allow multiple names and _srv_ ad_server option

Resolves: jira#SSSD-6077
2023-12-05 12:22:14 +01:00 · 2023-12-05 12:22:14 +01:00 · d170c40689
commit d170c40689
parent d822665e9e
4 changed files with 197 additions and 1 deletions
--- a/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
+++ b/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
@ -0,0 +1,74 @@
+From 19923985b69ccd5f2a33a067bfc3ed020889377e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 13 Jun 2023 18:02:52 +0200
+Subject: [PATCH 1/3] service: allow multiple names and _srv_ ad_server option
+
+realmd checks if the 'ad_server' option is set in sssd.conf before
+calling adcli to remove the host from the AD server. If set the value is
+used as value for dcli's '--domain-controller' option. But if multiple
+names are set in sssd.conf this currently fails because the whole string
+is used.
+
+With this patch the 'ad_server' option is properly evaluated and only
+the first domain controller name is used.
+---
+ service/realm-sssd-ad.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 2817e73..096b6c5 100644
+--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
+@@ -649,6 +649,40 @@ realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
+ 	return g_task_propagate_boolean (G_TASK (result), error);
+ }
+ 
+static gchar *get_ad_server_from_config (RealmKerberos *realm)
+{
+	RealmSssd *sssd = REALM_SSSD (realm);
+	RealmIniConfig *config;
+	const gchar *section;
+	gchar **servers;
+	gchar *tmp;
+	size_t c;
+	gchar *value = NULL;
+
+	config = realm_sssd_get_config (sssd);
+	section = realm_sssd_get_config_section (sssd);
+
+	if (section == NULL) {
+		return NULL;
+	}
+
+	servers = realm_ini_config_get_list (config, section, "ad_server", ",");
+	/* Only use the first server defined given in 'ad_server' and ignore
+	 * '_srv_'. */
+	if (servers != NULL) {
+		for (c = 0; servers[c] != NULL; c++) {
+			tmp = g_strstrip (servers[c]);
+			if (strcasecmp ("_srv_", tmp) != 0) {
+				value = g_strdup (tmp);
+				break;
+			}
+		}
+		g_strfreev (servers);
+	}
+
+	return value;
+}
+
+ static void
+ realm_sssd_ad_discover_myself (RealmKerberos *realm,
+                                RealmDisco *disco)
+@@ -665,7 +699,7 @@ realm_sssd_ad_discover_myself (RealmKerberos *realm,
+ 	if (section == NULL)
+ 		return;
+ 
+-	value = realm_ini_config_get (config, section, "ad_server");
+	value = get_ad_server_from_config (realm);
+ 	g_free (disco->explicit_server);
+ 	disco->explicit_server = value;
+ 
+-- 
+2.43.0
+
--- a/0002-service-fix-error-message-when-removing-host-from-AD.patch
+++ b/0002-service-fix-error-message-when-removing-host-from-AD.patch
@ -0,0 +1,88 @@
+From d691c679c1531b3eb457c494141bafdc4e0bc692 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 1 Dec 2023 12:14:06 +0100
+Subject: [PATCH 2/3] service: fix error message when removing host from AD
+
+If there is an error while trying to remove the host from AD with the
+help of adcli the error message talks about "joining" which might be
+irritating when figuring out the reason for the failure. This patch
+adds a better message when leaving the domain.
+---
+ service/realm-adcli-enroll.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
+index e0d752b..c913987 100644
+--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
+@@ -25,9 +25,10 @@
+ #include "realm-settings.h"
+ 
+ static void
+-on_join_process (GObject *source,
+-                 GAsyncResult *result,
+-                 gpointer user_data)
+on_join_leave_process (GObject *source,
+                       GAsyncResult *result,
+                       gpointer user_data,
+                       gboolean is_join)
+ {
+ 	GTask *task = G_TASK (user_data);
+ 	GError *error = NULL;
+@@ -39,15 +40,18 @@ on_join_process (GObject *source,
+ 		switch (status) {
+ 		case 2: /* ADCLI_ERR_UNEXPECTED */
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
+-			             "Internal unexpected error joining the domain");
+			             is_join ? "Internal unexpected error joining the domain"
+			                     : "Internal unexpected error removing host from the domain");
+ 			break;
+ 		case 6: /* ADCLI_ERR_CREDENTIALS */
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
+-			             "Insufficient permissions to join the domain");
+			             is_join ? "Insufficient permissions to join the domain"
+			                     : "Insufficient permissions to remove the host from the domain");
+ 			break;
+ 		default:
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_FAILED,
+-			             "Failed to join the domain");
+			             is_join ? "Failed to join the domain"
+			                     : "Failed to remove the host from the domain");
+ 			break;
+ 		}
+ 	}
+@@ -64,6 +68,22 @@ on_join_process (GObject *source,
+ 	g_object_unref (task);
+ }
+ 
+static void
+on_join_process (GObject *source,
+                 GAsyncResult *result,
+                 gpointer user_data)
+{
+	on_join_leave_process (source, result, user_data, TRUE);
+}
+
+static void
+on_leave_process (GObject *source,
+                  GAsyncResult *result,
+                  gpointer user_data)
+{
+	on_join_leave_process (source, result, user_data, FALSE);
+}
+
+ void
+ realm_adcli_enroll_join_async (RealmDisco *disco,
+                                RealmCredential *cred,
+@@ -290,7 +310,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
+ 	g_ptr_array_add (args, NULL);
+ 
+ 	realm_command_runv_async ((gchar **)args->pdata, environ, input,
+-	                          invocation, on_join_process,
+	                          invocation, on_leave_process,
+ 	                          g_object_ref (task));
+ 
+ 	g_ptr_array_free (args, TRUE);
+-- 
+2.43.0
+
--- a/0003-doc-fix-reference-in-realmd.conf-man-page.patch
+++ b/0003-doc-fix-reference-in-realmd.conf-man-page.patch
@ -0,0 +1,26 @@
+From 56aedbceec3e6ff0d6142a16ca0c343c523b6d7a Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 1 Dec 2023 13:07:10 +0100
+Subject: [PATCH 3/3] doc: fix reference in realmd.conf man page
+
+---
+ doc/manual/realmd.conf.xml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index 72b706c..ad17639 100644
+--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
+@@ -110,7 +110,8 @@ default-client = sssd
+ 		</para>
+ 
+ 		<para>Some callers of <command>realmd</command> such as the
+-		<link linkend="realm"><command>realm</command></link>
+		<citerefentry><refentrytitle>realm</refentrytitle>
+		<manvolnum>8</manvolnum></citerefentry>
+ 		command line tool allow specifying which client software should
+ 		be used. Others, such as GNOME Control Center, simplify choose
+ 		the default.</para>
+-- 
+2.43.0
+
--- a/realmd.spec
+++ b/realmd.spec
@ -1,11 +1,15 @@
 Name:    realmd
 Version: 0.17.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Kerberos realm enrollment service
 License: LGPL-2.1-or-later
 URL:     https://gitlab.freedesktop.org/realmd/realmd
 Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz

+Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
+Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
+Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
+
 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: automake
@ -91,6 +95,10 @@ make check
 %doc ChangeLog

 %changelog
+* Fri Dec 01 2023 Sumit Bose <sbose@redhat.com> - 0.17.1-5
+- allow multiple names and _srv_ ad_server option
+  Resolves: jira#SSSD-6077
+
 * Wed Oct 18 2023 Sumit Bose <sbose@redhat.com> - 0.17.1-4
 - migrated to SPDX license