Compare commits

...

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

20 changed files with 2658 additions and 89 deletions

.gitignore vendored

@ -1 +1,10 @@
SOURCES/realmd-0.17.1.tar.gz
/realmd-?.*/
/.build-*.log
/*.rpm
/x86_64
/realmd-0.16.0.tar.gz
/realmd-0.16.1.tar.gz
/realmd-0.16.2.tar.gz
/realmd-0.16.3.tar.gz
/realmd-0.17.0.tar.gz
/realmd-0.17.1.tar.gz


@ -0,0 +1,335 @@
From 7a19dbe6620565817769f6862d3af5bac761235e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Dec 2024 17:22:06 +0100
Subject: [PATCH] Initial implementation of a renew request
This patch implements a new D-Bus request for realmd to renew the machine
account credentials in a keytab. This patch does not implement calling
the membership-software to do the actual update.
https://issues.redhat.com/browse/SSSD-8347
---
dbus/org.freedesktop.realmd.xml | 9 ++
service/org.freedesktop.realmd.policy.in | 10 ++
service/realm-invocation.c | 1 +
service/realm-kerberos.c | 15 ++
tools/Makefile.am | 1 +
tools/realm-renew.c | 179 +++++++++++++++++++++++
tools/realm.c | 1 +
tools/realm.h | 4 +
8 files changed, 220 insertions(+)
create mode 100644 tools/realm-renew.c
diff --git a/dbus/org.freedesktop.realmd.xml b/dbus/org.freedesktop.realmd.xml
index c34a47a..58e5773 100644
--- a/dbus/org.freedesktop.realmd.xml
+++ b/dbus/org.freedesktop.realmd.xml
@@ -725,6 +725,15 @@
<arg name="options" type="a{sv}" direction="in"/>
</method>
+ <!--
+ Renew:
+
+ Renew the client's credential in the realm.
+ -->
+ <method name="Renew">
+ <arg name="options" type="a{sv}" direction="in"/>
+ </method>
+
</interface>
</node>
diff --git a/service/org.freedesktop.realmd.policy.in b/service/org.freedesktop.realmd.policy.in
index 562cbbc..4ce97d7 100644
--- a/service/org.freedesktop.realmd.policy.in
+++ b/service/org.freedesktop.realmd.policy.in
@@ -44,6 +44,16 @@
</defaults>
</action>
+ <action id="org.freedesktop.realmd.renew-realm">
+ <description>Renew machine creadentials in realm</description>
+ <message>Authentication is required to renew the credentials of this computer in a realm or domain.</message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
<action id="org.freedesktop.realmd.login-policy">
<description>Change login policy</description>
<message>Authentication is required to change the policy of who can log in on this computer.</message>
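Review bot: The `<description>` of the new renew-realm action misspells its own subject (`creadentials`); the description is user-visible in polkit tooling, so it should read `<description>Renew machine credentials in realm</description>`. The `auth_admin`/`auth_admin_keep` defaults are appropriate for an operation that rewrites the host keytab and match what is used for the neighbouring actions as far as this hunk shows, so only the wording needs a change.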
diff --git a/service/realm-invocation.c b/service/realm-invocation.c
index bb26fe3..91977e9 100644
--- a/service/realm-invocation.c
+++ b/service/realm-invocation.c
@@ -37,6 +37,7 @@ static InvocationMethod invocation_methods[] = {
{ REALM_DBUS_PROVIDER_INTERFACE, "Discover", "org.freedesktop.realmd.discover-realm", 2 },
{ REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, "Join", "org.freedesktop.realmd.configure-realm", 2 },
{ REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, "Leave", "org.freedesktop.realmd.deconfigure-realm", 2 },
+ { REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, "Renew", "org.freedesktop.realmd.renew-realm", 1 },
{ REALM_DBUS_REALM_INTERFACE, "Deconfigure", "org.freedesktop.realmd.deconfigure-realm", 1 },
{ REALM_DBUS_REALM_INTERFACE, "ChangeLoginPolicy", "org.freedesktop.realmd.login-policy", 4 },
};
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 51a1b11..3c9c71c 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -407,6 +407,19 @@ handle_leave (RealmDbusKerberosMembership *membership,
return TRUE;
}
+static gboolean
+handle_renew (RealmDbusKerberosMembership *membership,
+ GDBusMethodInvocation *invocation,
+ GVariant *options,
+ gpointer user_data)
+{
+ //RealmKerberos *self = REALM_KERBEROS (user_data);
+
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_UNKNOWN_METHOD,
+ "Renew is currently not impemented.");
+ return TRUE;
+}
+
static gboolean
handle_deconfigure (RealmDbusRealm *realm,
GDBusMethodInvocation *invocation,
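Review bot: The stub in `handle_renew` reports `G_DBUS_ERROR_UNKNOWN_METHOD`, which is misleading now that `Renew` is exported in the interface XML and dispatched through realm-invocation — a client will conclude it is talking to an old realmd rather than to one with an unfinished feature, and `G_DBUS_ERROR_NOT_SUPPORTED` states the actual situation. The message also has a typo, so the call should read `g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_NOT_SUPPORTED, "Renew is currently not implemented.");`. The commented-out `self` declaration should be dropped until it is used rather than left as dead code. `handle_deconfigure` at the end of the hunk continues outside it.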
@@ -567,6 +580,8 @@ realm_kerberos_constructed (GObject *obj)
G_CALLBACK (handle_join), self);
g_signal_connect (self->pv->membership_iface, "handle-leave",
G_CALLBACK (handle_leave), self);
+ g_signal_connect (self->pv->membership_iface, "handle-renew",
+ G_CALLBACK (handle_renew), self);
g_dbus_object_skeleton_add_interface (G_DBUS_OBJECT_SKELETON (self),
G_DBUS_INTERFACE_SKELETON (self->pv->membership_iface));
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 97b67e7..65abb60 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -9,6 +9,7 @@ realm_SOURCES = \
tools/realm-discover.c \
tools/realm-join.c \
tools/realm-leave.c \
+ tools/realm-renew.c \
tools/realm-logins.c \
service/realm-kerberos-helper.c \
$(NULL)
diff --git a/tools/realm-renew.c b/tools/realm-renew.c
new file mode 100644
index 0000000..7b28e48
--- /dev/null
+++ b/tools/realm-renew.c
@@ -0,0 +1,179 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2024 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#include "realm.h"
+#include "realm-client.h"
+#include "realm-dbus-constants.h"
+#include "realm-dbus-generated.h"
+
+#include <glib.h>
+#include <glib/gi18n.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+
+typedef struct {
+ GAsyncResult *result;
+ GMainLoop *loop;
+} SyncClosure;
+
+static void
+on_complete_get_result (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ SyncClosure *sync = user_data;
+ sync->result = g_object_ref (result);
+ g_main_loop_quit (sync->loop);
+}
+
+static int
+call_renew (RealmDbusKerberosMembership *membership,
+ GVariant *options,
+ GError **error)
+{
+ SyncClosure sync;
+ gboolean ret;
+
+ sync.result = NULL;
+ sync.loop = g_main_loop_new (NULL, FALSE);
+
+ /* Start actual operation */
+ realm_dbus_kerberos_membership_call_renew (membership, options, NULL,
+ on_complete_get_result, &sync);
+
+ /* This mainloop is quit by on_complete_get_result */
+ g_main_loop_run (sync.loop);
+
+ ret = realm_dbus_kerberos_membership_call_renew_finish (membership, sync.result, error);
+
+ g_object_unref (sync.result);
+ g_main_loop_unref (sync.loop);
+
+ return ret ? 0 : 1;
+}
+
+typedef struct {
+ gchar *membership_software;
+ gboolean use_ldaps;
+} RealmRenewArgs;
+
+static void
+realm_renew_args_clear (gpointer data)
+{
+ RealmRenewArgs *args = data;
+ g_free (args->membership_software);
+}
+
+static int
+perform_renew (RealmClient *client,
+ const gchar *string,
+ RealmRenewArgs *args)
+{
+ RealmDbusKerberosMembership *membership;
+ gboolean had_mismatched = FALSE;
+ RealmDbusRealm *realm;
+ GError *error = NULL;
+ GVariant *options;
+ GList *realms;
+ gint ret;
+
+ realms = realm_client_discover (client, string, args->use_ldaps, NULL,
+ NULL, args->membership_software,
+ REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
+ &had_mismatched, &error);
+
+ if (error != NULL) {
+ realm_handle_error(error, NULL);
+ return 1;
+ } else if (realms == NULL) {
+ if (had_mismatched)
+ realm_handle_error (NULL, _("Cannot renew credentials for this realm"));
+ else
+ realm_handle_error(NULL, _("No such realm found"));
+ return 1;
+ }
+
+ membership = realms->data;
+ realm = realm_client_to_realm (client, membership);
+ if (!realm_is_configured (realm)) {
+ realm_handle_error (NULL, _("Not joined to this domain"));
+ return 1;
+ }
+
+ options = realm_build_options (REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
+ NULL);
+ g_variant_ref_sink (options);
+
+ ret = call_renew (membership, options, &error);
+ if (error != NULL) {
+ realm_handle_error (error, _("Couldn't renew realm credentials"));
+ }
+
+ g_variant_unref (options);
+ g_list_free_full (realms, g_object_unref);
+ return ret;
+}
+
+int
+realm_renew (RealmClient *client,
+ int argc,
+ char *argv[])
+{
+ GOptionContext *context;
+ GError *error = NULL;
+ const gchar *realm_name;
+ RealmRenewArgs args;
+ GOptionGroup *group;
+ gint ret = 0;
+
+ GOptionEntry option_entries[] = {
+ { "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software,
+ N_("Use specific membership software"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+ N_("Use ldaps to connect to LDAP"), NULL },
+ { NULL, }
+ };
+
+ memset (&args, 0, sizeof (args));
+
+ context = g_option_context_new ("renew REALM");
+ g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
+
+ group = g_option_group_new (NULL, NULL, NULL, &args, realm_renew_args_clear);
+ g_option_group_add_entries (group, option_entries);
+ g_option_group_add_entries (group, realm_global_options);
+ g_option_context_set_main_group (context, group);
+
+ if (!g_option_context_parse (context, &argc, &argv, &error)) {
+ g_printerr ("%s: %s\n", g_get_prgname (), error->message);
+ g_error_free (error);
+ ret = 2;
+
+ } else if (argc > 2) {
+ g_printerr ("%s: %s\n", g_get_prgname (), _("Specify one realm to renew credentials"));
+ ret = 2;
+
+ } else {
+ realm_name = argc < 2 ? "" : argv[1];
+ ret = perform_renew (client, realm_name, &args);
+ }
+
+ g_option_context_free (context);
+ return ret;
+}
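Review bot: `perform_renew` leaks the discovery result on the not-joined path: after `realm_client_to_realm`, the `!realm_is_configured (realm)` branch returns 1 without the `g_list_free_full (realms, g_object_unref)` that the normal path runs at the end of the function. Add `g_list_free_full (realms, g_object_unref);` immediately before that `return 1;`. Whether `realm` itself holds a reference that must be dropped cannot be told from here — the ownership contract of `realm_client_to_realm` is outside this patch — so check that as well. The usage string registered in realm.c (`realm renew -v [realm-name]`) and the option-context summary here (`renew REALM`) disagree on whether the realm argument is optional; the code treats a missing argument as `""`, so the summary should say `renew [REALM]`.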
diff --git a/tools/realm.c b/tools/realm.c
index 8fdca16..3902017 100644
--- a/tools/realm.c
+++ b/tools/realm.c
@@ -40,6 +40,7 @@ struct {
{ "discover", realm_discover, "realm discover -v [realm-name]", N_("Discover available realm") },
{ "join", realm_join, "realm join -v [-U user] realm-name", N_("Enroll this machine in a realm") },
{ "leave", realm_leave, "realm leave -v [-U user] [realm-name]", N_("Unenroll this machine from a realm") },
+ { "renew", realm_renew, "realm renew -v [realm-name]", N_("Renew credentials for this machine in a realm") },
{ "list", realm_list, "realm list", N_("List known realms") },
{ "permit", realm_permit, "realm permit [-ax] [-R realm] user ...", N_("Permit user logins") },
{ "deny", realm_deny, "realm deny --all [-R realm]", N_("Deny user logins") },
diff --git a/tools/realm.h b/tools/realm.h
index 380b58b..68118e3 100644
--- a/tools/realm.h
+++ b/tools/realm.h
@@ -41,6 +41,10 @@ int realm_leave (RealmClient *client,
int argc,
char *argv[]);
+int realm_renew (RealmClient *client,
+ int argc,
+ char *argv[]);
+
int realm_discover (RealmClient *client,
int argc,
char *argv[]);
--
2.51.0


@ -0,0 +1,242 @@
From 1e6fe345218bc089c385711fbbb9941df6672b66 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 13 Nov 2024 16:28:21 +0100
Subject: [PATCH 1/2] Various fixes for issues found by static code scanners
---
service/realm-adcli-enroll.c | 10 +++++-----
service/realm-ini-config.c | 1 +
service/realm-kerberos.c | 11 +++++++----
service/realm-ldap.c | 9 +++++++--
service/realm-samba-winbind.c | 1 +
service/realm-samba.c | 5 ++---
tools/realm-client.c | 16 ++++++++++------
7 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index c913987..c58175e 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -226,10 +226,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
if (input)
g_bytes_unref (input);
- free (ccache_arg);
- free (upn_arg);
- free (server_arg);
- free (ou_arg);
+ g_free (ccache_arg);
+ g_free (upn_arg);
+ g_free (server_arg);
+ g_free (ou_arg);
}
gboolean
@@ -319,7 +319,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
if (input)
g_bytes_unref (input);
- free (ccache_arg);
+ g_free (ccache_arg);
g_free (server_arg);
}
diff --git a/service/realm-ini-config.c b/service/realm-ini-config.c
index 2e6813b..7bbea34 100644
--- a/service/realm-ini-config.c
+++ b/service/realm-ini-config.c
@@ -650,6 +650,7 @@ realm_ini_config_read_file (RealmIniConfig *self,
if (err != NULL) {
g_propagate_error (error, err);
+ g_free (contents);
return FALSE;
}
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 7994e1e..8810f87 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -300,7 +300,7 @@ join_or_leave (RealmKerberos *self,
{
RealmKerberosMembershipIface *iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
RealmKerberosMembership *membership = REALM_KERBEROS_MEMBERSHIP (self);
- RealmCredential *cred;
+ RealmCredential *cred = NULL;
MethodClosure *method;
GError *error = NULL;
@@ -317,6 +317,7 @@ join_or_leave (RealmKerberos *self,
cred = realm_credential_parse (credential, &error);
if (error != NULL) {
g_dbus_method_invocation_return_gerror (invocation, error);
+ realm_credential_unref (cred);
g_error_free (error);
return;
}
@@ -331,6 +332,8 @@ join_or_leave (RealmKerberos *self,
if (!realm_invocation_lock_daemon (invocation)) {
g_dbus_method_invocation_return_error (invocation, REALM_ERROR, REALM_ERROR_BUSY,
_("Already running another action"));
+ realm_credential_unref (cred);
+ g_error_free (error);
return;
}
@@ -1067,7 +1070,7 @@ flush_keytab_entries (krb5_context ctx,
count = 0;
}
- code = krb5_kt_free_entry (ctx, &entry);
+ code = krb5_free_keytab_entry_contents (ctx, &entry);
return_val_if_krb5_failed (ctx, code, FALSE);
}
@@ -1175,13 +1178,13 @@ realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
&& name_data->data[name_data->length - 1] == '$') {
netbios_name = g_strndup (name_data->data, name_data->length - 1);
if (netbios_name == NULL) {
- code = krb5_kt_free_entry (ctx, &entry);
+ code = krb5_free_keytab_entry_contents (ctx, &entry);
warn_if_krb5_failed (ctx, code);
break;
}
}
}
- code = krb5_kt_free_entry (ctx, &entry);
+ code = krb5_free_keytab_entry_contents (ctx, &entry);
warn_if_krb5_failed (ctx, code);
}
}
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index f7b6d13..c28e8d1 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -228,6 +228,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
/* Not an expected failure */
if (ls->sock < 0) {
g_critical ("couldn't open socket to: %s: %s", addrname, strerror (errno));
+ g_free (addrname);
return NULL;
}
@@ -236,8 +237,10 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
native_len = g_socket_address_get_native_size (address);
native = g_malloc (native_len);
- if (!g_socket_address_to_native (address, native, native_len, NULL))
+ if (!g_socket_address_to_native (address, native, native_len, NULL)) {
+ g_free (addrname);
g_return_val_if_reached (NULL);
+ }
if (connect (ls->sock, native, native_len) < 0 &&
errno != EINPROGRESS) {
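Review bot: The `g_free (addrname)` added before `g_return_val_if_reached (NULL)` closes one leak on the `g_socket_address_to_native` failure path but leaves `native`, allocated with `g_malloc` two lines earlier, unreleased on the same path — the scanner finding is only half-fixed. Free both before bailing out: `g_free (native); g_free (addrname); g_return_val_if_reached (NULL);`. The `ls` structure and the socket opened earlier in `realm_ldap_connect_anonymous` are also still held on this branch, but their cleanup convention is outside the hunk, so I have not proposed a change there. The function begins and ends outside this hunk.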
@@ -280,6 +283,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
g_free (url);
g_free (native);
+ g_free (addrname);
/* Not an expected failure */
if (rc != LDAP_SUCCESS) {
@@ -326,6 +330,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
case G_SOCKET_PROTOCOL_UDP:
url = g_strdup_printf ("cldap://%s:%d", addrname, port);
+ g_free (addrname);
/*
* HACK: ldap_init_fd() does not work for UDP, otherwise we
@@ -367,11 +372,11 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
break;
default:
+ g_free (addrname);
g_return_val_if_reached (NULL);
break;
}
- g_free (addrname);
version = LDAP_VERSION3;
if (ldap_set_option (ls->ldap, LDAP_OPT_PROTOCOL_VERSION, &version) != 0)
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index 61988eb..30f0433 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -154,6 +154,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
realm_ini_config_finish_change (config, &error);
g_free (idmap_config_backend);
g_free (idmap_config_range);
+ g_free (idmap_config_schema_mode);
}
/* Setup pam_winbind.conf with decent defaults matching our expectations */
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 677c848..bc976f1 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -134,10 +134,9 @@ lookup_login_prefix (RealmSamba *self)
return NULL;
separator = realm_ini_config_get (self->config, REALM_SAMBA_CONFIG_GLOBAL, "winbind separator");
- if (separator == NULL)
- separator = g_strdup ("\\");
- return g_strdup_printf ("%s%s", workgroup, separator);
+ return g_strdup_printf ("%s%s", workgroup,
+ separator != NULL ? separator : "\\");
}
typedef struct {
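Review bot: The rewrite of `lookup_login_prefix` still leaks `separator` when the lookup succeeds: `realm_ini_config_get` appears to hand back an owned string (the removed fallback stored a `g_strdup` in the same variable), and it is never freed before the `return` — the removed `g_strdup ("\\")` was the only allocation the static scanner saw, not the only one. Capture the result and release the lookup: `gchar *result = g_strdup_printf ("%s%s", workgroup, separator != NULL ? separator : "\\");` followed by `g_free (separator); return result;`. If `workgroup` is obtained the same way above the hunk it needs the same treatment; the start of the function is outside this hunk, so I cannot confirm that from here.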
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 06420ea..a63652d 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -287,8 +287,8 @@ realm_client_new_installer (gboolean verbose,
socket = g_socket_new_from_fd (pair[0], &error);
if (error != NULL) {
realm_handle_error (error, _("Couldn't create socket"));
- close(pair[0]);
- close(pair[1]);
+ close (pair[0]);
+ close (pair[1]);
return NULL;
}
@@ -296,11 +296,12 @@ realm_client_new_installer (gboolean verbose,
G_SPAWN_LEAVE_DESCRIPTORS_OPEN | G_SPAWN_DO_NOT_REAP_CHILD,
NULL, NULL, &pid, &error);
- close(pair[1]);
+ close (pair[1]);
if (error != NULL) {
realm_handle_error (error, _("Couldn't run realmd"));
- close(pair[0]);
+ close (pair[0]);
+ g_object_unref (socket);
return NULL;
}
@@ -770,11 +771,14 @@ build_ccache_credential (const gchar *user_name,
if (ccache) {
ret = copy_or_kinit_to_ccache (krb5, ccache, user_name, realm_name, error);
krb5_cc_close (krb5, ccache);
- krb5_free_context (krb5);
}
+ krb5_free_context (krb5);
- if (!ret)
+ if (!ret) {
+ g_unlink (filename);
+ g_free (filename);
return NULL;
+ }
result = read_file_into_variant (filename);
--
2.48.1


@ -0,0 +1,72 @@
From 4299bd81279830e48b93f163049179aff14d1402 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Feb 2024 08:58:56 +0100
Subject: [PATCH] sssd package fix
---
dbus/realm-dbus-constants.h | 1 +
service/realm-sssd-ad.c | 3 +++
service/realmd-redhat-authconfig.conf | 5 ++++-
service/realmd-redhat.conf | 5 ++++-
4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index d2c2a8b..e49034b 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -78,6 +78,7 @@ G_BEGIN_DECLS
#define REALM_DBUS_IDENTIFIER_IPA "ipa"
#define REALM_DBUS_IDENTIFIER_FREEIPA "freeipa"
#define REALM_DBUS_IDENTIFIER_SSSD "sssd"
+#define REALM_DBUS_IDENTIFIER_SSSD_AD "sssd-ad"
#define REALM_DBUS_IDENTIFIER_SAMBA "samba"
#define REALM_DBUS_IDENTIFIER_ADCLI "adcli"
#define REALM_DBUS_IDENTIFIER_EXAMPLE "example"
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 096b6c5..64bb488 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -46,18 +46,21 @@ typedef struct {
static const gchar *ADCLI_PACKAGES[] = {
REALM_DBUS_IDENTIFIER_SSSD,
+ REALM_DBUS_IDENTIFIER_SSSD_AD,
REALM_DBUS_IDENTIFIER_ADCLI,
NULL
};
static const gchar *SAMBA_PACKAGES[] = {
REALM_DBUS_IDENTIFIER_SSSD,
+ REALM_DBUS_IDENTIFIER_SSSD_AD,
REALM_DBUS_IDENTIFIER_SAMBA,
NULL
};
static const gchar *ALL_PACKAGES[] = {
REALM_DBUS_IDENTIFIER_SSSD,
+ REALM_DBUS_IDENTIFIER_SSSD_AD,
REALM_DBUS_IDENTIFIER_ADCLI,
REALM_DBUS_IDENTIFIER_SAMBA,
NULL
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index 2b11c30..12ec3c3 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -13,10 +13,13 @@ oddjob = /usr/sbin/oddjobd
oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
[sssd-packages]
-sssd = /usr/sbin/sssd
+sssd-common = /usr/sbin/sssd
oddjob = /usr/sbin/oddjobd
oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
+[sssd-ad-packages]
+sssd-ad = /usr/libexec/sssd/gpo_child
+
[adcli-packages]
adcli = /usr/sbin/adcli
--
2.43.0


@ -0,0 +1,226 @@
From f52ee4b8373f9fa8a96f9f6af656dfabc90b57ee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 13 Nov 2024 17:41:54 +0100
Subject: [PATCH 2/2] krb5: add realm_krb5_get_error_message()
The krb5_get_error_message() call returns an error message in an
allocated string which must be freed. This makes it hard to simply use
krb5_get_error_message() in a printf() argument list.
realm_krb5_get_error_message() used a static memory area to make the
usage more easy.
---
service/Makefile.am | 1 +
service/realm-kerberos-helper.c | 33 +++++++++++++++++++++++++++++++++
service/realm-kerberos-helper.h | 28 ++++++++++++++++++++++++++++
service/realm-kerberos.c | 9 +++++----
tools/Makefile.am | 1 +
tools/realm-client.c | 15 ++++++++++-----
6 files changed, 78 insertions(+), 9 deletions(-)
create mode 100644 service/realm-kerberos-helper.c
create mode 100644 service/realm-kerberos-helper.h
diff --git a/service/Makefile.am b/service/Makefile.am
index 1fb4da9..977f4e4 100644
--- a/service/Makefile.am
+++ b/service/Makefile.am
@@ -56,6 +56,7 @@ realmd_SOURCES = \
service/realm-kerberos.h \
service/realm-kerberos-config.c \
service/realm-kerberos-config.h \
+ service/realm-kerberos-helper.c \
service/realm-kerberos-membership.c \
service/realm-kerberos-membership.h \
service/realm-kerberos-provider.c \
diff --git a/service/realm-kerberos-helper.c b/service/realm-kerberos-helper.c
new file mode 100644
index 0000000..a89fb6a
--- /dev/null
+++ b/service/realm-kerberos-helper.c
@@ -0,0 +1,33 @@
+/* realmd -- Realm Kerberos helper functions used by tools as well
+ *
+ * Copyright 2024 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#include "realm-kerberos-helper.h"
+
+const char *realm_krb5_get_error_message (krb5_context ctx,
+ krb5_error_code code)
+{
+ static char out[4096];
+ const char *tmp;
+ size_t len;
+
+ tmp = krb5_get_error_message (ctx, code);
+ len = strlen (tmp);
+ memcpy (out, tmp, MIN (sizeof (out), len));
+ out[sizeof(out) - 1] = '\0';
+ krb5_free_error_message (ctx, tmp);
+
+ return out;
+}
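Review bot: `realm_krb5_get_error_message` returns a pointer into a single `static char out[4096]`, so it is neither thread-safe nor usable twice in one argument list — the single-call use the commit message motivates is fine, but a second call in the same `printf`/`g_set_error` argument list overwrites the first before either is read, and nothing in the header says so. Document the contract above the definition: `/* Returns a pointer to a static buffer that is overwritten by the next call: not thread-safe, and safe for at most one call per format-argument list. */`. The `memcpy (..., MIN (sizeof (out), len))` plus forced terminator is correct but truncates silently; `snprintf (out, sizeof out, "%s", tmp)` expresses the same bound in one call if `<stdio.h>` is added to the header's includes.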
diff --git a/service/realm-kerberos-helper.h b/service/realm-kerberos-helper.h
new file mode 100644
index 0000000..4dc1bdb
--- /dev/null
+++ b/service/realm-kerberos-helper.h
@@ -0,0 +1,28 @@
+/* realmd -- Realm Kerberos helper functions used by tools as well
+ *
+ * Copyright 2024 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Sumit Bose <sbose@redhat.com>
+ */
+
+#include "config.h"
+
+#ifndef __REALM_KERBEROS_HELPER_H__
+#define __REALM_KERBEROS_HELPER_H__
+
+#include <string.h>
+#include <sys/param.h>
+#include <krb5/krb5.h>
+
+
+const char *realm_krb5_get_error_message (krb5_context ctx,
+ krb5_error_code code);
+
+#endif /* __REALM_KERBEROS_HELPER_H__ */
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 8810f87..51a1b11 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -24,6 +24,7 @@
#include "realm-errors.h"
#include "realm-invocation.h"
#include "realm-kerberos.h"
+#include "realm-kerberos-helper.h"
#include "realm-kerberos-membership.h"
#include "realm-login-name.h"
#include "realm-options.h"
@@ -65,21 +66,21 @@ G_DEFINE_TYPE (RealmKerberos, realm_kerberos, G_TYPE_DBUS_OBJECT_SKELETON);
#define return_if_krb5_failed(ctx, code) G_STMT_START \
if G_LIKELY ((code) == 0) { } else { \
g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
- krb5_get_error_message ((ctx), (code))); \
+ realm_krb5_get_error_message ((ctx), (code))); \
return; \
} G_STMT_END
#define return_val_if_krb5_failed(ctx, code, val) G_STMT_START \
if G_LIKELY ((code) == 0) { } else { \
g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
- krb5_get_error_message ((ctx), (code))); \
+ realm_krb5_get_error_message ((ctx), (code))); \
return (val); \
} G_STMT_END
#define warn_if_krb5_failed(ctx, code) G_STMT_START \
if G_LIKELY ((code) == 0) { } else { \
g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, \
- krb5_get_error_message ((ctx), (code))); \
+ realm_krb5_get_error_message ((ctx), (code))); \
} G_STMT_END
typedef struct {
@@ -802,7 +803,7 @@ set_krb5_error (GError **error,
va_end (va);
g_set_error (error, REALM_KRB5_ERROR, code,
- "%s: %s", string, krb5_get_error_message (context, code));
+ "%s: %s", string, realm_krb5_get_error_message (context, code));
g_free (string);
}
diff --git a/tools/Makefile.am b/tools/Makefile.am
index b94782f..97b67e7 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -10,6 +10,7 @@ realm_SOURCES = \
tools/realm-join.c \
tools/realm-leave.c \
tools/realm-logins.c \
+ service/realm-kerberos-helper.c \
$(NULL)
realm_CFLAGS = \
diff --git a/tools/realm-client.c b/tools/realm-client.c
index a63652d..46848da 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -17,6 +17,7 @@
#include "realm.h"
#include "realm-client.h"
#include "realm-dbus-constants.h"
+#include "service/realm-kerberos-helper.h"
#include <glib/gi18n.h>
#include <glib/gstdio.h>
@@ -543,7 +544,7 @@ propagate_krb5_error (GError **dest,
if (code != 0) {
if (format)
g_string_append (message, ": ");
- g_string_append (message, krb5_get_error_message (context, code));
+ g_string_append (message, realm_krb5_get_error_message (context, code));
}
g_set_error_literal (dest, g_quark_from_static_string ("krb5"),
@@ -614,7 +615,8 @@ copy_to_ccache (krb5_context krb5,
code = krb5_cc_default (krb5, &def_ccache);
if (code != 0) {
- g_debug ("krb5_cc_default failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_default failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
@@ -637,13 +639,15 @@ copy_to_ccache (krb5_context krb5,
g_debug ("no matching principal found in %s", krb5_cc_default_name (krb5));
return FALSE;
} else if (code != 0) {
- g_debug ("krb5_cc_retrieve_cred failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_retrieve_cred failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
code = krb5_cc_initialize (krb5, ccache, creds.client);
if (code != 0) {
- g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_initialize failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
@@ -651,7 +655,8 @@ copy_to_ccache (krb5_context krb5,
krb5_free_cred_contents (krb5, &creds);
if (code != 0) {
- g_debug ("krb5_cc_store_cred failed: %s", krb5_get_error_message (krb5, code));
+ g_debug ("krb5_cc_store_cred failed: %s",
+ realm_krb5_get_error_message (krb5, code));
return FALSE;
}
--
2.48.1


@ -0,0 +1,516 @@
From aab58393b1f5255d905d5872c697522b3a52a64c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 Jan 2025 15:11:53 +0100
Subject: [PATCH] renew: implement support for adcli
With this patch realmd can call adcli to renew the machine account
credentials in a given keytab.
Resolves: https://issues.redhat.com/browse/SSSD-8347
---
dbus/realm-dbus-constants.h | 4 +
service/realm-adcli-enroll.c | 103 ++++++++++++++++++++++++
service/realm-adcli-enroll.h | 6 ++
service/realm-kerberos-membership.h | 10 +++
service/realm-kerberos.c | 49 +++++++++++-
service/realm-options.c | 36 +++++++++
service/realm-options.h | 3 +
service/realm-sssd-ad.c | 120 ++++++++++++++++++++++++++++
tools/realm-renew.c | 18 ++++-
9 files changed, 344 insertions(+), 5 deletions(-)
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index e49034b..1608901 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -72,6 +72,10 @@ G_BEGIN_DECLS
#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config"
#define REALM_DBUS_OPTION_USE_LDAPS "use-ldaps"
#define REALM_DBUS_OPTION_DO_NOT_TOUCH_CONFIG "do-not-touch-config"
+#define REALM_DBUS_OPTION_ADD_SAMBA_DATA "add-samba-data"
+#define REALM_DBUS_OPTION_COMPUTER_PWD_LIFETIME "computer-password-lifetime"
+#define REALM_DBUS_OPTION_HOST_KEYTAB "host-keytab"
+#define REALM_DBUS_OPTION_HOST_FQDN "host-fqdn"
#define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory"
#define REALM_DBUS_IDENTIFIER_WINBIND "winbind"
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index c58175e..c428f70 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -23,6 +23,7 @@
#include "realm-ini-config.h"
#include "realm-options.h"
#include "realm-settings.h"
+#include "realm-dbus-constants.h"
static void
on_join_leave_process (GObject *source,
@@ -84,6 +85,14 @@ on_leave_process (GObject *source,
on_join_leave_process (source, result, user_data, FALSE);
}
+static void
+on_renew_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, FALSE);
+}
+
void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
@@ -330,3 +339,97 @@ realm_adcli_enroll_delete_finish (GAsyncResult *result,
g_return_val_if_fail (g_task_is_valid (result, NULL), FALSE);
return g_task_propagate_boolean (G_TASK (result), error);
}
+
+void
+realm_adcli_enroll_renew_async (RealmDisco *disco,
+ GVariant *options,
+ gboolean use_ldaps,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data)
+{
+ gchar *environ[] = { "LANG=C", NULL };
+ GInetAddress *address;
+ GTask *task;
+ GPtrArray *args;
+ gchar *ccache_arg = NULL;
+ gchar *server_arg = NULL;
+ gboolean add_samba_data = FALSE;
+ const gchar *computer_password_lifetime = NULL;
+ gchar *lifetime_arg = NULL;
+ const gchar *host_keytab = NULL;
+ gchar *keytab_arg = NULL;
+ const gchar *host_fqdn = NULL;
+ gchar *fqdn_arg = NULL;
+
+ g_return_if_fail (disco != NULL);
+ g_return_if_fail (invocation != NULL);
+
+ task = g_task_new (NULL, NULL, callback, user_data);
+ args = g_ptr_array_new ();
+
+ add_samba_data = realm_option_add_samba_data (options);
+ computer_password_lifetime = realm_option_computer_pwd_lifetime (options);
+ host_keytab = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_HOST_KEYTAB);
+ host_fqdn = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_HOST_FQDN);
+
+ g_ptr_array_add (args, (gpointer)realm_settings_path ("adcli"));
+ g_ptr_array_add (args, "update");
+ g_ptr_array_add (args, "--verbose");
+ g_ptr_array_add (args, "--domain");
+ g_ptr_array_add (args, (gpointer)disco->domain_name);
+
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
+ if (add_samba_data) {
+ g_ptr_array_add (args, "--add-samba-data");
+ }
+
+ if (computer_password_lifetime != NULL) {
+ lifetime_arg = g_strdup_printf ("--computer-password-lifetime=%s",
+ computer_password_lifetime);
+ g_ptr_array_add (args, lifetime_arg);
+ }
+
+ if (host_keytab != NULL) {
+ keytab_arg = g_strdup_printf ("--host-keytab=%s", host_keytab);
+ g_ptr_array_add (args, keytab_arg);
+ }
+
+ if (host_fqdn != NULL) {
+ fqdn_arg = g_strdup_printf ("--host-fqdn=%s", host_fqdn);
+ g_ptr_array_add (args, fqdn_arg);
+ }
+
+ if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
+ address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
+ server_arg = g_inet_address_to_string (address);
+ if (server_arg) {
+ g_ptr_array_add (args, "--domain-controller");
+ g_ptr_array_add (args, server_arg);
+ }
+
+ } else if (disco->explicit_server) {
+ g_ptr_array_add (args, "--domain-controller");
+ g_ptr_array_add (args, (gpointer)disco->explicit_server);
+ }
+
+ g_ptr_array_add (args, NULL);
+
+ realm_command_runv_async ((gchar **)args->pdata, environ, NULL,
+ invocation, on_renew_process,
+ g_object_ref (task));
+
+ g_ptr_array_free (args, TRUE);
+ g_object_unref (task);
+
+ g_free (fqdn_arg);
+ g_free (keytab_arg);
+ g_free (lifetime_arg);
+ g_free (ccache_arg);
+ g_free (server_arg);
+}
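Review bot: `realm_adcli_enroll_renew_async` forwards `host-keytab`, `host-fqdn` and `computer-password-lifetime` from the caller's D-Bus options dictionary straight into adcli's argv, and `--host-keytab=%s` in particular names a file adcli will rewrite with realmd's privileges. The renew-realm polkit action added earlier in this series requires admin authentication, so this is admin-controlled input rather than an escalation, but a relative path would be resolved against realmd's working directory; checking `host_keytab != NULL && !g_path_is_absolute (host_keytab)` up front and failing the `task` with `g_task_return_new_error` (in the realm error domain) before spawning gives a clear error instead of a confusing adcli failure. Passing each value as its own argv element with no shell is the right construction and should stay. `ccache_arg` is declared, never assigned and then freed — a leftover from the join variant that should be removed.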
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
index 3f535d0..e03f3f0 100644
--- a/service/realm-adcli-enroll.h
+++ b/service/realm-adcli-enroll.h
@@ -48,6 +48,12 @@ void realm_adcli_enroll_delete_async (RealmDisco *disco,
gboolean realm_adcli_enroll_delete_finish (GAsyncResult *result,
GError **error);
+void realm_adcli_enroll_renew_async (RealmDisco *disco,
+ GVariant *options,
+ gboolean use_ldaps,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data);
G_END_DECLS
#endif /* __REALM_ADCLI_ENROLL_H__ */
diff --git a/service/realm-kerberos-membership.h b/service/realm-kerberos-membership.h
index 50eea53..90337b7 100644
--- a/service/realm-kerberos-membership.h
+++ b/service/realm-kerberos-membership.h
@@ -62,6 +62,16 @@ struct _RealmKerberosMembershipIface {
GError **error);
const RealmCredential * (* leave_creds) (RealmKerberosMembership *realm);
+
+ void (* renew_async) (RealmKerberosMembership *realm,
+ GVariant *options,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data);
+
+ gboolean (* renew_finish) (RealmKerberosMembership *realm,
+ GAsyncResult *result,
+ GError **error);
};
GType realm_kerberos_membership_get_type (void) G_GNUC_CONST;
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 3c9c71c..0cf2da0 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -407,16 +407,57 @@ handle_leave (RealmDbusKerberosMembership *membership,
return TRUE;
}
+static void
+on_renew_complete (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ MethodClosure *closure = user_data;
+ RealmKerberosMembershipIface *iface;
+ GCancellable *cancellable;
+ GError *error = NULL;
+
+ iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (closure->self);
+ g_return_if_fail (iface->renew_finish != NULL);
+
+ cancellable = realm_invocation_get_cancellable (closure->invocation);
+ if (!g_cancellable_set_error_if_cancelled (cancellable, &error))
+ (iface->leave_finish) (REALM_KERBEROS_MEMBERSHIP (closure->self), result, &error);
+
+ unenroll_method_reply (closure->invocation, error);
+
+ g_clear_error (&error);
+ method_closure_free (closure);
+}
+
static gboolean
-handle_renew (RealmDbusKerberosMembership *membership,
+handle_renew (RealmDbusKerberosMembership *dbus_membership,
GDBusMethodInvocation *invocation,
GVariant *options,
gpointer user_data)
{
- //RealmKerberos *self = REALM_KERBEROS (user_data);
+ MethodClosure *method;
+ RealmKerberos *self = REALM_KERBEROS (user_data);
+ RealmKerberosMembershipIface *iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
+ RealmKerberosMembership *membership = REALM_KERBEROS_MEMBERSHIP (self);
+
+ if (!realm_invocation_lock_daemon (invocation)) {
+ g_dbus_method_invocation_return_error (invocation, REALM_ERROR, REALM_ERROR_BUSY,
+ _("Already running another action"));
+ return TRUE;
+ }
+
+ method = method_closure_new (self, invocation);
+
+ if (iface->renew_async == NULL || iface->renew_finish == NULL) {
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+ G_DBUS_ERROR_UNKNOWN_METHOD,
+ "Renew is currently not impemented.");
+ return TRUE;
+ }
+
+ (iface->renew_async) (membership, options, invocation, on_renew_complete, method);
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_UNKNOWN_METHOD,
- "Renew is currently not impemented.");
return TRUE;
}
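Review bot: `on_renew_complete` completes the request through `(iface->leave_finish)` on the line after the cancellation check, although it asserts `iface->renew_finish != NULL` two lines earlier and `handle_renew` only verifies that `renew_finish` is set; the call should read `(iface->renew_finish) (REALM_KERBEROS_MEMBERSHIP (closure->self), result, &error);`. The only provider on this page wires both slots to `realm_sssd_ad_generic_finish`, which hides the mismatch until a membership implementation sets them differently. The `G_DBUS_ERROR_UNKNOWN_METHOD` return in `handle_renew` runs after `realm_invocation_lock_daemon` succeeded and, unlike the normal path that ends in `unenroll_method_reply`, nothing visible here releases that lock; if it is not released elsewhere for a bare error reply, a provider without renew support would leave the daemon answering "Already running another action", and the Coverity follow-up patch further down the page reorders this function but keeps that path. Reusing `unenroll_method_reply` for a renew reply also deserves a one-line comment, since the name suggests leave-specific behaviour.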
diff --git a/service/realm-options.c b/service/realm-options.c
index e1abe3a..919461f 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -215,6 +215,42 @@ gboolean realm_option_use_ldaps (GVariant *options)
return FALSE;
}
+gboolean realm_option_add_samba_data (GVariant *options)
+{
+ const gchar *add_samba_data_str;
+
+ add_samba_data_str = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_ADD_SAMBA_DATA);
+ if (add_samba_data_str != NULL
+ && ( g_ascii_strcasecmp (add_samba_data_str, "True") == 0
+ || g_ascii_strcasecmp (add_samba_data_str, "Yes") == 0)) {
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+const gchar *realm_option_computer_pwd_lifetime (GVariant *options)
+{
+ const gchar *computer_password_lifetime;
+ gint64 tmp64;
+ gchar *endptr;
+
+ computer_password_lifetime = realm_options_ad_specific (options,
+ REALM_DBUS_OPTION_COMPUTER_PWD_LIFETIME);
+ if (computer_password_lifetime != NULL && *computer_password_lifetime != '\0') {
+ errno = 0;
+ tmp64 = g_ascii_strtoll (computer_password_lifetime, &endptr, 10);
+ if (tmp64 < 0 || errno != 0 || *endptr != '\0') {
+ /* Illegal input, ignored, should be checked earlier
+ * to return an error */
+ computer_password_lifetime = NULL;
+ }
+ }
+
+ return computer_password_lifetime;
+}
+
gboolean realm_option_do_not_touch_config (GVariant *options)
{
const gchar *str;
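Review bot: `realm_option_computer_pwd_lifetime` silently turns an unparsable or negative value into NULL, so the caller builds the adcli command line without `--computer-password-lifetime` and the user gets the default lifetime with no indication that their input was discarded; the comment in the hunk already concedes this "should be checked earlier", but the tool side on this page forwards the string through `realm_build_options` without any validation, so no earlier check exists. Until an error can be reported to the caller, at least make the rejection visible, e.g. `g_warning ("Ignoring invalid computer password lifetime '%s'", computer_password_lifetime);` before clearing the pointer. Note also that `0` passes the `tmp64 < 0` test; whether adcli accepts a zero lifetime is not visible here.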
diff --git a/service/realm-options.h b/service/realm-options.h
index 569ef42..a6b5c41 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -52,6 +52,9 @@ gboolean realm_option_use_ldaps (GVariant *options);
gboolean realm_option_do_not_touch_config (GVariant *options);
+gboolean realm_option_add_samba_data (GVariant *options);
+
+const gchar * realm_option_computer_pwd_lifetime (GVariant *options);
G_END_DECLS
#endif /* __REALM_OPTIONS_H__ */
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 64bb488..c04557b 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -644,6 +644,123 @@ realm_sssd_ad_leave_creds (RealmKerberosMembership *membership)
return creds;
}
+typedef struct {
+ GDBusMethodInvocation *invocation;
+ gchar *realm_name;
+} RenewClosure;
+
+static void
+renew_closure_free (gpointer data)
+{
+ RenewClosure *renew = data;
+ g_free (renew->realm_name);
+ g_object_unref (renew->invocation);
+ g_free (renew);
+}
+
+static void
+on_renew_done (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ GTask *task = G_TASK (user_data);
+ RenewClosure *renew = g_task_get_task_data (task);
+ GError *error = NULL;
+
+ if (!g_task_is_valid (result, NULL)) {
+ realm_diagnostics_info (renew->invocation, "Task not valid.");
+ }
+
+ g_task_propagate_boolean (G_TASK (result), &error);
+ if (error != NULL) {
+ realm_diagnostics_error (renew->invocation, error,
+ "Task failed with: ");
+ g_error_free (error);
+ g_task_return_error (task, error);
+ } else {
+ g_task_return_boolean (task, TRUE);
+ }
+
+ g_object_unref (task);
+}
+
+static void
+realm_sssd_ad_renew_async (RealmKerberosMembership *membership,
+ GVariant *options,
+ GDBusMethodInvocation *invocation,
+ GAsyncReadyCallback callback,
+ gpointer user_data)
+{
+ RealmSssdAd *self = REALM_SSSD_AD (membership);
+ RealmKerberos *realm = REALM_KERBEROS (self);
+ RealmSssd *sssd = REALM_SSSD (self);
+ RealmDisco *disco;
+ const gchar *section;
+ GTask *task;
+ RenewClosure *renew;
+ gboolean use_ldaps = FALSE;
+
+ task = g_task_new (self, NULL, callback, user_data);
+
+ /* Check that enrolled in this realm */
+ section = realm_sssd_get_config_section (sssd);
+ if (!section) {
+ g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_NOT_CONFIGURED,
+ _("Not currently joined to this domain"));
+ g_object_unref (task);
+ return;
+ }
+
+
+ /* This also has the side-effect of populating the disco info if necessary */
+ disco = realm_kerberos_get_disco (realm);
+
+ renew = g_new0 (RenewClosure, 1);
+ renew->realm_name = g_strdup (realm_kerberos_get_realm_name (realm));
+ renew->invocation = g_object_ref (invocation);
+ g_task_set_task_data (task, renew, renew_closure_free);
+
+ realm_adcli_enroll_renew_async (disco, options, use_ldaps, invocation, on_renew_done,
+ g_object_ref (task));
+
+ g_object_unref (task);
+#if 0
+ switch (cred->type) {
+ case REALM_CREDENTIAL_AUTOMATIC:
+ realm_sssd_deconfigure_domain_tail (REALM_SSSD (self), task, invocation);
+ break;
+ case REALM_CREDENTIAL_CCACHE:
+ case REALM_CREDENTIAL_PASSWORD:
+ leave = g_new0 (LeaveClosure, 1);
+ leave->realm_name = g_strdup (realm_kerberos_get_realm_name (realm));
+ leave->invocation = g_object_ref (invocation);
+ leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
+ g_task_set_task_data (task, leave, leave_closure_free);
+
+ use_ldaps = realm_option_use_ldaps (options);
+ if (leave->use_adcli) {
+ realm_adcli_enroll_delete_async (disco, cred, options,
+ use_ldaps, invocation,
+ on_leave_do_deconfigure, g_object_ref (task));
+ } else {
+ if (use_ldaps) {
+ realm_diagnostics_info (leave->invocation,
+ "Membership software does "
+ "not support ldaps, trying "
+ "without.");
+ }
+ realm_samba_enroll_leave_async (disco, cred, options, invocation,
+ on_leave_do_deconfigure, g_object_ref (task));
+ }
+ break;
+ default:
+ g_return_if_reached ();
+ }
+
+ g_object_unref (task);
+#endif
+}
+
static gboolean
realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
GAsyncResult *result,
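Review bot: `realm_sssd_ad_renew_async` passes a `use_ldaps` that is initialized to FALSE and never assigned, even though the tool forwards `REALM_DBUS_OPTION_USE_LDAPS` in the renew options and the leave path uses `realm_option_use_ldaps (options)` for exactly this purpose; as written `realm renew --use-ldaps` never reaches adcli's `--use-ldaps`. The fix is one line before the `realm_adcli_enroll_renew_async` call: `use_ldaps = realm_option_use_ldaps (options);`. The `#if 0` block after the `g_object_unref (task)` is copied from the leave implementation and references `cred`, `tags` and `leave`, none of which exist in this function, so it should be deleted rather than kept as dead code. `renew->realm_name` is filled in but never read within this hunk; unless a later change uses it, `RenewClosure` only needs the invocation.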
@@ -752,4 +869,7 @@ realm_sssd_ad_kerberos_membership_iface (RealmKerberosMembershipIface *iface)
iface->leave_async = realm_sssd_ad_leave_async;
iface->leave_finish = realm_sssd_ad_generic_finish;
iface->leave_creds = realm_sssd_ad_leave_creds;
+
+ iface->renew_async = realm_sssd_ad_renew_async;
+ iface->renew_finish = realm_sssd_ad_generic_finish;
}
diff --git a/tools/realm-renew.c b/tools/realm-renew.c
index 7b28e48..c17febc 100644
--- a/tools/realm-renew.c
+++ b/tools/realm-renew.c
@@ -70,6 +70,10 @@ call_renew (RealmDbusKerberosMembership *membership,
typedef struct {
gchar *membership_software;
gboolean use_ldaps;
+ gboolean add_samba_data;
+ gchar *computer_password_lifetime;
+ gchar *host_keytab;
+ gchar *host_fqdn;
} RealmRenewArgs;
static void
@@ -116,7 +120,11 @@ perform_renew (RealmClient *client,
}
options = realm_build_options (REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
+ REALM_DBUS_OPTION_COMPUTER_PWD_LIFETIME, args->computer_password_lifetime,
+ REALM_DBUS_OPTION_HOST_KEYTAB, args->host_keytab,
+ REALM_DBUS_OPTION_HOST_FQDN, args->host_fqdn,
REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
+ REALM_DBUS_OPTION_ADD_SAMBA_DATA, args->add_samba_data ? "True" : "False",
NULL);
g_variant_ref_sink (options);
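Review bot: `args->host_keytab` and `args->host_fqdn` are forwarded to the privileged daemon without any client-side validation, and the service side on this page turns `host_keytab` into adcli's `--host-keytab=` argument, so whoever is permitted to call `Renew` chooses which file the root-running membership software reads and rewrites. That is fine only if the polkit action added for Renew defaults to administrator authentication like the join and leave actions; the policy defaults are not visible on this page, so please confirm them. A short comment where the daemon consumes the option, e.g. `/* path is chosen by the D-Bus caller; polkit decides who may call Renew */`, would make the trust boundary explicit; that hunk of `realm-adcli-enroll.c` starts outside the visible part of this patch.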
@@ -138,7 +146,7 @@ realm_renew (RealmClient *client,
GOptionContext *context;
GError *error = NULL;
const gchar *realm_name;
- RealmRenewArgs args;
+ RealmRenewArgs args = { 0 };
GOptionGroup *group;
gint ret = 0;
@@ -147,6 +155,14 @@ realm_renew (RealmClient *client,
N_("Use specific membership software"), NULL },
{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
N_("Use ldaps to connect to LDAP"), NULL },
+ { "host-keytab", 0, 0, G_OPTION_ARG_STRING, &args.host_keytab,
+ N_("Path to the keytab"), NULL },
+ { "host-fqdn", 0, 0, G_OPTION_ARG_STRING, &args.host_fqdn,
+ N_("Fully-qualified name of the host"), NULL },
+ { "computer-password-lifetime", 0, 0, G_OPTION_ARG_STRING, &args.computer_password_lifetime,
+ N_("lifetime of the host accounts password in days"), NULL },
+ { "add-samba-data", 0, 0, G_OPTION_ARG_NONE, &args.add_samba_data,
+ N_("Try to update Samba's internal machine account password as well"), NULL },
{ NULL, }
};
--
2.51.0


@ -0,0 +1,21 @@
From 24d1cb6392a95d2336a66b3538bfe42d4fe73289 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 13 May 2025 13:08:10 +0200
Subject: [PATCH] renew: add translatable strings
---
po/POTFILES.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 140ed4c..2d8b266 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -20,3 +20,4 @@ tools/realm-discover.c
tools/realm-join.c
tools/realm-leave.c
tools/realm-logins.c
+tools/realm-renew.c
--
2.51.0


@ -0,0 +1,47 @@
From 5239baba5ac501358b28e8421935f2a102a57c0f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 24 Apr 2025 11:38:35 +0200
Subject: [PATCH] renew: fix issues found by Coverity
---
service/realm-kerberos.c | 4 ++--
service/realm-sssd-ad.c | 1 -
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index 0cf2da0..2b617a5 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
@@ -447,8 +447,6 @@ handle_renew (RealmDbusKerberosMembership *dbus_membership,
return TRUE;
}
- method = method_closure_new (self, invocation);
-
if (iface->renew_async == NULL || iface->renew_finish == NULL) {
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
G_DBUS_ERROR_UNKNOWN_METHOD,
@@ -456,6 +454,8 @@ handle_renew (RealmDbusKerberosMembership *dbus_membership,
return TRUE;
}
+ method = method_closure_new (self, invocation);
+
(iface->renew_async) (membership, options, invocation, on_renew_complete, method);
return TRUE;
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index c04557b..249e796 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -675,7 +675,6 @@ on_renew_done (GObject *source,
if (error != NULL) {
realm_diagnostics_error (renew->invocation, error,
"Task failed with: ");
- g_error_free (error);
g_task_return_error (task, error);
} else {
g_task_return_boolean (task, TRUE);
--
2.51.0


@ -0,0 +1,90 @@
From 5ad0311459db3e291db88e1b9c2bcde912698cce Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Oct 2025 10:37:01 +0200
Subject: [PATCH] doc: add 'renew' option of realm man page
---
doc/manual/realm.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 0693283..caa6308 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -38,6 +38,9 @@
<cmdsynopsis>
<command>realm leave</command> <arg choice="opt">-U user</arg> <arg choice="opt">realm-name</arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>realm renew</command> <arg choice="opt">realm-name</arg>
+ </cmdsynopsis>
<cmdsynopsis>
<command>realm list</command>
</cmdsynopsis>
@@ -407,6 +410,63 @@ $ realm leave domain.example.com
</refsect1>
+<refsect1 id="man-renew">
+ <title>Renew</title>
+
+ <para>Renew the machine account password and update the keytab.</para>
+
+ <informalexample>
+<programlisting>
+$ realm renew
+</programlisting>
+<programlisting>
+$ realm renew --computer-password-lifetime=10 domain.example.com
+</programlisting>
+ </informalexample>
+
+ <para>Renew the machine account password with the help of the existing one
+ from a keytab and store the new version in the keytab. If no domain name is
+ given it is derived from the existing configuration.</para>
+
+ <para>The following options can be used:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--membership-software=xxx</option></term>
+ <listitem><para>Use specified membership software, currently
+ only <replaceable>adcli</replaceable> is supported.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--host-keytab=xxx</option></term>
+ <listitem><para>Path to the keytab, if not specified the
+ default keytab file will be used.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--host-fqdn=xxx</option></term>
+ <listitem><para>Fully-qualified name of the host, only needed
+ if it is not determined correctly automatically.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--computer-password-lifetime=xxx</option></term>
+ <listitem><para>Lifetime of the machine account password in days,
+ default is 30.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--add-samba-data</option></term>
+ <listitem><para>Try to update Samba's internal machine account
+ password as well if a membership software other than Samba is used.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
<refsect1 id="man-list">
<title>List</title>
--
2.51.0


@ -1,13 +0,0 @@
diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
index da2de55..856b36d 100644
--- a/service/realmd-redhat.conf
+++ b/service/realmd-redhat.conf
@@ -20,7 +20,7 @@ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
adcli = /usr/sbin/adcli
[ipa-packages]
-freeipa-client = /usr/sbin/ipa-client-install
+ipa-client = /usr/sbin/ipa-client-install
[commands]
winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"

894
computer-ou.patch Normal file

@ -0,0 +1,894 @@
From 3db35ad73ec57c8af499a0dcef96ffd4da914236 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 7 Sep 2015 13:49:10 +0200
Subject: [PATCH 2/2] service: Fully qualify --computer-ou DN before passing to
adcli
This allows us to have a similar behavior for both the Samba and
adcli membership software.
---
service/Makefile.am | 4 +-
service/realm-adcli-enroll.c | 11 +-
service/realm-dn-util.c | 239 +++++++++++++++++++++++++++++++++++++++++++
service/realm-dn-util.h | 32 ++++++
service/realm-samba-enroll.c | 4 +-
service/realm-samba-util.c | 172 -------------------------------
service/realm-samba-util.h | 29 ------
tests/Makefile.am | 16 +--
tests/test-dn-util.c | 129 +++++++++++++++++++++++
tests/test-samba-ou-format.c | 89 ----------------
11 files changed, 422 insertions(+), 305 deletions(-)
create mode 100644 service/realm-dn-util.c
create mode 100644 service/realm-dn-util.h
delete mode 100644 service/realm-samba-util.c
delete mode 100644 service/realm-samba-util.h
create mode 100644 tests/test-dn-util.c
delete mode 100644 tests/test-samba-ou-format.c
diff --git a/service/Makefile.am b/service/Makefile.am
index 06a95ef..88ee780 100644
--- a/service/Makefile.am
+++ b/service/Makefile.am
@@ -43,6 +43,8 @@ realmd_SOURCES = \
service/realm-disco-mscldap.h \
service/realm-disco-rootdse.c \
service/realm-disco-rootdse.h \
+ service/realm-dn-util.c \
+ service/realm-dn-util.h \
service/realm-errors.c \
service/realm-errors.h \
service/realm-example.c \
@@ -79,8 +81,6 @@ realmd_SOURCES = \
service/realm-samba-enroll.h \
service/realm-samba-provider.c \
service/realm-samba-provider.h \
- service/realm-samba-util.c \
- service/realm-samba-util.h \
service/realm-samba-winbind.c \
service/realm-samba-winbind.h \
service/realm-service.c \
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 7448647..ef1b563 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -18,6 +18,7 @@
#include "realm-command.h"
#include "realm-daemon.h"
#include "realm-diagnostics.h"
+#include "realm-dn-util.h"
#include "realm-errors.h"
#include "realm-ini-config.h"
#include "realm-options.h"
@@ -82,6 +83,7 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
gchar *ccache_arg = NULL;
gchar *upn_arg = NULL;
gchar *server_arg = NULL;
+ gchar *ou_arg = NULL;
g_return_if_fail (cred != NULL);
g_return_if_fail (disco != NULL);
@@ -120,9 +122,13 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
}
computer_ou = realm_options_computer_ou (options, disco->domain_name);
- if (computer_ou) {
+ if (computer_ou != NULL) {
+ ou_arg = realm_dn_util_build_qualified (computer_ou, disco->domain_name);
g_ptr_array_add (args, "--computer-ou");
- g_ptr_array_add (args, (gpointer)computer_ou);
+ if (ou_arg)
+ g_ptr_array_add (args, ou_arg);
+ else
+ g_ptr_array_add (args, (gpointer)computer_ou);
}
os = realm_settings_value ("active-directory", "os-name");
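Review bot: when `realm_dn_util_build_qualified` returns NULL the new code falls back to handing the caller's raw `computer_ou` to adcli, yet NULL is precisely the result for a DN that does not parse or whose DC components do not match `disco->domain_name`, so the qualification step validates nothing in practice and the unqualified value still goes to the domain controller. Either treat NULL as an error, as the Samba path does with its own NULL check, or at minimum record the fallback in the join log via `realm_diagnostics_info` on the invocation, e.g. `"Passing computer OU to adcli as given: %s"`, so a mistyped OU is visible afterwards. The enclosing `realm_adcli_enroll_join_async` starts and ends outside this hunk.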
@@ -190,6 +196,7 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
free (ccache_arg);
free (upn_arg);
free (server_arg);
+ free (ou_arg);
}
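Review bot: `ou_arg` is produced by `g_strdup`/`g_strdup_printf` inside `realm_dn_util_build_qualified` but released with `free (ou_arg);` here. That mirrors the existing `free` calls for the neighbouring arguments, so it is consistent with the file, but the matching deallocator for GLib-allocated strings is `g_free`, and switching the new line to `g_free (ou_arg);` costs nothing and keeps allocator pairing obvious to static analysers.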
gboolean
diff --git a/service/realm-dn-util.c b/service/realm-dn-util.c
new file mode 100644
index 0000000..85bcdb9
--- /dev/null
+++ b/service/realm-dn-util.c
@@ -0,0 +1,239 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2012 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+
+#include "realm-dn-util.h"
+
+#include <glib.h>
+
+#include <ldap.h>
+
+static gboolean
+berval_is_string (const struct berval *bv,
+ const gchar *string,
+ gsize length)
+{
+ return (bv->bv_len == length &&
+ g_ascii_strncasecmp (bv->bv_val, string, length) == 0);
+
+}
+
+static gboolean
+berval_case_equals (const struct berval *v1,
+ const struct berval *v2)
+{
+ return (v1->bv_len == v2->bv_len &&
+ g_ascii_strncasecmp (v1->bv_val, v2->bv_val, v1->bv_len) == 0);
+}
+
+static gboolean
+dn_equals_domain (LDAPDN dn,
+ const gchar *domain_dn_str,
+ const gchar *domain)
+{
+ LDAPDN domain_dn;
+ gboolean ret;
+ int rc;
+ gint i, j;
+
+ rc = ldap_str2dn (domain_dn_str, &domain_dn, LDAP_DN_FORMAT_LDAPV3);
+ g_return_val_if_fail (rc == LDAP_SUCCESS, FALSE);
+
+ for (i = 0; dn[i] != NULL && domain_dn[i] != NULL; i++) {
+ for (j = 0; dn[i][j] != NULL && domain_dn[i][j] != NULL; j++) {
+ if (!berval_case_equals (&(dn[i][j]->la_attr), &(domain_dn[i][j]->la_attr)) ||
+ !berval_case_equals (&(dn[i][j]->la_value), &(domain_dn[i][j]->la_value)))
+ break;
+ }
+
+ if (dn[i][j] != NULL && domain_dn[i][j] != NULL)
+ break;
+ }
+
+ /* Did we reach end of both DNs? */
+ ret = (dn[i] == NULL && domain_dn[i] == NULL);
+
+ ldap_dnfree (domain_dn);
+
+ return ret;
+}
+
+gchar *
+realm_dn_util_build_samba_ou (const gchar *ldap_dn,
+ const gchar *domain)
+{
+ gchar *domain_dn_str = NULL;
+ GArray *parts;
+ GString *part;
+ gchar **strv;
+ gchar *str;
+ LDAPAVA* ava;
+ gboolean ret;
+ LDAPDN dn;
+ int rc;
+ gint i, j;
+
+ /*
+ * Here we convert a standard LDAP DN to the strange samba net format,
+ * as "documented" here:
+ *
+ * createcomputer=OU Precreate the computer account in a specific OU.
+ * The OU string read from top to bottom without RDNs and delimited by a '/'.
+ * E.g. "createcomputer=Computers/Servers/Unix"
+ * NB: A backslash '\' is used as escape at multiple levels and may
+ * need to be doubled or even quadrupled. It is not used as a separator.
+ */
+
+ /* ldap_str2dn doesn't like empty strings */
+ while (g_ascii_isspace (ldap_dn[0]))
+ ldap_dn++;
+ if (g_str_equal (ldap_dn, ""))
+ return NULL;
+
+ rc = ldap_str2dn (ldap_dn, &dn, LDAP_DN_FORMAT_LDAPV3);
+ if (rc != LDAP_SUCCESS)
+ return NULL;
+
+ ret = TRUE;
+ parts = g_array_new (TRUE, TRUE, sizeof (gchar *));
+
+ for (i = 0; dn[i] != NULL; i++) {
+ ava = dn[i][0];
+
+ /*
+ * Make sure this is a valid DN, we only support one value per
+ * RDN, string values, and must be an OU. DC values are allowed
+ * but only at the end of the DN.
+ */
+
+ if (ava == NULL || dn[i][1] != NULL || !(ava->la_flags & LDAP_AVA_STRING)) {
+ ret = FALSE;
+ break;
+
+ /* A DC, remainder must match the domain */
+ } else if (berval_is_string (&ava->la_attr, "DC", 2)) {
+ rc = ldap_domain2dn (domain, &domain_dn_str);
+ if (rc != LDAP_SUCCESS)
+ ret = FALSE;
+ else
+ ret = dn_equals_domain (dn + i, domain_dn_str, domain);
+ break;
+
+ /* An OU, include */
+ } else if (berval_is_string (&ava->la_attr, "OU", 2)) {
+ part = g_string_sized_new (ava->la_value.bv_len);
+ for (j = 0; j < ava->la_value.bv_len; j++) {
+ switch (ava->la_value.bv_val[j]) {
+ case '\\':
+ g_string_append (part, "\\\\");
+ break;
+ case '/':
+ g_string_append (part, "\\/");
+ break;
+ default:
+ g_string_append_c (part, ava->la_value.bv_val[j]);
+ break;
+ }
+ }
+ str = g_string_free (part, FALSE);
+ g_array_insert_val (parts, 0, str);
+
+ /* Invalid, stop */
+ } else {
+ ret = FALSE;
+ break;
+ }
+ }
+
+ ldap_dnfree (dn);
+ if (domain_dn_str)
+ ldap_memfree (domain_dn_str);
+
+ strv = (gchar **)g_array_free (parts, FALSE);
+ str = NULL;
+
+ /* Loop completed successfully */
+ if (ret)
+ str = g_strjoinv ("/", strv);
+
+ g_strfreev (strv);
+
+ return str;
+}
+
+gchar *
+realm_dn_util_build_qualified (const gchar *ldap_dn,
+ const gchar *domain)
+{
+ gchar *domain_dn_str = NULL;
+ gboolean had_dc = FALSE;
+ gchar *str;
+ LDAPAVA* ava;
+ gboolean ret;
+ LDAPDN dn;
+ int rc;
+ gint i;
+
+ /* ldap_str2dn doesn't like empty strings */
+ while (g_ascii_isspace (ldap_dn[0]))
+ ldap_dn++;
+ if (g_str_equal (ldap_dn, ""))
+ return NULL;
+
+ rc = ldap_str2dn (ldap_dn, &dn, LDAP_DN_FORMAT_LDAPV3);
+ if (rc != LDAP_SUCCESS)
+ return NULL;
+
+ rc = ldap_domain2dn (domain, &domain_dn_str);
+ if (rc != LDAP_SUCCESS) {
+ ldap_dnfree (dn);
+ return NULL;
+ }
+
+ ret = TRUE;
+
+ for (i = 0; dn[i] != NULL; i++) {
+ ava = dn[i][0];
+
+ /*
+ * Make sure this is a valid DN, we only support one value per
+ * RDN, string values. DC values are allowed but only at the end of the DN.
+ */
+
+ if (ava == NULL || dn[i][1] != NULL || !(ava->la_flags & LDAP_AVA_STRING)) {
+ ret = FALSE;
+ break;
+
+ /* A DC, remainder must match the domain */
+ } else if (berval_is_string (&ava->la_attr, "DC", 2)) {
+ had_dc = TRUE;
+ ret = dn_equals_domain (dn + i, domain_dn_str, domain);
+ break;
+ }
+ }
+
+ ldap_dnfree (dn);
+
+ if (!ret)
+ return NULL;
+
+ if (had_dc)
+ str = g_strdup (ldap_dn);
+ else
+ str = g_strdup_printf ("%s,%s", ldap_dn, domain_dn_str);
+
+ ldap_memfree (domain_dn_str);
+ return str;
+}
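Review bot: `dn_equals_domain` takes a `domain` parameter it never reads; both callers already pass the pre-computed `domain_dn_str`, so the parameter should be dropped from the signature and from the two call sites. In the escape loop of `realm_dn_util_build_samba_ou` the signed `gint j` is compared against `ava->la_value.bv_len`, a `ber_len_t`, which trips `-Wsign-compare`; declaring it as `ber_len_t j` avoids that. Both exported functions also lack a header comment stating the contract — the DN is caller-supplied text, the returned string is owned by the caller and freed with `g_free`, and NULL means "unparsable or not under the domain" — which matters here because the adcli caller on this page treats NULL as a fallback rather than a failure.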
diff --git a/service/realm-dn-util.h b/service/realm-dn-util.h
new file mode 100644
index 0000000..f5e5e69
--- /dev/null
+++ b/service/realm-dn-util.h
@@ -0,0 +1,32 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2012 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+
+#ifndef __REALM_DN_UTIL_H__
+#define __REALM_DN_UTIL_H__
+
+#include <gio/gio.h>
+
+G_BEGIN_DECLS
+
+gchar * realm_dn_util_build_samba_ou (const gchar *ldap_dn,
+ const gchar *domain);
+
+gchar * realm_dn_util_build_qualified (const gchar *ldap_dn,
+ const gchar *domain);
+
+G_END_DECLS
+
+#endif /* __REALM_DN_UTIL_H__ */
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index e8739d7..e749764 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -18,12 +18,12 @@
#include "realm-daemon.h"
#include "realm-dbus-constants.h"
#include "realm-diagnostics.h"
+#include "realm-dn-util.h"
#include "realm-errors.h"
#include "realm-options.h"
#include "realm-samba-config.h"
#include "realm-samba-enroll.h"
#include "realm-samba-provider.h"
-#include "realm-samba-util.h"
#include "realm-settings.h"
#include <glib/gstdio.h>
@@ -314,7 +314,7 @@ begin_join (GTask *task,
computer_ou = realm_options_computer_ou (options, join->disco->domain_name);
if (computer_ou != NULL) {
- strange_ou = realm_samba_util_build_strange_ou (computer_ou, join->disco->domain_name);
+ strange_ou = realm_dn_util_build_samba_ou (computer_ou, join->disco->domain_name);
if (strange_ou) {
if (!g_str_equal (strange_ou, ""))
join->join_args[at++] = g_strdup_printf ("createcomputer=%s", strange_ou);
diff --git a/service/realm-samba-util.c b/service/realm-samba-util.c
deleted file mode 100644
index 3f6a53e..0000000
--- a/service/realm-samba-util.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/* realmd -- Realm configuration service
- *
- * Copyright 2012 Red Hat Inc
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published
- * by the Free Software Foundation; either version 2 of the licence or (at
- * your option) any later version.
- *
- * See the included COPYING file for more information.
- *
- * Author: Stef Walter <stefw@gnome.org>
- */
-
-#include "config.h"
-
-#include "realm-samba-util.h"
-
-#include <glib.h>
-
-#include <ldap.h>
-
-static gboolean
-berval_is_string (const struct berval *bv,
- const gchar *string,
- gsize length)
-{
- return (bv->bv_len == length &&
- g_ascii_strncasecmp (bv->bv_val, string, length) == 0);
-
-}
-
-static gboolean
-berval_case_equals (const struct berval *v1,
- const struct berval *v2)
-{
- return (v1->bv_len == v2->bv_len &&
- g_ascii_strncasecmp (v1->bv_val, v2->bv_val, v1->bv_len) == 0);
-}
-
-static gboolean
-dn_equals_domain (LDAPDN dn,
- const gchar *domain)
-{
- LDAPDN domain_dn;
- gchar *domain_dn_str;
- gboolean ret;
- int rc;
- gint i, j;
-
- rc = ldap_domain2dn (domain, &domain_dn_str);
- g_return_val_if_fail (rc == LDAP_SUCCESS, FALSE);
-
- rc = ldap_str2dn (domain_dn_str, &domain_dn, LDAP_DN_FORMAT_LDAPV3);
- g_return_val_if_fail (rc == LDAP_SUCCESS, FALSE);
-
- ldap_memfree (domain_dn_str);
-
- for (i = 0; dn[i] != NULL && domain_dn[i] != NULL; i++) {
- for (j = 0; dn[i][j] != NULL && domain_dn[i][j] != NULL; j++) {
- if (!berval_case_equals (&(dn[i][j]->la_attr), &(domain_dn[i][j]->la_attr)) ||
- !berval_case_equals (&(dn[i][j]->la_value), &(domain_dn[i][j]->la_value)))
- break;
- }
-
- if (dn[i][j] != NULL && domain_dn[i][j] != NULL)
- break;
- }
-
- /* Did we reach end of both DNs? */
- ret = (dn[i] == NULL && domain_dn[i] == NULL);
-
- ldap_dnfree (domain_dn);
-
- return ret;
-}
-
-gchar *
-realm_samba_util_build_strange_ou (const gchar *ldap_dn,
- const gchar *domain)
-{
- GArray *parts;
- GString *part;
- gchar **strv;
- gchar *str;
- LDAPAVA* ava;
- gboolean ret;
- LDAPDN dn;
- int rc;
- gint i, j;
-
- /*
- * Here we convert a standard LDAP DN to the strange samba net format,
- * as "documented" here:
- *
- * createcomputer=OU Precreate the computer account in a specific OU.
- * The OU string read from top to bottom without RDNs and delimited by a '/'.
- * E.g. "createcomputer=Computers/Servers/Unix"
- * NB: A backslash '\' is used as escape at multiple levels and may
- * need to be doubled or even quadrupled. It is not used as a separator.
- */
-
- /* ldap_str2dn doesn't like empty strings */
- while (g_ascii_isspace (ldap_dn[0]))
- ldap_dn++;
- if (g_str_equal (ldap_dn, ""))
- return NULL;
-
- rc = ldap_str2dn (ldap_dn, &dn, LDAP_DN_FORMAT_LDAPV3);
- if (rc != LDAP_SUCCESS)
- return NULL;
-
- ret = TRUE;
- parts = g_array_new (TRUE, TRUE, sizeof (gchar *));
-
- for (i = 0; dn[i] != NULL; i++) {
- ava = dn[i][0];
-
- /*
- * Make sure this is a valid DN, we only support one value per
- * RDN, string values, and must be an OU. DC values are allowed
- * but only at the end of the DN.
- */
-
- if (ava == NULL || dn[i][1] != NULL || !(ava->la_flags & LDAP_AVA_STRING)) {
- ret = FALSE;
- break;
-
- /* A DC, remainder must match the domain */
- } else if (berval_is_string (&ava->la_attr, "DC", 2)) {
- ret = dn_equals_domain (dn + i, domain);
- break;
-
- /* An OU, include */
- } else if (berval_is_string (&ava->la_attr, "OU", 2)) {
- part = g_string_sized_new (ava->la_value.bv_len);
- for (j = 0; j < ava->la_value.bv_len; j++) {
- switch (ava->la_value.bv_val[j]) {
- case '\\':
- g_string_append (part, "\\\\");
- break;
- case '/':
- g_string_append (part, "\\/");
- break;
- default:
- g_string_append_c (part, ava->la_value.bv_val[j]);
- break;
- }
- }
- str = g_string_free (part, FALSE);
- g_array_insert_val (parts, 0, str);
-
- /* Invalid, stop */
- } else {
- ret = FALSE;
- break;
- }
- }
-
- ldap_dnfree (dn);
-
- strv = (gchar **)g_array_free (parts, FALSE);
- str = NULL;
-
- /* Loop completed successfully */
- if (ret)
- str = g_strjoinv ("/", strv);
-
- g_strfreev (strv);
-
- return str;
-}
diff --git a/service/realm-samba-util.h b/service/realm-samba-util.h
deleted file mode 100644
index 2a680e7..0000000
--- a/service/realm-samba-util.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* realmd -- Realm configuration service
- *
- * Copyright 2012 Red Hat Inc
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published
- * by the Free Software Foundation; either version 2 of the licence or (at
- * your option) any later version.
- *
- * See the included COPYING file for more information.
- *
- * Author: Stef Walter <stefw@gnome.org>
- */
-
-#include "config.h"
-
-#ifndef __REALM_SAMBA_UTIL_H__
-#define __REALM_SAMBA_UTIL_H__
-
-#include <gio/gio.h>
-
-G_BEGIN_DECLS
-
-gchar * realm_samba_util_build_strange_ou (const gchar *ldap_dn,
- const gchar *suffix_dn);
-
-G_END_DECLS
-
-#endif /* __REALM_SAMBA_UTIL_H__ */
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ddeba4d..3b05066 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -12,11 +12,11 @@ TEST_LIBS = \
$(GLIB_LIBS)
TEST_PROGS = \
+ test-dn-util \
test-ini-config \
test-sssd-config \
test-safe-format \
test-login-name \
- test-samba-ou-format \
test-settings \
$(NULL)
@@ -27,6 +27,13 @@ noinst_PROGRAMS += \
frob-install-packages \
$(NULL)
+test_dn_util_SOURCES = \
+ tests/test-dn-util.c \
+ service/realm-dn-util.c \
+ $(NULL)
+test_dn_util_LDADD = $(TEST_LIBS)
+test_dn_util_CFLAGS = $(TEST_CFLAGS)
+
test_ini_config_SOURCES = \
tests/test-ini-config.c \
service/realm-ini-config.c \
@@ -59,13 +66,6 @@ test_login_name_SOURCES = \
test_login_name_LDADD = $(TEST_LIBS)
test_login_name_CFLAGS = $(TEST_CFLAGS)
-test_samba_ou_format_SOURCES = \
- tests/test-samba-ou-format.c \
- service/realm-samba-util.c \
- $(NULL)
-test_samba_ou_format_LDADD = $(TEST_LIBS)
-test_samba_ou_format_CFLAGS = $(TEST_CFLAGS)
-
test_settings_SOURCES = \
tests/test-settings.c \
service/realm-settings.c \
diff --git a/tests/test-dn-util.c b/tests/test-dn-util.c
new file mode 100644
index 0000000..c62a40f
--- /dev/null
+++ b/tests/test-dn-util.c
@@ -0,0 +1,129 @@
+/* realmd -- Realm configuration service
+ *
+ * Copyright 2012 Red Hat Inc
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * See the included COPYING file for more information.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+
+#include "service/realm-dn-util.h"
+
+#include <glib/gstdio.h>
+
+#include <string.h>
+
+typedef struct {
+ const gchar *ldap_dn;
+ const gchar *domain;
+ const gchar *result;
+} Fixture;
+
+static void
+test_samba_ou_format (gconstpointer user_data)
+{
+ const Fixture *fixture = user_data;
+ gchar *result;
+
+ result = realm_dn_util_build_samba_ou (fixture->ldap_dn, fixture->domain);
+ g_assert_cmpstr (result, ==, fixture->result);
+ g_free (result);
+}
+
+static const Fixture samba_ou_fixtures[] = {
+ { "OU=One", "domain.example.com", "One" },
+ { "OU=One,ou=two", "domain.example.com", "two/One" },
+ { "Ou=One Long,OU=two", "domain.example.com", "two/One Long" },
+ { "Ou=One,OU=two, ou=Three", "domain.example.com", "Three/two/One" },
+ { "Ou=Test/Escape,Ou=Two", "domain.example.com", "Two/Test\\/Escape" },
+ { "Ou=Test\\\\Escape,Ou=Two", "domain.example.com", "Two/Test\\\\Escape" },
+ { "OU=One,DC=domain,dc=example,Dc=COM", "domain.example.com", "One" },
+ { "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM", "domain.example.com", "Two Here/One" },
+ { "OU=One,OU=Two Here,DC=invalid,Dc=COM", "domain.example.com", NULL },
+ { " ", "domain.example.com", NULL },
+ { "", "domain.example.com", NULL },
+ { "OU", "domain.example.com", NULL },
+ { "OU=One,", "domain.example.com", NULL },
+ { "CN=Unsupported", "domain.example.com", NULL },
+ { "OU=One+CN=Unsupported", "domain.example.com", NULL },
+ { "DC=radi07, DC=segad, DC=lab, DC=sjc, DC=redhat, DC=com", "radi08.segad.lab.sjc.redhat.com", NULL },
+
+};
+
+static void
+test_qualify_dn (gconstpointer user_data)
+{
+ const Fixture *fixture = user_data;
+ gchar *result;
+
+ result = realm_dn_util_build_qualified (fixture->ldap_dn, fixture->domain);
+ g_assert_cmpstr (result, ==, fixture->result);
+ g_free (result);
+}
+
+static const Fixture qualify_fixtures[] = {
+ { "OU=One", "domain.example.com", "OU=One,dc=domain,dc=example,dc=com" },
+ { "OU=One,ou=two", "domain.example.com", "OU=One,ou=two,dc=domain,dc=example,dc=com" },
+ { "Ou=One Long,OU=two", "domain.example.com", "Ou=One Long,OU=two,dc=domain,dc=example,dc=com" },
+ { "OU=One,DC=domain,dc=example,Dc=COM", "domain.example.com", "OU=One,DC=domain,dc=example,Dc=COM" },
+ { "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM", "domain.example.com", "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM" },
+ { "OU=One,OU=Two Here,DC=invalid,Dc=COM", "domain.example.com", NULL },
+ { " ", "domain.example.com", NULL },
+ { "", "domain.example.com", NULL },
+ { "OU", "domain.example.com", NULL },
+ { "OU=One,", "domain.example.com", NULL },
+ { "CN=Test", "domain.example.com", "CN=Test,dc=domain,dc=example,dc=com" },
+ { "OU=One+CN=Unsupported", "domain.example.com", NULL },
+ { "DC=radi07, DC=segad, DC=lab, DC=sjc, DC=redhat, DC=com", "radi08.segad.lab.sjc.redhat.com", NULL },
+};
+
+int
+main (int argc,
+ char **argv)
+{
+ gchar *escaped;
+ gchar *name;
+ gint i;
+
+#if !GLIB_CHECK_VERSION(2, 36, 0)
+ g_type_init ();
+#endif
+
+ g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-dn-util");
+
+ for (i = 0; i < G_N_ELEMENTS (samba_ou_fixtures); i++) {
+ if (g_str_equal (samba_ou_fixtures[i].ldap_dn, ""))
+ escaped = g_strdup ("_empty_");
+ else
+ escaped = g_strdup (samba_ou_fixtures[i].ldap_dn);
+ g_strdelimit (escaped, ", =\\/", '_');
+ name = g_strdup_printf ("/realmd/samba-ou-format/%s", escaped);
+ g_free (escaped);
+
+ g_test_add_data_func (name, samba_ou_fixtures + i, test_samba_ou_format);
+ g_free (name);
+ }
+
+ for (i = 0; i < G_N_ELEMENTS (qualify_fixtures); i++) {
+ if (g_str_equal (qualify_fixtures[i].ldap_dn, ""))
+ escaped = g_strdup ("_empty_");
+ else
+ escaped = g_strdup (qualify_fixtures[i].ldap_dn);
+ g_strdelimit (escaped, ", =\\/", '_');
+ name = g_strdup_printf ("/realmd/qualify-dn/%s", escaped);
+ g_free (escaped);
+
+ g_test_add_data_func (name, qualify_fixtures + i, test_qualify_dn);
+ g_free (name);
+ }
+
+ return g_test_run ();
+}
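Review bot: In `main`, `gint i` is compared against `G_N_ELEMENTS (samba_ou_fixtures)` and `G_N_ELEMENTS (qualify_fixtures)`, which are unsigned `sizeof` expressions, so both loops trip `-Wsign-compare`; declaring `guint i;` removes the mismatch. The registered test path is derived only from the escaped `ldap_dn`, so two fixtures whose inputs differ solely in characters that `g_strdelimit` folds to `_` (e.g. `,` versus ` ` versus `=`) would register the same path, which the sibling duplicate-test-path.patch in this compare says newer GLib rejects; that patch fixes test-safe-format.c with an index prefix, and the same `name = g_strdup_printf ("/realmd/samba-ou-format/%d-%s", i, escaped);` (and likewise for `/realmd/qualify-dn/`) would make this new file robust as well. The two registration loops are otherwise identical and could share one small static helper taking the path prefix, fixture array, element count and test function.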
diff --git a/tests/test-samba-ou-format.c b/tests/test-samba-ou-format.c
deleted file mode 100644
index 0a482ee..0000000
--- a/tests/test-samba-ou-format.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* realmd -- Realm configuration service
- *
- * Copyright 2012 Red Hat Inc
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published
- * by the Free Software Foundation; either version 2 of the licence or (at
- * your option) any later version.
- *
- * See the included COPYING file for more information.
- *
- * Author: Stef Walter <stefw@gnome.org>
- */
-
-#include "config.h"
-
-#include "service/realm-samba-util.h"
-
-#include <glib/gstdio.h>
-
-#include <string.h>
-
-typedef struct {
- const gchar *ldap_dn;
- const gchar *domain;
- const gchar *ou_format;
-} Fixture;
-
-static void
-test_samba_ou_format (gconstpointer user_data)
-{
- const Fixture *fixture = user_data;
- gchar *result;
-
- result = realm_samba_util_build_strange_ou (fixture->ldap_dn, fixture->domain);
- g_assert_cmpstr (result, ==, fixture->ou_format);
- g_free (result);
-}
-
-static const Fixture samba_ou_fixtures[] = {
- { "OU=One", "domain.example.com", "One" },
- { "OU=One,ou=two", "domain.example.com", "two/One" },
- { "Ou=One Long,OU=two", "domain.example.com", "two/One Long" },
- { "Ou=One,OU=two, ou=Three", "domain.example.com", "Three/two/One" },
- { "Ou=Test/Escape,Ou=Two", "domain.example.com", "Two/Test\\/Escape" },
- { "Ou=Test\\\\Escape,Ou=Two", "domain.example.com", "Two/Test\\\\Escape" },
- { "OU=One,DC=domain,dc=example,Dc=COM", "domain.example.com", "One" },
- { "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM", "domain.example.com", "Two Here/One" },
- { "OU=One,OU=Two Here,DC=invalid,Dc=COM", "domain.example.com", NULL },
- { " ", "domain.example.com", NULL },
- { "", "domain.example.com", NULL },
- { "OU", "domain.example.com", NULL },
- { "OU=One,", "domain.example.com", NULL },
- { "CN=Unsupported", "domain.example.com", NULL },
- { "OU=One+CN=Unsupported", "domain.example.com", NULL },
- { "DC=radi07, DC=segad, DC=lab, DC=sjc, DC=redhat, DC=com", "radi08.segad.lab.sjc.redhat.com", NULL },
-
-};
-
-int
-main (int argc,
- char **argv)
-{
- gchar *escaped;
- gchar *name;
- gint i;
-
-#if !GLIB_CHECK_VERSION(2, 36, 0)
- g_type_init ();
-#endif
-
- g_test_init (&argc, &argv, NULL);
- g_set_prgname ("test-samba-ou-format");
-
- for (i = 0; i < G_N_ELEMENTS (samba_ou_fixtures); i++) {
- if (g_str_equal (samba_ou_fixtures[i].ldap_dn, ""))
- escaped = g_strdup ("_empty_");
- else
- escaped = g_strdup (samba_ou_fixtures[i].ldap_dn);
- g_strdelimit (escaped, ", =\\/", '_');
- name = g_strdup_printf ("/realmd/samba-ou-format/%s", escaped);
- g_free (escaped);
-
- g_test_add_data_func (name, samba_ou_fixtures + i, test_samba_ou_format);
- g_free (name);
- }
-
- return g_test_run ();
-}
--
2.4.3

26
duplicate-test-path.patch Normal file

@ -0,0 +1,26 @@
From ab41e2830d2f7540d58370b5f35f85c2808c1871 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Fri, 11 Sep 2015 12:32:36 +0200
Subject: [PATCH] tests: Fix duplicate test case path
GLib is now stricter about this
---
tests/test-safe-format.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test-safe-format.c b/tests/test-safe-format.c
index 02aa5f1..204e10d 100644
--- a/tests/test-safe-format.c
+++ b/tests/test-safe-format.c
@@ -194,7 +194,7 @@ main (int argc,
else
escaped = g_strdup (fixtures[i].format);
g_strdelimit (escaped, " =\\/", '_');
- name = g_strdup_printf ("/realmd/safe-format/%s", escaped);
+ name = g_strdup_printf ("/realmd/safe-format/%d-%s", i, escaped);
g_free (escaped);
g_test_add_data_func (name, fixtures + i, test_safe_format_string_cb);
--
2.4.3

6
gating.yaml Normal file

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

29
install-diagnostic.patch Normal file

@ -0,0 +1,29 @@
From ef0797e5ed116a98cc074a6d4e1d1d6b6e6384db Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Mon, 7 Sep 2015 12:53:02 +0200
Subject: [PATCH 1/2] service: Fix issue where diagnostics about package
install hidden
Due to the recent refactoring the diagnostics about package
installation were hidden (even when --verbose).
https://bugzilla.redhat.com/show_bug.cgi?id=1258745
---
service/realm-packages.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/service/realm-packages.c b/service/realm-packages.c
index 9da852c..321921a 100644
--- a/service/realm-packages.c
+++ b/service/realm-packages.c
@@ -615,6 +615,7 @@ realm_packages_install_async (const gchar **package_sets,
task = g_task_new (NULL, NULL, callback, user_data);
install = g_new0 (InstallClosure, 1);
install->automatic = realm_options_automatic_install ();
+ install->invocation = invocation ? g_object_ref (invocation) : NULL;
install->connection = g_object_ref (connection);
g_task_set_task_data (task, install, install_closure_free);
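Review bot: The added line stores a new reference to `invocation` in the closure, but the matching release is not in the hunk; `install_closure_free`, registered on the next line via `g_task_set_task_data`, needs `g_clear_object (&install->invocation);` or every package install leaks the invocation object for its lifetime. The ternary is required since `g_object_ref` does not accept NULL, so presumably `invocation` is optional for callers; worth confirming that the free function tolerates a NULL field. `realm_packages_install_async` starts before and continues after this hunk.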
--
2.4.3


@ -1,6 +1,6 @@
Name: realmd
Version: 0.17.1
Release: 2%{?dist}
Release: 13%{?dist}
Summary: Kerberos realm enrollment service
License: LGPL-2.1-or-later
URL: https://gitlab.freedesktop.org/realmd/realmd
@ -9,12 +9,19 @@ Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2
Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
Patch0004: 0001-tools-fix-ccache-handling-for-leave-operation.patch
Patch0004: 0001-sssd-package-fix.patch
Patch0005: 0001-tools-fix-ccache-handling-for-leave-operation.patch
### Downstream Patches ###
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
# using freeipa-*, the following patch applies the needed changes.
Patch0100: ipa-packages.patch
# fixes for issues found by static analyser
Patch0006: 0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
Patch0007: 0002-krb5-add-realm_krb5_get_error_message.patch
# add renew command
Patch0008: 0001-Initial-implementation-of-a-renew-request.patch
Patch0009: 0002-renew-implement-support-for-adcli.patch
Patch0010: 0003-renew-add-translatable-strings.patch
Patch0011: 0004-renew-fix-issues-found-by-Coverity.patch
Patch0012: 0005-doc-add-renew-option-of-realm-man-page.patch
BuildRequires: make
BuildRequires: gcc
@ -29,15 +36,12 @@ BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
BuildRequires: samba-common-tools
BuildRequires: python3
BuildRequires: samba-common-tools
Requires: authselect
Requires: polkit
Conflicts: realmd-devel-docs < %{version}-%{release}
# This build will use Samba's new command line options so it cannot be used
# with older versions of Samba.
Conflicts: samba-common-tools < 4.15
%description
realmd is a DBus system service which manages discovery and enrollment in realms
@ -60,7 +64,6 @@ applications that use %{name}.
%build
autoreconf -fi
%configure --disable-silent-rules \
--with-new-samba-cli-options=yes \
%if 0%{?rhel}
--with-vendor-error-message='Please check\n https://red.ht/support_rhel_ad \nto get help for common issues.' \
%endif
@ -87,7 +90,7 @@ make check
%files -f realmd.lang
%doc AUTHORS COPYING NEWS README
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
%{_sbindir}/realm
%dir %{_prefix}/lib/realmd
%{_libexecdir}/realmd
@ -105,90 +108,155 @@ make check
%doc ChangeLog
%changelog
* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-2
- Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- migrated to SPDX license
- allow multiple names and _srv_ ad_server option
Resolves: RHEL-12113
* Tue Oct 14 2025 Sumit Bose <sbose@redhat.com> - 0.17.1-13
- add renew command
Resolves: RHEL-117645
* Thu Feb 13 2025 Sumit Bose <sbose@redhat.com> - 0.17.1-12
- Fixes for RHEL SAST Automation
Resolves: RHEL-44992
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.17.1-11
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.17.1-10
- Bump release for June 2024 mass rebuild
* Fri Feb 09 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-9
- fix ccache handling for leave operation
Resolves: RHEL-26166
Resolves: jira#SSSD-6420
* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Update to upstream release 0.17.1
Resolves: rhbz#2133841
* Mon Feb 05 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-8
- improve sssd package handling due to removed sssd meta package
Resolves: rhbz#2255725
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- add LDAP socket timeout
Resolves: rhbz#2037864
* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Dec 15 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-24
- Avoid duplicated log messages and use Samba's new CLI options
Resolves: rhbz#2024248
Resolves: rhbz#2028528
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue May 11 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-23
- Add restart macro and vendor message to spec file
* Fri Dec 01 2023 Sumit Bose <sbose@redhat.com> - 0.17.1-5
- allow multiple names and _srv_ ad_server option
Resolves: jira#SSSD-6077
* Wed Oct 18 2023 Sumit Bose <sbose@redhat.com> - 0.17.1-4
- migrated to SPDX license
* Wed Oct 18 2023 Tom Stellard <tstellar@redhat.com>
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Sep 29 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Updated to upstream 0.17.1
Resolves: rhbz#1628302
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Apr 25 2022 Andreas Schneider <asn@redhat.com> - 0.17.0-10
- resolves rhbz#2078447 - Fix detction for new samba commandline options
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 15 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-8
- Fix LDAP socket timeout, duplicate log messages and Samba CLI
Resolves: rhbz#1817869, rhbz#2024248, rhbz#2028530
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue May 11 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-6
- Add man page section, enable restart after update
Resolves: rhbz#1926046
* Thu Dec 03 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-22
- Add fixes LDAPS functionality
Resolves: rhbz#1826964
* Tue Apr 06 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-5
- Add missing configure option
Resolves: rhbz#1889386
* Thu Nov 26 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-21
- Add missing patch for LDAPS functionality
Resolves: rhbz#1826964
* Tue Apr 06 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-4
- Add vendor error message, autoconf-2.71 fixes, downstream gating
Resolves: rhbz#1889386
* Thu Nov 05 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-20
- realmd should handle default_realm in krb5.conf
Resolves: rhbz#1791016
- [RFE] Enable LDAPS functionality in realmd join
Resolves: rhbz#1826964
* Wed Mar 03 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-3
- Use authselect instead of authconfig
Resolves: rhbz#1934124
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- Realm join fails with error 'Failed to join domain: failed to lookup
DC info ...'
Resolves: rhbz#1859503
- realm command to use option like dnshostname=fqdn
Resolves: rhbz#1867912
* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-2
- Add Conflicts to avoid update/downgrade issues
* Fri Feb 21 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-18
- Fix kerberos method
Resolves: rhbz#1801195
* Fri Feb 19 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-1
- Updated to upstream 0.17.0
* Sun Dec 01 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-17
- rebuild fails if DISTRO variable is exported
Resolves: rhbz#1747454
- realmd.conf user-principal RFE and clarification
Resolves: rhbz#1747452
- realmd.conf documentation incorrect
Resolves: rhbz#1747457
- Document realmd.conf and how realmd reads the configuration
Resolves: rhbz#1747456
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 04 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-27
- Sync with latest upstream patches
* Wed Aug 12 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- Sync with latest upstream patches
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-25
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Mar 18 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-23
- Sync with latest upstream patches and fix package URL
Resolves: rhbz#1800897
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 02 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-21
- Remove gtester support, use autosetup
Resolves: rhbz#1736578
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Feb 21 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- fix test depending on order
Resolves: rhbz#1675879
* Wed Feb 20 2019 Adam Williamson <awilliam@redhat.com> - 0.16.3-18
- Backport fix from upstream to always install latest packages via PK
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Sep 27 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-16
- Do not call authselect for IPA domains
Resolves: rhbz#1633572
Resolves: rhbz#1620097
* Wed Aug 22 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults
Resolves: rhbz#1619162
* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults and improve realm discovery
Resolves: rhbz#1575538
Resolves: rhbz#1145777
* Tue Aug 14 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-14
- Fix python BuildRequires
Resolves: rhbz#1615564
- Add RHEL specific patch for IPA
Resolves: rhbz#1615320
- Fix issues found by Coverity
Resolves: rhbz#1602677
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 04 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-13
- Add latests patches from RHEL7
- Add polkit runtime dependency
Resolves: rhbz#1577179
- Drop python2 build dependency
Resolves: rhbz#1595813
- Add polkit runtime dependency
Resolves: rhbz#1577178
- Fix documentation reference in systemd unit file
Resolves: rhbz#1596325
Resolves: rhbz#1596323
- Use current Samba config options
Resolves: rhbz#1482926
* Sun Mar 18 2018 René Genz <liebundartig@freenet.de> - 0.16.3-12
- use correct authselect syntax for *-disable-logins to fix rhbz#1558245
- Iryna Shcherbina <ishcherb@redhat.com>

1
sources Normal file

@ -0,0 +1 @@
SHA512 (realmd-0.17.1.tar.gz) = 24f6b1fd149f2cd9e8019be1cb1638d8bc25845238ced224512a212d9de47305cf2b0c613c203a92fff0987a94cc9e08f9b45b93eedd54593b0c34f3875d1480