disable sssd.service
sssd-restart-service = /usr/bin/systemctl restart sssd.service
--
2.9.3

82
0001-tests-ignore-order-in-test_update_domain.patch
View File

@ -1,82 +0,0 @@
From b6753bd048b4012b11d60c094d1ab6ca181ee50d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 21 Feb 2019 21:16:26 +0100
Subject: [PATCH] tests: ignore order in test_update_domain
Individual options of a domain or in general for a section in an ini
file are stored by realmd in a hash table. When writing out the ini file
the options can show up in any order and the unit tests should be aware
of it.
Resolves: https://gitlab.freedesktop.org/realmd/realmd/issues/19
---
tests/test-sssd-config.c | 41 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 59eab75..8f3fec5 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -163,12 +163,49 @@ test_add_domain_only (Test *test,
g_free (output);
}
+static void check_for_test_update_domain (char *new)
+{
+ char *token;
+ char *saveptr;
+ size_t c;
+ int result = 0;
+
+ token = strtok_r (new, "\n", &saveptr);
+ g_assert_nonnull (token);
+ g_assert_cmpstr (token, ==, "[domain/one]");
+
+ for (c = 0; c < 3; c++) {
+ token = strtok_r (NULL, "\n", &saveptr);
+ g_assert_nonnull (token);
+ if (strcmp (token, "val=1") == 0) {
+ result += 1;
+ } else if (strcmp (token, "uno = 1") == 0) {
+ result += 2;
+ } else if (strcmp (token, "eins = one") == 0) {
+ result += 4;
+ } else {
+ g_assert_not_reached ();
+ }
+ }
+ g_assert_cmpint (result, ==, 7);
+
+ token = strtok_r (NULL, "\n", &saveptr);
+ g_assert_nonnull (token);
+ g_assert_cmpstr (token, ==, "[sssd]");
+
+ token = strtok_r (NULL, "\n", &saveptr);
+ g_assert_nonnull (token);
+ g_assert_cmpstr (token, ==, "domains=one");
+
+ token = strtok_r (NULL, "\n", &saveptr);
+ g_assert_null (token);
+}
+
static void
test_update_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\nuno = 1\neins = one\n[sssd]\ndomains=one";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -190,7 +227,7 @@ test_update_domain (Test *test,
g_assert_no_error (error);
g_assert (ret == TRUE);
- g_assert_cmpstr (check, ==, output);
+ check_for_test_update_domain (output);
g_free (output);
}
--
2.20.1

374
0001-tests-run-tests-with-python3.patch
View File

@ -1,374 +0,0 @@
From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 4 Jul 2018 16:41:16 +0200
Subject: [PATCH] tests: run tests with python3
To allow the test to run with python3 build/tap-driver and
build/tap-gtester are updated to the latest version provided by the
cockpit project https://github.com/cockpit-project/cockpit.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
---
build/tap-driver | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
build/tap-gtester | 59 ++++++++++++++++++++++---------
2 files changed, 125 insertions(+), 38 deletions(-)
diff --git a/build/tap-driver b/build/tap-driver
index 42f57c8..241fd50 100755
--- a/build/tap-driver
+++ b/build/tap-driver
@@ -1,4 +1,5 @@
-#!/usr/bin/python
+#!/usr/bin/python3
+# This can also be run with Python 2.
# Copyright (C) 2013 Red Hat, Inc.
#
@@ -29,20 +30,58 @@
#
import argparse
+import fcntl
import os
import select
+import struct
import subprocess
import sys
+import termios
+import errno
+
+_PY3 = sys.version[0] >= '3'
+_str = _PY3 and str or unicode
+
+def out(data, stream=None, flush=False):
+ if not isinstance(data, bytes):
+ data = data.encode("UTF-8")
+ if not stream:
+ stream = _PY3 and sys.stdout.buffer or sys.stdout
+ while True:
+ try:
+ if data:
+ stream.write(data)
+ data = None
+ if flush:
+ stream.flush()
+ flush = False
+ break
+ except IOError as e:
+ if e.errno == errno.EAGAIN:
+ continue
+ raise
+
+def terminal_width():
+ try:
+ h, w, hp, wp = struct.unpack('HHHH',
+ fcntl.ioctl(1, termios.TIOCGWINSZ,
+ struct.pack('HHHH', 0, 0, 0, 0)))
+ return w
+ except IOError as e:
+ if e.errno != errno.ENOTTY:
+ sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
+ return sys.maxsize
class Driver:
def __init__(self, args):
self.argv = args.command
self.test_name = args.test_name
- self.log = open(args.log_file, "w")
- self.log.write("# %s\n" % " ".join(sys.argv))
+ self.log = open(args.log_file, "wb")
+ self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
self.trs = open(args.trs_file, "w")
self.color_tests = args.color_tests
self.expect_failure = args.expect_failure
+ self.width = terminal_width() - 9
def report(self, code, *args):
CODES = {
@@ -57,17 +96,18 @@ class Driver:
# Print out to console
if self.color_tests:
if code in CODES:
- sys.stdout.write(CODES[code])
- sys.stdout.write(code)
+ out(CODES[code])
+ out(code)
if self.color_tests:
- sys.stdout.write('\x1b[m')
- sys.stdout.write(": ")
- sys.stdout.write(self.test_name)
- sys.stdout.write(" ")
- for arg in args:
- sys.stdout.write(str(arg))
- sys.stdout.write("\n")
- sys.stdout.flush()
+ out('\x1b[m')
+ out(": ")
+ msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
+ if code == "PASS" and len(msg) > self.width:
+ out(msg[:self.width])
+ out("...")
+ else:
+ out(msg)
+ out("\n", flush=True)
# Book keeping
if code in CODES:
@@ -100,12 +140,14 @@ class Driver:
def execute(self):
try:
proc = subprocess.Popen(self.argv, close_fds=True,
+ stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
- except OSError, ex:
+ except OSError as ex:
self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
return
+ proc.stdin.close()
outf = proc.stdout.fileno()
errf = proc.stderr.fileno()
rset = [outf, errf]
@@ -113,18 +155,25 @@ class Driver:
ret = select.select(rset, [], [], 10)
if outf in ret[0]:
data = os.read(outf, 1024)
- if data == "":
+ if data == b"":
rset.remove(outf)
self.log.write(data)
self.process(data)
if errf in ret[0]:
data = os.read(errf, 1024)
- if data == "":
+ if data == b"":
rset.remove(errf)
self.log.write(data)
- sys.stderr.write(data)
+ stream = _PY3 and sys.stderr.buffer or sys.stderr
+ out(data, stream=stream, flush=True)
proc.wait()
+
+ # Make sure the test didn't change blocking output
+ assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+ assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+ assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+
return proc.returncode
@@ -137,6 +186,7 @@ class TapDriver(Driver):
self.late_plan = False
self.errored = False
self.bail_out = False
+ self.skip_all_reason = None
def report(self, code, num, *args):
if num:
@@ -170,13 +220,19 @@ class TapDriver(Driver):
else:
self.result_fail(num, description)
- def consume_test_plan(self, first, last):
+ def consume_test_plan(self, line):
# Only one test plan is supported
if self.test_plan:
self.report_error("Get a second TAP test plan")
return
+ if line.lower().startswith('1..0 # skip'):
+ self.skip_all_reason = line[5:].strip()
+ self.bail_out = True
+ return
+
try:
+ (first, unused, last) = line.partition("..")
first = int(first)
last = int(last)
except ValueError:
@@ -192,7 +248,7 @@ class TapDriver(Driver):
def process(self, output):
if output:
- self.output += output
+ self.output += output.decode("UTF-8")
elif self.output:
self.output += "\n"
(ready, unused, self.output) = self.output.rpartition("\n")
@@ -202,8 +258,7 @@ class TapDriver(Driver):
elif line.startswith("not ok "):
self.consume_test_line(False, line[7:])
elif line and line[0].isdigit() and ".." in line:
- (first, unused, last) = line.partition("..")
- self.consume_test_plan(first, last)
+ self.consume_test_plan(line)
elif line.lower().startswith("bail out!"):
self.consume_bail_out(line)
@@ -213,6 +268,13 @@ class TapDriver(Driver):
failed = False
skipped = True
+ if self.skip_all_reason is not None:
+ self.result_skip("skipping:", self.skip_all_reason)
+ self.trs.write(":global-test-result: SKIP\n")
+ self.trs.write(":test-global-result: SKIP\n")
+ self.trs.write(":recheck: no\n")
+ return 0
+
# Basic collation of results
for (num, code) in self.reported.items():
if code == "ERROR":
diff --git a/build/tap-gtester b/build/tap-gtester
index 7e667d4..bbda266 100755
--- a/build/tap-gtester
+++ b/build/tap-gtester
@@ -1,4 +1,5 @@
-#!/usr/bin/python
+#!/usr/bin/python3
+# This can also be run with Python 2.
# Copyright (C) 2014 Red Hat, Inc.
#
@@ -30,9 +31,19 @@
import argparse
import os
import select
+import signal
import subprocess
import sys
+# Yes, it's dumb, but strsignal is not exposed in python
+# In addition signal numbers varify heavily from arch to arch
+def strsignal(sig):
+ for name in dir(signal):
+ if name.startswith("SIG") and sig == getattr(signal, name):
+ return name
+ return str(sig)
+
+
class NullCompiler:
def __init__(self, command):
self.command = command
@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
elif cmd == "result":
if self.test_name:
if data == "OK":
- print "ok %d %s" % (self.test_num, self.test_name)
+ print("ok %d %s" % (self.test_num, self.test_name))
if data == "FAIL":
- print "not ok %d %s", (self.test_num, self.test_name)
+ print("not ok %d %s" % (self.test_num, self.test_name))
self.test_name = None
elif cmd == "skipping":
if "/subprocess" not in data:
- print "ok %d # skip -- %s" % (self.test_num, data)
+ print("ok %d # skip -- %s" % (self.test_num, data))
self.test_name = None
elif data:
- print "# %s: %s" % (cmd, data)
+ print("# %s: %s" % (cmd, data))
else:
- print "# %s" % cmd
+ print("# %s" % cmd)
elif line.startswith("(MSG: "):
- print "# %s" % line[6:-1]
+ print("# %s" % line[6:-1])
elif line:
- print "# %s" % line
+ print("# %s" % line)
sys.stdout.flush()
def run(self, proc, output=""):
@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
if line.startswith("/"):
self.test_remaining.append(line.strip())
if not self.test_remaining:
- print "Bail out! No tests found in GTest: %s" % self.command[0]
+ print("Bail out! No tests found in GTest: %s" % self.command[0])
return 0
- print "1..%d" % len(self.test_remaining)
+ print("1..%d" % len(self.test_remaining))
# First try to run all the tests in a batch
- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
+ stdout=subprocess.PIPE, universal_newlines=True)
result = self.process(proc)
if result == 0:
return 0
+ if result < 0:
+ sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
+
# Now pick up any stragglers due to failures
while True:
# Assume that the last test failed
if self.test_name:
- print "not ok %d %s" % (self.test_num, self.test_name)
+ print("not ok %d %s" % (self.test_num, self.test_name))
self.test_name = None
# Run any tests which didn't get run
@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
break
proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
- close_fds=True, stdout=subprocess.PIPE)
+ close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
result = self.process(proc)
# The various exit codes and signals we continue for
@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
return result
def main(argv):
- parser = argparse.ArgumentParser(description='Automake TAP compiler')
+ parser = argparse.ArgumentParser(description='Automake TAP compiler',
+ usage="tap-gtester [--format FORMAT] command ...")
parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
default="auto", help='The input format to compile')
parser.add_argument('--verbose', action='store_true',
default=True, help='Verbose mode (ignored)')
- parser.add_argument('command', nargs='+', help="A test command to run")
+ parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
args = parser.parse_args(argv[1:])
output = None
format = args.format
cmd = args.command
+ if not cmd:
+ sys.stderr.write("tap-gtester: specify a command to run\n")
+ return 2
+ if cmd[0] == '--':
+ cmd.pop(0)
+
proc = None
os.environ['HARNESS_ACTIVE'] = '1'
if format in ["auto", "gtest"]:
list_cmd = cmd + ["-l", "--verbose"]
- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
output = proc.stdout.readline()
# Smell whether we're dealing with GTest list output from first line
if "random seed" in output or "GTest" in output or output.startswith("/"):
@@ -164,7 +188,8 @@ def main(argv):
else:
format = "tap"
else:
- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
if format == "gtest":
compiler = GTestCompiler(cmd)
--
2.14.4

93
0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
View File

@ -1,93 +0,0 @@
From 3bdf6f25923c3a3bd8404f4a1228053d6a7551b2 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 6 Feb 2017 12:32:20 +0100
Subject: [PATCH] tools: Update the usage help text of the realm commands
Add better synopsis, sort arguments appropriately, and include
missing arguments.
---
tools/realm-discover.c | 4 ++--
tools/realm-join.c | 30 +++++++++++++++---------------
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index cec3fd0..8dde4ed 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -186,7 +186,7 @@ realm_discover (RealmClient *client,
{ NULL, }
};
- context = g_option_context_new ("realm-or-domain");
+ context = g_option_context_new ("discover REALM-OR-DOMAIN");
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
g_option_context_add_main_entries (context, option_entries, NULL);
g_option_context_add_main_entries (context, realm_global_options, NULL);
@@ -274,7 +274,7 @@ realm_list (RealmClient *client,
{ NULL, }
};
- context = g_option_context_new ("realm");
+ context = g_option_context_new ("list");
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
g_option_context_add_main_entries (context, option_entries, NULL);
g_option_context_add_main_entries (context, realm_global_options, NULL);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 8e46c20..249f502 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -286,28 +286,28 @@ realm_join (RealmClient *client,
gint ret = 0;
GOptionEntry option_entries[] = {
- { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
- N_("User name to use for enrollment"), NULL },
- { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
- N_("Computer OU DN to join"), NULL },
- { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
- N_("Use specific computer name instead of hostname"), NULL },
- { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
- N_("Use specific operation system name"), NULL },
- { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
- N_("Use specific operation system version"), NULL },
+ { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
+ realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software,
N_("Use specific client software"), NULL },
- { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
- N_("Use specific server software"), NULL },
+ { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
+ N_("Use specific computer name instead of hostname"), NULL },
+ { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
+ N_("Computer OU DN to join"), NULL },
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software,
N_("Use specific membership software"), NULL },
{ "no-password", 0, 0, G_OPTION_ARG_NONE, &args.no_password,
N_("Join automatically without a password"), NULL },
{ "one-time-password", 0, 0, G_OPTION_ARG_STRING, &args.one_time_password,
N_("Join using a preset one time password"), NULL },
- { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
- realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
+ { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
+ N_("Use specific operation system name"), NULL },
+ { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
+ N_("Use specific operation system version"), NULL },
+ { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
+ N_("Use specific server software"), NULL },
+ { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
+ N_("User name to use for enrollment"), NULL },
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
N_("Set the user principal for the computer account"), NULL },
{ NULL, }
@@ -315,7 +315,7 @@ realm_join (RealmClient *client,
memset (&args, 0, sizeof (args));
- context = g_option_context_new ("realm");
+ context = g_option_context_new ("join REALM");
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
group = g_option_group_new (NULL, NULL, NULL, &args, realm_join_args_clear);
--
2.26.2

113
0002-Change-qualified-names-default-for-IPA.patch
View File

@ -1,113 +0,0 @@
From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 16:44:39 +0200
Subject: [PATCH 2/3] Change qualified names default for IPA
In a FreeIPA domain it is typically expected that the IPA accounts use
sort names while accounts from trusted domains have fully qualified
names. This is automatically done by SSSD's IPA provider so there is no
need to force fully qualified names in the SSSD configuration.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1575538
---
service/realm-options.c | 9 +++++----
service/realm-options.h | 3 ++-
service/realm-samba-winbind.c | 2 +-
service/realm-sssd-ad.c | 2 +-
service/realm-sssd-ipa.c | 2 +-
5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/service/realm-options.c b/service/realm-options.c
index bd804ea..34a209f 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
if (realm_name && !option) {
section = g_utf8_casefold (realm_name, -1);
- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
+ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
g_free (section);
}
@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
gboolean mapping;
section = g_utf8_casefold (realm_name, -1);
- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
+ mapping = realm_settings_boolean (section, "automatic-join", FALSE);
g_free (section);
return mapping;
}
gboolean
-realm_options_qualify_names (const gchar *realm_name)
+realm_options_qualify_names (const gchar *realm_name,
+ gboolean def)
{
gchar *section;
gboolean qualify;
section = g_utf8_casefold (realm_name, -1);
- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
+ qualify = realm_settings_boolean (section, "fully-qualified-names", def);
g_free (section);
return qualify;
diff --git a/service/realm-options.h b/service/realm-options.h
index 7a1355e..b71d219 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options,
gboolean realm_options_automatic_mapping (GVariant *options,
const gchar *realm_name);
-gboolean realm_options_qualify_names (const gchar *realm_name);
+gboolean realm_options_qualify_names (const gchar *realm_name,
+ gboolean def);
gboolean realm_options_check_domain_name (const gchar *domain_name);
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index 9335e26..61988eb 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
"winbind enum groups", "no",
"winbind offline logon", "yes",
"winbind refresh tickets", "yes",
- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
+ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
"template shell", realm_settings_string ("users", "default-shell"),
NULL);
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 8543ca8..de7ce30 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
gchar *home;
home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
- qualify = realm_options_qualify_names (disco->domain_name);
+ qualify = realm_options_qualify_names (disco->domain_name, TRUE);
shell = realm_settings_string ("users", "default-shell");
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
realmd_tags = g_string_new ("");
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index ff1dc8a..5029f6b 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
realm_sssd_config_update_domain (config, domain, &error,
"cache_credentials", "True",
- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
+ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
"krb5_store_password_if_offline", "True",
"default_shell", shell,
"fallback_homedir", home,
--
2.17.1

74
0002-Use-startTLS-with-FreeIPA.patch
View File

@ -1,74 +0,0 @@
From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 3 Jul 2020 17:18:27 +0200
Subject: [PATCH 2/4] Use startTLS with FreeIPA
FreeIPA is planning to required a minimal security strength factor (ssf)
in an upcoming version. This basically means that communication should
be encrypted. The most straight forward way is use TLS by doing a
StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
since the initial release we will call StartTLS unconditionally but try
without if it fails.
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
---
service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
service/realm-ldap.c | 4 +++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 3100650..7614071 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
LDAP *ldap)
{
const char *attrs[] = { "info", "associatedDomain", NULL };
+ int ret;
+ int ldap_opt_val;
clo->request = NULL;
clo->result = result_domain_info;
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
+ * encrypted connected. Trying without in case of an error. Since we
+ * most probably do not have the IPA CA certificate we will not check
+ * the server certificate. */
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to disable certificate checking, trying without");
+ }
+
+ ldap_opt_val = 0;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
+ }
+
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ g_debug ("Failed to setup TLS tunnel, trying without");
+ }
+
return search_ldap (task, clo, ldap, clo->default_naming_context,
LDAP_SCOPE_BASE, NULL, attrs);
}
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 59817fb..7831b5b 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
+ g_free (url);
g_free (native);
--
2.26.2

32
0002-configure-do-not-inherit-DISTRO-from-the-environment.patch
View File

@ -1,32 +0,0 @@
From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 28 Nov 2019 18:51:30 +0100
Subject: [PATCH 2/7] configure: do not inherit DISTRO from the environment
The argument of the --with-distro configure option is stored in the
variable DISTRO. If DISTRO is already set in the build environment it
should not be used hence DISTRO must be cleared by the configure script
if not set by --with-distro.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
---
configure.ac | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e335247..a424a49 100644
--- a/configure.ac
+++ b/configure.ac
@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
[AS_HELP_STRING([--with-distro],
[Configure for a specific distribution (eg: redhat)]
)],
- [DISTRO=$withval])
+ [DISTRO=$withval],
+ [DISTRO=])
if test -z $DISTRO; then
AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
--
2.25.1

69
0002-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
View File

@ -1,69 +0,0 @@
From cf40987b7f847be70ef3a5a0fa359116c0259477 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:19:09 +0100
Subject: [PATCH 2/7] service: add REALM_DBUS_OPTION_USE_LDAPS and
realm_get_use_ldaps
Add a new option to the realmd service to use ldaps where possible and
supported.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
dbus/realm-dbus-constants.h | 1 +
service/realm-options.c | 17 +++++++++++++++++
service/realm-options.h | 2 ++
3 files changed, 20 insertions(+)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index 40ffa2d..0bd7a5d 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -70,6 +70,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_OS_NAME "os-name"
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
+#define REALM_DBUS_OPTION_USE_LDAPS "use-ldaps"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/service/realm-options.c b/service/realm-options.c
index 34a209f..d42eb7c 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -199,3 +199,20 @@ realm_options_ad_specific (GVariant *options,
return g_strdup (value);
}
+
+gboolean realm_option_use_ldaps (GVariant *options)
+{
+ gchar *use_ldaps_str;
+
+ use_ldaps_str = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_USE_LDAPS);
+ if (use_ldaps_str != NULL
+ && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
+ || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
+ g_free (use_ldaps_str);
+ return TRUE;
+ }
+ g_free (use_ldaps_str);
+
+ return FALSE;
+}
diff --git a/service/realm-options.h b/service/realm-options.h
index b71d219..bc13cd7 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -48,6 +48,8 @@ const gchar * realm_options_computer_name (GVariant *options,
const gchar * realm_options_ad_specific (GVariant *options,
const gchar *option_name);
+gboolean realm_option_use_ldaps (GVariant *options);
+
G_END_DECLS
#endif /* __REALM_OPTIONS_H__ */
--
2.26.2

25
0002-tools-remove-duplicated-va_start.patch
View File

@ -1,25 +0,0 @@
From 6b41b3292bb826d90fd7986e4a66b20b6fb658b3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Sep 2018 10:39:13 +0200
Subject: [PATCH 2/7] tools: remove duplicated va_start()
---
tools/realm.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/realm.c b/tools/realm.c
index ed8ab3e..4d76a94 100644
--- a/tools/realm.c
+++ b/tools/realm.c
@@ -52,8 +52,6 @@ realm_print_error (const gchar *format,
GString *message;
va_list va;
- va_start (va, format);
-
message = g_string_new ("");
g_string_append_printf (message, "%s: ", g_get_prgname ());
--
2.25.1

76
0003-discover-try-to-get-domain-name-from-hostname.patch
View File

@ -1,76 +0,0 @@
From 5e28cf702ad338e399f8fff0b3fa18736a297318 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 21 Aug 2018 13:09:20 +0200
Subject: [PATCH 3/3] discover: try to get domain name from hostname
If there is no domain name returned by DHCP check if the hostname
contains a domain part and use this to discover a realm.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
---
service/realm-provider.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/service/realm-provider.c b/service/realm-provider.c
index d647c7a..258e8e1 100644
--- a/service/realm-provider.c
+++ b/service/realm-provider.c
@@ -28,6 +28,8 @@
#include <glib/gi18n.h>
#include <gio/gio.h>
+#include <errno.h>
+
#define TIMEOUT_SECONDS 15
G_DEFINE_TYPE (RealmProvider, realm_provider, G_TYPE_DBUS_OBJECT_SKELETON);
@@ -181,6 +183,25 @@ on_discover_complete (GObject *source,
return_discover_result (method, realms, relevance, error);
}
+static gchar *
+get_domain_from_hostname (void)
+{
+ gchar hostname[HOST_NAME_MAX + 1];
+ gchar *dot;
+
+ if (gethostname (hostname, sizeof (hostname)) < 0) {
+ g_warning ("Couldn't get the computer host name: %s", g_strerror (errno));
+ return NULL;
+ }
+
+ dot = strchr (hostname, '.');
+ if (dot != NULL) {
+ return g_strdup (dot + 1);
+ }
+
+ return NULL;
+}
+
static void
on_discover_default (GObject *source,
GAsyncResult *result,
@@ -195,6 +216,10 @@ on_discover_default (GObject *source,
g_clear_error (&error);
}
+ if (method->string == NULL) {
+ method->string = get_domain_from_hostname ();
+ }
+
if (method->string) {
g_strstrip (method->string);
if (g_str_equal (method->string, "")) {
@@ -210,7 +235,8 @@ on_discover_default (GObject *source,
on_discover_complete, method);
} else {
- realm_diagnostics_info (method->invocation, "No default domain received via DHCP");
+ realm_diagnostics_info (method->invocation,
+ "No default domain received via DHCP or given by hostname");
return_discover_result (method, NULL, 0, NULL);
}
}
--
2.17.1

75
0003-doc-extend-user-principal-section.patch
View File

@ -1,75 +0,0 @@
From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:10:03 +0100
Subject: [PATCH 3/7] doc: extend user-principal section
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814
---
doc/manual/realm.xml | 21 +++++++++++++++++++--
doc/manual/realmd.conf.xml | 15 ++++++++++-----
2 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 7b73331..55a7640 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -238,10 +238,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
- <listitem><para>Set the userPrincipalName field of the
+ <listitem><para>Set the
+ <option>userPrincipalName</option> field of the
computer account to this kerberos principal. If you omit
the value for this option, then a principal will be set
- in the form of <literal>host/shortname@REALM</literal></para></listitem>
+ based on the defaults of the membership software.</para>
+ <para>AD makes a distinction between user and service
+ principals. Only with user principals you can request a
+ Kerberos Ticket-Granting-Ticket (TGT), i.e. only user
+ principals can be used with the <command>kinit</command>
+ command. By default the user principal and the canonical
+ principal name of an AD computer account is
+ <code>shortname$@AD.DOMAIN</code>, where shortname is
+ the NetBIOS name which is limited to 15 characters.</para>
+ <para>If there are applications which are not aware of
+ the AD default and are using a hard-coded default
+ principal the <option>--user-principal</option> can be
+ used to make AD aware of this principal. Please note
+ that <option>userPrincipalName</option> is a single
+ value LDAP attribute, i.e. only one alternative user
+ principal besides the AD default user principal can be
+ set.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-name=xxx</option></term>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index f0b0879..a26a60c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -365,12 +365,17 @@ computer-name = SERVER01
</listitem>
</varlistentry>
<varlistentry>
- <term><option>user-prinicpal</option></term>
+ <term><option>user-principal</option></term>
<listitem>
- <para>Set the <option>user-prinicpal</option> to <code>yes</code>
- to create <option>userPrincipalName</option> attributes for the
- computer account in the realm, in the form
- <code>host/computer@REALM</code></para>
+ <para>Set the <option>user-principal</option> to <code>yes</code>
+ to create <option>userPrincipalName</option> attribute for the
+ computer accounts in the realm. The exact value depends on the
+ defaults of the used membership software. To have full control
+ over the value please use the
+ <option>--user-principal</option> option of the
+ <command>realm</command> command, see
+ <citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> for details.</para>
<informalexample>
<programlisting language="js">
--
2.25.1

271
0003-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
View File

@ -1,271 +0,0 @@
From 20adfff6c0db657d302bd96f986f2e79a8b2d791 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:20:46 +0100
Subject: [PATCH 3/7] service: allow to use ldaps for rootDSE lookup
Let the realmd service use ldaps for the rootDSE lookup when requested.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-disco-dns.c | 10 +++++++---
service/realm-disco-dns.h | 1 +
service/realm-disco-domain.c | 8 +++++++-
service/realm-disco-domain.h | 1 +
service/realm-disco-mscldap.c | 2 +-
service/realm-disco-rootdse.c | 3 ++-
service/realm-disco-rootdse.h | 1 +
service/realm-ldap.c | 5 ++++-
service/realm-ldap.h | 1 +
service/realm-samba-provider.c | 5 ++++-
service/realm-sssd-provider.c | 5 ++++-
11 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/service/realm-disco-dns.c b/service/realm-disco-dns.c
index 446010c..77d5034 100644
--- a/service/realm-disco-dns.c
+++ b/service/realm-disco-dns.c
@@ -32,6 +32,7 @@ typedef struct {
GQueue addresses;
GQueue targets;
gint current_port;
+ gboolean use_ldaps;
gint returned;
DiscoPhase phase;
GResolver *resolver;
@@ -180,7 +181,7 @@ return_or_resolve (RealmDiscoDns *self,
target = g_queue_pop_head (&self->targets);
if (target) {
- self->current_port = g_srv_target_get_port (target);
+ self->current_port = self->use_ldaps ? 636 : g_srv_target_get_port (target);
g_resolver_lookup_by_name_async (self->resolver, g_srv_target_get_hostname (target),
g_task_get_cancellable (task), on_name_resolved,
g_object_ref (task));
@@ -201,7 +202,7 @@ return_or_resolve (RealmDiscoDns *self,
g_resolver_lookup_by_name_async (self->resolver, self->name,
g_task_get_cancellable (task), on_name_resolved,
g_object_ref (task));
- self->current_port = 389;
+ self->current_port = self->use_ldaps ? 636 : 389;
self->phase = PHASE_HOST;
break;
case PHASE_HOST:
@@ -251,6 +252,7 @@ realm_disco_dns_class_init (RealmDiscoDnsClass *klass)
GSocketAddressEnumerator *
realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation)
{
RealmDiscoDns *self;
@@ -262,12 +264,14 @@ realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
self = g_object_new (REALM_TYPE_DISCO_DNS, NULL);
self->name = g_hostname_to_ascii (input);
+ self->use_ldaps = use_ldaps;
self->invocation = g_object_ref (invocation);
/* If is an IP, skip resolution */
if (g_hostname_is_ip_address (input)) {
inet = g_inet_address_new_from_string (input);
- g_queue_push_head (&self->addresses, g_inet_socket_address_new (inet, 389));
+ g_queue_push_head (&self->addresses,
+ g_inet_socket_address_new (inet, use_ldaps ? 636 : 389));
g_object_unref (inet);
self->phase = PHASE_HOST;
} else {
diff --git a/service/realm-disco-dns.h b/service/realm-disco-dns.h
index a51777f..5b20fe9 100644
--- a/service/realm-disco-dns.h
+++ b/service/realm-disco-dns.h
@@ -26,6 +26,7 @@ typedef enum {
G_BEGIN_DECLS
GSocketAddressEnumerator * realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation);
RealmDiscoDnsHint realm_disco_dns_get_hint (GSocketAddressEnumerator *enumerator);
diff --git a/service/realm-disco-domain.c b/service/realm-disco-domain.c
index 3f0ccb5..fdda8f6 100644
--- a/service/realm-disco-domain.c
+++ b/service/realm-disco-domain.c
@@ -37,6 +37,7 @@ typedef struct _Callback {
typedef struct {
GObject parent;
gchar *input;
+ gboolean use_ldaps;
GCancellable *cancellable;
GDBusMethodInvocation *invocation;
GSocketAddressEnumerator *enumerator;
@@ -206,6 +207,7 @@ on_discover_next_address (GObject *source,
realm_diagnostics_info (self->invocation, "Performing LDAP DSE lookup on: %s", string);
realm_disco_rootdse_async (address, explicit_host,
+ self->use_ldaps,
self->invocation, self->cancellable,
on_discover_rootdse, g_object_ref (self));
self->outstanding++;
@@ -248,6 +250,7 @@ on_cancel_propagate (GCancellable *source,
void
realm_disco_domain_async (const gchar *string,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -267,8 +270,11 @@ realm_disco_domain_async (const gchar *string,
if (self == NULL) {
self = g_object_new (REALM_TYPE_DISCO_DOMAIN, NULL);
self->input = g_strdup (string);
+ self->use_ldaps = use_ldaps;
self->invocation = g_object_ref (invocation);
- self->enumerator = realm_disco_dns_enumerate_servers (string, invocation);
+ self->enumerator = realm_disco_dns_enumerate_servers (string,
+ use_ldaps,
+ invocation);
g_hash_table_insert (discover_cache, self->input, self);
g_assert (!self->completed);
diff --git a/service/realm-disco-domain.h b/service/realm-disco-domain.h
index 27dcc6c..02d4998 100644
--- a/service/realm-disco-domain.h
+++ b/service/realm-disco-domain.h
@@ -24,6 +24,7 @@
G_BEGIN_DECLS
void realm_disco_domain_async (const gchar *string,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
index d3d3c10..2504904 100644
--- a/service/realm-disco-mscldap.c
+++ b/service/realm-disco-mscldap.c
@@ -348,7 +348,7 @@ realm_disco_mscldap_async (GSocketAddress *address,
return;
}
- clo->source = realm_ldap_connect_anonymous (address, protocol, cancellable);
+ clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
g_object_ref (task), g_object_unref);
g_source_attach (clo->source, g_task_get_context (task));
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 7614071..4ed19e5 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -452,6 +452,7 @@ on_ldap_io (LDAP *ldap,
void
realm_disco_rootdse_async (GSocketAddress *address,
const gchar *explicit_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GCancellable *cancellable,
GAsyncReadyCallback callback,
@@ -473,7 +474,7 @@ realm_disco_rootdse_async (GSocketAddress *address,
g_task_set_task_data (task, clo, closure_free);
clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
- cancellable);
+ use_ldaps, cancellable);
g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
g_object_ref (task), g_object_unref);
g_source_attach (clo->source, g_task_get_context (task));
diff --git a/service/realm-disco-rootdse.h b/service/realm-disco-rootdse.h
index e024c84..7b21960 100644
--- a/service/realm-disco-rootdse.h
+++ b/service/realm-disco-rootdse.h
@@ -21,6 +21,7 @@
void realm_disco_rootdse_async (GSocketAddress *address,
const gchar *explicit_server,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GCancellable *cancellable,
GAsyncReadyCallback callback,
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 7831b5b..28c5c8a 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -183,6 +183,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
GSource *
realm_ldap_connect_anonymous (GSocketAddress *address,
GSocketProtocol protocol,
+ gboolean use_ldaps,
GCancellable *cancellable)
{
GSource *source;
@@ -238,7 +239,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+ url = g_strdup_printf ("%s://%s:%d",
+ use_ldaps ? "ldaps" : "ldap",
+ addrname, port);
rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
g_free (url);
diff --git a/service/realm-ldap.h b/service/realm-ldap.h
index 263f72a..0f9f40e 100644
--- a/service/realm-ldap.h
+++ b/service/realm-ldap.h
@@ -37,6 +37,7 @@ typedef GIOCondition (* RealmLdapCallback) (LDAP *ldap,
GSource * realm_ldap_connect_anonymous (GSocketAddress *address,
GSocketProtocol protocol,
+ gboolean use_ldaps,
GCancellable *cancellable);
void realm_ldap_set_condition (GSource *source,
diff --git a/service/realm-samba-provider.c b/service/realm-samba-provider.c
index 9b489ce..de9f5e6 100644
--- a/service/realm-samba-provider.c
+++ b/service/realm-samba-provider.c
@@ -27,6 +27,7 @@
#include "realm-samba-enroll.h"
#include "realm-samba-provider.h"
#include "realm-samba-winbind.h"
+#include "realm-options.h"
#include <glib/gstdio.h>
@@ -121,7 +122,9 @@ realm_samba_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- realm_disco_domain_async (string, invocation,
+ realm_disco_domain_async (string,
+ realm_option_use_ldaps (options),
+ invocation,
on_ad_discover, g_object_ref (task));
}
diff --git a/service/realm-sssd-provider.c b/service/realm-sssd-provider.c
index 7ac0645..db183c0 100644
--- a/service/realm-sssd-provider.c
+++ b/service/realm-sssd-provider.c
@@ -26,6 +26,7 @@
#include "realm-sssd-ipa.h"
#include "realm-sssd-provider.h"
#include "realm-sssd-config.h"
+#include "realm-options.h"
#include <glib/gstdio.h>
@@ -140,7 +141,9 @@ realm_sssd_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- realm_disco_domain_async (string, invocation, on_kerberos_discover,
+ realm_disco_domain_async (string,
+ realm_option_use_ldaps (options),
+ invocation, on_kerberos_discover,
g_object_ref (task));
}
--
2.26.2

33
0003-service-remove-dead-code.patch
View File

@ -1,33 +0,0 @@
From 4cd0cc0ace4a346444dd34e7f3c6a23fd654fef4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Sep 2018 11:00:13 +0200
Subject: [PATCH 3/7] service: remove dead code
---
service/realm-samba.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 5cf2aa8..e2a3608 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -180,7 +180,6 @@ on_join_do_winbind (GObject *source,
GTask *task = G_TASK (user_data);
EnrollClosure *enroll = g_task_get_task_data (task);
RealmSamba *self = g_task_get_source_object (task);
- GHashTable *settings = NULL;
GError *error = NULL;
const gchar *name;
const gchar *computer_name;
@@ -215,8 +214,6 @@ on_join_do_winbind (GObject *source,
g_task_return_error (task, error);
}
- if (settings)
- g_hash_table_unref (settings);
g_object_unref (task);
}
--
2.25.1

32
0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
View File

@ -1,32 +0,0 @@
From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 Aug 2020 11:18:17 +0200
Subject: [PATCH 3/4] service: use net ads join with -k for user join as well
The NTLM authentication used by 'net ads join' does only support crypto
algorithms which e.g. are not allowed by FIPS. It would be better to
tell 'net ads join' to try Kerberos first before falling back to NTLM by
adding the '-k' option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
---
service/realm-samba-enroll.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index f5edca3..3f86c51 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -372,7 +372,8 @@ begin_join (GTask *task,
} else if (join->user_name) {
begin_net_process (join, join->password_input,
on_join_do_keytab, g_object_ref (task),
- "-U", join->user_name, "ads", "join", join->disco->domain_name,
+ "-U", join->user_name,
+ "-k", "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
--
2.26.2

26
0004-doc-fix-discover-name-only.patch
View File

@ -1,26 +0,0 @@
From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:49:15 +0100
Subject: [PATCH 4/7] doc: fix discover name-only
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
---
doc/manual/realmd.conf.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index a26a60c..fc6a785 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
<informalexample>
<screen>
-$ <command>realm discover --name DOMAIN.example.com</command>
+$ <command>realm discover --name-only DOMAIN.example.com</command>
domain.example.com
...
</screen>
--
2.25.1

186
0004-service-add-ldaps-support-when-using-adcli.patch
View File

@ -1,186 +0,0 @@
From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:28:52 +0100
Subject: [PATCH 4/7] service: add ldaps support when using adcli
Call adcli with the --use-ldaps option if the realmd service is
requested to do so.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-adcli-enroll.c | 10 ++++++++++
service/realm-adcli-enroll.h | 2 ++
service/realm-samba.c | 11 +++++++++--
service/realm-sssd-ad.c | 27 ++++++++++++++++++++++++++-
4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 05947fa..2731283 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -68,6 +68,7 @@ void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
g_ptr_array_add (args, "--domain-realm");
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
server_arg = g_inet_address_to_string (address);
@@ -218,6 +223,7 @@ void
realm_adcli_enroll_delete_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
g_ptr_array_add (args, "--domain-realm");
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
server_arg = g_inet_address_to_string (address);
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
index 855b2f7..3f535d0 100644
--- a/service/realm-adcli-enroll.h
+++ b/service/realm-adcli-enroll.h
@@ -29,6 +29,7 @@ G_BEGIN_DECLS
void realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
@@ -39,6 +40,7 @@ gboolean realm_adcli_enroll_join_finish (GAsyncResult *result,
void realm_adcli_enroll_delete_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e7b80a0..7aa5416 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,
}
static gboolean
-validate_membership_options (GVariant *options,
+validate_membership_options (EnrollClosure *enroll,
+ GVariant *options,
GError **error)
{
const gchar *software;
@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,
}
}
+ if (realm_option_use_ldaps (options)) {
+ realm_diagnostics_info (enroll->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying without.",
+ software);
+ }
return TRUE;
}
@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,
g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,
_("Already joined to a domain"));
- } else if (!validate_membership_options (options, &error)) {
+ } else if (!validate_membership_options (enroll, options, &error)) {
g_task_return_error (task, error);
} else {
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 6b2f9f8..00a9093 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -98,6 +98,7 @@ typedef struct {
GVariant *options;
RealmDisco *disco;
gboolean use_adcli;
+ gboolean use_ldaps;
const gchar **packages;
} JoinClosure;
@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,
realm_adcli_enroll_join_async (join->disco,
join->cred,
join->options,
+ join->use_ldaps,
join->invocation,
on_join_do_sssd,
g_object_ref (task));
@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,
return FALSE;
}
+ /*
+ * Check if ldaps should be used and if membership software supports
+ * it.
+ */
+ join->use_ldaps = realm_option_use_ldaps (options);
+ if (join->use_ldaps &&
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
+ realm_diagnostics_info (join->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying "
+ "without.", software);
+ }
+
/*
* If we are enrolling with a user password, then we have to use samba,
* adcli only supports admin passwords.
@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
GTask *task;
LeaveClosure *leave;
gchar *tags;
+ gboolean use_ldaps = FALSE;
task = g_task_new (self, NULL, callback, user_data);
@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
leave->invocation = g_object_ref (invocation);
leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
g_task_set_task_data (task, leave, leave_closure_free);
+
+ use_ldaps = realm_option_use_ldaps (options);
if (leave->use_adcli) {
- realm_adcli_enroll_delete_async (disco, cred, options, invocation,
+ realm_adcli_enroll_delete_async (disco, cred, options,
+ use_ldaps, invocation,
on_leave_do_deconfigure, g_object_ref (task));
} else {
+ if (use_ldaps) {
+ realm_diagnostics_info (leave->invocation,
+ "Membership software does "
+ "not support ldaps, trying "
+ "without.");
+ }
realm_samba_enroll_leave_async (disco, cred, options, invocation,
on_leave_do_deconfigure, g_object_ref (task));
}
--
2.26.2

36
0004-service-check-return-value-of-fcntl.patch
View File

@ -1,36 +0,0 @@
From f4636827818d514ebc2f73df2a55b22e7bc8ab89 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Sep 2018 11:00:30 +0200
Subject: [PATCH 4/7] service: check return value of fcntl()
---
service/realm-command.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/service/realm-command.c b/service/realm-command.c
index 2fe02ab..5257caa 100644
--- a/service/realm-command.c
+++ b/service/realm-command.c
@@ -361,6 +361,7 @@ on_unix_process_child_setup (gpointer user_data)
int *child_fds = user_data;
long val;
guint i;
+ int ret;
/*
* Become a process leader in order to close the controlling terminal.
@@ -378,7 +379,10 @@ on_unix_process_child_setup (gpointer user_data)
for (i = 0; i < NUM_FDS; i++) {
if (child_fds[i] >= 0) {
val = fcntl (child_fds[i], F_GETFD);
- fcntl (child_fds[i], F_SETFD, val & ~FD_CLOEXEC);
+ ret = fcntl (child_fds[i], F_SETFD, val & ~FD_CLOEXEC);
+ if (ret != 0) {
+ /* ignore */
+ }
}
}
}
--
2.25.1

167
0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch
View File

@ -1,167 +0,0 @@
From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 12 Aug 2020 12:58:27 +0200
Subject: [PATCH 4/4] service: use 'additional dns hostnames' with net ads join
With newer versions of Samba the net ads join does not add services
principals with the configured host name anymore but added the new
option 'additional dns hostnames' for this.
realmd will try to figure out a fully-qualified host name and use it
with the new option if it is from a different domain.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912
---
service/realm-disco.c | 1 +
service/realm-disco.h | 1 +
service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++-
service/realm-samba.c | 6 ++++
4 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/service/realm-disco.c b/service/realm-disco.c
index ab06939..a12be50 100644
--- a/service/realm-disco.c
+++ b/service/realm-disco.c
@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data)
g_free (disco->explicit_netbios);
g_free (disco->kerberos_realm);
g_free (disco->workgroup);
+ g_free (disco->dns_fqdn);
if (disco->server_address)
g_object_unref (disco->server_address);
g_free (disco);
diff --git a/service/realm-disco.h b/service/realm-disco.h
index 5f3e5e9..35532d2 100644
--- a/service/realm-disco.h
+++ b/service/realm-disco.h
@@ -30,6 +30,7 @@ typedef struct {
gchar *explicit_server;
gchar *explicit_netbios;
GSocketAddress *server_address;
+ gchar *dns_fqdn;
} RealmDisco;
#define REALM_TYPE_DISCO (realm_disco_get_type ())
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 3f86c51..5624a08 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -33,6 +33,9 @@
#include <errno.h>
#include <fcntl.h>
#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
typedef struct {
GDBusMethodInvocation *invocation;
@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm)
return g_utf8_strup (realm, pos - realm);
}
+static char *
+try_to_get_fqdn (void)
+{
+ char hostname[HOST_NAME_MAX + 1];
+ gchar *fqdn = NULL;
+ int ret;
+ struct addrinfo *res;
+ struct addrinfo hints;
+
+ ret = gethostname (hostname, sizeof (hostname));
+ if (ret < 0) {
+ return NULL;
+ }
+
+ if (strchr (hostname, '.') == NULL) {
+ memset (&hints, 0, sizeof (struct addrinfo));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_CANONNAME;
+
+ ret = getaddrinfo (hostname, NULL, &hints, &res);
+ if (ret != 0) {
+ return NULL;
+ }
+
+ /* Only use a fully-qualified name */
+ if (strchr (res->ai_canonname, '.') != NULL) {
+ fqdn = g_strdup (res->ai_canonname);
+ }
+
+ freeaddrinfo (res);
+
+ } else {
+ fqdn = g_strdup (hostname);
+ }
+
+ return fqdn;
+}
+
static JoinClosure *
join_closure_init (GTask *task,
RealmDisco *disco,
@@ -95,6 +136,8 @@ join_closure_init (GTask *task,
const gchar *explicit_computer_name = NULL;
const gchar *authid = NULL;
gchar *name_from_keytab = NULL;
+ gchar *fqdn = NULL;
+ gchar *fqdn_dom = NULL;
join = g_new0 (JoinClosure, 1);
join->disco = realm_disco_ref (disco);
@@ -124,7 +167,7 @@ join_closure_init (GTask *task,
"netbios name", authid,
NULL);
- /*
+ /*
* Samba complains if we don't set a 'workgroup' setting for the realm we're
* going to join. If we didn't yet manage to lookup the workgroup, then go ahead
* and assume that the first domain component is the workgroup name.
@@ -144,6 +187,18 @@ join_closure_init (GTask *task,
g_free (workgroup);
}
+ /* Add the fully-qualified DNS hostname as additional name if it is from
+ * a different domain. */
+ fqdn = try_to_get_fqdn ();
+ if (fqdn != NULL && join->disco->domain_name != NULL
+ && (fqdn_dom = strchr (fqdn, '.')) != NULL
+ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) {
+ disco->dns_fqdn = g_strdup (fqdn);
+ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
+ "additional dns hostnames", disco->dns_fqdn, NULL);
+ }
+ g_free (fqdn);
+
/* Write out the config file for use by various net commands */
join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL);
temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 4940b38..fe33600 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source,
NULL);
}
+ if (error == NULL && enroll->disco->dns_fqdn != NULL) {
+ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
+ "additional dns hostnames", enroll->disco->dns_fqdn,
+ NULL);
+ }
if (error == NULL) {
name = realm_kerberos_get_name (REALM_KERBEROS (self));
@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self,
if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
"workgroup", NULL,
"realm", NULL,
+ "additional dns hostnames", NULL,
"security", "user",
NULL)) {
g_task_return_error (task, error);
--
2.26.2

46
0005-doc-add-see-also-to-man-pages.patch
View File

@ -1,46 +0,0 @@
From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:49:51 +0100
Subject: [PATCH 5/7] doc: add see also to man pages
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
---
doc/manual/realm.xml | 7 +++++++
doc/manual/realmd.conf.xml | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 55a7640..e5d4608 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -440,4 +440,11 @@ $ realm deny --all
</refsect1>
+<refsect1 id='realm_see_also'>
+ <title>SEE ALSO</title>
+
+ <para><citerefentry><refentrytitle>realmd.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry></para>
+</refsect1>
+
</refentry>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index fc6a785..1592291 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -471,4 +471,11 @@ fully-qualified-names = no
</variablelist>
</refsect1>
+<refsect1 id='realmd_conf_see_also'>
+ <title>SEE ALSO</title>
+
+ <para><citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry></para>
+</refsect1>
+
</refentry>
--
2.25.1

39
0005-service-avoid-dereference-of-a-null-pointer.patch
View File

@ -1,39 +0,0 @@
From 7a1711b180a746ba574bdbfc814ec706a474cda8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Sep 2018 11:07:03 +0200
Subject: [PATCH 5/7] service: avoid dereference of a null pointer
---
service/realm-kerberos.c | 2 +-
service/realm-provider.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 252e256..a8b3553 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -720,7 +720,7 @@ realm_kerberos_get_disco (RealmKerberos *self)
if (!disco->kerberos_realm)
disco->kerberos_realm = g_strdup (realm_kerberos_get_realm_name (self));
klass = REALM_KERBEROS_GET_CLASS (self);
- if (klass->discover_myself)
+ if (klass && klass->discover_myself)
(klass->discover_myself) (self, disco);
self->pv->disco = disco;
}
diff --git a/service/realm-provider.c b/service/realm-provider.c
index 258e8e1..6d7cf96 100644
--- a/service/realm-provider.c
+++ b/service/realm-provider.c
@@ -450,7 +450,7 @@ realm_provider_get_realms (RealmProvider *self)
g_return_val_if_fail (REALM_IS_PROVIDER (self), NULL);
klass = REALM_PROVIDER_GET_CLASS (self);
- g_return_val_if_fail (klass->get_realms != NULL, NULL);
+ g_return_val_if_fail (klass != NULL && klass->get_realms != NULL, NULL);
return (klass->get_realms) (self);
}
--
2.25.1

88
0005-service-do-not-copy-option-values-to-avoid-memory-le.patch
View File

@ -1,88 +0,0 @@
From 7daf5993995baad0f5c7f7ae3822dae37eb9f46f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 16:44:23 +0100
Subject: [PATCH 5/7] service: do not copy option values to avoid memory leaks
---
service/realm-adcli-enroll.c | 15 ++++++++-------
service/realm-options.c | 8 +++-----
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 2731283..e0d752b 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -80,7 +80,8 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
GBytes *input = NULL;
const gchar *upn;
GPtrArray *args;
- const gchar *os;
+ const gchar *os_n = NULL;
+ const gchar *os_v = NULL;
gchar *ccache_arg = NULL;
gchar *upn_arg = NULL;
gchar *server_arg = NULL;
@@ -144,16 +145,16 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
g_ptr_array_add (args, (gpointer)computer_ou);
}
- os = realm_options_ad_specific (options, "os-name");
- if (os != NULL && !g_str_equal (os, "")) {
+ os_n = realm_options_ad_specific (options, "os-name");
+ if (os_n != NULL && !g_str_equal (os_n, "")) {
g_ptr_array_add (args, "--os-name");
- g_ptr_array_add (args, (gpointer)os);
+ g_ptr_array_add (args, (gpointer)os_n);
}
- os = realm_options_ad_specific (options, "os-version");
- if (os != NULL && !g_str_equal (os, "")) {
+ os_v = realm_options_ad_specific (options, "os-version");
+ if (os_v != NULL && !g_str_equal (os_v, "")) {
g_ptr_array_add (args, "--os-version");
- g_ptr_array_add (args, (gpointer)os);
+ g_ptr_array_add (args, (gpointer)os_v);
}
switch (cred->type) {
diff --git a/service/realm-options.c b/service/realm-options.c
index d42eb7c..4ebd6c0 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -179,7 +179,7 @@ realm_options_computer_name (GVariant *options,
g_free (section);
}
- return g_strdup (computer_name);
+ return computer_name;
}
const gchar *
@@ -197,22 +197,20 @@ realm_options_ad_specific (GVariant *options,
value = realm_settings_value ("active-directory", option_name);
}
- return g_strdup (value);
+ return value;
}
gboolean realm_option_use_ldaps (GVariant *options)
{
- gchar *use_ldaps_str;
+ const gchar *use_ldaps_str;
use_ldaps_str = realm_options_ad_specific (options,
REALM_DBUS_OPTION_USE_LDAPS);
if (use_ldaps_str != NULL
&& ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
|| g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
- g_free (use_ldaps_str);
return TRUE;
}
- g_free (use_ldaps_str);
return FALSE;
}
--
2.26.2

104
0006-doc-extend-description-of-config-handling.patch
View File

@ -1,104 +0,0 @@
From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 21:57:02 +0100
Subject: [PATCH 6/7] doc: extend description of config handling
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005
---
doc/manual/Makefile.am | 8 ++++++++
doc/manual/realmd.conf.xml | 15 +++++++++++----
doc/privatedir.xml.in | 1 +
4 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644 doc/privatedir.xml.in
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index 8b33fdd..9812c45 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -1,14 +1,20 @@
+XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc
man8_MANS += \
doc/manual/realm.8
man5_MANS += \
doc/manual/realmd.conf.5
+$(man5_MANS): doc/privatedir.xml
+
MAN_IN_FILES = \
$(man8_MANS:.8=.xml) \
$(man5_MANS:.5=.xml) \
$(NULL)
+doc/privatedir.xml: doc/privatedir.xml.in
+ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@
+
MANUAL_DOCBOOK = doc/manual/realmd-docs.xml
MANUAL_INCLUDES = \
@@ -41,6 +47,7 @@ MANUAL_XSLT = \
$(NULL)
EXTRA_DIST += \
+ doc/privatedir.xml.in \
$(MANUAL_DOCBOOK) \
$(MANUAL_INCLUDES) \
$(MAN_IN_FILES) \
@@ -50,6 +57,7 @@ EXTRA_DIST += \
CLEANFILES += \
realmd-org.freedesktop.realmd.generated \
+ doc/privatedir.xml \
$(DBUS_DOC_GENERATED) \
$(DBUS_ESCAPED) \
$(man8_MANS) \
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 1592291..9062252 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -1,6 +1,9 @@
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+[
+<!ENTITY privatedir SYSTEM "privatedir.xml">
+]>
<refentry id="realmd-conf">
@@ -35,7 +38,9 @@
to act in specific ways. This is done by placing settings in a
<filename>/etc/realmd.conf</filename>. This file does not exist by
default. The syntax of this file is the same as an INI file or
- Desktop Entry file.</para>
+ Desktop Entry file. If the file is changed and
+ <command>realmd</command> is running <command>realmd</command> must be
+ restarted to read the new values.</para>
<para>In general, settings in this file only apply at the point of
joining a domain or realm. Once the realm has been setup the settings
@@ -46,8 +51,10 @@
<para>Only specify the settings you wish to override in the
<filename>/etc/realmd.conf</filename> file. Settings not specified will
- be loaded from their packaged defaults. Only override the settings
- below. You may find other settings if you look through the
+ be loaded from their packaged defaults which can be found in
+ <filename>&privatedir;/realmd-defaults.conf</filename> and
+ <filename>&privatedir;/realmd-distro.conf</filename>. Only override the
+ settings below. You may find other settings if you look through the
<command>realmd</command> source code. However these are not guaranteed
to remain stable.</para>
diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in
new file mode 100644
index 0000000..7f71afe
--- /dev/null
+++ b/doc/privatedir.xml.in
@@ -0,0 +1 @@
+@privatedir@
\ No newline at end of file
--
2.25.1

24
0006-service-avoid-dereferencing-a-NULL-pointer.patch
View File

@ -1,24 +0,0 @@
From 9675cc5b6318f848ddf7237d50d02606e16d8003 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Sep 2018 11:17:07 +0200
Subject: [PATCH 6/7] service: avoid dereferencing a NULL pointer
---
service/realm-kerberos.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index a8b3553..3294932 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -251,6 +251,7 @@ is_credential_supported (RealmKerberosMembershipIface *iface,
gboolean found = FALSE;
gint i;
+ g_assert (iface != NULL);
g_assert (iface->join_creds != NULL);
g_assert (iface->leave_creds != NULL);
--
2.25.1

305
0006-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
View File

@ -1,305 +0,0 @@
From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 17:22:13 +0100
Subject: [PATCH 6/7] tools: add --use-ldaps option for discover, join and
leave
Add --use-ldaps option to the realm command to be able to ask the realmd
service to use ldaps where possible.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++
doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
tools/realm-client.c | 2 ++
tools/realm-client.h | 1 +
tools/realm-discover.c | 7 ++++++-
tools/realm-join.c | 6 +++++-
tools/realm-leave.c | 15 +++++++++++----
7 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index e5d4608..01af62e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -134,6 +134,11 @@ $ realm discover domain.example.com
Possible values include <replaceable>samba</replaceable> or
<replaceable>adcli</replaceable>. </para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
principal besides the AD default user principal can be
set.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD
+ where possible. In general this option is not needed
+ because <command>realmd</command> itself only read
+ public information from the Active Directory domain
+ controller which is available anonymously. The
+ supported membership software products will use
+ encrypted connections protected with GSS-SPNEGO/GSSAPI
+ which offers a comparable level of security than ldaps.
+ This option is only needed if the standard LDAP port
+ (389/tcp) is blocked by a firewall and only the LDAPS
+ port (636/tcp) is available.</para>
+
+ <para>If this option is set to
+ <parameter>yes</parameter> <command>realmd</command>
+ will use the ldaps port when reading the rootDSE and
+ call the <command>adcli</command> membership software
+ with the option <option>--use-ldaps</option>. The Samba
+ base membership currently offers only deprecated ways
+ to enable ldaps. Support will be added in
+ <command>realmd</command> when a new way is available.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -326,6 +355,11 @@ $ realm leave domain.example.com
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 97d2e8d..72b706c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -141,6 +141,27 @@ domain.example.com
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD where possible.
+ In general this option is not needed because <command>realmd</command>
+ itself only read public information from the Active Directory domain
+ controller which is available anonymously. The supported membership
+ software products will use encrypted connections protected with
+ GSS-SPNEGO/GSSAPI which offers a comparable level of security than
+ ldaps. This option is only needed if the standard LDAP port (389/tcp)
+ is blocked by a firewall and only the LDAPS port (636/tcp) is
+ available.</para>
+
+ <para>If this option is set to <parameter>yes</parameter>
+ <command>realmd</command> will use the ldaps port when reading the
+ rootDSE and call the <command>adcli</command> membership software with
+ the option <option>--use-ldaps</option>. The Samba base membership
+ currently offers only deprecated ways to enable ldaps. Support will be
+ added in <command>realmd</command> when a new way is available.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>os-name</option></term>
<listitem><para>(see below)</para></listitem>
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 2f102db..c386e64 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
GList *
realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
+ REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
NULL);
/* Start actual operation */
diff --git a/tools/realm-client.h b/tools/realm-client.h
index 5ecf2de..e9e50cd 100644
--- a/tools/realm-client.h
+++ b/tools/realm-client.h
@@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien
GList * realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index 8dde4ed..c0acd79 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
const gchar *string,
gboolean all,
gboolean name_only,
+ gboolean use_ldaps,
const gchar *server_software,
const gchar *client_software,
const gchar *membership_software)
@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
GList *realms;
GList *l;
- realms = realm_client_discover (client, string, client_software,
+ realms = realm_client_discover (client, string, use_ldaps, client_software,
server_software, membership_software,
REALM_DBUS_REALM_INTERFACE, NULL, &error);
@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
GError *error = NULL;
gboolean arg_all = FALSE;
gboolean arg_name_only = FALSE;
+ gboolean arg_use_ldaps = FALSE;
gint result = 0;
gint ret;
gint i;
@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
} else if (argc == 1) {
result = perform_discover (client, NULL, arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
for (i = 1; i < argc; i++) {
ret = perform_discover (client, argv[i], arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 249f502..dbe6197 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -179,6 +179,7 @@ typedef struct {
gchar *user_principal;
gboolean automatic_id_mapping_set;
gboolean automatic_id_mapping;
+ gboolean use_ldaps;
} RealmJoinArgs;
static void
@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
GList *realms;
gint ret;
- realms = realm_client_discover (client, string, args->client_software,
+ realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
args->server_software, args->membership_software,
REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
&had_mismatched, &error);
@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
REALM_DBUS_OPTION_OS_VERSION, args->os_version,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
args->automatic_id_mapping_set ?
REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
args->automatic_id_mapping,
@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
N_("User name to use for enrollment"), NULL },
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
N_("Set the user principal for the computer account"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+ N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
diff --git a/tools/realm-leave.c b/tools/realm-leave.c
index 45a9c46..c88a110 100644
--- a/tools/realm-leave.c
+++ b/tools/realm-leave.c
@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
static int
perform_user_leave (RealmClient *client,
+ gboolean use_ldaps,
RealmDbusKerberosMembership *membership,
const gchar *user_name)
{
@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
return 1;
}
- options = realm_build_options(NULL, NULL);
+ options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
+ NULL);
ret = call_leave (membership, credentials, options, &error);
if (error != NULL)
@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
static int
perform_leave (RealmClient *client,
const gchar *realm_name,
+ gboolean use_ldaps,
gboolean remove,
const gchar *user_name,
const gchar *client_software,
@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
if (!remove)
ret = perform_deconfigure (client, realm);
else
- ret = perform_user_leave (client, membership, user_name);
+ ret = perform_user_leave (client, use_ldaps, membership,
+ user_name);
g_object_unref (membership);
g_object_unref (realm);
@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
gchar *arg_server_software = NULL;
GError *error = NULL;
const gchar *realm_name;
+ gboolean arg_use_ldaps = FALSE;
gint ret = 0;
GOptionEntry option_entries[] = {
@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
N_("Use specific server software"), NULL },
{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
} else {
realm_name = argc < 2 ? NULL : argv[1];
- ret = perform_leave (client, realm_name, arg_remove, arg_user,
- arg_client_software, arg_server_software);
+ ret = perform_leave (client, realm_name, arg_use_ldaps,
+ arg_remove, arg_user, arg_client_software,
+ arg_server_software);
}
g_free (arg_user);
--
2.26.2

56
0007-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
View File

@ -1,56 +0,0 @@
From 8cddf81199e96c7edc701bcb7ca782d7bcddbddd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 19:24:40 +0100
Subject: [PATCH 7/7] ldap: generate proper ldap uri for IPv6 addresses
When using IPv6 addresses the address must be put into brackets.
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
---
service/realm-ldap.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 28c5c8a..2076d1e 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -190,6 +190,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
LdapSource *ls;
gchar *addrname;
GInetSocketAddress *inet;
+ GSocketFamily family;
struct berval cred;
Sockbuf *sb = NULL;
gsize native_len;
@@ -204,6 +205,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
inet = G_INET_SOCKET_ADDRESS (address);
addrname = g_inet_address_to_string (g_inet_socket_address_get_address (inet));
port = g_inet_socket_address_get_port (inet);
+ family = g_inet_address_get_family (g_inet_socket_address_get_address (inet));
if (port == 0)
port = 389;
@@ -239,9 +241,17 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- url = g_strdup_printf ("%s://%s:%d",
- use_ldaps ? "ldaps" : "ldap",
- addrname, port);
+ if (family == G_SOCKET_FAMILY_IPV4) {
+ url = g_strdup_printf ("%s://%s:%d",
+ use_ldaps ? "ldaps" : "ldap",
+ addrname, port);
+ } else if (family == G_SOCKET_FAMILY_IPV6) {
+ url = g_strdup_printf ("%s://[%s]:%d",
+ use_ldaps ? "ldaps" : "ldap",
+ addrname, port);
+ } else {
+ url = NULL;
+ }
rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
g_free (url);
--
2.26.2

30
0007-service-use-kerberos-method-secrets-and-keytab.patch
View File

@ -1,30 +0,0 @@
From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 21 Feb 2020 14:06:16 +0100
Subject: [PATCH 7/7] service: use "kerberos method" "secrets and keytab"
When using Samba with Winbind the host password stored in secrets.tdb is
still important so the "secrets and keytab" should be the preferred
"kerberos method".
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
---
service/realm-samba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e2a3608..4940b38 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
"template shell", realm_settings_string ("users", "default-shell"),
"netbios name", computer_name,
"password server", enroll->disco->explicit_server,
- "kerberos method", "system keytab",
+ "kerberos method", "secrets and keytab",
NULL);
}
--
2.25.1

108
realmd.spec
View File

@ -1,85 +1,28 @@
Name: realmd
Version: 0.16.3
Release: 28%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: https://freedesktop.org/software/realmd/
Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
Patch1: 0001-LDAP-don-t-close-LDAP-socket-twice.patch
Patch2: 0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
Patch3: 0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
Patch4: 0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
Patch5: 0001-switch-to-authselect.patch
Patch6: 0001-Fix-man-page-reference-in-systemd-service-file.patch
Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch
Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
Patch9: 0001-tests-run-tests-with-python3.patch
Patch10: 0001-Fix-issues-found-by-Coverity.patch
Patch11: 0002-Change-qualified-names-default-for-IPA.patch
Patch12: 0003-discover-try-to-get-domain-name-from-hostname.patch
Patch13: 0001-IPA-do-not-call-sssd-enable-logins.patch
Patch14: 0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch
# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1675879
Patch15: 0001-tests-ignore-order-in-test_update_domain.patch
# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1736578
Patch16: 0001-Remove-support-for-deprecated-gtester-format.patch
# Sync with upstream
Patch17: 0001-doc-make-sure-cross-reference-ids-are-predictable.patch
Patch18: 0002-tools-remove-duplicated-va_start.patch
Patch19: 0003-service-remove-dead-code.patch
Patch20: 0004-service-check-return-value-of-fcntl.patch
Patch21: 0005-service-avoid-dereference-of-a-null-pointer.patch
Patch22: 0006-service-avoid-dereferencing-a-NULL-pointer.patch
Patch23: 0001-Add-missing-xsl-file-to-Makefile.am.patch
Patch24: 0002-configure-do-not-inherit-DISTRO-from-the-environment.patch
Patch25: 0003-doc-extend-user-principal-section.patch
Patch26: 0004-doc-fix-discover-name-only.patch
Patch27: 0005-doc-add-see-also-to-man-pages.patch
Patch28: 0006-doc-extend-description-of-config-handling.patch
Patch29: 0007-service-use-kerberos-method-secrets-and-keytab.patch
# Sync with upstream
Patch30: 0001-Fix-for-ini-config-test-issue.patch
Patch31: 0002-Use-startTLS-with-FreeIPA.patch
Patch32: 0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
Patch33: 0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch
# Sync with upstream
Patch34: 0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
Patch35: 0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
Patch36: 0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
Patch37: 0002-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
Patch38: 0003-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
Patch39: 0004-service-add-ldaps-support-when-using-adcli.patch
Patch40: 0005-service-do-not-copy-option-values-to-avoid-memory-le.patch
Patch41: 0006-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
Patch42: 0007-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
Name: realmd
Version: 0.17.0
Release: 1%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: https://gitlab.freedesktop.org/realmd/realmd
Source0: https://gitlab.freedesktop.org/sbose/realmd/uploads/b13a87292762bdad3ecbfe65bbb57211/realmd-%{version}.tar.gz
BuildRequires: make
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: intltool pkgconfig
BuildRequires: gettext-devel
BuildRequires: glib2-devel >= 2.32.0
BuildRequires: openldap-devel
BuildRequires: polkit-devel
BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: python3
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: intltool pkgconfig
BuildRequires: gettext-devel
BuildRequires: glib2-devel >= 2.32.0
BuildRequires: openldap-devel
BuildRequires: polkit-devel
BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: python3
Requires: authselect
Requires: polkit
Requires: authselect
Requires: polkit
%description
realmd is a DBus system service which manages discovery and enrollment in realms
@ -87,7 +30,7 @@ and domains like Active Directory or IPA. The control center uses realmd as the
back end to 'join' a domain simply and automatically configure things correctly.
%package devel-docs
Summary: Developer documentation files for %{name}
Summary: Developer documentation files for %{name}
%description devel-docs
The %{name}-devel package contains developer documentation for developing
@ -116,7 +59,7 @@ make install DESTDIR=%{buildroot}
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sbindir}/realm
%dir %{_prefix}/lib/realmd
%{_prefix}/lib/realmd/realmd
%{_libexecdir}/realmd
%{_prefix}/lib/realmd/realmd-defaults.conf
%{_prefix}/lib/realmd/realmd-distro.conf
%{_unitdir}/realmd.service
@ -131,6 +74,9 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Fri Feb 19 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-1
- Updated to upstream 0.17.0
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
a8b3bf5692c4255298ae962a0c8813fa realmd-0.16.3.tar.gz
SHA512 (realmd-0.17.0.tar.gz) = 1bde6d97abc7c9b792889f9a35a17e0551af049865facd7db1a35981971a2c0ae1f60ab578d66f8662b33238936472d8afe3ec6b90dd9e148846b318d6f0a82b