import realmd-0.16.3-25.el8

SOURCES/0001-ldap-add-socket-timeout.patch

@@ -0,0 +1,78 @@
+From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 24 Nov 2021 17:25:18 +0100
+Subject: [PATCH] ldap: add socket timeout
+
+During the discovery phase realmd tries to open LDAP connections to
+multiple DC addresses returned by DNS. When cleaning up we have to call
+ldap_destroy() to release the resources allocated for the LDAP context.
+ldap_destroy() tries to send a LDAP unbind request independent of the
+connection state. If the related address is block by a firewall or a not
+properly routed IPv6 address there might be no reply on the TCP level
+and the request might be stuck for quite some tome in the kernel.
+
+To avoid the unexpected long delays will block realmd this patch lowers
+the timeout considerably to 5s. As multiple other timeouts this value is
+currently hardcoded.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
+---
+ service/realm-ldap.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
+index bdfb96c..f7b6d13 100644
+--- a/service/realm-ldap.c
++++ b/service/realm-ldap.c
+@@ -22,6 +22,7 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#include <netinet/tcp.h>
+ 
+ #include <errno.h>
+ 
+@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
+ 
+ /* Not included in ldap.h but documented */
+ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
++#define LDAP_SOCKET_TIMEOUT 5
+ 
+ GSource *
+ realm_ldap_connect_anonymous (GSocketAddress *address,
+@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ 	int opt_rc;
+ 	int ldap_opt_val;
+ 	const char *errmsg = NULL;
++	struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
++	unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
+ 
+ 	g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
+ 
+@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ 		if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
+ 			g_warning ("couldn't set to blocking");
+ 
++		/* Lower the kernel defaults which might be minutes to hours */
++		rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
++		                 &tv, sizeof (tv));
++		if (rc != 0) {
++			g_warning ("couldn't set SO_RCVTIMEO");
++		}
++		rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
++		                 &tv, sizeof (tv));
++		if (rc != 0) {
++			g_warning ("couldn't set SO_SNDTIMEO");
++		}
++		rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
++		                 &milli, sizeof (milli));
++		if (rc != 0) {
++			g_warning ("couldn't set TCP_USER_TIMEOUT");
++		}
++
+ 		if (family == G_SOCKET_FAMILY_IPV4) {
+ 			url = g_strdup_printf ("%s://%s:%d",
+ 			                       use_ldaps ? "ldaps" : "ldap",
+-- 
+2.34.1
+

SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch

@@ -0,0 +1,128 @@
+From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Dec 2021 15:32:32 +0100
+Subject: [PATCH] samba: use new Samba-4.15 command line options
+
+Samba-4.15 changed a couple of command line options of the net utility.
+This patch adds a configure option to select the new or the old style.
+If the option is not used configure tries to call the net utility to
+check for the options. If this fails the old style is used.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
+---
+ configure.ac                 | 34 ++++++++++++++++++++++++++++++++++
+ service/realm-samba-enroll.c | 18 +++++++++++++-----
+ 2 files changed, 47 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ea51f92..ddc25d0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
+ AC_SUBST(LDAP_LIBS)
+ AC_SUBST(LDAP_CFLAGS)
+ 
++# -------------------------------------------------------------------
++# Samba
++
++AC_ARG_WITH(new-samba-cli-options,
++	AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
++	               [Use new command line options introduced with Samba-4.15,
++	                if not provided the output of 'net help' is checked or old
++	                style options are used]))
++
++if test "$with_new_samba_cli_options" = "no"; then
++	AC_MSG_RESULT([Using old Samba command line options])
++elif test "$with_new_samba_cli_options" = "yes"; then
++	AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
++	                   [Use new command line options introduced with Samba-4.15])
++	AC_MSG_RESULT([Using new Samba command line options])
++else
++	AC_PATH_PROG([SAMBA_NET], [net])
++	if test ! -x "$SAMBA_NET"; then
++		AC_MSG_NOTICE([Could not find Samba's net utility, ]
++		              [assuming old style command line options, ]
++		              [please install the net utility for proper detection.])
++	else
++		AC_MSG_CHECKING([for --debug-stdout option of net])
++		if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
++			AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
++			                   [Use new command line options introduced with Samba-4.15])
++			AC_MSG_RESULT([yes])
++		else
++			AC_MSG_RESULT([no])
++		fi
++	fi
++fi
++
++
+ # -------------------------------------------------------------------
+ # Directories
+ 
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index 5624a08..8b2ee38 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -37,6 +37,14 @@
+ #include <sys/socket.h>
+ #include <netdb.h>
+ 
++#ifdef WITH_NEW_SAMBA_CLI_OPTS
++#define SMBCLI_KERBEROS "--use-kerberos=required"
++#define SMBCLI_CONF "--configfile"
++#else
++#define SMBCLI_KERBEROS "-k"
++#define SMBCLI_CONF "-s"
++#endif
++
+ typedef struct {
+ 	GDBusMethodInvocation *invocation;
+ 	gchar *join_args[8];
+@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
+ 	/* Use our custom smb.conf */
+ 	g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
+ 	if (join->custom_smb_conf) {
+-		g_ptr_array_add (args, "-s");
++		g_ptr_array_add (args, SMBCLI_CONF);
+ 		g_ptr_array_add (args, join->custom_smb_conf);
+ 	}
+ 
+@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
+ 	} else {
+ 		begin_net_process (join, NULL,
+ 		                   on_keytab_do_finish, g_object_ref (task),
+-		                   "-k", "ads", "keytab", "create", NULL);
++		                   SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
+ 	}
+ 
+ 	g_object_unref (task);
+@@ -428,7 +436,7 @@ begin_join (GTask *task,
+ 		begin_net_process (join, join->password_input,
+ 		                   on_join_do_keytab, g_object_ref (task),
+ 		                   "-U", join->user_name,
+-		                   "-k", "ads", "join", join->disco->domain_name,
++		                   SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
+ 		                   join->join_args[0], join->join_args[1],
+ 		                   join->join_args[2], join->join_args[3],
+ 		                   join->join_args[4], NULL);
+@@ -437,7 +445,7 @@ begin_join (GTask *task,
+ 	} else {
+ 		begin_net_process (join, NULL,
+ 		                   on_join_do_keytab, g_object_ref (task),
+-		                   "-k", "ads", "join", join->disco->domain_name,
++		                   SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
+ 		                   join->join_args[0], join->join_args[1],
+ 		                   join->join_args[2], join->join_args[3],
+ 		                   join->join_args[4], NULL);
+@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
+ 		join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
+ 		begin_net_process (join, NULL,
+ 		                   on_leave_complete, g_object_ref (task),
+-		                   "-k", "ads", "leave", NULL);
++		                   SMBCLI_KERBEROS, "ads", "leave", NULL);
+ 		break;
+ 	default:
+ 		g_return_if_reached ();
+-- 
+2.33.1
+

SOURCES/0001-syslog-avoid-duplicate-log-messages.patch

@@ -0,0 +1,38 @@
+From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 25 Nov 2021 14:36:10 +0100
+Subject: [PATCH] syslog: avoid duplicate log messages
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
+---
+ service/realm-diagnostics.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
+index 850b2e3..6aa5288 100644
+--- a/service/realm-diagnostics.c
++++ b/service/realm-diagnostics.c
+@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
+ 	while ((ptr = memchr (at, '\n', length)) != NULL) {
+ 		*ptr = '\0';
+ 		if (line_buffer && line_buffer->len > 0) {
++#ifdef WITH_JOURNAL
++			/* Call realm_daemon_syslog directly to add
++			 * REALMD_OPERATION to the jounrnal */
+ 			realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
++#else
+ 			g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
++#endif
+ 			g_string_set_size (line_buffer, 0);
+ 		} else {
++#ifdef WITH_JOURNAL
+ 			realm_daemon_syslog (operation, log_level, "%s", at);
++#else
+ 			g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
++#endif
+ 		}
+ 
+ 		*ptr = '\n';
+-- 
+2.33.1
+

SPECS/realmd.spec

@@ -1,6 +1,6 @@
 Name:		realmd
 Version:	0.16.3
-Release:	23%{?dist}
+Release:	25%{?dist}
 Summary:	Kerberos realm enrollment service
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/realmd/
@@ -67,6 +67,16 @@ Patch36:	0003-service-make-TLS-check-more-releaxed.patch
 Patch37:	0001-doc-add-computer-name-to-realm-man-page.patch
 Patch38:	0001-build-add-with-vendor-error-message-configure-option.patch
 
+# rhbz#2024248 - realmd logs are duplicated
+Patch39:	0001-syslog-avoid-duplicate-log-messages.patch
+
+# rhbz#2028528 - realm join needs to updated to use the command line options of
+#                Samba's net command
+Patch40:	0001-samba-use-new-Samba-4.15-command-line-options.patch
+
+# rhbz#2037864 - realmd operations hang if a DC is unreachable
+Patch41:	0001-ldap-add-socket-timeout.patch
+
 BuildRequires:	gcc
 BuildRequires:	automake
 BuildRequires:	autoconf
@@ -79,10 +89,14 @@ BuildRequires:	krb5-devel
 BuildRequires:	systemd-devel
 BuildRequires:	libxslt
 BuildRequires:	xmlto
+BuildRequires:	samba-common-tools
 BuildRequires:	%{_bindir}/python3
 
 Requires:	authselect
 Requires:	polkit
+# This build will use Samba's new command line options so it cannot be used
+# with older versions of Samba.
+Conflicts:	samba-common-tools < 4.15
 
 %description
 realmd is a DBus system service which manages discovery and enrollment in realms
@@ -104,6 +118,7 @@ applications that use %{name}.
 %build
 autoreconf -fi
 %configure --disable-silent-rules \
+    --with-new-samba-cli-options=yes \
 %if 0%{?rhel}
     --with-vendor-error-message='Please check\n    https://red.ht/support_rhel_ad \nto get help for common issues.' \
 %endif
@@ -149,6 +164,15 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 
 %changelog
+* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
+- add LDAP socket timeout
+ Resolves: rhbz#2037864
+
+* Wed Dec 15 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-24
+- Avoid duplicated log messages and use Samba's new CLI options
+  Resolves: rhbz#2024248
+  Resolves: rhbz#2028528
+
 * Tue May 11 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-23
 - Add restart macro and vendor message to spec file
   Resolves: rhbz#1926046