|
 |
56008d |
From 54b207649979475ea7f1fa5eaaea94be31d20935 Mon Sep 17 00:00:00 2001
|
|
|
e53b6b |
From: Ray Strode <rstrode@redhat.com>
|
|
|
e53b6b |
Date: Fri, 13 Dec 2019 15:16:06 -0500
|
|
|
e53b6b |
Subject: [PATCH] daemon: if no local users, check if machine is enrolled in
|
|
|
e53b6b |
network
|
|
|
e53b6b |
|
|
|
e53b6b |
GDM will show gnome initial-setup if a machine has no local users.
|
|
|
e53b6b |
But it's totally possible that a machine has only remote users,
|
|
|
e53b6b |
and shouldn't have a local user.
|
|
|
e53b6b |
|
|
|
e53b6b |
This commit detects that case, and avoids setting the HasNoUsers
|
|
|
e53b6b |
property.
|
|
|
e53b6b |
---
|
|
|
e53b6b |
data/org.freedesktop.realmd.xml | 730 ++++++++++++++++++++++++++++++++
|
|
|
56008d |
src/daemon.c | 63 ++-
|
|
|
56008d |
src/meson.build | 1 +
|
|
|
e53b6b |
src/org.freedesktop.realmd.xml | 730 ++++++++++++++++++++++++++++++++
|
|
|
56008d |
4 files changed, 1520 insertions(+), 4 deletions(-)
|
|
|
e53b6b |
create mode 100644 data/org.freedesktop.realmd.xml
|
|
|
e53b6b |
create mode 100644 src/org.freedesktop.realmd.xml
|
|
|
e53b6b |
|
|
|
e53b6b |
diff --git a/data/org.freedesktop.realmd.xml b/data/org.freedesktop.realmd.xml
|
|
|
e53b6b |
new file mode 100644
|
|
|
e53b6b |
index 0000000..c34a47a
|
|
|
e53b6b |
--- /dev/null
|
|
|
e53b6b |
+++ b/data/org.freedesktop.realmd.xml
|
|
|
e53b6b |
@@ -0,0 +1,730 @@
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
|
|
|
e53b6b |
+<node name="/">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Provider:
|
|
|
e53b6b |
+ @short_description: a realm provider
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various realm providers represent different software implementations
|
|
|
e53b6b |
+ that provide access to realms or domains.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This interface is implemented by individual providers, but is
|
|
|
e53b6b |
+ aggregated globally at the system bus name
|
|
|
e53b6b |
+ <literal>org.freedesktop.realmd</literal>
|
|
|
e53b6b |
+ with the object path <literal>/org/freedesktop/realmd</literal>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Provider">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Name: the name of the provider
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The name of the provider. This is not normally displayed
|
|
|
e53b6b |
+ to the user, but may be useful for diagnostics or debugging.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Name" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Version: the version of the provider
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The version of the provider. This is not normally used in
|
|
|
e53b6b |
+ logic, but may be useful for diagnostics or debugging.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Version" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Realms: a list of realms
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ A list of known, enrolled or discovered realms. All realms
|
|
|
e53b6b |
+ that this provider knows about are listed here. As realms
|
|
|
e53b6b |
+ are discovered they are added to this list.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Each realm is represented by the DBus object path of the
|
|
|
e53b6b |
+ realm object.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Realms" type="ao" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Discover:
|
|
|
e53b6b |
+ @string: an input string to discover realms for
|
|
|
e53b6b |
+ @options: options for the discovery operation
|
|
|
e53b6b |
+ @relevance: the relevance of the returned results
|
|
|
e53b6b |
+ @realm: a list of realms discovered
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Discover realms for the given string. The input @string is
|
|
|
e53b6b |
+ usually a domain or realm name, perhaps typed by a user. If
|
|
|
e53b6b |
+ an empty string is provided, the realm provider should try to
|
|
|
e53b6b |
+ discover a default realm, if possible (e.g. from DHCP).
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>client-software</literal>: a string
|
|
|
e53b6b |
+ containing the client software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>server-software</literal>: a string
|
|
|
e53b6b |
+ containing the client software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>membership-software</literal>: a string
|
|
|
e53b6b |
+ containing the membership software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @relevance returned can be used to rank results from
|
|
|
e53b6b |
+ different discover calls to different providers. Implementors
|
|
|
e53b6b |
+ should return a positive number if the provider highly
|
|
|
e53b6b |
+ recommends that the realms be handled by this provider,
|
|
|
e53b6b |
+ or a zero if it can possibly handle the realms. Negative numbers
|
|
|
e53b6b |
+ should be returned if no realms are found.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method does not return an error when no realms are
|
|
|
e53b6b |
+ discovered. It simply returns an empty @realm list.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ To see diagnostic information about the discovery process,
|
|
|
e53b6b |
+ connect to the org.freedesktop.realmd.Service::Diagnostics
|
|
|
e53b6b |
+ signal.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.discover-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may
|
|
|
e53b6b |
+ return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the discovery could not be run for some reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to perform a discovery
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Discover">
|
|
|
e53b6b |
+ <arg name="string" type="s" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ <arg name="relevance" type="i" direction="out"/>
|
|
|
e53b6b |
+ <arg name="realm" type="ao" direction="out"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Service:
|
|
|
e53b6b |
+ @short_description: the realmd service
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Global calls for managing the realmd service. Usually you'll want
|
|
|
e53b6b |
+ to use #org.freedesktop.realmd.Provider instead.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This interface is implemented by the realmd service, and is always
|
|
|
e53b6b |
+ available at the object path <literal>/org/freedesktop/realmd</literal>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The service also implements the
|
|
|
e53b6b |
+ <literal>org.freedesktop.DBus.ObjectManager</literal> interface which
|
|
|
e53b6b |
+ makes it easy to retrieve all realmd objects and properties in one go.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Service">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Cancel:
|
|
|
e53b6b |
+ @operation: the operation to cancel
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Cancel a realmd operation. To be able to cancel an operation,
|
|
|
e53b6b |
+ pass a uniquely chosen <literal>operation</literal> string
|
|
|
e53b6b |
+ identifier as an option in the method's <literal>options</literal>
|
|
|
e53b6b |
+ argument.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ These operation string identifiers should be unique per client
|
|
|
e53b6b |
+ calling the realmd service.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ It is not guaranteed that the service can or will cancel the
|
|
|
e53b6b |
+ operation. For example, the operation may have already completed
|
|
|
e53b6b |
+ by the time this method is handled. The caller of the operation
|
|
|
e53b6b |
+ method will receive a
|
|
|
e53b6b |
+ <literal>org.freedesktop.realmd.Error.Cancelled</literal>
|
|
|
e53b6b |
+ if the operation was cancelled.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Cancel">
|
|
|
e53b6b |
+ <arg name="operation" type="s" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SetLocale:
|
|
|
e53b6b |
+ @locale: the locale for the client
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Set the language @locale for the client. This locale is used
|
|
|
e53b6b |
+ for error messages. The locale is used until the next time
|
|
|
e53b6b |
+ this method is called, the client disconnects, or the client
|
|
|
e53b6b |
+ calls #org.freedesktop.realmd.Service.Release().
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="SetLocale">
|
|
|
e53b6b |
+ <arg name="locale" type="s" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Diagnostics:
|
|
|
e53b6b |
+ @data: diagnostic data
|
|
|
e53b6b |
+ @operation: the operation this data resulted from
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This signal is fired when diagnostics result from an operation
|
|
|
e53b6b |
+ in the provider or one of its realms.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ It is not guaranteed that this signal is emitted once per line.
|
|
|
e53b6b |
+ More than one line may be contained in @data, or a partial
|
|
|
e53b6b |
+ line. New line characters are embedded in @data.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This signal is sent explicitly to the client which invoked an
|
|
|
e53b6b |
+ operation method. In order to tell which operation this
|
|
|
e53b6b |
+ diagnostic data results from, pass a unique
|
|
|
e53b6b |
+ <literal>operation</literal> string identifier in the
|
|
|
e53b6b |
+ <literal>options</literal> argument of the operation method.
|
|
|
e53b6b |
+ That same identifier will be passed back via the @operation
|
|
|
e53b6b |
+ argument of this signal.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <signal name="Diagnostics">
|
|
|
e53b6b |
+ <arg name="data" type="s"/>
|
|
|
e53b6b |
+ <arg name="operation" type="s"/>
|
|
|
e53b6b |
+ </signal>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Release:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Normally, realmd waits until all clients have disconnected
|
|
|
e53b6b |
+ before exiting itself sometime later. Long lived clients
|
|
|
e53b6b |
+ can call this method to allow the realmd service to quit.
|
|
|
e53b6b |
+ This is an optimization. The daemon will not exit immediately.
|
|
|
e53b6b |
+ It is safe to call this multiple times.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Release">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Realm:
|
|
|
e53b6b |
+ @short_description: a realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Represents one realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Contains generic information about a realm, and useful properties for
|
|
|
e53b6b |
+ introspecting what kind of realm this is and how to work with
|
|
|
e53b6b |
+ the realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Use #org.freedesktop.realmd.Provider:Realms or
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Provider.Discover() to get access to some
|
|
|
e53b6b |
+ kerberos realm objects.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Realms will always implement additional interfaces, such as
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos. Do not assume that all realms
|
|
|
e53b6b |
+ implement that kerberos interface. Use the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property to see
|
|
|
e53b6b |
+ which interfaces are supported.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Different realms support various ways to configure them on the
|
|
|
e53b6b |
+ system. Use the #org.freedesktop.realmd.Realm:Configured property
|
|
|
e53b6b |
+ to determine if a realm is configured. If it is configured, the
|
|
|
e53b6b |
+ property will be set to the interface of the mechanism that was
|
|
|
e53b6b |
+ used to configure it.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ To configure a realm, look in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property for a
|
|
|
e53b6b |
+ recognized purpose-specific interface that can be used for
|
|
|
e53b6b |
+ configuration, such as the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership interface and its
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.Join() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ To deconfigure a realm from the current system, you can use the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm.Deconfigure() method. In addition, some
|
|
|
e53b6b |
+ of the configuration specific interfaces provide methods to
|
|
|
e53b6b |
+ deconfigure a realm in a specific way, such as the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.Leave() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various properties are guaranteed to have been updated before
|
|
|
e53b6b |
+ the operation methods return, if they change state.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Realm">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Name: the realm name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This is the name of the realm, appropriate for display to
|
|
|
e53b6b |
+ end users where necessary.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Name" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Configured: whether this domain is configured and how
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ If this property is an empty string, then the realm is not
|
|
|
e53b6b |
+ configured. Otherwise the realm is configured, and contains
|
|
|
e53b6b |
+ a string which is the interface that represents how it was
|
|
|
e53b6b |
+ configured, for example #org.freedesktop.realmd.KerberosMembership.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Configured" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Deconfigure: deconfigure this realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Deconfigure this realm from the local machine with standard
|
|
|
e53b6b |
+ default behavior.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The behavior of this method depends on the which configuration
|
|
|
e53b6b |
+ interface is present in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm.Configured property. It does not
|
|
|
e53b6b |
+ always delete membership accounts in the realm, but just
|
|
|
e53b6b |
+ reconfigures the local machine so it no longer is configured
|
|
|
e53b6b |
+ for the given realm. In some cases the implementation may try
|
|
|
e53b6b |
+ to update membership accounts, but this is not guaranteed.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various configuration interfaces may support more specific ways
|
|
|
e53b6b |
+ to deconfigure a realm in a specific way, such as the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.Leave() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the deconfigure failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to deconfigure a
|
|
|
e53b6b |
+ realm.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
|
|
|
e53b6b |
+ returned if this realm is not configured on the machine.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Deconfigure">
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SupportedInterfaces:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Additional supported interfaces of this realm. This includes
|
|
|
e53b6b |
+ interfaces that contain more information about the realm,
|
|
|
e53b6b |
+ such as #org.freedesktop.realmd.Kerberos and interfaces
|
|
|
e53b6b |
+ which contain methods for configuring a realm, such as
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SupportedInterfaces" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Details: informational details about the realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Informational details about the realm. The following values
|
|
|
e53b6b |
+ should be present:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>server-software</literal>:
|
|
|
e53b6b |
+ identifier of the software running on the server (e.g.
|
|
|
e53b6b |
+ <literal>active-directory</literal>).</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>client-software</literal>:
|
|
|
e53b6b |
+ identifier of the software running on the client (e.g.
|
|
|
e53b6b |
+ <literal>sssd</literal>).</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Details" type="a(ss)" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ RequiredPackages: prerequisite software
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Software packages that are required in order for a join to
|
|
|
e53b6b |
+ succeed. These are either simple strings like <literal>sssd</literal>,
|
|
|
e53b6b |
+ or strings with an operator and version number like
|
|
|
e53b6b |
+ <literal>sssd >= 1.9.0</literal>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ These values are specific to the packaging system that is
|
|
|
e53b6b |
+ being run.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="RequiredPackages" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ LoginFormats: supported formats for login names
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Supported formats for login to this realm. This is only
|
|
|
e53b6b |
+ relevant once the realm has been enrolled. The formats
|
|
|
e53b6b |
+ will contain a <literal>%U</literal> in the string, which
|
|
|
e53b6b |
+ indicate where the user name should be placed. The formats
|
|
|
e53b6b |
+ may contain a <literal>%D</literal> in the string which
|
|
|
e53b6b |
+ indicate where a domain name should be placed.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The first format in the list is the preferred format for
|
|
|
e53b6b |
+ login names.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="LoginFormats" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ LoginPolicy: the policy for logins using this realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The policy for logging into this computer using this realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The policy can be changed using the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The following policies are predefined. Not all providers
|
|
|
e53b6b |
+ support all these policies and there may be provider specific
|
|
|
e53b6b |
+ policies or multiple policies represented in the string:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>allow-any-login</literal>: allow
|
|
|
e53b6b |
+ login by any authenticated user present in this
|
|
|
e53b6b |
+ realm.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>allow-realm-logins</literal>: allow
|
|
|
e53b6b |
+ logins according to the realm or domain policy for logins
|
|
|
e53b6b |
+ on this machine. This usually defaults to allowing any realm
|
|
|
e53b6b |
+ user to log in.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>allow-permitted-logins</literal>:
|
|
|
e53b6b |
+ only allow the logins permitted in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:PermittedLogins
|
|
|
e53b6b |
+ property.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>deny-any-login</literal>:
|
|
|
e53b6b |
+ don't allow any logins via authenticated users of this
|
|
|
e53b6b |
+ realm.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="LoginPolicy" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ PermittedLogins: the permitted login names
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The list of permitted authenticated users allowed to login
|
|
|
e53b6b |
+ into this computer. This is only relevant if the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:LoginPolicy property
|
|
|
e53b6b |
+ contains the <literal>allow-permitted-logins</literal>
|
|
|
e53b6b |
+ string.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="PermittedLogins" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ PermittedGroups: the permitted group names
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The list of groups which users need to be in to be allowed
|
|
|
e53b6b |
+ to log into this computer. This is only relevant if the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:LoginPolicy property
|
|
|
e53b6b |
+ contains the <literal>allow-permitted-logins</literal>
|
|
|
e53b6b |
+ string.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="PermittedGroups" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ ChangeLoginPolicy:
|
|
|
e53b6b |
+ @login_policy: the new login policy, or an empty string
|
|
|
e53b6b |
+ @permitted_add: a list of logins to permit
|
|
|
e53b6b |
+ @permitted_remove: a list of logins to not permit
|
|
|
e53b6b |
+ @options: options for this operation
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Change the login policy and/or permitted logins for this realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Not all realms support all the various login policies. An
|
|
|
e53b6b |
+ error will be returned if the new login policy is not supported.
|
|
|
e53b6b |
+ You may specify an empty string for the @login_policy argument
|
|
|
e53b6b |
+ which will cause no change in the policy itself. If the policy
|
|
|
e53b6b |
+ is changed, it will be reflected in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:LoginPolicy property.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @permitted_add and @permitted_remove arguments represent
|
|
|
e53b6b |
+ lists of login names that should be added and removed from
|
|
|
e53b6b |
+ the #org.freedesktop.realmd.Kerberos:PermittedLogins property.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>groups</literal>: boolean which if
|
|
|
e53b6b |
+ set to <literal>TRUE</literal> means that the names in
|
|
|
e53b6b |
+ @permitted_add and @permitted_remove are group names instead
|
|
|
e53b6b |
+ of login names.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.login-policy</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the policy change failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to change login policy
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
|
|
|
e53b6b |
+ returned if the realm is not configured.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="ChangeLoginPolicy">
|
|
|
e53b6b |
+ <arg name="login_policy" type="s" direction="in"/>
|
|
|
e53b6b |
+ <arg name="permitted_add" type="as" direction="in"/>
|
|
|
e53b6b |
+ <arg name="permitted_remove" type="as" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Kerberos:
|
|
|
e53b6b |
+ @short_description: a kerberos realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ An interface that describes a kerberos realm in more detail. This
|
|
|
e53b6b |
+ is always implemented on an DBus object path that also implements
|
|
|
e53b6b |
+ the #org.freedesktop.realmd.Realm interface.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Kerberos">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ RealmName: the kerberos realm name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The kerberos name for this realm. This is usually in upper
|
|
|
e53b6b |
+ case.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="RealmName" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ DomainName: the DNS domain name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The DNS domain name for this realm.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="DomainName" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.KerberosMembership:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ An interface used to configure this machine by joining a realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ It sets up a computer/host account in the realm for this machine
|
|
|
e53b6b |
+ and a keytab to track the credentials for that account.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various properties are guaranteed to have been updated before
|
|
|
e53b6b |
+ the operation methods return, if they change state.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.KerberosMembership">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SuggestedAdministrator: common administrator name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The common administrator name for this type of realm. This
|
|
|
e53b6b |
+ can be used by clients as a hint when prompting the user for
|
|
|
e53b6b |
+ administrative authentication.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SuggestedAdministrator" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SupportedJoinCredentials: credentials supported for joining
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various kinds of credentials that are supported when calling the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos.Join() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Each credential is represented by a type and an owner. The type
|
|
|
e53b6b |
+ denotes which kind of credential is passed to the method. The
|
|
|
e53b6b |
+ owner indicates to the client how to prompt the user or obtain
|
|
|
e53b6b |
+ the credential, and to the service how to use the credential.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various types are:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>ccache</literal>:
|
|
|
e53b6b |
+ the credentials should contain an array of bytes as a
|
|
|
e53b6b |
+ <literal>ay</literal> containing the data from a kerberos
|
|
|
e53b6b |
+ credential cache file.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>password</literal>:
|
|
|
e53b6b |
+ the credentials should contain a pair of strings as a
|
|
|
e53b6b |
+ <literal>(ss)</literal> representing a name and
|
|
|
e53b6b |
+ password. The name may contain a realm in the standard
|
|
|
e53b6b |
+ kerberos format. If a realm is missing, it will default
|
|
|
e53b6b |
+ to this realm. </para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>secret</literal>:
|
|
|
e53b6b |
+ the credentials should contain a string secret as an
|
|
|
e53b6b |
+ <literal>ay</literal> array of bytes. This is usually used
|
|
|
e53b6b |
+ for one time passwords. To pass a string here, encode it
|
|
|
e53b6b |
+ in UTF-8, and place the resulting bytes in the
|
|
|
e53b6b |
+ value.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>automatic</literal>:
|
|
|
e53b6b |
+ the credentials should contain an empty string as a
|
|
|
e53b6b |
+ <literal>s</literal>. Using <literal>automatic</literal>
|
|
|
e53b6b |
+ indicates that default or system credentials are to be
|
|
|
e53b6b |
+ used.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various owners are:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>administrator</literal>:
|
|
|
e53b6b |
+ the credentials belong to a kerberos administrator principal.
|
|
|
e53b6b |
+ The caller may use this as a hint to prompt the user
|
|
|
e53b6b |
+ for administrative credentials.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>user</literal>:
|
|
|
e53b6b |
+ the credentials belong to a kerberos user principal.
|
|
|
e53b6b |
+ The caller may use this as a hint to prompt the user
|
|
|
e53b6b |
+ for his (possibly non-administrative)
|
|
|
e53b6b |
+ credentials.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>computer</literal>:
|
|
|
e53b6b |
+ the credentials belong to a computer account.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>none</literal>:
|
|
|
e53b6b |
+ the credentials have an unspecified owner, such as a one
|
|
|
e53b6b |
+ time password.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SupportedJoinCredentials" type="a(ss)" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SupportedLeaveCredentials: credentials supported for leaving
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various kinds of credentials that are supported when calling the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos.Leave() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for
|
|
|
e53b6b |
+ a discussion of what the values represent.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SupportedLeaveCredentials" type="a(ss)" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Join:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Join this machine to the realm and enroll the machine.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ If this method returns successfully, then the machine will be
|
|
|
e53b6b |
+ joined to the realm. It is not necessary to restart services or the
|
|
|
e53b6b |
+ machine afterward. Relevant properties on the realm will be updated
|
|
|
e53b6b |
+ before the method returns.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @credentials should be set according to one of the
|
|
|
e53b6b |
+ supported credentials returned by
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
|
|
|
e53b6b |
+ The first string in the tuple is the type, the second string
|
|
|
e53b6b |
+ is the owner, and the variant contains the credential contents
|
|
|
e53b6b |
+ See the discussion at
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
|
|
|
e53b6b |
+ for more information.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>automatic-id-mapping</literal>: a boolean
|
|
|
e53b6b |
+ value whether to turn on automatic UID/GID mapping. If not
|
|
|
e53b6b |
+ specified the default will come from realmd.conf
|
|
|
e53b6b |
+ configuration.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>computer-ou</literal>: a string
|
|
|
e53b6b |
+ containing an LDAP DN for an organizational unit where the
|
|
|
e53b6b |
+ computer account should be created</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>user-principal</literal>: a string
|
|
|
e53b6b |
+ containing an kerberos user principal name to be set on the
|
|
|
e53b6b |
+ computer account</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>membership-software</literal>: a string
|
|
|
e53b6b |
+ containing the membership software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>manage-system</literal>: a boolean
|
|
|
e53b6b |
+ which controls whether this machine should be managed by
|
|
|
e53b6b |
+ the realm or domain or not. Defaults to true.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.configure-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the join failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to perform a join
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
|
|
|
e53b6b |
+ returned if the credentials passed did not authenticate against the realm
|
|
|
e53b6b |
+ correctly. It is appropriate to prompt the user again.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>:
|
|
|
e53b6b |
+ returned if already enrolled in this realm, or if already enrolled in another realm
|
|
|
e53b6b |
+ (if enrolling in multiple realms is not supported).</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.BadHostname</literal>:
|
|
|
e53b6b |
+ returned if the machine has a hostname that is not usable for a join
|
|
|
e53b6b |
+ or is in conflict with those in the domain.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Join">
|
|
|
e53b6b |
+ <arg name="credentials" type="(ssv)" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Leave:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Leave the realm and unenroll the machine.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ If this method returns successfully, then the machine will have
|
|
|
e53b6b |
+ left the domain and been unenrolled. It is not necessary to restart
|
|
|
e53b6b |
+ services or the machine afterward. Relevant properties on the realm
|
|
|
e53b6b |
+ will be updated before the method returns.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @credentials should be set according to one of the
|
|
|
e53b6b |
+ supported credentials returned by
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
|
|
|
e53b6b |
+ The first string in the tuple is the type, the second string
|
|
|
e53b6b |
+ is the owner, and the variant contains the credential contents
|
|
|
e53b6b |
+ See the discussion at
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
|
|
|
e53b6b |
+ for more information.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the unenroll failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to perform an unenroll
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
|
|
|
e53b6b |
+ returned if the credentials passed did not authenticate against the realm
|
|
|
e53b6b |
+ correctly. It is appropriate to prompt the user again.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>:
|
|
|
e53b6b |
+ returned if not enrolled in this realm.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Leave">
|
|
|
e53b6b |
+ <arg name="credentials" type="(ssv)" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+</node>
|
|
|
e53b6b |
diff --git a/src/daemon.c b/src/daemon.c
|
|
|
56008d |
index c52bda3..5ce0216 100644
|
|
|
e53b6b |
--- a/src/daemon.c
|
|
|
e53b6b |
+++ b/src/daemon.c
|
|
|
e53b6b |
@@ -20,60 +20,61 @@
|
|
|
e53b6b |
* Written by: Matthias Clasen <mclasen@redhat.com>
|
|
|
e53b6b |
*/
|
|
|
e53b6b |
|
|
|
e53b6b |
#include "config.h"
|
|
|
e53b6b |
|
|
|
e53b6b |
#include <stdlib.h>
|
|
|
e53b6b |
#include <stdio.h>
|
|
|
e53b6b |
#include <sys/types.h>
|
|
|
e53b6b |
#include <sys/stat.h>
|
|
|
e53b6b |
#include <fcntl.h>
|
|
|
e53b6b |
#include <sys/wait.h>
|
|
|
e53b6b |
#include <pwd.h>
|
|
|
e53b6b |
#ifdef HAVE_SHADOW_H
|
|
|
e53b6b |
#include <shadow.h>
|
|
|
e53b6b |
#endif
|
|
|
e53b6b |
#include <unistd.h>
|
|
|
e53b6b |
#include <errno.h>
|
|
|
e53b6b |
#include <sys/types.h>
|
|
|
e53b6b |
|
|
|
e53b6b |
#include <glib.h>
|
|
|
e53b6b |
#include <glib/gi18n.h>
|
|
|
e53b6b |
#include <glib-object.h>
|
|
|
e53b6b |
#include <glib/gstdio.h>
|
|
|
e53b6b |
#include <gio/gio.h>
|
|
|
e53b6b |
#include <polkit/polkit.h>
|
|
|
e53b6b |
|
|
|
e53b6b |
#include "user-classify.h"
|
|
|
e53b6b |
#include "wtmp-helper.h"
|
|
|
e53b6b |
#include "daemon.h"
|
|
|
e53b6b |
#include "util.h"
|
|
|
e53b6b |
+#include "realmd-generated.h"
|
|
|
e53b6b |
|
|
|
e53b6b |
#define PATH_PASSWD "/etc/passwd"
|
|
|
e53b6b |
#define PATH_SHADOW "/etc/shadow"
|
|
|
e53b6b |
#define PATH_GROUP "/etc/group"
|
|
|
e53b6b |
|
|
|
e53b6b |
enum {
|
|
|
e53b6b |
PROP_0,
|
|
|
e53b6b |
PROP_DAEMON_VERSION
|
|
|
e53b6b |
};
|
|
|
e53b6b |
|
|
|
56008d |
typedef struct {
|
|
|
e53b6b |
GDBusConnection *bus_connection;
|
|
|
e53b6b |
|
|
|
e53b6b |
GHashTable *users;
|
|
|
e53b6b |
gsize number_of_normal_users;
|
|
|
e53b6b |
GList *explicitly_requested_users;
|
|
|
e53b6b |
|
|
|
e53b6b |
User *autologin;
|
|
|
e53b6b |
|
|
|
e53b6b |
GFileMonitor *passwd_monitor;
|
|
|
e53b6b |
GFileMonitor *shadow_monitor;
|
|
|
e53b6b |
GFileMonitor *group_monitor;
|
|
|
e53b6b |
GFileMonitor *gdm_monitor;
|
|
|
e53b6b |
GFileMonitor *wtmp_monitor;
|
|
|
e53b6b |
|
|
|
56008d |
GQueue *pending_list_cached_users;
|
|
|
56008d |
|
|
|
e53b6b |
guint reload_id;
|
|
|
e53b6b |
guint autologin_id;
|
|
|
e53b6b |
|
|
|
56008d |
@@ -425,110 +426,167 @@ load_entries (Daemon *daemon,
|
|
|
e53b6b |
} else {
|
|
|
e53b6b |
g_object_ref (user);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
/* freeze & update users not already in the new list */
|
|
|
e53b6b |
g_object_freeze_notify (G_OBJECT (user));
|
|
|
e53b6b |
user_update_from_pwent (user, pwent, spent);
|
|
|
e53b6b |
|
|
|
e53b6b |
g_hash_table_insert (users, g_strdup (user_get_user_name (user)), user);
|
|
|
e53b6b |
g_debug ("loaded user: %s", user_get_user_name (user));
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
if (!explicitly_requested) {
|
|
|
e53b6b |
user_set_cached (user, TRUE);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Generator should have cleaned up */
|
|
|
e53b6b |
g_assert (generator_state == NULL);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
static GHashTable *
|
|
|
e53b6b |
create_users_hash_table (void)
|
|
|
e53b6b |
{
|
|
|
e53b6b |
return g_hash_table_new_full (g_str_hash,
|
|
|
e53b6b |
g_str_equal,
|
|
|
e53b6b |
g_free,
|
|
|
e53b6b |
g_object_unref);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
+static gboolean
|
|
|
e53b6b |
+ensure_bus_connection (Daemon *daemon)
|
|
|
e53b6b |
+{
|
|
|
56008d |
+ DaemonPrivate *priv = daemon_get_instance_private (daemon);
|
|
|
e53b6b |
+ g_autoptr (GError) error = NULL;
|
|
|
e53b6b |
+
|
|
|
56008d |
+ if (priv->bus_connection != NULL)
|
|
|
e53b6b |
+ return TRUE;
|
|
|
e53b6b |
+
|
|
|
56008d |
+ priv->bus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
|
|
|
56008d |
+ if (priv->bus_connection == NULL) {
|
|
|
e53b6b |
+ if (error != NULL)
|
|
|
e53b6b |
+ g_critical ("error getting system bus: %s", error->message);
|
|
|
e53b6b |
+ return FALSE;
|
|
|
e53b6b |
+ }
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ return TRUE;
|
|
|
e53b6b |
+}
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+static gboolean
|
|
|
e53b6b |
+has_network_realms (Daemon *daemon)
|
|
|
e53b6b |
+{
|
|
|
56008d |
+ DaemonPrivate *priv = daemon_get_instance_private (daemon);
|
|
|
e53b6b |
+ g_autoptr (AccountsRealmdProvider) realmd_provider = NULL;
|
|
|
e53b6b |
+ g_autoptr (GError) error = NULL;
|
|
|
e53b6b |
+ const char *const *realms = NULL;
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ if (!ensure_bus_connection (daemon)) {
|
|
|
e53b6b |
+ return FALSE;
|
|
|
e53b6b |
+ }
|
|
|
e53b6b |
+
|
|
|
56008d |
+ realmd_provider = accounts_realmd_provider_proxy_new_sync (priv->bus_connection,
|
|
|
e53b6b |
+ G_DBUS_PROXY_FLAGS_NONE,
|
|
|
e53b6b |
+ "org.freedesktop.realmd",
|
|
|
e53b6b |
+ "/org/freedesktop/realmd",
|
|
|
e53b6b |
+ NULL,
|
|
|
e53b6b |
+ &error);
|
|
|
e53b6b |
+ if (realmd_provider == NULL) {
|
|
|
e53b6b |
+ g_debug ("failed to contact realmd: %s", error->message);
|
|
|
e53b6b |
+ return FALSE;
|
|
|
e53b6b |
+ }
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ realms = accounts_realmd_provider_get_realms (realmd_provider);
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ if (!realms) {
|
|
|
e53b6b |
+ g_debug("realmd provider 'Realms' property is unset");
|
|
|
e53b6b |
+ return FALSE;
|
|
|
e53b6b |
+ }
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ return realms[0] != NULL;
|
|
|
e53b6b |
+}
|
|
|
e53b6b |
+
|
|
|
e53b6b |
static void
|
|
|
e53b6b |
reload_users (Daemon *daemon)
|
|
|
e53b6b |
{
|
|
|
56008d |
DaemonPrivate *priv = daemon_get_instance_private (daemon);
|
|
|
e53b6b |
AccountsAccounts *accounts = ACCOUNTS_ACCOUNTS (daemon);
|
|
|
e53b6b |
gboolean had_no_users, has_no_users, had_multiple_users, has_multiple_users;
|
|
|
e53b6b |
GHashTable *users;
|
|
|
e53b6b |
GHashTable *old_users;
|
|
|
e53b6b |
GHashTable *local;
|
|
|
e53b6b |
GHashTableIter iter;
|
|
|
e53b6b |
gsize number_of_normal_users = 0;
|
|
|
e53b6b |
gpointer name, value;
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Track the users that we saw during our (re)load */
|
|
|
e53b6b |
users = create_users_hash_table ();
|
|
|
e53b6b |
|
|
|
e53b6b |
/*
|
|
|
e53b6b |
* NOTE: As we load data from all the sources, notifies are
|
|
|
e53b6b |
* frozen in load_entries() and then thawed as we process
|
|
|
e53b6b |
* them below.
|
|
|
e53b6b |
*/
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Load the local users into our hash table */
|
|
|
e53b6b |
load_entries (daemon, users, FALSE, entry_generator_fgetpwent);
|
|
|
e53b6b |
local = g_hash_table_new (g_str_hash, g_str_equal);
|
|
|
e53b6b |
g_hash_table_iter_init (&iter, users);
|
|
|
e53b6b |
while (g_hash_table_iter_next (&iter, &name, NULL))
|
|
|
e53b6b |
g_hash_table_add (local, name);
|
|
|
e53b6b |
|
|
|
e53b6b |
/* and add users to hash table that were explicitly requested */
|
|
|
e53b6b |
load_entries (daemon, users, TRUE, entry_generator_requested_users);
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Now add/update users from other sources, possibly non-local */
|
|
|
e53b6b |
load_entries (daemon, users, FALSE, entry_generator_cachedir);
|
|
|
e53b6b |
|
|
|
e53b6b |
wtmp_helper_update_login_frequencies (users);
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Count the non-system users. Mark which users are local, which are not. */
|
|
|
e53b6b |
g_hash_table_iter_init (&iter, users);
|
|
|
e53b6b |
while (g_hash_table_iter_next (&iter, &name, &value)) {
|
|
|
e53b6b |
User *user = value;
|
|
|
e53b6b |
if (!user_get_system_account (user))
|
|
|
e53b6b |
number_of_normal_users++;
|
|
|
e53b6b |
user_update_local_account_property (user, g_hash_table_lookup (local, name) != NULL);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
g_hash_table_destroy (local);
|
|
|
e53b6b |
|
|
|
e53b6b |
had_no_users = accounts_accounts_get_has_no_users (accounts);
|
|
|
e53b6b |
has_no_users = number_of_normal_users == 0;
|
|
|
e53b6b |
|
|
|
e53b6b |
+ if (has_no_users && has_network_realms (daemon)) {
|
|
|
e53b6b |
+ g_debug ("No local users, but network realms detected, presuming there are remote users");
|
|
|
e53b6b |
+ has_no_users = FALSE;
|
|
|
e53b6b |
+ }
|
|
|
e53b6b |
+
|
|
|
e53b6b |
if (had_no_users != has_no_users)
|
|
|
e53b6b |
accounts_accounts_set_has_no_users (accounts, has_no_users);
|
|
|
e53b6b |
|
|
|
e53b6b |
had_multiple_users = accounts_accounts_get_has_multiple_users (accounts);
|
|
|
e53b6b |
has_multiple_users = number_of_normal_users > 1;
|
|
|
e53b6b |
|
|
|
e53b6b |
if (had_multiple_users != has_multiple_users)
|
|
|
e53b6b |
accounts_accounts_set_has_multiple_users (accounts, has_multiple_users);
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Swap out the users */
|
|
|
56008d |
old_users = priv->users;
|
|
|
56008d |
priv->users = users;
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Remove all the old users */
|
|
|
e53b6b |
g_hash_table_iter_init (&iter, old_users);
|
|
|
e53b6b |
while (g_hash_table_iter_next (&iter, &name, &value)) {
|
|
|
e53b6b |
User *user = value;
|
|
|
e53b6b |
User *refreshed_user;
|
|
|
e53b6b |
|
|
|
e53b6b |
refreshed_user = g_hash_table_lookup (users, name);
|
|
|
e53b6b |
|
|
|
e53b6b |
if (!refreshed_user || (user_get_cached (user) && !user_get_cached (refreshed_user))) {
|
|
|
e53b6b |
accounts_accounts_emit_user_deleted (ACCOUNTS_ACCOUNTS (daemon),
|
|
|
e53b6b |
user_get_object_path (user));
|
|
|
e53b6b |
user_unregister (user);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
/* Register all the new users */
|
|
|
e53b6b |
g_hash_table_iter_init (&iter, users);
|
|
|
56008d |
@@ -766,64 +824,61 @@ daemon_finalize (GObject *object)
|
|
|
56008d |
priv = daemon_get_instance_private (daemon);
|
|
|
e53b6b |
|
|
|
56008d |
if (priv->bus_connection != NULL)
|
|
|
56008d |
g_object_unref (priv->bus_connection);
|
|
|
e53b6b |
|
|
|
56008d |
g_queue_free_full (priv->pending_list_cached_users,
|
|
|
56008d |
(GDestroyNotify) list_user_data_free);
|
|
|
e53b6b |
|
|
|
56008d |
g_list_free_full (priv->explicitly_requested_users, g_free);
|
|
|
e53b6b |
|
|
|
56008d |
g_hash_table_destroy (priv->users);
|
|
|
e53b6b |
|
|
|
56008d |
g_hash_table_unref (priv->extension_ifaces);
|
|
|
e53b6b |
|
|
|
e53b6b |
G_OBJECT_CLASS (daemon_parent_class)->finalize (object);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
static gboolean
|
|
|
e53b6b |
register_accounts_daemon (Daemon *daemon)
|
|
|
e53b6b |
{
|
|
|
56008d |
DaemonPrivate *priv = daemon_get_instance_private (daemon);
|
|
|
e53b6b |
g_autoptr(GError) error = NULL;
|
|
|
e53b6b |
|
|
|
56008d |
priv->authority = polkit_authority_get_sync (NULL, &error);
|
|
|
56008d |
if (priv->authority == NULL) {
|
|
|
e53b6b |
if (error != NULL)
|
|
|
e53b6b |
g_critical ("error getting polkit authority: %s", error->message);
|
|
|
e53b6b |
return FALSE;
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
56008d |
- priv->bus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
|
|
|
56008d |
- if (priv->bus_connection == NULL) {
|
|
|
e53b6b |
- if (error != NULL)
|
|
|
e53b6b |
- g_critical ("error getting system bus: %s", error->message);
|
|
|
e53b6b |
+ if (!ensure_bus_connection (daemon)) {
|
|
|
e53b6b |
return FALSE;
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
if (!g_dbus_interface_skeleton_export (G_DBUS_INTERFACE_SKELETON (daemon),
|
|
|
56008d |
priv->bus_connection,
|
|
|
e53b6b |
"/org/freedesktop/Accounts",
|
|
|
e53b6b |
&error)) {
|
|
|
e53b6b |
if (error != NULL)
|
|
|
e53b6b |
g_critical ("error exporting interface: %s", error->message);
|
|
|
e53b6b |
return FALSE;
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
return TRUE;
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
Daemon *
|
|
|
e53b6b |
daemon_new (void)
|
|
|
e53b6b |
{
|
|
|
e53b6b |
g_autoptr(Daemon) daemon = NULL;
|
|
|
e53b6b |
|
|
|
e53b6b |
daemon = DAEMON (g_object_new (TYPE_DAEMON, NULL));
|
|
|
e53b6b |
|
|
|
e53b6b |
if (!register_accounts_daemon (DAEMON (daemon))) {
|
|
|
e53b6b |
return NULL;
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
return g_steal_pointer (&daemon);
|
|
|
e53b6b |
}
|
|
|
e53b6b |
|
|
|
e53b6b |
static void
|
|
|
56008d |
diff --git a/src/meson.build b/src/meson.build
|
|
|
56008d |
index 20d5276..3970749 100644
|
|
|
56008d |
--- a/src/meson.build
|
|
|
56008d |
+++ b/src/meson.build
|
|
|
56008d |
@@ -1,37 +1,38 @@
|
|
|
56008d |
sources = []
|
|
|
56008d |
|
|
|
56008d |
gdbus_headers = []
|
|
|
56008d |
|
|
|
56008d |
ifaces = [
|
|
|
56008d |
['accounts-generated', 'org.freedesktop.', 'Accounts'],
|
|
|
56008d |
['accounts-user-generated', act_namespace + '.', 'User'],
|
|
|
56008d |
+ ['realmd-generated', 'org.freedesktop.', 'realmd'],
|
|
|
56008d |
]
|
|
|
56008d |
|
|
|
56008d |
foreach iface: ifaces
|
|
|
56008d |
gdbus_sources = gnome.gdbus_codegen(
|
|
|
56008d |
iface[0],
|
|
|
56008d |
join_paths(data_dir, iface[1] + iface[2] + '.xml'),
|
|
|
56008d |
interface_prefix: iface[1],
|
|
|
56008d |
namespace: 'Accounts',
|
|
|
56008d |
)
|
|
|
56008d |
sources += gdbus_sources
|
|
|
56008d |
gdbus_headers += gdbus_sources[1]
|
|
|
56008d |
endforeach
|
|
|
56008d |
|
|
|
56008d |
deps = [
|
|
|
56008d |
gio_dep,
|
|
|
56008d |
gio_unix_dep,
|
|
|
56008d |
]
|
|
|
56008d |
|
|
|
56008d |
cflags = [
|
|
|
56008d |
'-DLOCALSTATEDIR="@0@"'.format(act_localstatedir),
|
|
|
56008d |
'-DDATADIR="@0@"'.format(act_datadir),
|
|
|
56008d |
'-DICONDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'icons')),
|
|
|
56008d |
'-DUSERDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'users')),
|
|
|
56008d |
]
|
|
|
56008d |
|
|
|
56008d |
libaccounts_generated = static_library(
|
|
|
56008d |
'accounts-generated',
|
|
|
56008d |
sources: sources,
|
|
|
56008d |
include_directories: top_inc,
|
|
|
56008d |
dependencies: deps,
|
|
|
e53b6b |
diff --git a/src/org.freedesktop.realmd.xml b/src/org.freedesktop.realmd.xml
|
|
|
e53b6b |
new file mode 100644
|
|
|
e53b6b |
index 0000000..c34a47a
|
|
|
e53b6b |
--- /dev/null
|
|
|
e53b6b |
+++ b/src/org.freedesktop.realmd.xml
|
|
|
e53b6b |
@@ -0,0 +1,730 @@
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
|
|
|
e53b6b |
+<node name="/">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Provider:
|
|
|
e53b6b |
+ @short_description: a realm provider
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various realm providers represent different software implementations
|
|
|
e53b6b |
+ that provide access to realms or domains.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This interface is implemented by individual providers, but is
|
|
|
e53b6b |
+ aggregated globally at the system bus name
|
|
|
e53b6b |
+ <literal>org.freedesktop.realmd</literal>
|
|
|
e53b6b |
+ with the object path <literal>/org/freedesktop/realmd</literal>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Provider">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Name: the name of the provider
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The name of the provider. This is not normally displayed
|
|
|
e53b6b |
+ to the user, but may be useful for diagnostics or debugging.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Name" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Version: the version of the provider
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The version of the provider. This is not normally used in
|
|
|
e53b6b |
+ logic, but may be useful for diagnostics or debugging.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Version" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Realms: a list of realms
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ A list of known, enrolled or discovered realms. All realms
|
|
|
e53b6b |
+ that this provider knows about are listed here. As realms
|
|
|
e53b6b |
+ are discovered they are added to this list.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Each realm is represented by the DBus object path of the
|
|
|
e53b6b |
+ realm object.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Realms" type="ao" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Discover:
|
|
|
e53b6b |
+ @string: an input string to discover realms for
|
|
|
e53b6b |
+ @options: options for the discovery operation
|
|
|
e53b6b |
+ @relevance: the relevance of the returned results
|
|
|
e53b6b |
+ @realm: a list of realms discovered
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Discover realms for the given string. The input @string is
|
|
|
e53b6b |
+ usually a domain or realm name, perhaps typed by a user. If
|
|
|
e53b6b |
+ an empty string is provided, the realm provider should try to
|
|
|
e53b6b |
+ discover a default realm, if possible (e.g. from DHCP).
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>client-software</literal>: a string
|
|
|
e53b6b |
+ containing the client software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>server-software</literal>: a string
|
|
|
e53b6b |
+ containing the client software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>membership-software</literal>: a string
|
|
|
e53b6b |
+ containing the membership software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @relevance returned can be used to rank results from
|
|
|
e53b6b |
+ different discover calls to different providers. Implementors
|
|
|
e53b6b |
+ should return a positive number if the provider highly
|
|
|
e53b6b |
+ recommends that the realms be handled by this provider,
|
|
|
e53b6b |
+ or a zero if it can possibly handle the realms. Negative numbers
|
|
|
e53b6b |
+ should be returned if no realms are found.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method does not return an error when no realms are
|
|
|
e53b6b |
+ discovered. It simply returns an empty @realm list.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ To see diagnostic information about the discovery process,
|
|
|
e53b6b |
+ connect to the org.freedesktop.realmd.Service::Diagnostics
|
|
|
e53b6b |
+ signal.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.discover-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may
|
|
|
e53b6b |
+ return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the discovery could not be run for some reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to perform a discovery
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Discover">
|
|
|
e53b6b |
+ <arg name="string" type="s" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ <arg name="relevance" type="i" direction="out"/>
|
|
|
e53b6b |
+ <arg name="realm" type="ao" direction="out"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Service:
|
|
|
e53b6b |
+ @short_description: the realmd service
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Global calls for managing the realmd service. Usually you'll want
|
|
|
e53b6b |
+ to use #org.freedesktop.realmd.Provider instead.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This interface is implemented by the realmd service, and is always
|
|
|
e53b6b |
+ available at the object path <literal>/org/freedesktop/realmd</literal>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The service also implements the
|
|
|
e53b6b |
+ <literal>org.freedesktop.DBus.ObjectManager</literal> interface which
|
|
|
e53b6b |
+ makes it easy to retrieve all realmd objects and properties in one go.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Service">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Cancel:
|
|
|
e53b6b |
+ @operation: the operation to cancel
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Cancel a realmd operation. To be able to cancel an operation,
|
|
|
e53b6b |
+ pass a uniquely chosen <literal>operation</literal> string
|
|
|
e53b6b |
+ identifier as an option in the method's <literal>options</literal>
|
|
|
e53b6b |
+ argument.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ These operation string identifiers should be unique per client
|
|
|
e53b6b |
+ calling the realmd service.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ It is not guaranteed that the service can or will cancel the
|
|
|
e53b6b |
+ operation. For example, the operation may have already completed
|
|
|
e53b6b |
+ by the time this method is handled. The caller of the operation
|
|
|
e53b6b |
+ method will receive a
|
|
|
e53b6b |
+ <literal>org.freedesktop.realmd.Error.Cancelled</literal>
|
|
|
e53b6b |
+ if the operation was cancelled.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Cancel">
|
|
|
e53b6b |
+ <arg name="operation" type="s" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SetLocale:
|
|
|
e53b6b |
+ @locale: the locale for the client
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Set the language @locale for the client. This locale is used
|
|
|
e53b6b |
+ for error messages. The locale is used until the next time
|
|
|
e53b6b |
+ this method is called, the client disconnects, or the client
|
|
|
e53b6b |
+ calls #org.freedesktop.realmd.Service.Release().
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="SetLocale">
|
|
|
e53b6b |
+ <arg name="locale" type="s" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Diagnostics:
|
|
|
e53b6b |
+ @data: diagnostic data
|
|
|
e53b6b |
+ @operation: the operation this data resulted from
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This signal is fired when diagnostics result from an operation
|
|
|
e53b6b |
+ in the provider or one of its realms.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ It is not guaranteed that this signal is emitted once per line.
|
|
|
e53b6b |
+ More than one line may be contained in @data, or a partial
|
|
|
e53b6b |
+ line. New line characters are embedded in @data.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This signal is sent explicitly to the client which invoked an
|
|
|
e53b6b |
+ operation method. In order to tell which operation this
|
|
|
e53b6b |
+ diagnostic data results from, pass a unique
|
|
|
e53b6b |
+ <literal>operation</literal> string identifier in the
|
|
|
e53b6b |
+ <literal>options</literal> argument of the operation method.
|
|
|
e53b6b |
+ That same identifier will be passed back via the @operation
|
|
|
e53b6b |
+ argument of this signal.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <signal name="Diagnostics">
|
|
|
e53b6b |
+ <arg name="data" type="s"/>
|
|
|
e53b6b |
+ <arg name="operation" type="s"/>
|
|
|
e53b6b |
+ </signal>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Release:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Normally, realmd waits until all clients have disconnected
|
|
|
e53b6b |
+ before exiting itself sometime later. Long lived clients
|
|
|
e53b6b |
+ can call this method to allow the realmd service to quit.
|
|
|
e53b6b |
+ This is an optimization. The daemon will not exit immediately.
|
|
|
e53b6b |
+ It is safe to call this multiple times.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Release">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Realm:
|
|
|
e53b6b |
+ @short_description: a realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Represents one realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Contains generic information about a realm, and useful properties for
|
|
|
e53b6b |
+ introspecting what kind of realm this is and how to work with
|
|
|
e53b6b |
+ the realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Use #org.freedesktop.realmd.Provider:Realms or
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Provider.Discover() to get access to some
|
|
|
e53b6b |
+ kerberos realm objects.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Realms will always implement additional interfaces, such as
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos. Do not assume that all realms
|
|
|
e53b6b |
+ implement that kerberos interface. Use the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property to see
|
|
|
e53b6b |
+ which interfaces are supported.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Different realms support various ways to configure them on the
|
|
|
e53b6b |
+ system. Use the #org.freedesktop.realmd.Realm:Configured property
|
|
|
e53b6b |
+ to determine if a realm is configured. If it is configured, the
|
|
|
e53b6b |
+ property will be set to the interface of the mechanism that was
|
|
|
e53b6b |
+ used to configure it.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ To configure a realm, look in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property for a
|
|
|
e53b6b |
+ recognized purpose-specific interface that can be used for
|
|
|
e53b6b |
+ configuration, such as the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership interface and its
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.Join() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ To deconfigure a realm from the current system, you can use the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm.Deconfigure() method. In addition, some
|
|
|
e53b6b |
+ of the configuration specific interfaces provide methods to
|
|
|
e53b6b |
+ deconfigure a realm in a specific way, such as the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.Leave() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various properties are guaranteed to have been updated before
|
|
|
e53b6b |
+ the operation methods return, if they change state.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Realm">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Name: the realm name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This is the name of the realm, appropriate for display to
|
|
|
e53b6b |
+ end users where necessary.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Name" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Configured: whether this domain is configured and how
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ If this property is an empty string, then the realm is not
|
|
|
e53b6b |
+ configured. Otherwise the realm is configured, and contains
|
|
|
e53b6b |
+ a string which is the interface that represents how it was
|
|
|
e53b6b |
+ configured, for example #org.freedesktop.realmd.KerberosMembership.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Configured" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Deconfigure: deconfigure this realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Deconfigure this realm from the local machine with standard
|
|
|
e53b6b |
+ default behavior.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The behavior of this method depends on the which configuration
|
|
|
e53b6b |
+ interface is present in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm.Configured property. It does not
|
|
|
e53b6b |
+ always delete membership accounts in the realm, but just
|
|
|
e53b6b |
+ reconfigures the local machine so it no longer is configured
|
|
|
e53b6b |
+ for the given realm. In some cases the implementation may try
|
|
|
e53b6b |
+ to update membership accounts, but this is not guaranteed.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various configuration interfaces may support more specific ways
|
|
|
e53b6b |
+ to deconfigure a realm in a specific way, such as the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.Leave() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the deconfigure failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to deconfigure a
|
|
|
e53b6b |
+ realm.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
|
|
|
e53b6b |
+ returned if this realm is not configured on the machine.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Deconfigure">
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SupportedInterfaces:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Additional supported interfaces of this realm. This includes
|
|
|
e53b6b |
+ interfaces that contain more information about the realm,
|
|
|
e53b6b |
+ such as #org.freedesktop.realmd.Kerberos and interfaces
|
|
|
e53b6b |
+ which contain methods for configuring a realm, such as
|
|
|
e53b6b |
+ #org.freedesktop.realmd.KerberosMembership.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SupportedInterfaces" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Details: informational details about the realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Informational details about the realm. The following values
|
|
|
e53b6b |
+ should be present:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>server-software</literal>:
|
|
|
e53b6b |
+ identifier of the software running on the server (e.g.
|
|
|
e53b6b |
+ <literal>active-directory</literal>).</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>client-software</literal>:
|
|
|
e53b6b |
+ identifier of the software running on the client (e.g.
|
|
|
e53b6b |
+ <literal>sssd</literal>).</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="Details" type="a(ss)" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ RequiredPackages: prerequisite software
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Software packages that are required in order for a join to
|
|
|
e53b6b |
+ succeed. These are either simple strings like <literal>sssd</literal>,
|
|
|
e53b6b |
+ or strings with an operator and version number like
|
|
|
e53b6b |
+ <literal>sssd >= 1.9.0</literal>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ These values are specific to the packaging system that is
|
|
|
e53b6b |
+ being run.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="RequiredPackages" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ LoginFormats: supported formats for login names
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Supported formats for login to this realm. This is only
|
|
|
e53b6b |
+ relevant once the realm has been enrolled. The formats
|
|
|
e53b6b |
+ will contain a <literal>%U</literal> in the string, which
|
|
|
e53b6b |
+ indicate where the user name should be placed. The formats
|
|
|
e53b6b |
+ may contain a <literal>%D</literal> in the string which
|
|
|
e53b6b |
+ indicate where a domain name should be placed.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The first format in the list is the preferred format for
|
|
|
e53b6b |
+ login names.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="LoginFormats" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ LoginPolicy: the policy for logins using this realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The policy for logging into this computer using this realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The policy can be changed using the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The following policies are predefined. Not all providers
|
|
|
e53b6b |
+ support all these policies and there may be provider specific
|
|
|
e53b6b |
+ policies or multiple policies represented in the string:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>allow-any-login</literal>: allow
|
|
|
e53b6b |
+ login by any authenticated user present in this
|
|
|
e53b6b |
+ realm.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>allow-realm-logins</literal>: allow
|
|
|
e53b6b |
+ logins according to the realm or domain policy for logins
|
|
|
e53b6b |
+ on this machine. This usually defaults to allowing any realm
|
|
|
e53b6b |
+ user to log in.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>allow-permitted-logins</literal>:
|
|
|
e53b6b |
+ only allow the logins permitted in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:PermittedLogins
|
|
|
e53b6b |
+ property.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>deny-any-login</literal>:
|
|
|
e53b6b |
+ don't allow any logins via authenticated users of this
|
|
|
e53b6b |
+ realm.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="LoginPolicy" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ PermittedLogins: the permitted login names
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The list of permitted authenticated users allowed to login
|
|
|
e53b6b |
+ into this computer. This is only relevant if the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:LoginPolicy property
|
|
|
e53b6b |
+ contains the <literal>allow-permitted-logins</literal>
|
|
|
e53b6b |
+ string.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="PermittedLogins" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ PermittedGroups: the permitted group names
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The list of groups which users need to be in to be allowed
|
|
|
e53b6b |
+ to log into this computer. This is only relevant if the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:LoginPolicy property
|
|
|
e53b6b |
+ contains the <literal>allow-permitted-logins</literal>
|
|
|
e53b6b |
+ string.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="PermittedGroups" type="as" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ ChangeLoginPolicy:
|
|
|
e53b6b |
+ @login_policy: the new login policy, or an empty string
|
|
|
e53b6b |
+ @permitted_add: a list of logins to permit
|
|
|
e53b6b |
+ @permitted_remove: a list of logins to not permit
|
|
|
e53b6b |
+ @options: options for this operation
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Change the login policy and/or permitted logins for this realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Not all realms support all the various login policies. An
|
|
|
e53b6b |
+ error will be returned if the new login policy is not supported.
|
|
|
e53b6b |
+ You may specify an empty string for the @login_policy argument
|
|
|
e53b6b |
+ which will cause no change in the policy itself. If the policy
|
|
|
e53b6b |
+ is changed, it will be reflected in the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Realm:LoginPolicy property.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @permitted_add and @permitted_remove arguments represent
|
|
|
e53b6b |
+ lists of login names that should be added and removed from
|
|
|
e53b6b |
+ the #org.freedesktop.realmd.Kerberos:PermittedLogins property.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>groups</literal>: boolean which if
|
|
|
e53b6b |
+ set to <literal>TRUE</literal> means that the names in
|
|
|
e53b6b |
+ @permitted_add and @permitted_remove are group names instead
|
|
|
e53b6b |
+ of login names.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.login-policy</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the policy change failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to change login policy
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
|
|
|
e53b6b |
+ returned if the realm is not configured.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="ChangeLoginPolicy">
|
|
|
e53b6b |
+ <arg name="login_policy" type="s" direction="in"/>
|
|
|
e53b6b |
+ <arg name="permitted_add" type="as" direction="in"/>
|
|
|
e53b6b |
+ <arg name="permitted_remove" type="as" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.Kerberos:
|
|
|
e53b6b |
+ @short_description: a kerberos realm
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ An interface that describes a kerberos realm in more detail. This
|
|
|
e53b6b |
+ is always implemented on an DBus object path that also implements
|
|
|
e53b6b |
+ the #org.freedesktop.realmd.Realm interface.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.Kerberos">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ RealmName: the kerberos realm name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The kerberos name for this realm. This is usually in upper
|
|
|
e53b6b |
+ case.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="RealmName" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ DomainName: the DNS domain name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The DNS domain name for this realm.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="DomainName" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ org.freedesktop.realmd.KerberosMembership:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ An interface used to configure this machine by joining a realm.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ It sets up a computer/host account in the realm for this machine
|
|
|
e53b6b |
+ and a keytab to track the credentials for that account.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various properties are guaranteed to have been updated before
|
|
|
e53b6b |
+ the operation methods return, if they change state.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <interface name="org.freedesktop.realmd.KerberosMembership">
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SuggestedAdministrator: common administrator name
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The common administrator name for this type of realm. This
|
|
|
e53b6b |
+ can be used by clients as a hint when prompting the user for
|
|
|
e53b6b |
+ administrative authentication.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SuggestedAdministrator" type="s" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SupportedJoinCredentials: credentials supported for joining
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various kinds of credentials that are supported when calling the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos.Join() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Each credential is represented by a type and an owner. The type
|
|
|
e53b6b |
+ denotes which kind of credential is passed to the method. The
|
|
|
e53b6b |
+ owner indicates to the client how to prompt the user or obtain
|
|
|
e53b6b |
+ the credential, and to the service how to use the credential.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various types are:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>ccache</literal>:
|
|
|
e53b6b |
+ the credentials should contain an array of bytes as a
|
|
|
e53b6b |
+ <literal>ay</literal> containing the data from a kerberos
|
|
|
e53b6b |
+ credential cache file.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>password</literal>:
|
|
|
e53b6b |
+ the credentials should contain a pair of strings as a
|
|
|
e53b6b |
+ <literal>(ss)</literal> representing a name and
|
|
|
e53b6b |
+ password. The name may contain a realm in the standard
|
|
|
e53b6b |
+ kerberos format. If a realm is missing, it will default
|
|
|
e53b6b |
+ to this realm. </para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>secret</literal>:
|
|
|
e53b6b |
+ the credentials should contain a string secret as an
|
|
|
e53b6b |
+ <literal>ay</literal> array of bytes. This is usually used
|
|
|
e53b6b |
+ for one time passwords. To pass a string here, encode it
|
|
|
e53b6b |
+ in UTF-8, and place the resulting bytes in the
|
|
|
e53b6b |
+ value.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>automatic</literal>:
|
|
|
e53b6b |
+ the credentials should contain an empty string as a
|
|
|
e53b6b |
+ <literal>s</literal>. Using <literal>automatic</literal>
|
|
|
e53b6b |
+ indicates that default or system credentials are to be
|
|
|
e53b6b |
+ used.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The various owners are:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>administrator</literal>:
|
|
|
e53b6b |
+ the credentials belong to a kerberos administrator principal.
|
|
|
e53b6b |
+ The caller may use this as a hint to prompt the user
|
|
|
e53b6b |
+ for administrative credentials.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>user</literal>:
|
|
|
e53b6b |
+ the credentials belong to a kerberos user principal.
|
|
|
e53b6b |
+ The caller may use this as a hint to prompt the user
|
|
|
e53b6b |
+ for his (possibly non-administrative)
|
|
|
e53b6b |
+ credentials.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>computer</literal>:
|
|
|
e53b6b |
+ the credentials belong to a computer account.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>none</literal>:
|
|
|
e53b6b |
+ the credentials have an unspecified owner, such as a one
|
|
|
e53b6b |
+ time password.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SupportedJoinCredentials" type="a(ss)" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ SupportedLeaveCredentials: credentials supported for leaving
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Various kinds of credentials that are supported when calling the
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos.Leave() method.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for
|
|
|
e53b6b |
+ a discussion of what the values represent.
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <property name="SupportedLeaveCredentials" type="a(ss)" access="read"/>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Join:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Join this machine to the realm and enroll the machine.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ If this method returns successfully, then the machine will be
|
|
|
e53b6b |
+ joined to the realm. It is not necessary to restart services or the
|
|
|
e53b6b |
+ machine afterward. Relevant properties on the realm will be updated
|
|
|
e53b6b |
+ before the method returns.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @credentials should be set according to one of the
|
|
|
e53b6b |
+ supported credentials returned by
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
|
|
|
e53b6b |
+ The first string in the tuple is the type, the second string
|
|
|
e53b6b |
+ is the owner, and the variant contains the credential contents
|
|
|
e53b6b |
+ See the discussion at
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
|
|
|
e53b6b |
+ for more information.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>automatic-id-mapping</literal>: a boolean
|
|
|
e53b6b |
+ value whether to turn on automatic UID/GID mapping. If not
|
|
|
e53b6b |
+ specified the default will come from realmd.conf
|
|
|
e53b6b |
+ configuration.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>computer-ou</literal>: a string
|
|
|
e53b6b |
+ containing an LDAP DN for an organizational unit where the
|
|
|
e53b6b |
+ computer account should be created</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>user-principal</literal>: a string
|
|
|
e53b6b |
+ containing an kerberos user principal name to be set on the
|
|
|
e53b6b |
+ computer account</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>membership-software</literal>: a string
|
|
|
e53b6b |
+ containing the membership software identifier that the returned
|
|
|
e53b6b |
+ realms should match.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>manage-system</literal>: a boolean
|
|
|
e53b6b |
+ which controls whether this machine should be managed by
|
|
|
e53b6b |
+ the realm or domain or not. Defaults to true.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.configure-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the join failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to perform a join
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
|
|
|
e53b6b |
+ returned if the credentials passed did not authenticate against the realm
|
|
|
e53b6b |
+ correctly. It is appropriate to prompt the user again.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>:
|
|
|
e53b6b |
+ returned if already enrolled in this realm, or if already enrolled in another realm
|
|
|
e53b6b |
+ (if enrolling in multiple realms is not supported).</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.BadHostname</literal>:
|
|
|
e53b6b |
+ returned if the machine has a hostname that is not usable for a join
|
|
|
e53b6b |
+ or is in conflict with those in the domain.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Join">
|
|
|
e53b6b |
+ <arg name="credentials" type="(ssv)" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Leave:
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ Leave the realm and unenroll the machine.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ If this method returns successfully, then the machine will have
|
|
|
e53b6b |
+ left the domain and been unenrolled. It is not necessary to restart
|
|
|
e53b6b |
+ services or the machine afterward. Relevant properties on the realm
|
|
|
e53b6b |
+ will be updated before the method returns.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ The @credentials should be set according to one of the
|
|
|
e53b6b |
+ supported credentials returned by
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
|
|
|
e53b6b |
+ The first string in the tuple is the type, the second string
|
|
|
e53b6b |
+ is the owner, and the variant contains the credential contents
|
|
|
e53b6b |
+ See the discussion at
|
|
|
e53b6b |
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
|
|
|
e53b6b |
+ for more information.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ @options can contain, but is not limited to, the following values:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>operation</literal>: a string
|
|
|
e53b6b |
+ identifier chosen by the client, which can then later be
|
|
|
e53b6b |
+ passed to org.freedesktop.realmd.Service.Cancel() in order
|
|
|
e53b6b |
+ to cancel the operation</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ This method requires authorization for the PolicyKit action
|
|
|
e53b6b |
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ In addition to common DBus error results, this method may return:
|
|
|
e53b6b |
+ <itemizedlist>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
|
|
|
e53b6b |
+ may be returned if the unenroll failed for a generic reason.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
|
|
|
e53b6b |
+ returned if the operation was cancelled.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
|
|
|
e53b6b |
+ returned if the calling client is not permitted to perform an unenroll
|
|
|
e53b6b |
+ operation.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
|
|
|
e53b6b |
+ returned if the credentials passed did not authenticate against the realm
|
|
|
e53b6b |
+ correctly. It is appropriate to prompt the user again.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>:
|
|
|
e53b6b |
+ returned if not enrolled in this realm.</para></listitem>
|
|
|
e53b6b |
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
|
|
|
e53b6b |
+ returned if the service is currently performing another operation like
|
|
|
e53b6b |
+ join or leave.</para></listitem>
|
|
|
e53b6b |
+ </itemizedlist>
|
|
|
e53b6b |
+ -->
|
|
|
e53b6b |
+ <method name="Leave">
|
|
|
e53b6b |
+ <arg name="credentials" type="(ssv)" direction="in"/>
|
|
|
e53b6b |
+ <arg name="options" type="a{sv}" direction="in"/>
|
|
|
e53b6b |
+ </method>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+ </interface>
|
|
|
e53b6b |
+
|
|
|
e53b6b |
+</node>
|
|
|
e53b6b |
--
|
|
|
56008d |
2.27.0
|
|
|
e53b6b |
|