2 Commits

Author SHA1 Message Date
Sumit Bose 8db6342224 Fixes for 9.4 2024-02-21 04:15:36 +00:00
Sumit Bose 85a962c524 Update to upstream release 0.17.1
Resolves: rhbz#2129050, rhbz#2133839
2022-10-14 10:08:30 +02:00
15 changed files with 287 additions and 478 deletions

1
.gitignore vendored

@ -7,3 +7,4 @@
/realmd-0.16.2.tar.gz
/realmd-0.16.3.tar.gz
/realmd-0.17.0.tar.gz
/realmd-0.17.1.tar.gz

1
.realmd.metadata Normal file

@ -0,0 +1 @@
681f7f532daa62a08f2f2d6c9d4a1a04c4c793a3 realmd-0.17.1.tar.gz


@ -1,61 +0,0 @@
From 4ef597d15df246f4121266aaf3e291e3f06f6f4a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Mar 2021 17:57:07 +0100
Subject: [PATCH 1/2] build: add --with-vendor-error-message configure option
With the new configure option --with-vendor-error-message a packager or
a distribution can add a message if realmd returns with an error.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386
---
configure.ac | 15 +++++++++++++++
tools/realm.c | 7 +++++++
2 files changed, 22 insertions(+)
diff --git a/configure.ac b/configure.ac
index ee067d9..05ec1bf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,6 +51,21 @@ fi
AC_SUBST(DISTRO)
+# -----------------------------------------------------------------------------
+# Vendor error message
+
+AC_ARG_WITH([vendor-error-message],
+ [AS_HELP_STRING([--with-vendor-error-message=ARG],
+ [Add a vendor specific error message shown if a realm command fails]
+ )],
+ [AS_IF([test "x$withval" != "x"],
+ [AC_DEFINE_UNQUOTED([VENDOR_MSG],
+ ["$withval"],
+ [Vendor specific error message])],
+ [AC_MSG_ERROR([--with-vendor-error-message requires an argument])]
+ )],
+ [])
+
# -----------------------------------------------------------------------------
# Basic tools
diff --git a/tools/realm.c b/tools/realm.c
index 1530f09..8fdca16 100644
--- a/tools/realm.c
+++ b/tools/realm.c
@@ -287,6 +287,13 @@ main (int argc,
ret = (realm_commands[i].function) (client, argc, argv);
g_object_unref (client);
+#ifdef VENDOR_MSG
+ if (ret != 0) {
+ g_printerr (VENDOR_MSG"\n");
+ }
+
+#endif
+
break;
}
}
--
2.30.2


@ -1,36 +0,0 @@
From 05100771ea6bd775caae705bb53f76a0816f3b81 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 May 2021 11:13:06 +0200
Subject: [PATCH] doc: add computer-name to realm man page
---
doc/manual/realm.xml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 9160a8a..b4dc27c 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
supported for all realms. By default the membership software
is automatically selected.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--computer-name=xxx</option></term>
+ <listitem>
+ <para>This option only applies to Active
+ Directory realms. Specify this option to
+ override the default name used when creating
+ the computer account. The system's FQDN will
+ still be saved in the dNSHostName attribute.</para>
+ <para>Specify the name as a string of 15 or
+ fewer characters that is a valid NetBIOS
+ computer name.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Perform the join automatically without
--
2.31.1


@ -1,78 +0,0 @@
From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 Nov 2021 17:25:18 +0100
Subject: [PATCH] ldap: add socket timeout
During the discovery phase realmd tries to open LDAP connections to
multiple DC addresses returned by DNS. When cleaning up we have to call
ldap_destroy() to release the resources allocated for the LDAP context.
ldap_destroy() tries to send a LDAP unbind request independent of the
connection state. If the related address is block by a firewall or a not
properly routed IPv6 address there might be no reply on the TCP level
and the request might be stuck for quite some tome in the kernel.
To avoid the unexpected long delays will block realmd this patch lowers
the timeout considerably to 5s. As multiple other timeouts this value is
currently hardcoded.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
---
service/realm-ldap.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index bdfb96c..f7b6d13 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -22,6 +22,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <netinet/tcp.h>
#include <errno.h>
@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
/* Not included in ldap.h but documented */
int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
+#define LDAP_SOCKET_TIMEOUT 5
GSource *
realm_ldap_connect_anonymous (GSocketAddress *address,
@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
int opt_rc;
int ldap_opt_val;
const char *errmsg = NULL;
+ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
+ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
+ /* Lower the kernel defaults which might be minutes to hours */
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
+ &tv, sizeof (tv));
+ if (rc != 0) {
+ g_warning ("couldn't set SO_RCVTIMEO");
+ }
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
+ &tv, sizeof (tv));
+ if (rc != 0) {
+ g_warning ("couldn't set SO_SNDTIMEO");
+ }
+ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
+ &milli, sizeof (milli));
+ if (rc != 0) {
+ g_warning ("couldn't set TCP_USER_TIMEOUT");
+ }
+
if (family == G_SOCKET_FAMILY_IPV4) {
url = g_strdup_printf ("%s://%s:%d",
use_ldaps ? "ldaps" : "ldap",
--
2.34.1


@ -1,128 +0,0 @@
From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Dec 2021 15:32:32 +0100
Subject: [PATCH] samba: use new Samba-4.15 command line options
Samba-4.15 changed a couple of command line options of the net utility.
This patch adds a configure option to select the new or the old style.
If the option is not used configure tries to call the net utility to
check for the options. If this fails the old style is used.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
---
configure.ac | 34 ++++++++++++++++++++++++++++++++++
service/realm-samba-enroll.c | 18 +++++++++++++-----
2 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index ea51f92..ddc25d0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
+# -------------------------------------------------------------------
+# Samba
+
+AC_ARG_WITH(new-samba-cli-options,
+ AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
+ [Use new command line options introduced with Samba-4.15,
+ if not provided the output of 'net help' is checked or old
+ style options are used]))
+
+if test "$with_new_samba_cli_options" = "no"; then
+ AC_MSG_RESULT([Using old Samba command line options])
+elif test "$with_new_samba_cli_options" = "yes"; then
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
+ [Use new command line options introduced with Samba-4.15])
+ AC_MSG_RESULT([Using new Samba command line options])
+else
+ AC_PATH_PROG([SAMBA_NET], [net])
+ if test ! -x "$SAMBA_NET"; then
+ AC_MSG_NOTICE([Could not find Samba's net utility, ]
+ [assuming old style command line options, ]
+ [please install the net utility for proper detection.])
+ else
+ AC_MSG_CHECKING([for --debug-stdout option of net])
+ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
+ [Use new command line options introduced with Samba-4.15])
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+fi
+
+
# -------------------------------------------------------------------
# Directories
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 5624a08..8b2ee38 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -37,6 +37,14 @@
#include <sys/socket.h>
#include <netdb.h>
+#ifdef WITH_NEW_SAMBA_CLI_OPTS
+#define SMBCLI_KERBEROS "--use-kerberos=required"
+#define SMBCLI_CONF "--configfile"
+#else
+#define SMBCLI_KERBEROS "-k"
+#define SMBCLI_CONF "-s"
+#endif
+
typedef struct {
GDBusMethodInvocation *invocation;
gchar *join_args[8];
@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
/* Use our custom smb.conf */
g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
if (join->custom_smb_conf) {
- g_ptr_array_add (args, "-s");
+ g_ptr_array_add (args, SMBCLI_CONF);
g_ptr_array_add (args, join->custom_smb_conf);
}
@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
} else {
begin_net_process (join, NULL,
on_keytab_do_finish, g_object_ref (task),
- "-k", "ads", "keytab", "create", NULL);
+ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
}
g_object_unref (task);
@@ -428,7 +436,7 @@ begin_join (GTask *task,
begin_net_process (join, join->password_input,
on_join_do_keytab, g_object_ref (task),
"-U", join->user_name,
- "-k", "ads", "join", join->disco->domain_name,
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
@@ -437,7 +445,7 @@ begin_join (GTask *task,
} else {
begin_net_process (join, NULL,
on_join_do_keytab, g_object_ref (task),
- "-k", "ads", "join", join->disco->domain_name,
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
begin_net_process (join, NULL,
on_leave_complete, g_object_ref (task),
- "-k", "ads", "leave", NULL);
+ SMBCLI_KERBEROS, "ads", "leave", NULL);
break;
default:
g_return_if_reached ();
--
2.34.1


@ -0,0 +1,74 @@
From 19923985b69ccd5f2a33a067bfc3ed020889377e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 13 Jun 2023 18:02:52 +0200
Subject: [PATCH 1/3] service: allow multiple names and _srv_ ad_server option
realmd checks if the 'ad_server' option is set in sssd.conf before
calling adcli to remove the host from the AD server. If set the value is
used as value for dcli's '--domain-controller' option. But if multiple
names are set in sssd.conf this currently fails because the whole string
is used.
With this patch the 'ad_server' option is properly evaluated and only
the first domain controller name is used.
---
service/realm-sssd-ad.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 2817e73..096b6c5 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -649,6 +649,40 @@ realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
return g_task_propagate_boolean (G_TASK (result), error);
}
+static gchar *get_ad_server_from_config (RealmKerberos *realm)
+{
+ RealmSssd *sssd = REALM_SSSD (realm);
+ RealmIniConfig *config;
+ const gchar *section;
+ gchar **servers;
+ gchar *tmp;
+ size_t c;
+ gchar *value = NULL;
+
+ config = realm_sssd_get_config (sssd);
+ section = realm_sssd_get_config_section (sssd);
+
+ if (section == NULL) {
+ return NULL;
+ }
+
+ servers = realm_ini_config_get_list (config, section, "ad_server", ",");
+ /* Only use the first server defined given in 'ad_server' and ignore
+ * '_srv_'. */
+ if (servers != NULL) {
+ for (c = 0; servers[c] != NULL; c++) {
+ tmp = g_strstrip (servers[c]);
+ if (strcasecmp ("_srv_", tmp) != 0) {
+ value = g_strdup (tmp);
+ break;
+ }
+ }
+ g_strfreev (servers);
+ }
+
+ return value;
+}
+
static void
realm_sssd_ad_discover_myself (RealmKerberos *realm,
RealmDisco *disco)
@@ -665,7 +699,7 @@ realm_sssd_ad_discover_myself (RealmKerberos *realm,
if (section == NULL)
return;
- value = realm_ini_config_get (config, section, "ad_server");
+ value = get_ad_server_from_config (realm);
g_free (disco->explicit_server);
disco->explicit_server = value;
--
2.43.0
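Review bot: In get_ad_server_from_config the loop accepts the first entry that is not `_srv_`, so an empty entry is returned as the server name: for an `ad_server` value with a leading or doubled comma, `g_strstrip` yields `""`, the `strcasecmp` test passes, and `disco->explicit_server` becomes an empty string instead of NULL. Unless realm_ini_config_get_list already drops empty items (not visible here), the condition should skip them: `if (tmp[0] != '\0' && strcasecmp ("_srv_", tmp) != 0) {`. Per the commit message this value is later handed to adcli's `--domain-controller` option, so an empty argument is worth ruling out at this point. A short comment on the helper stating that the caller owns the returned string and that NULL means "no explicit server configured" would also help.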


@ -1,36 +0,0 @@
From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 19 Feb 2018 11:51:06 +0100
Subject: [PATCH] switch to authselect
---
service/realmd-redhat.conf | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
freeipa-client = /usr/sbin/ipa-client-install
[commands]
-winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
winbind-enable-service = /usr/bin/systemctl enable winbind.service
winbind-disable-service = /usr/bin/systemctl disable winbind.service
winbind-restart-service = /usr/bin/systemctl restart winbind.service
winbind-stop-service = /usr/bin/systemctl stop winbind.service
-sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
sssd-enable-service = /usr/bin/systemctl enable sssd.service
sssd-disable-service = /usr/bin/systemctl disable sssd.service
sssd-restart-service = /usr/bin/systemctl restart sssd.service
--
2.9.3


@ -1,38 +0,0 @@
From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 25 Nov 2021 14:36:10 +0100
Subject: [PATCH] syslog: avoid duplicate log messages
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
---
service/realm-diagnostics.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
index 850b2e3..6aa5288 100644
--- a/service/realm-diagnostics.c
+++ b/service/realm-diagnostics.c
@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
while ((ptr = memchr (at, '\n', length)) != NULL) {
*ptr = '\0';
if (line_buffer && line_buffer->len > 0) {
+#ifdef WITH_JOURNAL
+ /* Call realm_daemon_syslog directly to add
+ * REALMD_OPERATION to the jounrnal */
realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
+#else
g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
+#endif
g_string_set_size (line_buffer, 0);
} else {
+#ifdef WITH_JOURNAL
realm_daemon_syslog (operation, log_level, "%s", at);
+#else
g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
+#endif
}
*ptr = '\n';
--
2.34.1


@ -0,0 +1,69 @@
From f648ae06012d1de137f12095d1bd7aaacb382042 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Jan 2024 09:18:20 +0100
Subject: [PATCH] tools: fix ccache handling for leave operation
krb5_cc_initialize() must be called before anything can be written into
a ccache.
While checking the available credential types the order/preference was
not respected.
Resolves: https://issues.redhat.com/browse/SSSD-6420
---
tools/realm-client.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/tools/realm-client.c b/tools/realm-client.c
index c386e64..06420ea 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -498,13 +498,16 @@ are_credentials_supported (GVariant *supported,
GVariantIter iter;
const gchar *type;
const gchar *owner;
-
- g_variant_iter_init (&iter, supported);
- while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
- if (g_strcmp0 (credential_type_1, type) == 0 ||
- g_strcmp0 (credential_type_2, type) == 0) {
- *ret_owner = owner;
- return type;
+ const gchar *list[] = {credential_type_1, credential_type_2, NULL};
+ size_t c;
+
+ for (c = 0; list[c] != NULL; c++) {
+ g_variant_iter_init (&iter, supported);
+ while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
+ if (g_strcmp0 (list[c], type) == 0) {
+ *ret_owner = owner;
+ return type;
+ }
}
}
@@ -622,8 +625,6 @@ copy_to_ccache (krb5_context krb5,
memset (&mcred, 0, sizeof (mcred));
mcred.client = principal;
mcred.server = server;
- mcred.times.starttime = g_get_real_time () / G_TIME_SPAN_MILLISECOND;
- mcred.times.endtime = mcred.times.starttime;
code = krb5_cc_retrieve_cred (krb5, def_ccache, KRB5_TC_MATCH_TIMES,
&mcred, &creds);
@@ -639,6 +640,12 @@ copy_to_ccache (krb5_context krb5,
return FALSE;
}
+ code = krb5_cc_initialize (krb5, ccache, creds.client);
+ if (code != 0) {
+ g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
+ return FALSE;
+ }
+
code = krb5_cc_store_cred (krb5, ccache, &creds);
krb5_free_cred_contents (krb5, &creds);
--
2.43.0
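Review bot: The new `krb5_cc_initialize` failure path in copy_to_ccache returns without releasing `creds`, which by that point appears to hold the credential fetched by `krb5_cc_retrieve_cred`; the existing `krb5_free_cred_contents (krb5, &creds);` runs only after `krb5_cc_store_cred`. Adding `krb5_free_cred_contents (krb5, &creds);` before the new `return FALSE;` keeps ticket and session-key material from staying allocated on that path. The string returned by `krb5_get_error_message` is also never passed to `krb5_free_error_message`, though that may simply match the surrounding error paths, which are outside the hunk. Separately, the hunk drops the `mcred.times` assignments but still passes `KRB5_TC_MATCH_TIMES`; if the intent is to stop filtering on ticket lifetime, a one-line comment saying so would help. copy_to_ccache starts and ends outside the hunk.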


@ -1,77 +0,0 @@
From cff19e9044e3f389a14fbc5e98366a31107d4a02 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 6 Apr 2021 15:23:54 +0200
Subject: [PATCH 2/2] configure: update some macros for autoconf-2.71
---
configure.ac | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/configure.ac b/configure.ac
index 05ec1bf..4dac5a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_PREREQ(2.63)
+AC_PREREQ([2.63])
AC_INIT([realmd], [0.17.0],
[https://gitlab.freedesktop.org/realmd/realmd/-/issues],
@@ -69,8 +69,7 @@ AC_ARG_WITH([vendor-error-message],
# -----------------------------------------------------------------------------
# Basic tools
-AC_GNU_SOURCE
-AC_ISC_POSIX
+AC_USE_SYSTEM_EXTENSIONS
AC_PROG_CC
AC_PROG_CPP
AM_PROG_CC_C_O
@@ -109,7 +108,7 @@ AC_SUBST(POLKIT_LIBS)
AC_MSG_CHECKING([systemd unit directory])
AC_ARG_WITH(systemd-unit-dir,
- AC_HELP_STRING([--with-systemd-unit-dir],
+ AS_HELP_STRING([--with-systemd-unit-dir],
[Directory to install systemd service file]))
if test "$with_systemd_unit_dir" = "" -o "$with_systemd_unit_dir" = "yes"; then
@@ -136,7 +135,7 @@ AC_SUBST(dbus_systemd_service)
AC_MSG_RESULT($with_systemd_unit_dir)
AC_ARG_WITH(systemd-journal,
- AC_HELP_STRING([--with-systemd-journal],
+ AS_HELP_STRING([--with-systemd-journal],
[Use systemd's journal for logging]))
if test "$with_systemd_journal" != "no"; then
@@ -245,7 +244,7 @@ AC_SUBST(POLKIT_ACTION_DIR)
AC_MSG_CHECKING([whether to build documentation])
AC_ARG_ENABLE(doc,
- AC_HELP_STRING([--enable-doc],
+ AS_HELP_STRING([--enable-doc],
[Disable building documentation])
)
@@ -314,7 +313,7 @@ AC_SUBST(GENHTML)
AC_MSG_CHECKING([for debug mode])
AC_ARG_ENABLE(debug,
- AC_HELP_STRING([--enable-debug=no/default/yes],
+ AS_HELP_STRING([--enable-debug=no/default/yes],
[Turn on or off debugging])
)
@@ -397,7 +396,7 @@ AC_SUBST(TEST_MODE)
privatedir='${prefix}/lib/realmd'
AC_MSG_CHECKING([private directory])
AC_ARG_WITH(private-dir,
- AC_HELP_STRING([--with-private-dir=DIR],
+ AS_HELP_STRING([--with-private-dir=DIR],
[Directory to install realmd system defaults (default: ${prefix}/lib/realmd)]))
if test -n "$with_private_dir"; then
--
2.30.2


@ -0,0 +1,88 @@
From d691c679c1531b3eb457c494141bafdc4e0bc692 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Dec 2023 12:14:06 +0100
Subject: [PATCH 2/3] service: fix error message when removing host from AD
If there is an error while trying to remove the host from AD with the
help of adcli the error message talks about "joining" which might be
irritating when figuring out the reason for the failure. This patch
adds a better message when leaving the domain.
---
service/realm-adcli-enroll.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index e0d752b..c913987 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -25,9 +25,10 @@
#include "realm-settings.h"
static void
-on_join_process (GObject *source,
- GAsyncResult *result,
- gpointer user_data)
+on_join_leave_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data,
+ gboolean is_join)
{
GTask *task = G_TASK (user_data);
GError *error = NULL;
@@ -39,15 +40,18 @@ on_join_process (GObject *source,
switch (status) {
case 2: /* ADCLI_ERR_UNEXPECTED */
g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
- "Internal unexpected error joining the domain");
+ is_join ? "Internal unexpected error joining the domain"
+ : "Internal unexpected error removing host from the domain");
break;
case 6: /* ADCLI_ERR_CREDENTIALS */
g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
- "Insufficient permissions to join the domain");
+ is_join ? "Insufficient permissions to join the domain"
+ : "Insufficient permissions to remove the host from the domain");
break;
default:
g_set_error (&error, REALM_ERROR, REALM_ERROR_FAILED,
- "Failed to join the domain");
+ is_join ? "Failed to join the domain"
+ : "Failed to remove the host from the domain");
break;
}
}
@@ -64,6 +68,22 @@ on_join_process (GObject *source,
g_object_unref (task);
}
+static void
+on_join_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, TRUE);
+}
+
+static void
+on_leave_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, FALSE);
+}
+
void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
@@ -290,7 +310,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
g_ptr_array_add (args, NULL);
realm_command_runv_async ((gchar **)args->pdata, environ, input,
- invocation, on_join_process,
+ invocation, on_leave_process,
g_object_ref (task));
g_ptr_array_free (args, TRUE);
--
2.43.0
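Review bot: The three `g_set_error` calls in on_join_leave_process now pass a conditional expression as the format string with no format arguments; since nothing is formatted, `g_set_error_literal (&error, REALM_ERROR, REALM_ERROR_FAILED, is_join ? "Failed to join the domain" : "Failed to remove the host from the domain");` says that directly and stays correct if a message ever gains a `%`. The same applies to the `REALM_ERROR_INTERNAL` and `REALM_ERROR_AUTH_FAILED` cases. A brief comment above on_join_leave_process, such as `/* Shared completion handler; is_join selects the join or leave wording of the error messages. */`, would document the new parameter. The function body continues outside the hunks shown.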


@ -0,0 +1,26 @@
From 56aedbceec3e6ff0d6142a16ca0c343c523b6d7a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Dec 2023 13:07:10 +0100
Subject: [PATCH 3/3] doc: fix reference in realmd.conf man page
---
doc/manual/realmd.conf.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 72b706c..ad17639 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -110,7 +110,8 @@ default-client = sssd
</para>
<para>Some callers of <command>realmd</command> such as the
- <link linkend="realm"><command>realm</command></link>
+ <citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>
command line tool allow specifying which client software should
be used. Others, such as GNOME Control Center, simplify choose
the default.</para>
--
2.43.0


@ -1,28 +1,20 @@
Name: realmd
Version: 0.17.0
Release: 9%{?dist}
Version: 0.17.1
Release: 2%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
License: LGPL-2.1-or-later
URL: https://gitlab.freedesktop.org/realmd/realmd
Source0: https://gitlab.freedesktop.org/sbose/realmd/uploads/b13a87292762bdad3ecbfe65bbb57211/realmd-%{version}.tar.gz
Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
Patch1: 0001-switch-to-authselect.patch
Patch2: 0001-build-add-with-vendor-error-message-configure-option.patch
Patch3: 0002-configure-update-some-macros-for-autoconf-2.71.patch
Patch4: 0001-doc-add-computer-name-to-realm-man-page.patch
Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
Patch0004: 0001-tools-fix-ccache-handling-for-leave-operation.patch
# rhbz#1978255 - regression in realmd/Sanity/realmd-service-sanity
Patch5: ipa-packages.patch
# rhbz#2038260 - realmd operations hang if a DC is unreachable
Patch6: 0001-ldap-add-socket-timeout.patch
# rhbz#2038268 - realmd logs are duplicated
Patch7: 0001-syslog-avoid-duplicate-log-messages.patch
# rhbz#2028530 - realm join needs to updated to use the command line options of
# Samba's net command
Patch8: 0001-samba-use-new-Samba-4.15-command-line-options.patch
### Downstream Patches ###
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
# using freeipa-*, the following patch applies the needed changes.
Patch0100: ipa-packages.patch
BuildRequires: make
BuildRequires: gcc
@ -74,13 +66,13 @@ autoreconf -fi
%endif
%{nil}
make %{?_smp_mflags}
%make_build
%check
make check
%install
make install DESTDIR=%{buildroot}
%make_install
%find_lang realmd
@ -95,7 +87,7 @@ make install DESTDIR=%{buildroot}
%files -f realmd.lang
%doc AUTHORS COPYING NEWS README
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sbindir}/realm
%dir %{_prefix}/lib/realmd
%{_libexecdir}/realmd
@ -113,6 +105,18 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com>
- Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- migrated to SPDX license
- allow multiple names and _srv_ ad_server option
Resolves: jira#RHEL-12112
- fix ccache handling for leave operation
Resolves: jira#RHEL-5104
* Fri Oct 14 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Update to upstream release 0.17.1
Resolves: rhbz#2129050, rhbz#2133839
* Tue Jan 11 2022 Sumit Bose <sbose@redhat.com> - 0.17.0-9
- enforce new Samba command line options
Resolves: rhbz#2028530
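Review bot: The new top `%changelog` entry, `* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com>`, has no version-release suffix, while the entries below it end in `- 0.17.1-1` and `- 0.17.0-9`; with `Release: 2%{?dist}` it should read `* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-2`. The comment above `Patch0100` has a doubled phrase and would read better as `# In RHEL the FreeIPA packages are called ipa-* while upstream uses freeipa-*; the following patch applies the needed changes.` If the `%config(noreplace)` form of the D-Bus policy line is the new side, as the print order suggests, a locally edited policy file will be kept on upgrade and later packaged policy changes will arrive only as `.rpmnew`, which deserves a short comment next to that `%files` entry.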


@ -1 +1 @@
SHA512 (realmd-0.17.0.tar.gz) = 1bde6d97abc7c9b792889f9a35a17e0551af049865facd7db1a35981971a2c0ae1f60ab578d66f8662b33238936472d8afe3ec6b90dd9e148846b318d6f0a82b
SHA512 (realmd-0.17.1.tar.gz) = 24f6b1fd149f2cd9e8019be1cb1638d8bc25845238ced224512a212d9de47305cf2b0c613c203a92fff0987a94cc9e08f9b45b93eedd54593b0c34f3875d1480