
1 Commits
c8 ... c10

Author SHA1 Message Date
09e90f3c5f import CS realmd-0.17.1-13.el10 2025-11-14 14:08:27 +00:00
16 changed files with 1694 additions and 89 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/realmd-0.17.1.tar.gz
realmd-0.17.1.tar.gz


@ -0,0 +1,335 @@
From 7a19dbe6620565817769f6862d3af5bac761235e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Dec 2024 17:22:06 +0100
Subject: [PATCH] Initial implementation of a renew request
This patch implements a new D-Bus request for realmd to renew the machine
account credentials in a keytab. This patch does not implement calling
the membership-software to do the actual update.
https://issues.redhat.com/browse/SSSD-8347
---
dbus/org.freedesktop.realmd.xml | 9 ++
service/org.freedesktop.realmd.policy.in | 10 ++
service/realm-invocation.c | 1 +
service/realm-kerberos.c | 15 ++
tools/Makefile.am | 1 +
tools/realm-renew.c | 179 +++++++++++++++++++++++
tools/realm.c | 1 +
tools/realm.h | 4 +
8 files changed, 220 insertions(+)
create mode 100644 tools/realm-renew.c
diff --git a/dbus/org.freedesktop.realmd.xml b/dbus/org.freedesktop.realmd.xml
index c34a47a..58e5773 100644
--- a/dbus/org.freedesktop.realmd.xml
+++ b/dbus/org.freedesktop.realmd.xml
@@ -725,6 +725,15 @@
<arg name="options" type="a{sv}" direction="in"/>
</method>
+ <!--
+ Renew:
+
+ Renew the client's credential in the realm.
+ -->
+ <method name="Renew">
+ <arg name="options" type="a{sv}" direction="in"/>
+ </method>
+
</interface>
</node>
diff --git a/service/org.freedesktop.realmd.policy.in b/service/org.freedesktop.realmd.policy.in
index 562cbbc..4ce97d7 100644
--- a/service/org.freedesktop.realmd.policy.in
+++ b/service/org.freedesktop.realmd.policy.in
@@ -44,6 +44,16 @@
</defaults>
</action>
+ <action id="org.freedesktop.realmd.renew-realm">
+ <description>Renew machine creadentials in realm</description>
+ <message>Authentication is required to renew the credentials of this computer in a realm or domain.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
<action id="org.freedesktop.realmd.login-policy">
<description>Change login policy</description>
<message>Authentication is required to change the policy of who can log in on this computer.</message>
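Review bot: The new action's description is misspelled ("creadentials"), and polkit can show this string to the administrator in authentication prompts and action listings. It should read `<description>Renew machine credentials in realm</description>`. The same kind of slip is in the handle_renew hunk of service/realm-kerberos.c, where the D-Bus error text says "impemented"; both strings are user-visible and worth fixing before translators pick them up.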
diff --git a/service/realm-invocation.c b/service/realm-invocation.c
index bb26fe3..91977e9 100644
--- a/service/realm-invocation.c
+++ b/service/realm-invocation.c
@@ -37,6 +37,7 @@ static InvocationMethod invocation_methods[] = {
{ REALM_DBUS_PROVIDER_INTERFACE, "Discover", "org.freedesktop.realmd.discover-realm", 2 },
{ REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, "Join", "org.freedesktop.realmd.configure-realm", 2 },
{ REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, "Leave", "org.freedesktop.realmd.deconfigure-realm", 2 },
+ { REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, "Renew", "org.freedesktop.realmd.renew-realm", 1 },
{ REALM_DBUS_REALM_INTERFACE, "Deconfigure", "org.freedesktop.realmd.deconfigure-realm", 1 },
{ REALM_DBUS_REALM_INTERFACE, "ChangeLoginPolicy", "org.freedesktop.realmd.login-policy", 4 },
};
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 51a1b11..3c9c71c 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -407,6 +407,19 @@ handle_leave (RealmDbusKerberosMembership *membership,
return TRUE;
}
+static gboolean
+handle_renew (RealmDbusKerberosMembership *membership,
+ GDBusMethodInvocation *invocation,
+ GVariant *options,
+ gpointer user_data)
+{
+ //RealmKerberos *self = REALM_KERBEROS (user_data);
+
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_UNKNOWN_METHOD,
+ "Renew is currently not impemented.");
+ return TRUE;
+}
+
static gboolean
handle_deconfigure (RealmDbusRealm *realm,
GDBusMethodInvocation *invocation,
@@ -567,6 +580,8 @@ realm_kerberos_constructed (GObject *obj)
G_CALLBACK (handle_join), self);
g_signal_connect (self->pv->membership_iface, "handle-leave",
G_CALLBACK (handle_leave), self);
+ g_signal_connect (self->pv->membership_iface, "handle-renew",
+ G_CALLBACK (handle_renew), self);
g_dbus_object_skeleton_add_interface (G_DBUS_OBJECT_SKELETON (self),
G_DBUS_INTERFACE_SKELETON (self->pv->membership_iface));
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 97b67e7..65abb60 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -9,6 +9,7 @@ realm_SOURCES = \
tools/realm-discover.c \
tools/realm-join.c \
tools/realm-leave.c \
+ tools/realm-renew.c \
tools/realm-logins.c \
service/realm-kerberos-helper.c \
$(NULL)
diff --git a/tools/realm-renew.c b/tools/realm-renew.c
new file mode 100644
index 0000000..7b28e48
--- /dev/null
+++ b/tools/realm-renew.c
@@ -0,0 +1,179 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2024 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#include "realm.h"
+#include "realm-client.h"
+#include "realm-dbus-constants.h"
+#include "realm-dbus-generated.h"
+
+#include <glib.h>
+#include <glib/gi18n.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+
+typedef struct {
+ GAsyncResult *result;
+ GMainLoop *loop;
+} SyncClosure;
+
+static void
+on_complete_get_result (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ SyncClosure *sync = user_data;
+ sync->result = g_object_ref (result);
+ g_main_loop_quit (sync->loop);
+}
+
+static int
+call_renew (RealmDbusKerberosMembership *membership,
+ GVariant *options,
+ GError **error)
+{
+ SyncClosure sync;
+ gboolean ret;
+
+ sync.result = NULL;
+ sync.loop = g_main_loop_new (NULL, FALSE);
+
+ /* Start actual operation */
+ realm_dbus_kerberos_membership_call_renew (membership, options, NULL,
+ on_complete_get_result, &sync);
+
+ /* This mainloop is quit by on_complete_get_result */
+ g_main_loop_run (sync.loop);
+
+ ret = realm_dbus_kerberos_membership_call_renew_finish (membership, sync.result, error);
+
+ g_object_unref (sync.result);
+ g_main_loop_unref (sync.loop);
+
+ return ret ? 0 : 1;
+}
+
+typedef struct {
+ gchar *membership_software;
+ gboolean use_ldaps;
+} RealmRenewArgs;
+
+static void
+realm_renew_args_clear (gpointer data)
+{
+ RealmRenewArgs *args = data;
+ g_free (args->membership_software);
+}
+
+static int
+perform_renew (RealmClient *client,
+ const gchar *string,
+ RealmRenewArgs *args)
+{
+ RealmDbusKerberosMembership *membership;
+ gboolean had_mismatched = FALSE;
+ RealmDbusRealm *realm;
+ GError *error = NULL;
+ GVariant *options;
+ GList *realms;
+ gint ret;
+
+ realms = realm_client_discover (client, string, args->use_ldaps, NULL,
+ NULL, args->membership_software,
+ REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
+ &had_mismatched, &error);
+
+ if (error != NULL) {
+ realm_handle_error(error, NULL);
+ return 1;
+ } else if (realms == NULL) {
+ if (had_mismatched)
+ realm_handle_error (NULL, _("Cannot renew credentials for this realm"));
+ else
+ realm_handle_error(NULL, _("No such realm found"));
+ return 1;
+ }
+
+ membership = realms->data;
+ realm = realm_client_to_realm (client, membership);
+ if (!realm_is_configured (realm)) {
+ realm_handle_error (NULL, _("Not joined to this domain"));
+ return 1;
+ }
+
+ options = realm_build_options (REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
+ NULL);
+ g_variant_ref_sink (options);
+
+ ret = call_renew (membership, options, &error);
+ if (error != NULL) {
+ realm_handle_error (error, _("Couldn't renew realm credentials"));
+ }
+
+ g_variant_unref (options);
+ g_list_free_full (realms, g_object_unref);
+ return ret;
+}
+
+int
+realm_renew (RealmClient *client,
+ int argc,
+ char *argv[])
+{
+ GOptionContext *context;
+ GError *error = NULL;
+ const gchar *realm_name;
+ RealmRenewArgs args;
+ GOptionGroup *group;
+ gint ret = 0;
+
+ GOptionEntry option_entries[] = {
+ { "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software,
+ N_("Use specific membership software"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+ N_("Use ldaps to connect to LDAP"), NULL },
+ { NULL, }
+ };
+
+ memset (&args, 0, sizeof (args));
+
+ context = g_option_context_new ("renew REALM");
+ g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
+
+ group = g_option_group_new (NULL, NULL, NULL, &args, realm_renew_args_clear);
+ g_option_group_add_entries (group, option_entries);
+ g_option_group_add_entries (group, realm_global_options);
+ g_option_context_set_main_group (context, group);
+
+ if (!g_option_context_parse (context, &argc, &argv, &error)) {
+ g_printerr ("%s: %s\n", g_get_prgname (), error->message);
+ g_error_free (error);
+ ret = 2;
+
+ } else if (argc > 2) {
+ g_printerr ("%s: %s\n", g_get_prgname (), _("Specify one realm to renew credentials"));
+ ret = 2;
+
+ } else {
+ realm_name = argc < 2 ? "" : argv[1];
+ ret = perform_renew (client, realm_name, &args);
+ }
+
+ g_option_context_free (context);
+ return ret;
+}
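Review bot: In perform_renew the `!realm_is_configured (realm)` branch returns 1 without releasing `realms`, while the normal exit runs `g_list_free_full (realms, g_object_unref)`. The proxies returned by realm_client_discover therefore stay referenced on the "Not joined to this domain" path. Adding `g_list_free_full (realms, g_object_unref);` before that `return 1;` makes both exits consistent. call_renew would also benefit from a short header comment, for example `/* Runs a private main loop until the Renew reply arrives; returns 0 on success and 1 on failure with @error set. */`.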
diff --git a/tools/realm.c b/tools/realm.c
index 8fdca16..3902017 100644
--- a/tools/realm.c
+++ b/tools/realm.c
@@ -40,6 +40,7 @@ struct {
{ "discover", realm_discover, "realm discover -v [realm-name]", N_("Discover available realm") },
{ "join", realm_join, "realm join -v [-U user] realm-name", N_("Enroll this machine in a realm") },
{ "leave", realm_leave, "realm leave -v [-U user] [realm-name]", N_("Unenroll this machine from a realm") },
+ { "renew", realm_renew, "realm renew -v [realm-name]", N_("Renew credentials for this machine in a realm") },
{ "list", realm_list, "realm list", N_("List known realms") },
{ "permit", realm_permit, "realm permit [-ax] [-R realm] user ...", N_("Permit user logins") },
{ "deny", realm_deny, "realm deny --all [-R realm]", N_("Deny user logins") },
diff --git a/tools/realm.h b/tools/realm.h
index 380b58b..68118e3 100644
--- a/tools/realm.h
+++ b/tools/realm.h
@@ -41,6 +41,10 @@ int realm_leave (RealmClient *client,
int argc,
char *argv[]);
+int realm_renew (RealmClient *client,
+ int argc,
+ char *argv[]);
+
int realm_discover (RealmClient *client,
int argc,
char *argv[]);
--
2.51.0


@ -0,0 +1,242 @@
From 1e6fe345218bc089c385711fbbb9941df6672b66 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 13 Nov 2024 16:28:21 +0100
Subject: [PATCH 1/2] Various fixes for issues found by static code scanners
---
service/realm-adcli-enroll.c | 10 +++++-----
service/realm-ini-config.c | 1 +
service/realm-kerberos.c | 11 +++++++----
service/realm-ldap.c | 9 +++++++--
service/realm-samba-winbind.c | 1 +
service/realm-samba.c | 5 ++---
tools/realm-client.c | 16 ++++++++++------
7 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index c913987..c58175e 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -226,10 +226,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
if (input)
g_bytes_unref (input);
- free (ccache_arg);
- free (upn_arg);
- free (server_arg);
- free (ou_arg);
+ g_free (ccache_arg);
+ g_free (upn_arg);
+ g_free (server_arg);
+ g_free (ou_arg);
}
gboolean
@@ -319,7 +319,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
if (input)
g_bytes_unref (input);
- free (ccache_arg);
+ g_free (ccache_arg);
g_free (server_arg);
}
diff --git a/service/realm-ini-config.c b/service/realm-ini-config.c
index 2e6813b..7bbea34 100644
--- a/service/realm-ini-config.c
+++ b/service/realm-ini-config.c
@@ -650,6 +650,7 @@ realm_ini_config_read_file (RealmIniConfig *self,
if (err != NULL) {
g_propagate_error (error, err);
+ g_free (contents);
return FALSE;
}
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 7994e1e..8810f87 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -300,7 +300,7 @@ join_or_leave (RealmKerberos *self,
{
RealmKerberosMembershipIface *iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
RealmKerberosMembership *membership = REALM_KERBEROS_MEMBERSHIP (self);
- RealmCredential *cred;
+ RealmCredential *cred = NULL;
MethodClosure *method;
GError *error = NULL;
@@ -317,6 +317,7 @@ join_or_leave (RealmKerberos *self,
cred = realm_credential_parse (credential, &error);
if (error != NULL) {
g_dbus_method_invocation_return_gerror (invocation, error);
+ realm_credential_unref (cred);
g_error_free (error);
return;
}
@@ -331,6 +332,8 @@ join_or_leave (RealmKerberos *self,
if (!realm_invocation_lock_daemon (invocation)) {
g_dbus_method_invocation_return_error (invocation, REALM_ERROR, REALM_ERROR_BUSY,
_("Already running another action"));
+ realm_credential_unref (cred);
+ g_error_free (error);
return;
}
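Review bot: The `g_error_free (error);` added to the "Already running another action" branch is probably called with `error == NULL`, because the only visible place that sets it (the realm_credential_parse check in the previous hunk) returns early. GLib's g_error_free() rejects NULL with a critical warning, which becomes an abort when criticals are fatal. `g_clear_error (&error);` is safe in both cases, or the call can be dropped if nothing between the two hunks can set `error`; that code is outside the visible lines. In the previous hunk, `realm_credential_unref (cred)` is likewise reached when parsing failed and `cred` is presumably NULL, so it is worth confirming that the unref accepts NULL.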
@@ -1067,7 +1070,7 @@ flush_keytab_entries (krb5_context ctx,
count = 0;
}
- code = krb5_kt_free_entry (ctx, &entry);
+ code = krb5_free_keytab_entry_contents (ctx, &entry);
return_val_if_krb5_failed (ctx, code, FALSE);
}
@@ -1175,13 +1178,13 @@ realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
&& name_data->data[name_data->length - 1] == '$') {
netbios_name = g_strndup (name_data->data, name_data->length - 1);
if (netbios_name == NULL) {
- code = krb5_kt_free_entry (ctx, &entry);
+ code = krb5_free_keytab_entry_contents (ctx, &entry);
warn_if_krb5_failed (ctx, code);
break;
}
}
}
- code = krb5_kt_free_entry (ctx, &entry);
+ code = krb5_free_keytab_entry_contents (ctx, &entry);
warn_if_krb5_failed (ctx, code);
}
}
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index f7b6d13..c28e8d1 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -228,6 +228,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
/* Not an expected failure */
if (ls->sock < 0) {
g_critical ("couldn't open socket to: %s: %s", addrname, strerror (errno));
+ g_free (addrname);
return NULL;
}
@@ -236,8 +237,10 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
native_len = g_socket_address_get_native_size (address);
native = g_malloc (native_len);
- if (!g_socket_address_to_native (address, native, native_len, NULL))
+ if (!g_socket_address_to_native (address, native, native_len, NULL)) {
+ g_free (addrname);
g_return_val_if_reached (NULL);
+ }
if (connect (ls->sock, native, native_len) < 0 &&
errno != EINPROGRESS) {
@@ -280,6 +283,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
g_free (url);
g_free (native);
+ g_free (addrname);
/* Not an expected failure */
if (rc != LDAP_SUCCESS) {
@@ -326,6 +330,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
case G_SOCKET_PROTOCOL_UDP:
url = g_strdup_printf ("cldap://%s:%d", addrname, port);
+ g_free (addrname);
/*
* HACK: ldap_init_fd() does not work for UDP, otherwise we
@@ -367,11 +372,11 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
break;
default:
+ g_free (addrname);
g_return_val_if_reached (NULL);
break;
}
- g_free (addrname);
version = LDAP_VERSION3;
if (ldap_set_option (ls->ldap, LDAP_OPT_PROTOCOL_VERSION, &version) != 0)
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index 61988eb..30f0433 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -154,6 +154,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
realm_ini_config_finish_change (config, &error);
g_free (idmap_config_backend);
g_free (idmap_config_range);
+ g_free (idmap_config_schema_mode);
}
/* Setup pam_winbind.conf with decent defaults matching our expectations */
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 677c848..bc976f1 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -134,10 +134,9 @@ lookup_login_prefix (RealmSamba *self)
return NULL;
separator = realm_ini_config_get (self->config, REALM_SAMBA_CONFIG_GLOBAL, "winbind separator");
- if (separator == NULL)
- separator = g_strdup ("\\");
- return g_strdup_printf ("%s%s", workgroup, separator);
+ return g_strdup_printf ("%s%s", workgroup,
+ separator != NULL ? separator : "\\");
}
typedef struct {
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 06420ea..a63652d 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -287,8 +287,8 @@ realm_client_new_installer (gboolean verbose,
socket = g_socket_new_from_fd (pair[0], &error);
if (error != NULL) {
realm_handle_error (error, _("Couldn't create socket"));
- close(pair[0]);
- close(pair[1]);
+ close (pair[0]);
+ close (pair[1]);
return NULL;
}
@@ -296,11 +296,12 @@ realm_client_new_installer (gboolean verbose,
G_SPAWN_LEAVE_DESCRIPTORS_OPEN | G_SPAWN_DO_NOT_REAP_CHILD,
NULL, NULL, &pid, &error);
- close(pair[1]);
+ close (pair[1]);
if (error != NULL) {
realm_handle_error (error, _("Couldn't run realmd"));
- close(pair[0]);
+ close (pair[0]);
+ g_object_unref (socket);
return NULL;
}
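Review bot: On the "Couldn't run realmd" path the descriptor `pair[0]` is now closed twice, first by `close (pair[0]);` and then by the new `g_object_unref (socket);`. The socket was created with `g_socket_new_from_fd (pair[0], &error)`, so the GSocket owns that fd and closes it when the last reference is dropped. The second close can hit an unrelated descriptor opened in between by another thread. Keep only `g_object_unref (socket);` on this path and remove the explicit `close (pair[0]);`, assuming no other reference to the socket exists at this point (the rest of the function is outside the hunk).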
@@ -770,11 +771,14 @@ build_ccache_credential (const gchar *user_name,
if (ccache) {
ret = copy_or_kinit_to_ccache (krb5, ccache, user_name, realm_name, error);
krb5_cc_close (krb5, ccache);
- krb5_free_context (krb5);
}
+ krb5_free_context (krb5);
- if (!ret)
+ if (!ret) {
+ g_unlink (filename);
+ g_free (filename);
return NULL;
+ }
result = read_file_into_variant (filename);
--
2.48.1


@ -0,0 +1,72 @@
From 4299bd81279830e48b93f163049179aff14d1402 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Feb 2024 08:58:56 +0100
Subject: [PATCH] sssd package fix
---
dbus/realm-dbus-constants.h | 1 +
service/realm-sssd-ad.c | 3 +++
service/realmd-redhat-authconfig.conf | 5 ++++-
service/realmd-redhat.conf | 5 ++++-
4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index d2c2a8b..e49034b 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -78,6 +78,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_IDENTIFIER_IPA "ipa"
#define REALM_DBUS_IDENTIFIER_FREEIPA "freeipa"
#define REALM_DBUS_IDENTIFIER_SSSD "sssd"
+#define REALM_DBUS_IDENTIFIER_SSSD_AD "sssd-ad"
#define REALM_DBUS_IDENTIFIER_SAMBA "samba"
#define REALM_DBUS_IDENTIFIER_ADCLI "adcli"
#define REALM_DBUS_IDENTIFIER_EXAMPLE "example"
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 096b6c5..64bb488 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -46,18 +46,21 @@ typedef struct {
static const gchar *ADCLI_PACKAGES[] = {
REALM_DBUS_IDENTIFIER_SSSD,
+ REALM_DBUS_IDENTIFIER_SSSD_AD,
REALM_DBUS_IDENTIFIER_ADCLI,
NULL
};
static const gchar *SAMBA_PACKAGES[] = {
REALM_DBUS_IDENTIFIER_SSSD,
+ REALM_DBUS_IDENTIFIER_SSSD_AD,
REALM_DBUS_IDENTIFIER_SAMBA,
NULL
};
static const gchar *ALL_PACKAGES[] = {
REALM_DBUS_IDENTIFIER_SSSD,
+ REALM_DBUS_IDENTIFIER_SSSD_AD,
REALM_DBUS_IDENTIFIER_ADCLI,
REALM_DBUS_IDENTIFIER_SAMBA,
NULL
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index 2b11c30..12ec3c3 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -13,10 +13,13 @@ oddjob = /usr/sbin/oddjobd
oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
[sssd-packages]
-sssd = /usr/sbin/sssd
+sssd-common = /usr/sbin/sssd
oddjob = /usr/sbin/oddjobd
oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
+[sssd-ad-packages]
+sssd-ad = /usr/libexec/sssd/gpo_child
+
[adcli-packages]
adcli = /usr/sbin/adcli
--
2.43.0


@ -0,0 +1,226 @@
From f52ee4b8373f9fa8a96f9f6af656dfabc90b57ee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 13 Nov 2024 17:41:54 +0100
Subject: [PATCH 2/2] krb5: add realm_krb5_get_error_message()
The krb5_get_error_message() call returns an error message in an
allocated string which must be freed. This makes it hard to simply use
krb5_get_error_message() in a printf() argument list.
realm_krb5_get_error_message() used a static memory area to make the
usage more easy.
---
service/Makefile.am | 1 +
service/realm-kerberos-helper.c | 33 +++++++++++++++++++++++++++++++++
service/realm-kerberos-helper.h | 28 ++++++++++++++++++++++++++++
service/realm-kerberos.c | 9 +++++----
tools/Makefile.am | 1 +
tools/realm-client.c | 15 ++++++++++-----
6 files changed, 78 insertions(+), 9 deletions(-)
create mode 100644 service/realm-kerberos-helper.c
create mode 100644 service/realm-kerberos-helper.h
diff --git a/service/Makefile.am b/service/Makefile.am
index 1fb4da9..977f4e4 100644
--- a/service/Makefile.am
+++ b/service/Makefile.am
@@ -56,6 +56,7 @@ realmd_SOURCES = \
service/realm-kerberos.h \
service/realm-kerberos-config.c \
service/realm-kerberos-config.h \
+ service/realm-kerberos-helper.c \
service/realm-kerberos-membership.c \
service/realm-kerberos-membership.h \
service/realm-kerberos-provider.c \
diff --git a/service/realm-kerberos-helper.c b/service/realm-kerberos-helper.c
new file mode 100644
index 0000000..a89fb6a
--- /dev/null
+++ b/service/realm-kerberos-helper.c
@@ -0,0 +1,33 @@
+/* realmd -- Realm Kerberos helper functions used by tools as well
+ *
+ * Copyright 2024 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#include "realm-kerberos-helper.h"
+
+const char *realm_krb5_get_error_message (krb5_context ctx,
+ krb5_error_code code)
+{
+ static char out[4096];
+ const char *tmp;
+ size_t len;
+
+ tmp = krb5_get_error_message (ctx, code);
+ len = strlen (tmp);
+ memcpy (out, tmp, MIN (sizeof (out), len));
+ out[sizeof(out) - 1] = '\0';
+ krb5_free_error_message (ctx, tmp);
+
+ return out;
+}
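Review bot: realm_krb5_get_error_message() does not terminate the copied text when the message is shorter than the buffer, because `memcpy (out, tmp, MIN (sizeof (out), len))` copies no NUL and only the last byte of `out` is ever cleared. Since `out` is static, a short message that follows a longer one is returned with the tail of the earlier message attached, which corrupts the log and error text. Bound the copy and terminate at the copied length: `len = MIN (sizeof (out) - 1, strlen (tmp)); memcpy (out, tmp, len); out[len] = '\0';`. The header should also document that the result points to a shared static buffer, so it is overwritten by the next call, must not be used twice in one argument list, and is not safe to call from several threads.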
diff --git a/service/realm-kerberos-helper.h b/service/realm-kerberos-helper.h
new file mode 100644
index 0000000..4dc1bdb
--- /dev/null
+++ b/service/realm-kerberos-helper.h
@@ -0,0 +1,28 @@
+/* realmd -- Realm Kerberos helper functions used by tools as well
+ *
+ * Copyright 2024 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#ifndef __REALM_KERBEROS_HELPER_H__
+#define __REALM_KERBEROS_HELPER_H__
+
+#include <string.h>
+#include <sys/param.h>
+#include <krb5/krb5.h>
+
+
+const char *realm_krb5_get_error_message (krb5_context ctx,
+ krb5_error_code code);
+
+#endif /* __REALM_KERBEROS_HELPER_H__ */
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 8810f87..51a1b11 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -24,6 +24,7 @@
#include "realm-errors.h"
#include "realm-invocation.h"
#include "realm-kerberos.h"
+#include "realm-kerberos-helper.h"
#include "realm-kerberos-membership.h"
#include "realm-login-name.h"
#include "realm-options.h"
@@ -65,21 +66,21 @@ G_DEFINE_TYPE (RealmKerberos, realm_kerberos, G_TYPE_DBUS_OBJECT_SKELETON);
#define return_if_krb5_failed(ctx, code) G_STMT_START \
if G_LIKELY ((code) == 0) { } else { \
g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
- krb5_get_error_message ((ctx), (code))); \
+ realm_krb5_get_error_message ((ctx), (code))); \
return; \
} G_STMT_END
#define return_val_if_krb5_failed(ctx, code, val) G_STMT_START \
if G_LIKELY ((code) == 0) { } else { \
g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
- krb5_get_error_message ((ctx), (code))); \
+ realm_krb5_get_error_message ((ctx), (code))); \
return (val); \
} G_STMT_END
#define warn_if_krb5_failed(ctx, code) G_STMT_START \
if G_LIKELY ((code) == 0) { } else { \
g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
- krb5_get_error_message ((ctx), (code))); \
+ realm_krb5_get_error_message ((ctx), (code))); \
} G_STMT_END
typedef struct {
@@ -802,7 +803,7 @@ set_krb5_error (GError **error,
va_end (va);
g_set_error (error, REALM_KRB5_ERROR, code,
- "%s: %s", string, krb5_get_error_message (context, code));
+ "%s: %s", string, realm_krb5_get_error_message (context, code));
g_free (string);
}
diff --git a/tools/Makefile.am b/tools/Makefile.am
index b94782f..97b67e7 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -10,6 +10,7 @@ realm_SOURCES = \
tools/realm-join.c \
tools/realm-leave.c \
tools/realm-logins.c \
+ service/realm-kerberos-helper.c \
$(NULL)
realm_CFLAGS = \
diff --git a/tools/realm-client.c b/tools/realm-client.c
index a63652d..46848da 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -17,6 +17,7 @@
#include "realm.h"
#include "realm-client.h"
#include "realm-dbus-constants.h"
+#include "service/realm-kerberos-helper.h"
#include <glib/gi18n.h>
#include <glib/gstdio.h>
@@ -543,7 +544,7 @@ propagate_krb5_error (GError **dest,
if (code != 0) {
if (format)
g_string_append (message, ": ");
- g_string_append (message, krb5_get_error_message (context, code));
+ g_string_append (message, realm_krb5_get_error_message (context, code));
}
g_set_error_literal (dest, g_quark_from_static_string ("krb5"),
@@ -614,7 +615,8 @@ copy_to_ccache (krb5_context krb5,
code = krb5_cc_default (krb5, &def_ccache);
if (code != 0) {
- g_debug ("krb5_cc_default failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_default failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
@@ -637,13 +639,15 @@ copy_to_ccache (krb5_context krb5,
g_debug ("no matching principal found in %s", krb5_cc_default_name (krb5));
return FALSE;
} else if (code != 0) {
- g_debug ("krb5_cc_retrieve_cred failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_retrieve_cred failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
code = krb5_cc_initialize (krb5, ccache, creds.client);
if (code != 0) {
- g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_initialize failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
@@ -651,7 +655,8 @@ copy_to_ccache (krb5_context krb5,
krb5_free_cred_contents (krb5, &creds);
if (code != 0) {
- g_debug ("krb5_cc_store_cred failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_store_cred failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
--
2.48.1


@ -0,0 +1,516 @@
From aab58393b1f5255d905d5872c697522b3a52a64c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 Jan 2025 15:11:53 +0100
Subject: [PATCH] renew: implement support for adcli
With this patch realmd can call adcli to renew the machine account
credentials in a given keytab.
Resolves: https://issues.redhat.com/browse/SSSD-8347
---
dbus/realm-dbus-constants.h | 4 +
service/realm-adcli-enroll.c | 103 ++++++++++++++++++++++++
service/realm-adcli-enroll.h | 6 ++
service/realm-kerberos-membership.h | 10 +++
service/realm-kerberos.c | 49 +++++++++++-
service/realm-options.c | 36 +++++++++
service/realm-options.h | 3 +
service/realm-sssd-ad.c | 120 ++++++++++++++++++++++++++++
tools/realm-renew.c | 18 ++++-
9 files changed, 344 insertions(+), 5 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index e49034b..1608901 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -72,6 +72,10 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
#define REALM_DBUS_OPTION_USE_LDAPS "use-ldaps"
#define REALM_DBUS_OPTION_DO_NOT_TOUCH_CONFIG "do-not-touch-config"
+#define REALM_DBUS_OPTION_ADD_SAMBA_DATA "add-samba-data"
+#define REALM_DBUS_OPTION_COMPUTER_PWD_LIFETIME "computer-password-lifetime"
+#define REALM_DBUS_OPTION_HOST_KEYTAB "host-keytab"
+#define REALM_DBUS_OPTION_HOST_FQDN "host-fqdn"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index c58175e..c428f70 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -23,6 +23,7 @@
#include "realm-ini-config.h"
#include "realm-options.h"
#include "realm-settings.h"
+#include "realm-dbus-constants.h"
static void
on_join_leave_process (GObject *source,
@@ -84,6 +85,14 @@ on_leave_process (GObject *source,
on_join_leave_process (source, result, user_data, FALSE);
}
+static void
+on_renew_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, FALSE);
+}
+
void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
@@ -330,3 +339,97 @@ realm_adcli_enroll_delete_finish (GAsyncResult *result,
g_return_val_if_fail (g_task_is_valid (result, NULL), FALSE);
return g_task_propagate_boolean (G_TASK (result), error);
}
+
+void
+realm_adcli_enroll_renew_async (RealmDisco *disco,
+ GVariant *options,
+ gboolean use_ldaps,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data)
+{
+ gchar *environ[] = { "LANG=C", NULL };
+ GInetAddress *address;
+ GTask *task;
+ GPtrArray *args;
+ gchar *ccache_arg = NULL;
+ gchar *server_arg = NULL;
+ gboolean add_samba_data = FALSE;
+ const gchar *computer_password_lifetime = NULL;
+ gchar *lifetime_arg = NULL;
+ const gchar *host_keytab = NULL;
+ gchar *keytab_arg = NULL;
+ const gchar *host_fqdn = NULL;
+ gchar *fqdn_arg = NULL;
+
+ g_return_if_fail (disco != NULL);
+ g_return_if_fail (invocation != NULL);
+
+ task = g_task_new (NULL, NULL, callback, user_data);
+ args = g_ptr_array_new ();
+
+ add_samba_data = realm_option_add_samba_data (options);
+ computer_password_lifetime = realm_option_computer_pwd_lifetime (options);
+ host_keytab = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_HOST_KEYTAB);
+ host_fqdn = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_HOST_FQDN);
+
+ g_ptr_array_add (args, (gpointer)realm_settings_path ("adcli"));
+ g_ptr_array_add (args, "update");
+ g_ptr_array_add (args, "--verbose");
+ g_ptr_array_add (args, "--domain");
+ g_ptr_array_add (args, (gpointer)disco->domain_name);
+
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
+ if (add_samba_data) {
+ g_ptr_array_add (args, "--add-samba-data");
+ }
+
+ if (computer_password_lifetime != NULL) {
+ lifetime_arg = g_strdup_printf ("--computer-password-lifetime=%s",
+ computer_password_lifetime);
+ g_ptr_array_add (args, lifetime_arg);
+ }
+
+ if (host_keytab != NULL) {
+ keytab_arg = g_strdup_printf ("--host-keytab=%s", host_keytab);
+ g_ptr_array_add (args, keytab_arg);
+ }
+
+ if (host_fqdn != NULL) {
+ fqdn_arg = g_strdup_printf ("--host-fqdn=%s", host_fqdn);
+ g_ptr_array_add (args, fqdn_arg);
+ }
+
+ if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
+ address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
+ server_arg = g_inet_address_to_string (address);
+ if (server_arg) {
+ g_ptr_array_add (args, "--domain-controller");
+ g_ptr_array_add (args, server_arg);
+ }
+
+ } else if (disco->explicit_server) {
+ g_ptr_array_add (args, "--domain-controller");
+ g_ptr_array_add (args, (gpointer)disco->explicit_server);
+ }
+
+ g_ptr_array_add (args, NULL);
+
+ realm_command_runv_async ((gchar **)args->pdata, environ, NULL,
+ invocation, on_renew_process,
+ g_object_ref (task));
+
+ g_ptr_array_free (args, TRUE);
+ g_object_unref (task);
+
+ g_free (fqdn_arg);
+ g_free (keytab_arg);
+ g_free (lifetime_arg);
+ g_free (ccache_arg);
+ g_free (server_arg);
+}
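Review bot: The values of `host-keytab`, `host-fqdn` and `computer-password-lifetime` are taken from the caller's D-Bus options and formatted straight into the adcli command line that the daemon runs, with no check visible in realm_adcli_enroll_renew_async. The `--name=%s` form keeps them from being parsed as separate options, but the keytab path and host name still decide which file the privileged process rewrites and which account it updates. Unless realm_options_ad_specific() and realm_option_computer_pwd_lifetime() already validate them (their bodies are not in view), this function should reject unexpected values, for example `if (host_keytab != NULL && !g_path_is_absolute (host_keytab))`, and complete the task with an error. The lifetime should likewise be limited to digits. Separately, `ccache_arg` is declared, never assigned and then freed, so it can be removed.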
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
index 3f535d0..e03f3f0 100644
--- a/service/realm-adcli-enroll.h
+++ b/service/realm-adcli-enroll.h
@@ -48,6 +48,12 @@ void realm_adcli_enroll_delete_async (RealmDisco *disco,
gboolean realm_adcli_enroll_delete_finish (GAsyncResult *result,
GError **error);
+void realm_adcli_enroll_renew_async (RealmDisco *disco,
+ GVariant *options,
+ gboolean use_ldaps,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data);
G_END_DECLS
#endif /* __REALM_ADCLI_ENROLL_H__ */
diff --git a/service/realm-kerberos-membership.h b/service/realm-kerberos-membership.h
index 50eea53..90337b7 100644
--- a/service/realm-kerberos-membership.h
+++ b/service/realm-kerberos-membership.h
@@ -62,6 +62,16 @@ struct _RealmKerberosMembershipIface {
GError **error);
const RealmCredential * (* leave_creds) (RealmKerberosMembership *realm);
+
+ void (* renew_async) (RealmKerberosMembership *realm,
+ GVariant *options,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data);
+
+ gboolean (* renew_finish) (RealmKerberosMembership *realm,
+ GAsyncResult *result,
+ GError **error);
};
GType realm_kerberos_membership_get_type (void) G_GNUC_CONST;
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 3c9c71c..0cf2da0 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -407,16 +407,57 @@ handle_leave (RealmDbusKerberosMembership *membership,
return TRUE;
}
+static void
+on_renew_complete (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ MethodClosure *closure = user_data;
+ RealmKerberosMembershipIface *iface;
+ GCancellable *cancellable;
+ GError *error = NULL;
+
+ iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (closure->self);
+ g_return_if_fail (iface->renew_finish != NULL);
+
+ cancellable = realm_invocation_get_cancellable (closure->invocation);
+ if (!g_cancellable_set_error_if_cancelled (cancellable, &error))
+ (iface->leave_finish) (REALM_KERBEROS_MEMBERSHIP (closure->self), result, &error);
+
+ unenroll_method_reply (closure->invocation, error);
+
+ g_clear_error (&error);
+ method_closure_free (closure);
+}
+
static gboolean
-handle_renew (RealmDbusKerberosMembership *membership,
+handle_renew (RealmDbusKerberosMembership *dbus_membership,
GDBusMethodInvocation *invocation,
GVariant *options,
gpointer user_data)
{
- //RealmKerberos *self = REALM_KERBEROS (user_data);
+ MethodClosure *method;
+ RealmKerberos *self = REALM_KERBEROS (user_data);
+ RealmKerberosMembershipIface *iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
+ RealmKerberosMembership *membership = REALM_KERBEROS_MEMBERSHIP (self);
+
+ if (!realm_invocation_lock_daemon (invocation)) {
+ g_dbus_method_invocation_return_error (invocation, REALM_ERROR, REALM_ERROR_BUSY,
+ _("Already running another action"));
+ return TRUE;
+ }
+
+ method = method_closure_new (self, invocation);
+
+ if (iface->renew_async == NULL || iface->renew_finish == NULL) {
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+ G_DBUS_ERROR_UNKNOWN_METHOD,
+ "Renew is currently not impemented.");
+ return TRUE;
+ }
+
+ (iface->renew_async) (membership, options, invocation, on_renew_complete, method);
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_UNKNOWN_METHOD,
- "Renew is currently not impemented.");
return TRUE;
}
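Review bot: `on_renew_complete` asserts that `iface->renew_finish` is set but then completes the operation through `(iface->leave_finish)`, so a backend whose renew and leave finish functions differ, or which has no `leave_finish`, gets the wrong callback or a NULL call. In the sssd-ad backend both slots are assigned `realm_sssd_ad_generic_finish`, which hides the mix-up there. The call should read `(iface->renew_finish) (REALM_KERBEROS_MEMBERSHIP (closure->self), result, &error);`. The reply also goes through `unenroll_method_reply`, whose body is not shown; if it emits leave-specific diagnostics, a renew-specific reply helper would keep the log accurate.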
diff --git a/service/realm-options.c b/service/realm-options.c
index e1abe3a..919461f 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -215,6 +215,42 @@ gboolean realm_option_use_ldaps (GVariant *options)
return FALSE;
}
+gboolean realm_option_add_samba_data (GVariant *options)
+{
+ const gchar *add_samba_data_str;
+
+ add_samba_data_str = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_ADD_SAMBA_DATA);
+ if (add_samba_data_str != NULL
+ && ( g_ascii_strcasecmp (add_samba_data_str, "True") == 0
+ || g_ascii_strcasecmp (add_samba_data_str, "Yes") == 0)) {
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+const gchar *realm_option_computer_pwd_lifetime (GVariant *options)
+{
+ const gchar *computer_password_lifetime;
+ gint64 tmp64;
+ gchar *endptr;
+
+ computer_password_lifetime = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_COMPUTER_PWD_LIFETIME);
+ if (computer_password_lifetime != NULL && *computer_password_lifetime != '\0') {
+ errno = 0;
+ tmp64 = g_ascii_strtoll (computer_password_lifetime, &endptr, 10);
+ if (tmp64 < 0 || errno != 0 || *endptr != '\0') {
+ /* Illegal input, ignored, should be checked earlier
+ * to return an error */
+ computer_password_lifetime = NULL;
+ }
+ }
+
+ return computer_password_lifetime;
+}
+
gboolean realm_option_do_not_touch_config (GVariant *options)
{
const gchar *str;
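Review bot: `realm_option_computer_pwd_lifetime` turns a malformed or negative lifetime into NULL without any diagnostic, so the renew goes ahead with whatever default applies instead of the value the caller asked for; the in-code comment already admits the check belongs earlier. Until the D-Bus handler rejects such a request, a `g_warning ("Ignoring invalid computer-password-lifetime value");` in the rejecting branch would at least leave a trace. The function also deserves a header comment saying that it returns either NULL or the string obtained from `realm_options_ad_specific`, which the caller must not free (ownership presumably stays with `options`; confirm), and that only non-negative base-10 integers are accepted. `errno` is used here, so the file needs `<errno.h>`; its include list is outside this hunk.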
diff --git a/service/realm-options.h b/service/realm-options.h
index 569ef42..a6b5c41 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -52,6 +52,9 @@ gboolean realm_option_use_ldaps (GVariant *options);
gboolean realm_option_do_not_touch_config (GVariant *options);
+gboolean realm_option_add_samba_data (GVariant *options);
+
+const gchar * realm_option_computer_pwd_lifetime (GVariant *options);
G_END_DECLS
#endif /* __REALM_OPTIONS_H__ */
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 64bb488..c04557b 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -644,6 +644,123 @@ realm_sssd_ad_leave_creds (RealmKerberosMembership *membership)
return creds;
}
+typedef struct {
+ GDBusMethodInvocation *invocation;
+ gchar *realm_name;
+} RenewClosure;
+
+static void
+renew_closure_free (gpointer data)
+{
+ RenewClosure *renew = data;
+ g_free (renew->realm_name);
+ g_object_unref (renew->invocation);
+ g_free (renew);
+}
+
+static void
+on_renew_done (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ GTask *task = G_TASK (user_data);
+ RenewClosure *renew = g_task_get_task_data (task);
+ GError *error = NULL;
+
+ if (!g_task_is_valid (result, NULL)) {
+ realm_diagnostics_info (renew->invocation, "Task not valid.");
+ }
+
+ g_task_propagate_boolean (G_TASK (result), &error);
+ if (error != NULL) {
+ realm_diagnostics_error (renew->invocation, error,
+ "Task failed with: ");
+ g_error_free (error);
+ g_task_return_error (task, error);
+ } else {
+ g_task_return_boolean (task, TRUE);
+ }
+
+ g_object_unref (task);
+}
+
+static void
+realm_sssd_ad_renew_async (RealmKerberosMembership *membership,
+ GVariant *options,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data)
+{
+ RealmSssdAd *self = REALM_SSSD_AD (membership);
+ RealmKerberos *realm = REALM_KERBEROS (self);
+ RealmSssd *sssd = REALM_SSSD (self);
+ RealmDisco *disco;
+ const gchar *section;
+ GTask *task;
+ RenewClosure *renew;
+ gboolean use_ldaps = FALSE;
+
+ task = g_task_new (self, NULL, callback, user_data);
+
+ /* Check that enrolled in this realm */
+ section = realm_sssd_get_config_section (sssd);
+ if (!section) {
+ g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_NOT_CONFIGURED,
+ _("Not currently joined to this domain"));
+ g_object_unref (task);
+ return;
+ }
+
+
+ /* This also has the side-effect of populating the disco info if necessary */
+ disco = realm_kerberos_get_disco (realm);
+
+ renew = g_new0 (RenewClosure, 1);
+ renew->realm_name = g_strdup (realm_kerberos_get_realm_name (realm));
+ renew->invocation = g_object_ref (invocation);
+ g_task_set_task_data (task, renew, renew_closure_free);
+
+ realm_adcli_enroll_renew_async (disco, options, use_ldaps, invocation, on_renew_done,
+ g_object_ref (task));
+
+ g_object_unref (task);
+#if 0
+ switch (cred->type) {
+ case REALM_CREDENTIAL_AUTOMATIC:
+ realm_sssd_deconfigure_domain_tail (REALM_SSSD (self), task, invocation);
+ break;
+ case REALM_CREDENTIAL_CCACHE:
+ case REALM_CREDENTIAL_PASSWORD:
+ leave = g_new0 (LeaveClosure, 1);
+ leave->realm_name = g_strdup (realm_kerberos_get_realm_name (realm));
+ leave->invocation = g_object_ref (invocation);
+ leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
+ g_task_set_task_data (task, leave, leave_closure_free);
+
+ use_ldaps = realm_option_use_ldaps (options);
+ if (leave->use_adcli) {
+ realm_adcli_enroll_delete_async (disco, cred, options,
+ use_ldaps, invocation,
+ on_leave_do_deconfigure, g_object_ref (task));
+ } else {
+ if (use_ldaps) {
+ realm_diagnostics_info (leave->invocation,
+ "Membership software does "
+ "not support ldaps, trying "
+ "without.");
+ }
+ realm_samba_enroll_leave_async (disco, cred, options, invocation,
+ on_leave_do_deconfigure, g_object_ref (task));
+ }
+ break;
+ default:
+ g_return_if_reached ();
+ }
+
+ g_object_unref (task);
+#endif
+}
+
static gboolean
realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
GAsyncResult *result,
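Review bot: `realm_sssd_ad_renew_async` hands `use_ldaps` to `realm_adcli_enroll_renew_async` while it still holds the `FALSE` it was initialised with, because the only `realm_option_use_ldaps (options)` call sits inside the `#if 0` block copied from the leave path. A `realm renew --use-ldaps` request is therefore accepted, yet adcli is started without `--use-ldaps`, so the transport the administrator asked for is silently not used. Add `use_ldaps = realm_option_use_ldaps (options);` before the adcli call and delete the `#if 0 … #endif` block, which refers to `cred`, `leave` and `tags` that are not declared in this function. Separately, `on_renew_done` only logs when `g_task_is_valid` fails and then still calls `g_task_propagate_boolean (G_TASK (result), &error)`; returning an error on the task at that point would be safer.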
@@ -752,4 +869,7 @@ realm_sssd_ad_kerberos_membership_iface (RealmKerberosMembershipIface *iface)
iface->leave_async = realm_sssd_ad_leave_async;
iface->leave_finish = realm_sssd_ad_generic_finish;
iface->leave_creds = realm_sssd_ad_leave_creds;
+
+ iface->renew_async = realm_sssd_ad_renew_async;
+ iface->renew_finish = realm_sssd_ad_generic_finish;
}
diff --git a/tools/realm-renew.c b/tools/realm-renew.c
index 7b28e48..c17febc 100644
--- a/tools/realm-renew.c
+++ b/tools/realm-renew.c
@@ -70,6 +70,10 @@ call_renew (RealmDbusKerberosMembership *membership,
typedef struct {
gchar *membership_software;
gboolean use_ldaps;
+ gboolean add_samba_data;
+ gchar *computer_password_lifetime;
+ gchar *host_keytab;
+ gchar *host_fqdn;
} RealmRenewArgs;
static void
@@ -116,7 +120,11 @@ perform_renew (RealmClient *client,
}
options = realm_build_options (REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
+ REALM_DBUS_OPTION_COMPUTER_PWD_LIFETIME, args->computer_password_lifetime,
+ REALM_DBUS_OPTION_HOST_KEYTAB, args->host_keytab,
+ REALM_DBUS_OPTION_HOST_FQDN, args->host_fqdn,
REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
+ REALM_DBUS_OPTION_ADD_SAMBA_DATA, args->add_samba_data ? "True" : "False",
NULL);
g_variant_ref_sink (options);
@@ -138,7 +146,7 @@ realm_renew (RealmClient *client,
GOptionContext *context;
GError *error = NULL;
const gchar *realm_name;
- RealmRenewArgs args;
+ RealmRenewArgs args = { 0 };
GOptionGroup *group;
gint ret = 0;
@@ -147,6 +155,14 @@ realm_renew (RealmClient *client,
N_("Use specific membership software"), NULL },
{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
N_("Use ldaps to connect to LDAP"), NULL },
+ { "host-keytab", 0, 0, G_OPTION_ARG_STRING, &args.host_keytab,
+ N_("Path to the keytab"), NULL },
+ { "host-fqdn", 0, 0, G_OPTION_ARG_STRING, &args.host_fqdn,
+ N_("Fully-qualified name of the host"), NULL },
+ { "computer-password-lifetime", 0, 0, G_OPTION_ARG_STRING, &args.computer_password_lifetime,
+ N_("lifetime of the host accounts password in days"), NULL },
+ { "add-samba-data", 0, 0, G_OPTION_ARG_NONE, &args.add_samba_data,
+ N_("Try to update Samba's internal machine account password as well"), NULL },
{ NULL, }
};
--
2.51.0


@ -0,0 +1,21 @@
From 24d1cb6392a95d2336a66b3538bfe42d4fe73289 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 13 May 2025 13:08:10 +0200
Subject: [PATCH] renew: add translatable strings
---
po/POTFILES.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 140ed4c..2d8b266 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -20,3 +20,4 @@ tools/realm-discover.c
tools/realm-join.c
tools/realm-leave.c
tools/realm-logins.c
+tools/realm-renew.c
--
2.51.0


@ -0,0 +1,47 @@
From 5239baba5ac501358b28e8421935f2a102a57c0f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 24 Apr 2025 11:38:35 +0200
Subject: [PATCH] renew: fix issues found by Coverity
---
service/realm-kerberos.c | 4 ++--
service/realm-sssd-ad.c | 1 -
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 0cf2da0..2b617a5 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -447,8 +447,6 @@ handle_renew (RealmDbusKerberosMembership *dbus_membership,
return TRUE;
}
- method = method_closure_new (self, invocation);
-
if (iface->renew_async == NULL || iface->renew_finish == NULL) {
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
G_DBUS_ERROR_UNKNOWN_METHOD,
@@ -456,6 +454,8 @@ handle_renew (RealmDbusKerberosMembership *dbus_membership,
return TRUE;
}
+ method = method_closure_new (self, invocation);
+
(iface->renew_async) (membership, options, invocation, on_renew_complete, method);
return TRUE;
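Review bot: The early return for a missing `renew_async`/`renew_finish` still happens after `realm_invocation_lock_daemon (invocation)` has succeeded, as the handle_renew body in the earlier patch shows, and nothing on that path is seen releasing the lock. Moving `method_closure_new` fixes the leaked closure, but if the lock is normally dropped by the reply helper (not visible here; confirm), the daemon would stay busy and answer later requests with "Already running another action". Doing the `if (iface->renew_async == NULL || iface->renew_finish == NULL)` check before taking the lock avoids that path entirely. handle_renew starts and ends outside this hunk.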
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index c04557b..249e796 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -675,7 +675,6 @@ on_renew_done (GObject *source,
if (error != NULL) {
realm_diagnostics_error (renew->invocation, error,
"Task failed with: ");
- g_error_free (error);
g_task_return_error (task, error);
} else {
g_task_return_boolean (task, TRUE);
--
2.51.0


@ -0,0 +1,90 @@
From 5ad0311459db3e291db88e1b9c2bcde912698cce Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Oct 2025 10:37:01 +0200
Subject: [PATCH] doc: add 'renew' option of realm man page
---
doc/manual/realm.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 0693283..caa6308 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -38,6 +38,9 @@
<cmdsynopsis>
<command>realm leave</command> <arg choice="opt">-U user</arg> <arg choice="opt">realm-name</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>realm renew</command> <arg choice="opt">realm-name</arg>
+ </cmdsynopsis>
<cmdsynopsis>
<command>realm list</command>
</cmdsynopsis>
@@ -407,6 +410,63 @@ $ realm leave domain.example.com
</refsect1>
+<refsect1 id="man-renew">
+ <title>Renew</title>
+
+ <para>Renew the machine account password and update the keytab.</para>
+
+ <informalexample>
+<programlisting>
+$ realm renew
+</programlisting>
+<programlisting>
+$ realm renew --computer-password-lifetime=10 domain.example.com
+</programlisting>
+ </informalexample>
+
+ <para>Renew the machine account password with the help of the existing one
+ from a keytab and store the new version in the keytab. If no domain name is
+ given it is derived from the existing configuration.</para>
+
+ <para>The following options can be used:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--membership-software=xxx</option></term>
+ <listitem><para>Use specified membership software, currently
+ only <replaceable>adcli</replaceable> is supported.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--host-keytab=xxx</option></term>
+ <listitem><para>Path to the keytab, if not specified the
+ default keytab file will be used.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--host-fqdn=xxx</option></term>
+ <listitem><para>Fully-qualified name of the host, only needed
+ if it is not determined correctly automatically.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--computer-password-lifetime=xxx</option></term>
+ <listitem><para>Lifetime of the machine account password in days,
+ default is 30.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--add-samba-data</option></term>
+ <listitem><para>Try to update Samba's internal machine account
+ password as well if a membership software other than Samba is used.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id="man-list">
<title>List</title>
--
2.51.0


@ -1,13 +0,0 @@
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index da2de55..856b36d 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -20,7 +20,7 @@ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
adcli = /usr/sbin/adcli
[ipa-packages]
-freeipa-client = /usr/sbin/ipa-client-install
+ipa-client = /usr/sbin/ipa-client-install
[commands]
winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"


@ -1,6 +1,6 @@
Name: realmd
Version: 0.17.1
Release: 2%{?dist}
Release: 13%{?dist}
Summary: Kerberos realm enrollment service
License: LGPL-2.1-or-later
URL: https://gitlab.freedesktop.org/realmd/realmd
@ -9,12 +9,19 @@ Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2
Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
Patch0004: 0001-tools-fix-ccache-handling-for-leave-operation.patch
Patch0004: 0001-sssd-package-fix.patch
Patch0005: 0001-tools-fix-ccache-handling-for-leave-operation.patch
### Downstream Patches ###
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
# using freeipa-*, the following patch applies the needed changes.
Patch0100: ipa-packages.patch
# fixes for issues found by static analyser
Patch0006: 0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
Patch0007: 0002-krb5-add-realm_krb5_get_error_message.patch
# add renew command
Patch0008: 0001-Initial-implementation-of-a-renew-request.patch
Patch0009: 0002-renew-implement-support-for-adcli.patch
Patch0010: 0003-renew-add-translatable-strings.patch
Patch0011: 0004-renew-fix-issues-found-by-Coverity.patch
Patch0012: 0005-doc-add-renew-option-of-realm-man-page.patch
BuildRequires: make
BuildRequires: gcc
@ -29,15 +36,12 @@ BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: samba-common-tools
BuildRequires: python3
BuildRequires: samba-common-tools
Requires: authselect
Requires: polkit
Conflicts: realmd-devel-docs < %{version}-%{release}
# This build will use Samba's new command line options so it cannot be used
# with older versions of Samba.
Conflicts: samba-common-tools < 4.15
%description
realmd is a DBus system service which manages discovery and enrollment in realms
@ -60,7 +64,6 @@ applications that use %{name}.
%build
autoreconf -fi
%configure --disable-silent-rules \
--with-new-samba-cli-options=yes \
%if 0%{?rhel}
--with-vendor-error-message='Please check\n https://red.ht/support_rhel_ad \nto get help for common issues.' \
%endif
@ -87,7 +90,7 @@ make check
%files -f realmd.lang
%doc AUTHORS COPYING NEWS README
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sbindir}/realm
%dir %{_prefix}/lib/realmd
%{_libexecdir}/realmd
@ -105,90 +108,155 @@ make check
%doc ChangeLog
%changelog
* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-2
- Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- migrated to SPDX license
- allow multiple names and _srv_ ad_server option
Resolves: RHEL-12113
* Tue Oct 14 2025 Sumit Bose <sbose@redhat.com> - 0.17.1-13
- add renew command
Resolves: RHEL-117645
* Thu Feb 13 2025 Sumit Bose <sbose@redhat.com> - 0.17.1-12
- Fixes for RHEL SAST Automation
Resolves: RHEL-44992
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.17.1-11
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.17.1-10
- Bump release for June 2024 mass rebuild
* Fri Feb 09 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-9
- fix ccache handling for leave operation
Resolves: RHEL-26166
Resolves: jira#SSSD-6420
* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Update to upstream release 0.17.1
Resolves: rhbz#2133841
* Mon Feb 05 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-8
- improve sssd package handling due to removed sssd meta package
Resolves: rhbz#2255725
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- add LDAP socket timeout
Resolves: rhbz#2037864
* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Dec 15 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-24
- Avoid duplicated log messages and use Samba's new CLI options
Resolves: rhbz#2024248
Resolves: rhbz#2028528
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue May 11 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-23
- Add restart macro and vendor message to spec file
* Fri Dec 01 2023 Sumit Bose <sbose@redhat.com> - 0.17.1-5
- allow multiple names and _srv_ ad_server option
Resolves: jira#SSSD-6077
* Wed Oct 18 2023 Sumit Bose <sbose@redhat.com> - 0.17.1-4
- migrated to SPDX license
* Wed Oct 18 2023 Tom Stellard <tstellar@redhat.com>
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Sep 29 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Updated to upstream 0.17.1
Resolves: rhbz#1628302
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Apr 25 2022 Andreas Schneider <asn@redhat.com> - 0.17.0-10
- resolves rhbz#2078447 - Fix detction for new samba commandline options
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 15 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-8
- Fix LDAP socket timeout, duplicate log messages and Samba CLI
Resolves: rhbz#1817869, rhbz#2024248, rhbz#2028530
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue May 11 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-6
- Add man page section, enable restart after update
Resolves: rhbz#1926046
* Thu Dec 03 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-22
- Add fixes LDAPS functionality
Resolves: rhbz#1826964
* Tue Apr 06 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-5
- Add missing configure option
Resolves: rhbz#1889386
* Thu Nov 26 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-21
- Add missing patch for LDAPS functionality
Resolves: rhbz#1826964
* Tue Apr 06 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-4
- Add vendor error message, autoconf-2.71 fixes, downstream gating
Resolves: rhbz#1889386
* Thu Nov 05 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-20
- realmd should handle default_realm in krb5.conf
Resolves: rhbz#1791016
- [RFE] Enable LDAPS functionality in realmd join
Resolves: rhbz#1826964
* Wed Mar 03 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-3
- Use authselect instead of authconfig
Resolves: rhbz#1934124
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- Realm join fails with error 'Failed to join domain: failed to lookup
DC info ...'
Resolves: rhbz#1859503
- realm command to use option like dnshostname=fqdn
Resolves: rhbz#1867912
* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-2
- Add Conflicts to avoid update/downgrade issues
* Fri Feb 21 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-18
- Fix kerberos method
Resolves: rhbz#1801195
* Fri Feb 19 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-1
- Updated to upstream 0.17.0
* Sun Dec 01 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-17
- rebuild fails if DISTRO variable is exported
Resolves: rhbz#1747454
- realmd.conf user-principal RFE and clarification
Resolves: rhbz#1747452
- realmd.conf documentation incorrect
Resolves: rhbz#1747457
- Document realmd.conf and how realmd reads the configuration
Resolves: rhbz#1747456
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 04 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-27
- Sync with latest upstream patches
* Wed Aug 12 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- Sync with latest upstream patches
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-25
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Mar 18 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-23
- Sync with latest upstream patches and fix package URL
Resolves: rhbz#1800897
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 02 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-21
- Remove gtester support, use autosetup
Resolves: rhbz#1736578
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Feb 21 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- fix test depending on order
Resolves: rhbz#1675879
* Wed Feb 20 2019 Adam Williamson <awilliam@redhat.com> - 0.16.3-18
- Backport fix from upstream to always install latest packages via PK
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Sep 27 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-16
- Do not call authselect for IPA domains
Resolves: rhbz#1633572
Resolves: rhbz#1620097
* Wed Aug 22 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults
Resolves: rhbz#1619162
* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults and improve realm discovery
Resolves: rhbz#1575538
Resolves: rhbz#1145777
* Tue Aug 14 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-14
- Fix python BuildRequires
Resolves: rhbz#1615564
- Add RHEL specific patch for IPA
Resolves: rhbz#1615320
- Fix issues found by Coverity
Resolves: rhbz#1602677
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 04 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-13
- Add latests patches from RHEL7
- Add polkit runtime dependency
Resolves: rhbz#1577179
- Drop python2 build dependency
Resolves: rhbz#1595813
- Add polkit runtime dependency
Resolves: rhbz#1577178
- Fix documentation reference in systemd unit file
Resolves: rhbz#1596325
Resolves: rhbz#1596323
- Use current Samba config options
Resolves: rhbz#1482926
* Sun Mar 18 2018 René Genz <liebundartig@freenet.de> - 0.16.3-12
- use correct authselect syntax for *-disable-logins to fix rhbz#1558245
- Iryna Shcherbina <ishcherb@redhat.com>

1
sources Normal file

@ -0,0 +1 @@
SHA512 (realmd-0.17.1.tar.gz) = 24f6b1fd149f2cd9e8019be1cb1638d8bc25845238ced224512a212d9de47305cf2b0c613c203a92fff0987a94cc9e08f9b45b93eedd54593b0c34f3875d1480