import realmd-0.16.3-18.el8

CentOS Sources 2020-04-23 22:58:02 +00:00 committed by Andrew Lukoshko
commit a7a6867afc
24 changed files with 3718 additions and 0 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
SOURCES/realmd-0.16.3.tar.gz

1
.realmd.metadata Normal file

@ -0,0 +1 @@
0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz


@ -0,0 +1,113 @@
From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 16:44:39 +0200
Subject: [PATCH] Change qualified names default for IPA
In a FreeIPA domain it is typically expected that the IPA accounts use
sort names while accounts from trusted domains have fully qualified
names. This is automatically done by SSSD's IPA provider so there is no
need to force fully qualified names in the SSSD configuration.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
---
service/realm-options.c | 9 +++++----
service/realm-options.h | 3 ++-
service/realm-samba-winbind.c | 2 +-
service/realm-sssd-ad.c | 2 +-
service/realm-sssd-ipa.c | 2 +-
5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/service/realm-options.c b/service/realm-options.c
index bd804ea..34a209f 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
if (realm_name && !option) {
section = g_utf8_casefold (realm_name, -1);
- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
+ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
g_free (section);
}
@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
gboolean mapping;
section = g_utf8_casefold (realm_name, -1);
- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
+ mapping = realm_settings_boolean (section, "automatic-join", FALSE);
g_free (section);
return mapping;
}
gboolean
-realm_options_qualify_names (const gchar *realm_name)
+realm_options_qualify_names (const gchar *realm_name,
+ gboolean def)
{
gchar *section;
gboolean qualify;
section = g_utf8_casefold (realm_name, -1);
- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
+ qualify = realm_settings_boolean (section, "fully-qualified-names", def);
g_free (section);
return qualify;
diff --git a/service/realm-options.h b/service/realm-options.h
index 7a1355e..b71d219 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options,
gboolean realm_options_automatic_mapping (GVariant *options,
const gchar *realm_name);
-gboolean realm_options_qualify_names (const gchar *realm_name);
+gboolean realm_options_qualify_names (const gchar *realm_name,
+ gboolean def);
gboolean realm_options_check_domain_name (const gchar *domain_name);
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index 9335e26..61988eb 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
"winbind enum groups", "no",
"winbind offline logon", "yes",
"winbind refresh tickets", "yes",
- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
+ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
"template shell", realm_settings_string ("users", "default-shell"),
NULL);
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 8543ca8..de7ce30 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
gchar *home;
home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
- qualify = realm_options_qualify_names (disco->domain_name);
+ qualify = realm_options_qualify_names (disco->domain_name, TRUE);
shell = realm_settings_string ("users", "default-shell");
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
realmd_tags = g_string_new ("");
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index ff1dc8a..5029f6b 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
realm_sssd_config_update_domain (config, domain, &error,
"cache_credentials", "True",
- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
+ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
"krb5_store_password_if_offline", "True",
"default_shell", shell,
"fallback_homedir", home,
--
2.17.1
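Review bot: The new `def` parameter of `realm_options_qualify_names` is undocumented, and the call sites in realm-samba-winbind.c, realm-sssd-ad.c and realm-sssd-ipa.c pass a bare `TRUE` or `FALSE` whose meaning is not obvious when read on its own. I would add a comment above the prototype in service/realm-options.h, `/* def: value returned when fully-qualified-names is not set in the realm's section */`. The three functions in realm-options.c also now look the setting up under the casefolded `section` instead of `realm_name`; whether the settings loader normalises section names the same way is not visible here and is worth confirming, since a mismatch would silently fall back to the default.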


@ -0,0 +1,150 @@
From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 31 May 2018 16:16:08 +0200
Subject: [PATCH] Find NetBIOS name in keytab while leaving
If realmd is used with Samba as membership software, i.e. Samba's net
utility, the NetBIOS name must be known when leaving a domain. The most
reliable way to find it is by searching the keytab for NAME$@REALM type
entries and use the NAME as the NetBIOS name.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
---
service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
service/realm-kerberos.h | 2 ++
service/realm-samba-enroll.c | 13 ++++++---
3 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 54d1ed7..d6d109f 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
return ret;
}
+
+gchar *
+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
+{
+ krb5_error_code code;
+ krb5_keytab keytab = NULL;
+ krb5_context ctx;
+ krb5_kt_cursor cursor = NULL;
+ krb5_keytab_entry entry;
+ krb5_principal realm_princ = NULL;
+ gchar *princ_name = NULL;
+ gchar *netbios_name = NULL;
+ krb5_data *name_data;
+
+ code = krb5_init_context (&ctx);
+ if (code != 0) {
+ return NULL;
+ }
+
+ princ_name = g_strdup_printf ("user@%s", realm_name);
+ code = krb5_parse_name (ctx, princ_name, &realm_princ);
+ g_free (princ_name);
+
+ if (code == 0) {
+ code = krb5_kt_default (ctx, &keytab);
+ }
+
+ if (code == 0) {
+ code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
+ }
+
+ if (code == 0) {
+ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
+ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
+ name_data = krb5_princ_component (ctx, entry.principal, 0);
+ if (name_data != NULL
+ && name_data->length > 0
+ && name_data->data[name_data->length - 1] == '$') {
+ netbios_name = g_strndup (name_data->data, name_data->length - 1);
+ if (netbios_name == NULL) {
+ code = krb5_kt_free_entry (ctx, &entry);
+ warn_if_krb5_failed (ctx, code);
+ break;
+ }
+ }
+ }
+ code = krb5_kt_free_entry (ctx, &entry);
+ warn_if_krb5_failed (ctx, code);
+ }
+ }
+
+ code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
+ warn_if_krb5_failed (ctx, code);
+
+ code = krb5_kt_close (ctx, keytab);
+ warn_if_krb5_failed (ctx, code);
+
+ krb5_free_principal (ctx, realm_princ);
+
+ krb5_free_context (ctx);
+
+ return netbios_name;
+
+}
diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
index 0447e4d..58cfe07 100644
--- a/service/realm-kerberos.h
+++ b/service/realm-kerberos.h
@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self,
gboolean realm_kerberos_flush_keytab (const gchar *realm_name,
GError **error);
+gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
+
const gchar * realm_kerberos_get_name (RealmKerberos *self);
const gchar * realm_kerberos_get_realm_name (RealmKerberos *self);
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 76e7b79..03f56d0 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -85,7 +85,8 @@ static JoinClosure *
join_closure_init (GTask *task,
RealmDisco *disco,
GVariant *options,
- GDBusMethodInvocation *invocation)
+ GDBusMethodInvocation *invocation,
+ gboolean do_join)
{
JoinClosure *join;
gchar *workgroup;
@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
else if (disco->explicit_netbios)
authid = disco->explicit_netbios;
+ /* try to get the NetBIOS name from the keytab as last option while
+ * leaving the domain */
+ if (authid == NULL && !do_join) {
+ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
+ }
+
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
"security", "ads",
@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
g_return_if_fail (cred != NULL);
task = g_task_new (NULL, NULL, callback, user_data);
- join = join_closure_init (task, disco, options, invocation);
+ join = join_closure_init (task, disco, options, invocation, TRUE);
explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
if (explicit_computer_name != NULL) {
realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
JoinClosure *join;
task = g_task_new (NULL, NULL, callback, user_data);
- join = join_closure_init (task, disco, options, invocation);
+ join = join_closure_init (task, disco, options, invocation, FALSE);
switch (cred->type) {
case REALM_CREDENTIAL_PASSWORD:
--
2.14.4
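Review bot: The cleanup at the end of `realm_kerberos_get_netbios_name_from_keytab` runs unconditionally, so when `krb5_parse_name`, `krb5_kt_default` or `krb5_kt_start_seq_get` fails, `krb5_kt_end_seq_get` and `krb5_kt_close` are still called with `keytab` at its initial NULL or with a cursor that was never started; depending on the Kerberos library this is likely a NULL dereference inside the service. The loop condition also calls `krb5_kt_next_entry` before testing `netbios_name == NULL`, so once a name has been found one more entry is fetched and never passed to `krb5_kt_free_entry`. In service/realm-samba-enroll.c the returned string is allocated with `g_strndup` and assigned to `authid`; its declaration and release are outside the hunk, so ownership should be checked there. The sketch below guards the cleanup and reorders the loop condition.

```c
	/* … unchanged: krb5_init_context, krb5_parse_name, krb5_kt_default … */

	if (code == 0) {
		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
		if (code == 0) {
			/* test netbios_name first so no extra entry is fetched and left unfreed */
			while (netbios_name == NULL && !krb5_kt_next_entry (ctx, keytab, &entry, &cursor)) {
				/* … unchanged: realm compare, trailing '$' check, krb5_kt_free_entry … */
			}

			/* only end a sequence that was actually started */
			code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
			warn_if_krb5_failed (ctx, code);
		}
	}

	if (keytab != NULL) {
		code = krb5_kt_close (ctx, keytab);
		warn_if_krb5_failed (ctx, code);
	}

	/* … unchanged: krb5_free_principal, krb5_free_context, return … */
```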


@ -0,0 +1,42 @@
From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 14:09:48 +0200
Subject: [PATCH] Fix issues found by Coverity
---
service/realm-kerberos.c | 5 ++++-
service/realm-packages.c | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index d6d109f..252e256 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
if (name == NULL)
break;
value = va_arg (va, const gchar *);
- g_return_if_fail (value != NULL);
+ if (value == NULL) {
+ va_end (va);
+ g_return_if_reached ();
+ }
values[0] = g_variant_new_string (name);
values[1] = g_variant_new_string (value);
diff --git a/service/realm-packages.c b/service/realm-packages.c
index 9a6984c..5976439 100644
--- a/service/realm-packages.c
+++ b/service/realm-packages.c
@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
g_ptr_array_add (packages, NULL);
*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
} else {
- g_ptr_array_free (files, TRUE);
+ g_ptr_array_free (packages, TRUE);
}
if (result_files) {
--
2.17.1
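Review bot: In `realm_kerberos_set_details` the new branch relies on `g_return_if_reached ()` to leave the function, but GLib compiles that macro to nothing when `G_DISABLE_CHECKS` is defined. Execution would then continue to `g_variant_new_string (value)` with a NULL `value` and keep reading `va` after `va_end`. An explicit exit keeps the fix independent of build flags: `va_end (va); g_warn_if_reached (); return;`. Anything the function allocated before the loop is outside the hunk, so whether this early exit leaks it cannot be judged from here.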


@ -0,0 +1,24 @@
From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Jul 2016 19:06:29 +0200
Subject: [PATCH] Fix man page reference in systemd service file
---
dbus/realmd.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
index b3bcf7a..64c1090 100644
--- a/dbus/realmd.service.in
+++ b/dbus/realmd.service.in
@@ -1,6 +1,6 @@
[Unit]
Description=Realm and Domain Configuration
-Documentation=man:realmd(8)
+Documentation=man:realm(8)
[Service]
Type=dbus
--
2.7.4


@ -0,0 +1,62 @@
From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Sep 2018 13:04:47 +0200
Subject: [PATCH] IPA: do not call sssd-enable-logins
It is expected that ipa-client-install will do all PAM and NSS
configuration. To avoid changing IPA default realmd will not try to
update the related configuration.
---
service/realm-sssd-ipa.c | 24 +-----------------------
1 file changed, 1 insertion(+), 23 deletions(-)
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 5029f6b..70f8b0e 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
g_free (enroll);
}
-static void
-on_enable_nss_done (GObject *source,
- GAsyncResult *result,
- gpointer user_data)
-{
- GTask *task = G_TASK (user_data);
- GError *error = NULL;
- gint status;
-
- status = realm_command_run_finish (result, NULL, &error);
- if (error == NULL && status != 0)
- g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
- _("Enabling SSSD in nsswitch.conf and PAM failed."));
- if (error != NULL)
- g_task_return_error (task, error);
- else
- g_task_return_boolean (task, TRUE);
- g_object_unref (task);
-}
-
static void
on_restart_done (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
GTask *task = G_TASK (user_data);
- EnrollClosure *enroll = g_task_get_task_data (task);
RealmSssd *sssd = g_task_get_source_object (task);
GError *error = NULL;
realm_service_enable_and_restart_finish (result, &error);
if (error == NULL) {
realm_sssd_update_properties (sssd);
- realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
- on_enable_nss_done, g_object_ref (task));
+ g_task_return_boolean (task, TRUE);
} else {
g_task_return_error (task, error);
}
--
2.17.1


@ -0,0 +1,112 @@
From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Dec 2016 18:25:44 +0100
Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
---
service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
index 2b3a0f8..1477ae8 100644
--- a/service/realm-kerberos-provider.c
+++ b/service/realm-kerberos-provider.c
@@ -19,6 +19,7 @@
#include "realm-kerberos-provider.h"
#include <errno.h>
+#include <string.h>
struct _RealmKerberosProvider {
RealmProvider parent;
@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
}
+typedef struct {
+ gchar *name;
+ const char *prot;
+} NameProtPair;
+
+static void
+name_prot_pair_free (gpointer data)
+{
+ NameProtPair *name_prot_pair = data;
+ g_free (name_prot_pair->name);
+ g_free (name_prot_pair);
+}
+
static void
on_kerberos_discover (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
GTask *task = G_TASK (user_data);
- const gchar *domain = g_task_get_task_data (task);
+ NameProtPair *name_prot_pair = g_task_get_task_data (task);
GError *error = NULL;
RealmDisco *disco;
GList *targets;
+ GResolver *resolver;
targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
if (targets) {
g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
- disco = realm_disco_new (domain);
- disco->kerberos_realm = g_ascii_strup (domain, -1);
+ disco = realm_disco_new (name_prot_pair->name);
+ disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
g_task_return_pointer (task, disco, realm_disco_unref);
} else if (error) {
- g_debug ("Resolving %s failed: %s", domain, error->message);
+ g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
g_error_free (error);
- g_task_return_pointer (task, NULL, NULL);
+
+ if (strcmp (name_prot_pair->prot, "tcp") == 0) {
+ g_task_return_pointer (task, NULL, NULL);
+ } else {
+ /* Try tcp */
+ name_prot_pair->prot = "tcp";
+ resolver = g_resolver_get_default ();
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
+ name_prot_pair->name,
+ g_task_get_cancellable (task),
+ on_kerberos_discover, g_object_ref (task));
+ g_object_unref (resolver);
+ }
}
g_object_unref (task);
@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
GTask *task;
const gchar *software;
GResolver *resolver;
- gchar *name;
+ NameProtPair *name_prot_pair;
task = g_task_new (provider, NULL, callback, user_data);
@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
g_task_return_pointer (task, NULL, NULL);
} else {
- name = g_hostname_to_ascii (string);
+ name_prot_pair = g_new0 (NameProtPair, 1);
+ name_prot_pair->name = g_hostname_to_ascii (string);
+ name_prot_pair->prot = "udp";
resolver = g_resolver_get_default ();
- g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
+ name_prot_pair->name,
realm_invocation_get_cancellable (invocation),
on_kerberos_discover, g_object_ref (task));
- g_task_set_task_data (task, name, g_free);
+ g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
g_object_unref (resolver);
}
--
2.9.3
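Review bot: `name_prot_pair->name = g_hostname_to_ascii (string);` in `realm_kerberos_provider_discover_async` is used without a NULL check, and `g_hostname_to_ascii` returns NULL for a name it cannot convert. The string appears to come from the discovery request, so a malformed name would reach `g_resolver_lookup_service_async` as a NULL domain; GLib's precondition check is expected to reject that call without ever invoking `on_kerberos_discover`, leaving the task and its extra reference pending. I would handle it before the lookup, e.g. `if (name_prot_pair->name == NULL) { name_prot_pair_free (name_prot_pair); g_task_return_pointer (task, NULL, NULL); }` with the lookup moved into the `else`. Separately, in `on_kerberos_discover` the case where the finish call yields neither targets nor an error completes nothing on the task. Both functions extend beyond the hunks shown.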


@ -0,0 +1,41 @@
From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 25 Nov 2016 17:35:11 +0100
Subject: [PATCH] LDAP: don't close LDAP socket twice
ldap_destroy() will call close() on the LDAP socket so with an explicit
close() before the file descriptor will be closed twice. Even worse,
since the file descriptor can be reused after the explicit call of
close() by any other thread the close() called from ldap_destroy() might
close a file descriptor used by a different thread as seen e.g. in
https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
Additionally the patch makes sure that the closed connection cannot be
used again.
https://bugzilla.redhat.com/show_bug.cgi?id=1398522
---
service/realm-ldap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 061ed61..59817fb 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
{
LdapSource *ls = (LdapSource *)source;
- /* Yeah, this is pretty rough, but we don't want blocking here */
- close (ls->sock);
ldap_destroy (ls->ldap);
+ ls->sock = -1;
+ ls->ldap = NULL;
+
if (ls->cancellable) {
g_cancellable_release_fd (ls->cancellable);
g_object_unref (ls->cancellable);
--
2.9.3
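Review bot: `ldap_source_finalize` is left with no comment explaining why the socket is not closed explicitly, and the removed comment was the only hint about descriptor handling at this point. Since re-adding `close (ls->sock)` would bring back the double close and the descriptor-reuse race described in the commit message, I would put `/* ldap_destroy() closes the socket; closing ls->sock here would close it twice */` above the `ldap_destroy (ls->ldap);` call. The function continues past the end of the hunk.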


@ -0,0 +1,185 @@
From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 30 May 2018 13:10:57 +0200
Subject: [PATCH] Use current idmap options for smb.conf
Samba change some time ago the way how to configure id-mapping. With
this patch realmd will use the current supported options when creating
smb.conf.
A new option --legacy-samba-config is added to use the old options if
realmd is used with Samba 3.5 or earlier.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
---
dbus/realm-dbus-constants.h | 1 +
doc/manual/realmd.conf.xml | 17 ++++++++++++
service/realm-samba-enroll.c | 2 +-
service/realm-samba-enroll.h | 3 +++
service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
5 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index 9cd30ef..40ffa2d 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -69,6 +69,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name"
#define REALM_DBUS_OPTION_OS_NAME "os-name"
#define REALM_DBUS_OPTION_OS_VERSION "os-version"
+#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 7853230..a2b577c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -192,6 +192,23 @@ automatic-install = no
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>legacy-samba-config</option></term>
+ <listitem>
+ <para>Set this to <parameter>yes</parameter> to create a Samba
+ configuration file with id-mapping options used by Samba-3.5
+ and earlier version.</para>
+
+ <informalexample>
+<programlisting language="js">
+[service]
+legacy-samba-config = no
+# legacy-samba-config = yes
+</programlisting>
+ </informalexample>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index c81aed2..76e7b79 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
g_free (join);
}
-static gchar *
+gchar *
fallback_workgroup (const gchar *realm)
{
const gchar *pos;
diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
index 84e8b2f..310ec65 100644
--- a/service/realm-samba-enroll.h
+++ b/service/realm-samba-enroll.h
@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco,
gboolean realm_samba_enroll_leave_finish (GAsyncResult *result,
GError **error);
+gchar *
+fallback_workgroup (const gchar *realm);
+
G_END_DECLS
#endif /* __REALM_SAMBA_ENROLL_H__ */
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index a7ddec3..9335e26 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -21,8 +21,10 @@
#include "realm-options.h"
#include "realm-samba-config.h"
#include "realm-samba-winbind.h"
+#include "realm-samba-enroll.h"
#include "realm-settings.h"
#include "realm-service.h"
+#include "dbus/realm-dbus-constants.h"
#include <glib/gstdio.h>
@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
RealmIniConfig *pwc;
GTask *task;
GError *error = NULL;
+ gchar *workgroup = NULL;
+ gchar *idmap_config_backend = NULL;
+ gchar *idmap_config_range = NULL;
+ gchar *idmap_config_schema_mode = NULL;
g_return_if_fail (config != NULL);
g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
"template shell", realm_settings_string ("users", "default-shell"),
NULL);
- if (realm_options_automatic_mapping (options, domain_name)) {
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
- "idmap uid", "10000-2000000",
- "idmap gid", "10000-2000000",
- "idmap backend", "tdb",
- "idmap schema", NULL,
- NULL);
+ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
+ if (realm_options_automatic_mapping (options, domain_name)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "10000-2000000",
+ "idmap gid", "10000-2000000",
+ "idmap backend", "tdb",
+ "idmap schema", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "500-4294967296",
+ "idmap gid", "500-4294967296",
+ "idmap backend", "ad",
+ "idmap schema", "rfc2307",
+ NULL);
+ }
} else {
- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
- "idmap uid", "500-4294967296",
- "idmap gid", "500-4294967296",
- "idmap backend", "ad",
- "idmap schema", "rfc2307",
- NULL);
+ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
+ if (workgroup == NULL) {
+ workgroup = fallback_workgroup (domain_name);
+ }
+ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
+ g_free (workgroup);
+
+ if (realm_options_automatic_mapping (options, domain_name)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap config * : backend", "tdb",
+ "idmap config * : range", "10000-999999",
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap config * : backend", "tdb",
+ "idmap config * : range", "10000000-10999999",
+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
+ NULL);
+ }
}
realm_ini_config_finish_change (config, &error);
+ g_free (idmap_config_backend);
+ g_free (idmap_config_range);
}
/* Setup pam_winbind.conf with decent defaults matching our expectations */
--
2.14.4
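Review bot: `idmap_config_schema_mode` is allocated with `g_strdup_printf` in `realm_samba_winbind_configure_async`, but only `idmap_config_backend` and `idmap_config_range` are released after `realm_ini_config_finish_change`, so it leaks on every non-legacy configure; add `g_free (idmap_config_schema_mode);` next to the other two. When no workgroup can be determined the code writes `idmap config PLEASE_REPLACE : …` keys into smb.conf without any diagnostic, which leaves the domain's id-mapping unconfigured in a way the administrator only finds later; a `realm_diagnostics_info` message, or failing the operation, would make that visible. The `!= NULL` fallbacks on the three key strings look unreachable, because `g_strdup_printf` does not return NULL. `fallback_workgroup` is also exported from realm-samba-enroll.h without the `realm_` prefix that the other declarations there use.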


@ -0,0 +1,32 @@
From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 28 Nov 2019 18:51:30 +0100
Subject: [PATCH] configure: do not inherit DISTRO from the environment
The argument of the --with-distro configure option is stored in the
variable DISTRO. If DISTRO is already set in the build environment it
should not be used hence DISTRO must be cleared by the configure script
if not set by --with-distro.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
---
configure.ac | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e335247..a424a49 100644
--- a/configure.ac
+++ b/configure.ac
@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
[AS_HELP_STRING([--with-distro],
[Configure for a specific distribution (eg: redhat)]
)],
- [DISTRO=$withval])
+ [DISTRO=$withval],
+ [DISTRO=])
if test -z $DISTRO; then
AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
--
2.21.0
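Review bot: `[DISTRO=$withval]` accepts whatever configure passes, and for a bare `--with-distro` or `--without-distro` autoconf sets `withval` to `yes` or `no`, which would then be treated as a distribution name and skip the `/etc/redhat-release` detection. Mapping those two values to the empty string, e.g. `[AS_CASE([$withval], [yes|no], [DISTRO=], [DISTRO=$withval])]`, keeps autodetection working. The following `if test -z $DISTRO` is also unquoted; `test -z "$DISTRO"` is safer for values containing spaces.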


@ -0,0 +1,158 @@
From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 6 Feb 2017 12:25:52 +0100
Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual
page
And clean up the documentation for the various arguments.
---
doc/manual/realm.xml | 70 +++++++++++++++++++++++---------------------
1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 6724d80..9d9136a 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -60,7 +60,7 @@
<variablelist>
<varlistentry>
- <term><option>--install=/path</option></term>
+ <term><option>-i</option>, <option>--install=/path</option></term>
<listitem><para>Run in install mode. This makes realmd
chroot into the specified directory and place files in
appropriate locations for use during an installer. No
@@ -73,7 +73,7 @@
for input.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--verbose, -v</option></term>
+ <term><option>-v</option>, <option>--verbose</option></term>
<listitem><para>Display verbose diagnostics while doing
running commands.</para></listitem>
</varlistentry>
@@ -105,7 +105,7 @@ $ realm discover domain.example.com
<variablelist>
<varlistentry>
- <term><option>--all</option></term>
+ <term><option>-a</option>, <option>--all</option></term>
<listitem><para>Show all discovered realms (in various
configurations).</para></listitem>
</varlistentry>
@@ -116,6 +116,10 @@ $ realm discover domain.example.com
<replaceable>sssd</replaceable> or
<replaceable>winbind</replaceable>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-n</option>, <option>--name</option></term>
+ <listitem><para>Only show the names of the discovered realms.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--server-software=xxx</option></term>
<listitem><para>Only discover realms which run the
@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
in the domain already.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user=xxx</option></term>
- <listitem><para>The user name to be used to authenticate
- with when joining the machine to the realm. You will
- be prompted for a password.</para></listitem>
+ <term><option>--client-software=xxx</option></term>
+ <listitem><para>Only join realms for which we can
+ use the given client software. Possible values include
+ <replaceable>sssd</replaceable> or
+ <replaceable>winbind</replaceable>. Not all values are
+ supported for all realms. By default the client software
+ is automatically selected.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--computer-ou=OU=xxx</option></term>
@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
DSE portion of distinguished name. This is an Active
Directory specific option.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--membership-software=xxx</option></term>
+ <listitem><para>The software to use when joining to the
+ realm. Possible values include <replaceable>samba</replaceable> or
+ <replaceable>adcli</replaceable>. Not all values are
+ supported for all realms. By default the membership software
+ is automatically selected.</para></listitem>
+ </varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Perform the join automatically without
@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
all types of realms.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--client-software=xxx</option></term>
- <listitem><para>Only join realms for which we can
- use the given client software. Possible values include
- <replaceable>sssd</replaceable> or
- <replaceable>winbind</replaceable>. Not all values are
- supported for all realms. By default the client software
- is automatically selected.</para></listitem>
+ <term><option>--os-name=xxx</option></term>
+ <listitem><para>The name of the operation system of the
+ client. When joining an AD domain the value is store in
+ the matching AD attribute.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--os-version=xxx</option></term>
+ <listitem><para>The version of the operation system of the
+ client. When joining an AD domain the value is store in
+ the matching AD attribute.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--server-software=xxx</option></term>
@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
<replaceable>ipa</replaceable>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--membership-software=xxx</option></term>
- <listitem><para>The software to use when joining to the
- realm. Possible values include <replaceable>samba</replaceable> or
- <replaceable>adcli</replaceable>. Not all values are
- supported for all realms. By default the membership software
- is automatically selected.</para></listitem>
+ <term><option>-U</option>, <option>--user=xxx</option></term>
+ <listitem><para>The user name to be used to authenticate
+ with when joining the machine to the realm. You will
+ be prompted for a password.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
the value for this option, then a principal will be set
in the form of <literal>host/shortname@REALM</literal></para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--os-name=xxx</option></term>
- <listitem><para>The name of the operation system of the
- client. When joining an AD domain the value is store in
- the matching AD attribute.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><option>--os-version=xxx</option></term>
- <listitem><para>The version of the operation system of the
- client. When joining an AD domain the value is store in
- the matching AD attribute.</para></listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -300,7 +304,7 @@ $ realm leave domain.example.com
for a pasword.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user</option></term>
+ <term><option>-U</option>, <option>--user</option></term>
<listitem><para>The user name to be used to authenticate
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
--
2.21.0


@ -0,0 +1,104 @@
From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 21:57:02 +0100
Subject: [PATCH] doc: extend description of config handling
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005
---
doc/manual/Makefile.am | 8 ++++++++
doc/manual/realmd.conf.xml | 15 +++++++++++----
doc/privatedir.xml.in | 1 +
4 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644 doc/privatedir.xml.in
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index 8b33fdd..9812c45 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -1,14 +1,20 @@
+XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc
man8_MANS += \
doc/manual/realm.8
man5_MANS += \
doc/manual/realmd.conf.5
+$(man5_MANS): doc/privatedir.xml
+
MAN_IN_FILES = \
$(man8_MANS:.8=.xml) \
$(man5_MANS:.5=.xml) \
$(NULL)
+doc/privatedir.xml: doc/privatedir.xml.in
+ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@
+
MANUAL_DOCBOOK = doc/manual/realmd-docs.xml
MANUAL_INCLUDES = \
@@ -41,6 +47,7 @@ MANUAL_XSLT = \
$(NULL)
EXTRA_DIST += \
+ doc/privatedir.xml.in \
$(MANUAL_DOCBOOK) \
$(MANUAL_INCLUDES) \
$(MAN_IN_FILES) \
@@ -50,6 +57,7 @@ EXTRA_DIST += \
CLEANFILES += \
realmd-org.freedesktop.realmd.generated \
+ doc/privatedir.xml \
$(DBUS_DOC_GENERATED) \
$(DBUS_ESCAPED) \
$(man8_MANS) \
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 1592291..9062252 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -1,6 +1,9 @@
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+[
+<!ENTITY privatedir SYSTEM "privatedir.xml">
+]>
<refentry id="realmd-conf">
@@ -35,7 +38,9 @@
to act in specific ways. This is done by placing settings in a
<filename>/etc/realmd.conf</filename>. This file does not exist by
default. The syntax of this file is the same as an INI file or
- Desktop Entry file.</para>
+ Desktop Entry file. If the file is changed and
+ <command>realmd</command> is running <command>realmd</command> must be
+ restarted to read the new values.</para>
<para>In general, settings in this file only apply at the point of
joining a domain or realm. Once the realm has been setup the settings
@@ -46,8 +51,10 @@
<para>Only specify the settings you wish to override in the
<filename>/etc/realmd.conf</filename> file. Settings not specified will
- be loaded from their packaged defaults. Only override the settings
- below. You may find other settings if you look through the
+ be loaded from their packaged defaults which can be found in
+ <filename>&privatedir;/realmd-defaults.conf</filename> and
+ <filename>&privatedir;/realmd-distro.conf</filename>. Only override the
+ settings below. You may find other settings if you look through the
<command>realmd</command> source code. However these are not guaranteed
to remain stable.</para>
diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in
new file mode 100644
index 0000000..7f71afe
--- /dev/null
+++ b/doc/privatedir.xml.in
@@ -0,0 +1 @@
+@privatedir@
\ No newline at end of file
--
2.21.0


@ -0,0 +1,75 @@
From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:10:03 +0100
Subject: [PATCH] doc: extend user-principal section
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814
---
doc/manual/realm.xml | 21 +++++++++++++++++++--
doc/manual/realmd.conf.xml | 15 ++++++++++-----
2 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 7b73331..55a7640 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
- <listitem><para>Set the userPrincipalName field of the
+ <listitem><para>Set the
+ <option>userPrincipalName</option> field of the
computer account to this kerberos principal. If you omit
the value for this option, then a principal will be set
- in the form of <literal>host/shortname@REALM</literal></para></listitem>
+ based on the defaults of the membership software.</para>
+ <para>AD makes a distinction between user and service
+ principals. Only with user principals you can request a
+ Kerberos Ticket-Granting-Ticket (TGT), i.e. only user
+ principals can be used with the <command>kinit</command>
+ command. By default the user principal and the canonical
+ principal name of an AD computer account is
+ <code>shortname$@AD.DOMAIN</code>, where shortname is
+ the NetBIOS name which is limited to 15 characters.</para>
+ <para>If there are applications which are not aware of
+ the AD default and are using a hard-coded default
+ principal the <option>--user-principal</option> can be
+ used to make AD aware of this principal. Please note
+ that <option>userPrincipalName</option> is a single
+ value LDAP attribute, i.e. only one alternative user
+ principal besides the AD default user principal can be
+ set.</para></listitem>
</varlistentry>
</variablelist>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index f0b0879..a26a60c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -365,12 +365,17 @@ computer-name = SERVER01
</listitem>
</varlistentry>
<varlistentry>
- <term><option>user-prinicpal</option></term>
+ <term><option>user-principal</option></term>
<listitem>
- <para>Set the <option>user-prinicpal</option> to <code>yes</code>
- to create <option>userPrincipalName</option> attributes for the
- computer account in the realm, in the form
- <code>host/computer@REALM</code></para>
+ <para>Set the <option>user-principal</option> to <code>yes</code>
+ to create <option>userPrincipalName</option> attribute for the
+ computer accounts in the realm. The exact value depends on the
+ defaults of the used membership software. To have full control
+ over the value please use the
+ <option>--user-principal</option> option of the
+ <command>realm</command> command, see
+ <citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> for details.</para>
<informalexample>
<programlisting language="js">
--
2.21.0


@ -0,0 +1,26 @@
From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:49:15 +0100
Subject: [PATCH 1/2] doc: fix discover name-only
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
---
doc/manual/realmd.conf.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index a26a60c..fc6a785 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
<informalexample>
<screen>
-$ <command>realm discover --name DOMAIN.example.com</command>
+$ <command>realm discover --name-only DOMAIN.example.com</command>
domain.example.com
...
</screen>
--
2.21.0



@ -0,0 +1,96 @@
From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Fri, 28 Oct 2016 20:27:48 +0200
Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
After adding a domain to sssd.conf add the nss and pam services
to the [sssd] block.
https://bugs.freedesktop.org/show_bug.cgi?id=98479
---
service/realm-sssd-ad.c | 3 +++
service/realm-sssd-config.c | 2 --
service/realm-sssd-ipa.c | 3 +++
tests/test-sssd-config.c | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 5ed384d..5fa81ce 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
gboolean use_adcli,
GError **error)
{
+ const gchar *services[] = { "nss", "pam", NULL };
GString *realmd_tags;
const gchar *access_provider;
const gchar *shell;
@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
"ldap_sasl_authid", authid,
NULL);
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+
g_free (authid);
g_string_free (realmd_tags, TRUE);
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
index 2096afd..d4398b9 100644
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
g_strfreev (already);
/* Setup a default sssd section */
- if (!realm_ini_config_have (config, "section", "services"))
- realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index b12136e..001870d 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
GAsyncResult *result,
gpointer user_data)
{
+ const gchar *services[] = { "nss", "pam", NULL };
GTask *task = G_TASK (user_data);
EnrollClosure *enroll = g_task_get_task_data (task);
RealmSssd *sssd = g_task_get_source_object (task);
@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
"realmd_tags", realmd_tags,
NULL);
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+
g_free (home);
}
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 59eab75..892b9d5 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -140,7 +140,7 @@ static void
test_add_domain_only (Test *test,
gconstpointer unused)
{
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
--
2.9.3


@ -0,0 +1,98 @@
From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 25 Apr 2017 07:20:17 +0200
Subject: [PATCH] service: Add "pam" and "nss" services in
realm_sssd_config_add_domain()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
realm_sssd_config_add_domain() must setup the services line in sssd.conf
otherwise SSSD won't be able to start any of its services.
It's a regression caused by 402cbab which leaves SSSD with no services
line when joining to an ad client doing "realm join ad.example".
https://bugs.freedesktop.org/show_bug.cgi?id=98479
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
service/realm-sssd-ad.c | 3 ++-
service/realm-sssd-config.c | 2 ++
service/realm-sssd-ipa.c | 3 ++-
tests/test-sssd-config.c | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 5fa81ce..8543ca8 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
"ldap_sasl_authid", authid,
NULL);
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ if (ret)
+ ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
g_free (authid);
g_string_free (realmd_tags, TRUE);
diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
index d4398b9..140d7dc 100644
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
gchar **already;
gboolean ret;
gchar *section;
+ const gchar *services[] = { "nss", "pam", NULL };
va_list va;
gint i;
@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
g_strfreev (already);
/* Setup a default sssd section */
+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
if (!realm_ini_config_have (config, "sssd", "config_file_version"))
realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index 001870d..ff1dc8a 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
"realmd_tags", realmd_tags,
NULL);
- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ if (error == NULL)
+ realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
g_free (home);
}
diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
index 892b9d5..59eab75 100644
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@ test_add_domain (Test *test,
gconstpointer unused)
{
const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
@@ -140,7 +140,7 @@ static void
test_add_domain_only (Test *test,
gconstpointer unused)
{
- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
GError *error = NULL;
gchar *output;
gboolean ret;
--
2.9.3
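Review bot: The restored expectations in tests/test-sssd-config.c only exercise input whose `[sssd]` section has no `services` line, so as far as the visible tests show nothing pins that the new `realm_ini_config_set_list_diff` call in `realm_sssd_config_add_domain` merges into an existing list instead of replacing it. A case whose input already names another service (constructed example: `"[sssd]\nservices = nss, sudo\ndomains=one"`) and whose expected output still contains it would guard against a join silently dropping responders an administrator had configured. The same `{ "nss", "pam", NULL }` array is now defined in realm-sssd-ad.c, realm-sssd-ipa.c and realm-sssd-config.c, and a single shared definition would keep the three in step. All three functions start and end outside the hunks shown.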


@ -0,0 +1,30 @@
From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 21 Feb 2020 14:06:16 +0100
Subject: [PATCH] service: use "kerberos method" "secrets and keytab"
When using Samba with Winbind the host password stored in secrets.tdb is
still important so the "secrets and keytab" should be the preferred
"kerberos method".
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
---
service/realm-samba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e2a3608..4940b38 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
"template shell", realm_settings_string ("users", "default-shell"),
"netbios name", computer_name,
"password server", enroll->disco->explicit_server,
- "kerberos method", "system keytab",
+ "kerberos method", "secrets and keytab",
NULL);
}
--
2.24.1
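Review bot: The reason for the new `"kerberos method"` value in `on_join_do_winbind` exists only in the commit message, and a short comment next to the entry would keep it with the setting, for example `/* winbind still needs the machine password in secrets.tdb, so let Samba check both */`. Because this value is written while joining, hosts that were joined before this change presumably keep `system keytab` in their smb.conf until they are re-joined or edited by hand, which is worth stating in the release notes. The function body starts and ends outside the hunk.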


@ -0,0 +1,36 @@
From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 19 Feb 2018 11:51:06 +0100
Subject: [PATCH] switch to authselect
---
service/realmd-redhat.conf | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
freeipa-client = /usr/sbin/ipa-client-install
[commands]
-winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
winbind-enable-service = /usr/bin/systemctl enable winbind.service
winbind-disable-service = /usr/bin/systemctl disable winbind.service
winbind-restart-service = /usr/bin/systemctl restart winbind.service
winbind-stop-service = /usr/bin/systemctl stop winbind.service
-sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
sssd-enable-service = /usr/bin/systemctl enable sssd.service
sssd-disable-service = /usr/bin/systemctl disable sssd.service
sssd-restart-service = /usr/bin/systemctl restart sssd.service
--
2.9.3
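Review bot: Both `winbind-disable-logins` and `sssd-disable-logins` now run `authselect select sssd with-mkhomedir`, so the disable step selects the sssd profile rather than removing a provider, and for SSSD it is the same profile the enable step selects. If that is intended, presumably because authselect has no direct counterpart to the old `--disablesssdauth`, a comment above the two lines should say so, for example `# authselect cannot switch one provider off; leaving a realm falls back to the default sssd profile`. The enable commands also pass `--force`, which as far as I know lets authselect overwrite PAM and nsswitch files that were edited by hand, so that deserves a comment too. The patch carries no description explaining either choice.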


@ -0,0 +1,374 @@
From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 4 Jul 2018 16:41:16 +0200
Subject: [PATCH] tests: run tests with python3
To allow the test to run with python3 build/tap-driver and
build/tap-gtester are updated to the latest version provided by the
cockpit project https://github.com/cockpit-project/cockpit.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
---
build/tap-driver | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
build/tap-gtester | 59 ++++++++++++++++++++++---------
2 files changed, 125 insertions(+), 38 deletions(-)
diff --git a/build/tap-driver b/build/tap-driver
index 42f57c8..241fd50 100755
--- a/build/tap-driver
+++ b/build/tap-driver
@@ -1,4 +1,5 @@
-#!/usr/bin/python
+#!/usr/bin/python3
+# This can also be run with Python 2.
# Copyright (C) 2013 Red Hat, Inc.
#
@@ -29,20 +30,58 @@
#
import argparse
+import fcntl
import os
import select
+import struct
import subprocess
import sys
+import termios
+import errno
+
+_PY3 = sys.version[0] >= '3'
+_str = _PY3 and str or unicode
+
+def out(data, stream=None, flush=False):
+ if not isinstance(data, bytes):
+ data = data.encode("UTF-8")
+ if not stream:
+ stream = _PY3 and sys.stdout.buffer or sys.stdout
+ while True:
+ try:
+ if data:
+ stream.write(data)
+ data = None
+ if flush:
+ stream.flush()
+ flush = False
+ break
+ except IOError as e:
+ if e.errno == errno.EAGAIN:
+ continue
+ raise
+
+def terminal_width():
+ try:
+ h, w, hp, wp = struct.unpack('HHHH',
+ fcntl.ioctl(1, termios.TIOCGWINSZ,
+ struct.pack('HHHH', 0, 0, 0, 0)))
+ return w
+ except IOError as e:
+ if e.errno != errno.ENOTTY:
+ sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
+ return sys.maxsize
class Driver:
def __init__(self, args):
self.argv = args.command
self.test_name = args.test_name
- self.log = open(args.log_file, "w")
- self.log.write("# %s\n" % " ".join(sys.argv))
+ self.log = open(args.log_file, "wb")
+ self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
self.trs = open(args.trs_file, "w")
self.color_tests = args.color_tests
self.expect_failure = args.expect_failure
+ self.width = terminal_width() - 9
def report(self, code, *args):
CODES = {
@@ -57,17 +96,18 @@ class Driver:
# Print out to console
if self.color_tests:
if code in CODES:
- sys.stdout.write(CODES[code])
- sys.stdout.write(code)
+ out(CODES[code])
+ out(code)
if self.color_tests:
- sys.stdout.write('\x1b[m')
- sys.stdout.write(": ")
- sys.stdout.write(self.test_name)
- sys.stdout.write(" ")
- for arg in args:
- sys.stdout.write(str(arg))
- sys.stdout.write("\n")
- sys.stdout.flush()
+ out('\x1b[m')
+ out(": ")
+ msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
+ if code == "PASS" and len(msg) > self.width:
+ out(msg[:self.width])
+ out("...")
+ else:
+ out(msg)
+ out("\n", flush=True)
# Book keeping
if code in CODES:
@@ -100,12 +140,14 @@ class Driver:
def execute(self):
try:
proc = subprocess.Popen(self.argv, close_fds=True,
+ stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
- except OSError, ex:
+ except OSError as ex:
self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
return
+ proc.stdin.close()
outf = proc.stdout.fileno()
errf = proc.stderr.fileno()
rset = [outf, errf]
@@ -113,18 +155,25 @@ class Driver:
ret = select.select(rset, [], [], 10)
if outf in ret[0]:
data = os.read(outf, 1024)
- if data == "":
+ if data == b"":
rset.remove(outf)
self.log.write(data)
self.process(data)
if errf in ret[0]:
data = os.read(errf, 1024)
- if data == "":
+ if data == b"":
rset.remove(errf)
self.log.write(data)
- sys.stderr.write(data)
+ stream = _PY3 and sys.stderr.buffer or sys.stderr
+ out(data, stream=stream, flush=True)
proc.wait()
+
+ # Make sure the test didn't change blocking output
+ assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+ assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+ assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
+
return proc.returncode
@@ -137,6 +186,7 @@ class TapDriver(Driver):
self.late_plan = False
self.errored = False
self.bail_out = False
+ self.skip_all_reason = None
def report(self, code, num, *args):
if num:
@@ -170,13 +220,19 @@ class TapDriver(Driver):
else:
self.result_fail(num, description)
- def consume_test_plan(self, first, last):
+ def consume_test_plan(self, line):
# Only one test plan is supported
if self.test_plan:
self.report_error("Get a second TAP test plan")
return
+ if line.lower().startswith('1..0 # skip'):
+ self.skip_all_reason = line[5:].strip()
+ self.bail_out = True
+ return
+
try:
+ (first, unused, last) = line.partition("..")
first = int(first)
last = int(last)
except ValueError:
@@ -192,7 +248,7 @@ class TapDriver(Driver):
def process(self, output):
if output:
- self.output += output
+ self.output += output.decode("UTF-8")
elif self.output:
self.output += "\n"
(ready, unused, self.output) = self.output.rpartition("\n")
@@ -202,8 +258,7 @@ class TapDriver(Driver):
elif line.startswith("not ok "):
self.consume_test_line(False, line[7:])
elif line and line[0].isdigit() and ".." in line:
- (first, unused, last) = line.partition("..")
- self.consume_test_plan(first, last)
+ self.consume_test_plan(line)
elif line.lower().startswith("bail out!"):
self.consume_bail_out(line)
@@ -213,6 +268,13 @@ class TapDriver(Driver):
failed = False
skipped = True
+ if self.skip_all_reason is not None:
+ self.result_skip("skipping:", self.skip_all_reason)
+ self.trs.write(":global-test-result: SKIP\n")
+ self.trs.write(":test-global-result: SKIP\n")
+ self.trs.write(":recheck: no\n")
+ return 0
+
# Basic collation of results
for (num, code) in self.reported.items():
if code == "ERROR":
diff --git a/build/tap-gtester b/build/tap-gtester
index 7e667d4..bbda266 100755
--- a/build/tap-gtester
+++ b/build/tap-gtester
@@ -1,4 +1,5 @@
-#!/usr/bin/python
+#!/usr/bin/python3
+# This can also be run with Python 2.
# Copyright (C) 2014 Red Hat, Inc.
#
@@ -30,9 +31,19 @@
import argparse
import os
import select
+import signal
import subprocess
import sys
+# Yes, it's dumb, but strsignal is not exposed in python
+# In addition signal numbers varify heavily from arch to arch
+def strsignal(sig):
+ for name in dir(signal):
+ if name.startswith("SIG") and sig == getattr(signal, name):
+ return name
+ return str(sig)
+
+
class NullCompiler:
def __init__(self, command):
self.command = command
@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
elif cmd == "result":
if self.test_name:
if data == "OK":
- print "ok %d %s" % (self.test_num, self.test_name)
+ print("ok %d %s" % (self.test_num, self.test_name))
if data == "FAIL":
- print "not ok %d %s", (self.test_num, self.test_name)
+ print("not ok %d %s" % (self.test_num, self.test_name))
self.test_name = None
elif cmd == "skipping":
if "/subprocess" not in data:
- print "ok %d # skip -- %s" % (self.test_num, data)
+ print("ok %d # skip -- %s" % (self.test_num, data))
self.test_name = None
elif data:
- print "# %s: %s" % (cmd, data)
+ print("# %s: %s" % (cmd, data))
else:
- print "# %s" % cmd
+ print("# %s" % cmd)
elif line.startswith("(MSG: "):
- print "# %s" % line[6:-1]
+ print("# %s" % line[6:-1])
elif line:
- print "# %s" % line
+ print("# %s" % line)
sys.stdout.flush()
def run(self, proc, output=""):
@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
if line.startswith("/"):
self.test_remaining.append(line.strip())
if not self.test_remaining:
- print "Bail out! No tests found in GTest: %s" % self.command[0]
+ print("Bail out! No tests found in GTest: %s" % self.command[0])
return 0
- print "1..%d" % len(self.test_remaining)
+ print("1..%d" % len(self.test_remaining))
# First try to run all the tests in a batch
- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
+ stdout=subprocess.PIPE, universal_newlines=True)
result = self.process(proc)
if result == 0:
return 0
+ if result < 0:
+ sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
+
# Now pick up any stragglers due to failures
while True:
# Assume that the last test failed
if self.test_name:
- print "not ok %d %s" % (self.test_num, self.test_name)
+ print("not ok %d %s" % (self.test_num, self.test_name))
self.test_name = None
# Run any tests which didn't get run
@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
break
proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
- close_fds=True, stdout=subprocess.PIPE)
+ close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
result = self.process(proc)
# The various exit codes and signals we continue for
@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
return result
def main(argv):
- parser = argparse.ArgumentParser(description='Automake TAP compiler')
+ parser = argparse.ArgumentParser(description='Automake TAP compiler',
+ usage="tap-gtester [--format FORMAT] command ...")
parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
default="auto", help='The input format to compile')
parser.add_argument('--verbose', action='store_true',
default=True, help='Verbose mode (ignored)')
- parser.add_argument('command', nargs='+', help="A test command to run")
+ parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
args = parser.parse_args(argv[1:])
output = None
format = args.format
cmd = args.command
+ if not cmd:
+ sys.stderr.write("tap-gtester: specify a command to run\n")
+ return 2
+ if cmd[0] == '--':
+ cmd.pop(0)
+
proc = None
os.environ['HARNESS_ACTIVE'] = '1'
if format in ["auto", "gtest"]:
list_cmd = cmd + ["-l", "--verbose"]
- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
output = proc.stdout.readline()
# Smell whether we're dealing with GTest list output from first line
if "random seed" in output or "GTest" in output or output.startswith("/"):
@@ -164,7 +188,8 @@ def main(argv):
else:
format = "tap"
else:
- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
+ proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
+ universal_newlines=True)
if format == "gtest":
compiler = GTestCompiler(cmd)
--
2.14.4
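Review bot: In `TapDriver.process` the new `output.decode("UTF-8")` is applied to each chunk that `execute` obtains with `os.read(outf, 1024)`, so a multi-byte character split across two reads, or any test output that is not valid UTF-8, raises `UnicodeDecodeError` and ends the driver instead of reporting the test result. An incremental decoder avoids both cases: create `self.decoder = codecs.getincrementaldecoder("UTF-8")("replace")` in `TapDriver.__init__` (with `import codecs` added to the import list) and use `self.output += self.decoder.decode(output)` in `process`. The bodies of `process` and `__init__` continue outside the hunks shown.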


@ -0,0 +1,46 @@
From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Nov 2019 18:49:51 +0100
Subject: [PATCH 2/2] doc: add see also to man pages
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
---
doc/manual/realm.xml | 7 +++++++
doc/manual/realmd.conf.xml | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 55a7640..e5d4608 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -440,4 +440,11 @@ $ realm deny --all
</refsect1>
+<refsect1 id='realm_see_also'>
+ <title>SEE ALSO</title>
+
+ <para><citerefentry><refentrytitle>realmd.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry></para>
+</refsect1>
+
</refentry>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index fc6a785..1592291 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -471,4 +471,11 @@ fully-qualified-names = no
</variablelist>
</refsect1>
+<refsect1 id='realmd_conf_see_also'>
+ <title>SEE ALSO</title>
+
+ <para><citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry></para>
+</refsect1>
+
</refentry>
--
2.21.0


@ -0,0 +1,13 @@
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index da2de55..856b36d 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -20,7 +20,7 @@ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
adcli = /usr/sbin/adcli
[ipa-packages]
-freeipa-client = /usr/sbin/ipa-client-install
+ipa-client = /usr/sbin/ipa-client-install
[commands]
winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"

399
SPECS/realmd.spec Normal file

@ -0,0 +1,399 @@
Name: realmd
Version: 0.16.3
Release: 18%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/realmd/
Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
Patch1: 0001-LDAP-don-t-close-LDAP-socket-twice.patch
Patch2: 0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
Patch3: 0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
Patch4: 0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
Patch5: 0001-switch-to-authselect.patch
Patch6: 0001-Fix-man-page-reference-in-systemd-service-file.patch
Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch
Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
Patch9: 0001-tests-run-tests-with-python3.patch
Patch10: ipa-packages.patch
Patch11: 0001-Fix-issues-found-by-Coverity.patch
Patch12: 0001-Change-qualified-names-default-for-IPA.patch
Patch13: 0001-IPA-do-not-call-sssd-enable-logins.patch
# rhbz#1747454 - rebuild fails if DISTRO variable is exported
Patch14: 0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
# rhbz#1747452 - realmd.conf user-principal RFE and clarification (plus dependencies)
Patch15: 0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
Patch16: 0001-doc-make-sure-cross-reference-ids-are-predictable.patch
Patch17: 0001-doc-extend-user-principal-section.patch
# rhbz#1747457 - realmd.conf documentation incorrect
Patch18: 0001-doc-fix-discover-name-only.patch
Patch19: 0002-doc-add-see-also-to-man-pages.patch
# rhbz#1747456 - Document realmd.conf and how realmd reads the configuration
Patch20: 0001-doc-extend-description-of-config-handling.patch
# rhbz#1801195
Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: intltool pkgconfig
BuildRequires: gettext-devel
BuildRequires: glib2-devel >= 2.32.0
BuildRequires: openldap-devel
BuildRequires: polkit-devel
BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: %{_bindir}/python3
Requires: authselect
Requires: polkit
%description
realmd is a DBus system service which manages discovery and enrollment in realms
and domains like Active Directory or IPA. The control center uses realmd as the
back end to 'join' a domain simply and automatically configure things correctly.
%package devel-docs
Summary: Developer documentation files for %{name}
%description devel-docs
The %{name}-devel package contains developer documentation for developing
applications that use %{name}.
%define _hardened_build 1
%prep
%autosetup -p1
%build
autoreconf -fi
%configure --disable-silent-rules
make %{?_smp_mflags}
%check
make check
%install
make install DESTDIR=%{buildroot}
%find_lang realmd
%files -f realmd.lang
%doc AUTHORS COPYING NEWS README
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sbindir}/realm
%dir %{_prefix}/lib/realmd
%{_prefix}/lib/realmd/realmd
%{_prefix}/lib/realmd/realmd-defaults.conf
%{_prefix}/lib/realmd/realmd-distro.conf
%{_unitdir}/realmd.service
%{_datadir}/dbus-1/system-services/org.freedesktop.realmd.service
%{_datadir}/polkit-1/actions/org.freedesktop.realmd.policy
%{_mandir}/man8/realm.8.gz
%{_mandir}/man5/realmd.conf.5.gz
%{_localstatedir}/cache/realmd/
%files devel-docs
%doc %{_datadir}/doc/realmd/
%doc ChangeLog
%changelog
* Fri Feb 21 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-18
- Fix kerberos method
Resolves: rhbz#1801195
* Sun Dec 01 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-17
- rebuild fails if DISTRO variable is exported
Resolves: rhbz#1747454
- realmd.conf user-principal RFE and clarification
Resolves: rhbz#1747452
- realmd.conf documentation incorrect
Resolves: rhbz#1747457
- Document realmd.conf and how realmd reads the configuration
Resolves: rhbz#1747456
* Thu Sep 27 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-16
- Do not call authselect for IPA domains
Resolves: rhbz#1633572
* Wed Aug 22 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults
Resolves: rhbz#1619162
* Tue Aug 14 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-14
- Fix python BuildRequires
Resolves: rhbz#1615564
- Add RHEL specific patch for IPA
Resolves: rhbz#1615320
- Fix issues found by Coverity
Resolves: rhbz#1602677
* Wed Jul 04 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-13
- Add latests patches from RHEL7
- Add polkit runtime dependency
Resolves: rhbz#1577179
- Drop python2 build dependency
Resolves: rhbz#1595813
- Fix documentation reference in systemd unit file
Resolves: rhbz#1596325
* Sun Mar 18 2018 René Genz <liebundartig@freenet.de> - 0.16.3-12
- use correct authselect syntax for *-disable-logins to fix rhbz#1558245
- Iryna Shcherbina <ishcherb@redhat.com>
Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Thu Mar 01 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-11
- Require authselect instead of authconfig, related: rhbz#1537246
* Tue Feb 20 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-10
- added BuildRequires gcc
- Use authselect instead of authconfig, related: rhbz#1537246
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Sep 05 2017 Petr Pisar <ppisar@redhat.com> - 0.16.3-8
- Update all m4 macros to prevent from mismatching between Automake versions
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Apr 25 2017 Sumit Bose <sbose@redhat.com> - 0.16.3-5
- Resolves: rhbz#1445017
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 19 2017 Merlin Mathesius <mmathesi@redhat.com> - 0.16.3-3
- Add BuildRequires: python to fix FTBFS (BZ#1415000).
* Tue Dec 13 2016 Sumit Bose <sbose@redhat.com> - 0.16.3-2
- Resolves: rhbz#1401605
* Wed Nov 30 2016 Sumit Bose <sbose@redhat.com> - 0.16.3-1
- Updated to upstream 0.16.3 plus patches from git master
* Fri Jun 03 2016 Sumit Bose <sbose@redhat.com> - 0.16.2-5
- properly apply patch for rhbz#1330766
- Resolves: rhbz#1330766
* Wed May 18 2016 Sumit Bose <sbose@redhat.com> - 0.16.2-4
- Resolves: rhbz#1330766
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Sep 11 2015 Stef Walter <stefw@redhat.com> - 0.16.2-2
- Fixed --computer-ou regression
- Show message when installing packages
* Fri Jul 31 2015 Stef Walter <stefw@redhat.com> - 0.16.2-1
- Updated to upstream 0.16.2
- Install to $prefix/lib instead of $libdir
- Resolves: rhbz#1246741
* Tue Jul 14 2015 Stef Walter <stefw@redhat.com> - 0.16.1-1
- Updated to upstream 0.16.1
- Resolves: rhbz#1231128
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.16.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Apr 14 2015 Stef Walter <stefw@redhat.com> - 0.16.0-1
- Updated to upstream 0.16.0
- Resolves: rhbz#1205753
- Resolves: rhbz#1142190
- Resolves: rhbz#1061091
- Resolves: rhbz#1205752
* Thu Apr 09 2015 Stephen Gallagher <sgallagh@redhat.com> - 0.15.2-2
- Resolves: rhbz#1210483
* Mon Oct 06 2014 Stef Walter <stefw@redhat.com> - 0.15.2-1
- Update to upstream 0.15.2
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.15.1-2
- Move ChangeLog to devel-docs. NEWS is probably riveting enough for users
* Fri May 23 2014 Stef Walter <stefw@redhat.com> - 0.15.1-1
- Update to upstream 0.15.1
- Remove the packagekit patch that's now integrated upstream
* Thu Jan 30 2014 Richard Hughes <rhughes@redhat.com> - 0.15.0-2
- Rebuild for libpackagekit-glib soname bump
* Tue Jan 07 2014 Stef Walter <stefw@redhat.com> - 0.15.0-1
- Update to upstream 0.15.0 release, fixing various bugs
* Mon Sep 09 2013 Stef Walter <stefw@redhat.com> - 0.14.6-1
- Update to upstream 0.14.6 point release
- Set 'kerberos method = system keytab' in smb.conf properly
- Limit Netbios name to 15 chars when joining AD domain
* Thu Aug 15 2013 Stef Walter <stefw@redhat.com> - 0.14.5-1
- Update to upstream 0.14.5 point release
- Fix regression conflicting --unattended and -U as in --user args
- Pass discovered server address to adcli tool
* Wed Aug 07 2013 Stef Walter <stefw@redhot.com> - 0.14.4-1
- Update to upstream 0.14.4 point release
- Fix up the [sssd] section in sssd.conf if it's screwed up
- Add an --unattended argument to realm command line client
- Clearer 'realm permit' manual page example
* Wed Aug 07 2013 Stef Walter <stefw@redhot.com> - 0.14.3-1
- Update to upstream 0.14.3 point release
- Populate LoginFormats correctly [#961442]
- Documentation clarifications
- Set sssd.conf default_shell per domain
- Notify in terminal output when installing packages
- If joined via adcli, delete computer with adcli too [#961244]
- If input is not a tty, read from stdin without getpass() [#983153]
- Configure pam_winbind.conf appropriately [#983153]
- Refer to FreeIPA as IPA
- Support use of kerberos ccache to join when winbind
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jul 15 2013 Stef Walter <stefw@redhat.com> - 0.14.2-4
- Build with verbose automake output
* Tue Jun 11 2013 Stef Walter <stefw@redhat.com> - 0.14.2-3
- Run test suite when building the package
- Fix rpmlint errors
* Thu Jun 06 2013 Stef Walter <stefw@redhat.com> - 0.14.2-2
- Install oddjobd and oddjob-mkhomedir when joining domains [#969441]
* Mon May 27 2013 Stef Walter <stefw@redhat.com> - 0.14.2-1
- Update to upstream 0.14.2 version
- Discover FreeIPA 3.0 with AD trust correctly [#966148]
- Only allow joining one realm by default [#966650]
- Enable the oddjobd service after joining a domain [#964971]
- Remove sssd.conf allow lists when permitting all [#965760]
- Add dependency on authconfig [#964675]
- Remove glib-networking dependency now that we no longer use SSL.
* Mon May 13 2013 Stef Walter <stefw@redhat.com> - 0.14.1-1
- Update to upstream 0.14.1 version
- Fix crasher/regression using passwords with joins [#961435]
- Make second Ctrl-C just quit realm tool [#961325]
- Fix critical warning when leaving IPA realm [#961320]
- Don't print out journalctl command in obvious situations [#961230]
- Document the --all option to 'realm discover' [#961279]
- No need to require sssd-tools package [#961254]
- Enable services even in install mode [#960887]
- Use the AD domain name in sssd.conf directly [#960270]
- Fix critical warning when service Release() method [#961385]
* Mon May 06 2013 Stef Walter <stefw@redhat.com> - 0.14.0-1
- Work around broken krb5 with empty passwords [#960001]
- Add manual page for realmd.conf [#959357]
- Update to upstream 0.14.0 version
* Thu May 02 2013 Stef Walter <stefw@redhat.com> - 0.13.91-1
- Fix regression when using one time password [#958667]
- Support for permitting logins by group [#887675]
* Mon Apr 29 2013 Stef Walter <stefw@redhat.com> - 0.13.90-1
- Add option to disable package-kit installs [#953852]
- Add option to use unqualified names [#953825]
- Better discovery of domains [#953153]
- Concept of managing parts of the system [#914892]
- Fix problems with cache directory [#913457]
- Clearly explain when realm cannot be joined [#878018]
- Many other upstream enhancements and fixes
* Wed Apr 17 2013 Stef Walter <stefw@redhat.com> - 0.13.3-2
- Add missing glib-networking dependency, currently used
for FreeIPA discovery [#953151]
* Wed Apr 17 2013 Stef Walter <stefw@redhat.com> - 0.13.3-1
- Update for upstream 0.13.3 version
- Add dependency on systemd for installing service file
* Tue Apr 16 2013 Stef Walter <stefw@redhat.com> - 0.13.2-2
- Fix problem with sssd not starting after joining
* Mon Feb 18 2013 Stef Walter <stefw@redhat.com> - 0.13.2-1
- Update to upstream 0.13.2 version
* Mon Feb 18 2013 Stef Walter <stefw@redhat.com> - 0.13.1-1
- Update to upstream 0.13.1 version for bug fixes
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Nov 12 2012 Stef Walter <stefw@redhat.com> - 0.12-1
- Update to upstream 0.12 version for bug fixes
* Tue Oct 30 2012 Stef Walter <stefw@redhat.com> - 0.11-1
- Update to upstream 0.11 version
* Sat Oct 20 2012 Stef Walter <stefw@redhat.com> - 0.10-1
- Update to upstream 0.10 version
* Wed Oct 17 2012 Stef Walter <stefw@redhat.com> - 0.9-1
- Update to upstream 0.9 version
* Wed Sep 19 2012 Stef Walter <stefw@redhat.com> - 0.8-2
- Add openldap-devel build requirement
* Wed Sep 19 2012 Stef Walter <stefw@redhat.com> - 0.8-1
- Update to upstream 0.8 version
- Add support for translations
* Mon Aug 20 2012 Stef Walter <stefw@redhat.com> - 0.7-2
- Build requires gtk-doc
* Mon Aug 20 2012 Stef Walter <stefw@redhat.com> - 0.7-1
- Update to upstream 0.7 version
- Remove files no longer present in upstream version
- Put documentation in its own realmd-devel-docs subpackage
- Update upstream URLs
* Mon Aug 6 2012 Stef Walter <stefw@redhat.com> - 0.6-1
- Update to upstream 0.6 version
* Tue Jul 17 2012 Stef Walter <stefw@redhat.com> - 0.5-2
- Remove missing SssdIpa.service file from the files list.
This file will return upstream in 0.6
* Tue Jul 17 2012 Stef Walter <stefw@redhat.com> - 0.5-1
- Update to upstream 0.5 version
* Tue Jun 19 2012 Stef Walter <stefw@redhat.com> - 0.4-1
- Update to upstream 0.4 version
- Cleanup various rpmlint warnings
* Tue Jun 19 2012 Stef Walter <stefw@redhat.com> - 0.3-2
- Add doc files
- Own directories
- Remove obsolete parts of spec file
- Remove explicit dependencies
- Updated License line to LGPLv2+
* Tue Jun 19 2012 Stef Walter <stefw@redhat.com> - 0.3
- Build fixes
* Mon Jun 18 2012 Stef Walter <stefw@redhat.com> - 0.2
- Initial RPM
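Review bot: `URL` and `Source0` point at plain `http://` locations, so any tool that downloads sources from this spec fetches the tarball over an unauthenticated channel and relies entirely on a separately pinned checksum for integrity. I would switch both to https, `Source0: https://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz`, and likewise for `URL`. This matters more than usual here because the `%files` list installs a D-Bus system service, a systemd unit and a polkit policy that take part in domain enrollment. If upstream publishes detached signatures for its releases, verifying one in `%prep` would be a further improvement; I could not tell from this page whether it does.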