From 3d166f3d6eda9134f860770ea5f22a768c20c875 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 17 2020 18:34:30 +0000
Subject: import realmd-0.16.3-19.el8
---
diff --git a/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch b/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
new file mode 100644
index 0000000..6f3cd34
--- /dev/null
+++ b/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
@@ -0,0 +1,166 @@
+From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 12 Aug 2020 12:58:27 +0200
+Subject: [PATCH] service: use 'additional dns hostnames' with net ads join
+
+With newer versions of Samba the net ads join does not add services
+principals with the configured host name anymore but added the new
+option 'additional dns hostnames' for this.
+
+realmd will try to figure out a fully-qualified host name and use it
+with the new option if it is from a different domain.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912
+---
+ service/realm-disco.c | 1 +
+ service/realm-disco.h | 1 +
+ service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++-
+ service/realm-samba.c | 6 ++++
+ 4 files changed, 64 insertions(+), 1 deletion(-)
+
+diff --git a/service/realm-disco.c b/service/realm-disco.c
+index ab06939..a12be50 100644
+--- a/service/realm-disco.c
++++ b/service/realm-disco.c
+@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data)
+ g_free (disco->explicit_netbios);
+ g_free (disco->kerberos_realm);
+ g_free (disco->workgroup);
++ g_free (disco->dns_fqdn);
+ if (disco->server_address)
+ g_object_unref (disco->server_address);
+ g_free (disco);
+diff --git a/service/realm-disco.h b/service/realm-disco.h
+index 5f3e5e9..35532d2 100644
+--- a/service/realm-disco.h
++++ b/service/realm-disco.h
+@@ -30,6 +30,7 @@ typedef struct {
+ gchar *explicit_server;
+ gchar *explicit_netbios;
+ GSocketAddress *server_address;
++ gchar *dns_fqdn;
+ } RealmDisco;
+
+ #define REALM_TYPE_DISCO (realm_disco_get_type ())
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index 3f86c51..5624a08 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -33,6 +33,9 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
+
+ typedef struct {
+ GDBusMethodInvocation *invocation;
+@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm)
+ return g_utf8_strup (realm, pos - realm);
+ }
+
++static char *
++try_to_get_fqdn (void)
++{
++ char hostname[HOST_NAME_MAX + 1];
++ gchar *fqdn = NULL;
++ int ret;
++ struct addrinfo *res;
++ struct addrinfo hints;
++
++ ret = gethostname (hostname, sizeof (hostname));
++ if (ret < 0) {
++ return NULL;
++ }
++
++ if (strchr (hostname, '.') == NULL) {
++ memset (&hints, 0, sizeof (struct addrinfo));
++ hints.ai_socktype = SOCK_DGRAM;
++ hints.ai_flags = AI_CANONNAME;
++
++ ret = getaddrinfo (hostname, NULL, &hints, &res);
++ if (ret != 0) {
++ return NULL;
++ }
++
++ /* Only use a fully-qualified name */
++ if (strchr (res->ai_canonname, '.') != NULL) {
++ fqdn = g_strdup (res->ai_canonname);
++ }
++
++ freeaddrinfo (res);
++
++ } else {
++ fqdn = g_strdup (hostname);
++ }
++
++ return fqdn;
++}
++
+ static JoinClosure *
+ join_closure_init (GTask *task,
+ RealmDisco *disco,
+@@ -95,5 +136,7 @@ join_closure_init (GTask *task,
+ const gchar *explicit_computer_name = NULL;
+ const gchar *authid = NULL;
++ gchar *fqdn = NULL;
++ gchar *fqdn_dom = NULL;
+
+ join = g_new0 (JoinClosure, 1);
+ join->disco = realm_disco_ref (disco);
+@@ -124,7 +167,7 @@ join_closure_init (GTask *task,
+ "netbios name", authid,
+ NULL);
+
+- /*
++ /*
+ * Samba complains if we don't set a 'workgroup' setting for the realm we're
+ * going to join. If we didn't yet manage to lookup the workgroup, then go ahead
+ * and assume that the first domain component is the workgroup name.
+@@ -144,6 +187,18 @@ join_closure_init (GTask *task,
+ g_free (workgroup);
+ }
+
++ /* Add the fully-qualified DNS hostname as additional name if it is from
++ * a different domain.  */
++ fqdn = try_to_get_fqdn ();
++ if (fqdn != NULL && join->disco->domain_name != NULL
++ && (fqdn_dom = strchr (fqdn, '.')) != NULL
++ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) {
++ disco->dns_fqdn = g_strdup (fqdn);
++ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
++ "additional dns hostnames", disco->dns_fqdn, NULL);
++ }
++ g_free (fqdn);
++
+ /* Write out the config file for use by various net commands */
+ join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL);
+ temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR);
+diff --git a/service/realm-samba.c b/service/realm-samba.c
+index 4940b38..fe33600 100644
+--- a/service/realm-samba.c
++++ b/service/realm-samba.c
+@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source,
+ NULL);
+ }
+
++ if (error == NULL && enroll->disco->dns_fqdn != NULL) {
++ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
++ "additional dns hostnames", enroll->disco->dns_fqdn,
++ NULL);
++ }
+
+ if (error == NULL) {
+ name = realm_kerberos_get_name (REALM_KERBEROS (self));
+@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self,
+ if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
+ "workgroup", NULL,
+ "realm", NULL,
++ "additional dns hostnames", NULL,
+ "security", "user",
+ NULL)) {
+ g_task_return_error (task, error);
+-- 
+2.26.2
+
diff --git a/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch b/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
new file mode 100644
index 0000000..27a881c
--- /dev/null
+++ b/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
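Review bot: `try_to_get_fqdn` passes `res->ai_canonname` straight to `strchr` without a NULL check; POSIX only promises a canonical name in the first `addrinfo` when `AI_CANONNAME` is set and some resolvers leave the field NULL, so the guard should read `if (res->ai_canonname != NULL && strchr (res->ai_canonname, '.') != NULL) {`. `gethostname` is likewise not guaranteed to NUL-terminate a truncated result, so `hostname[sizeof (hostname) - 1] = '\0';` belongs before the first `strchr (hostname, '.')`. The resulting name comes from the resolver, is written verbatim into the generated smb.conf as `additional dns hostnames` and, per the commit message, ends up as a service principal on the joined account, so a comment such as `/* canonical name is resolver-supplied; only trusted as far as DNS is */` plus a cheap syntactic hostname check before `realm_ini_config_set` would make that trust boundary explicit. In `join_closure_init` (whose body starts and ends outside this hunk) `disco->dns_fqdn = g_strdup (fqdn);` overwrites any earlier value without freeing it, which leaks if the closure is initialised more than once for the same `RealmDisco`.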
@@ -0,0 +1,32 @@
+From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 11 Aug 2020 11:18:17 +0200
+Subject: [PATCH] service: use net ads join with -k for user join as well
+
+The NTLM authentication used by 'net ads join' does only support crypto
+algorithms which e.g. are not allowed by FIPS. It would be better to
+tell 'net ads join' to try Kerberos first before falling back to NTLM by
+adding the '-k' option.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
+---
+ service/realm-samba-enroll.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index f5edca3..3f86c51 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -372,7 +372,8 @@ begin_join (GTask *task,
+ } else if (join->user_name) {
+ begin_net_process (join, join->password_input,
+ on_join_do_keytab, g_object_ref (task),
+- "-U", join->user_name, "ads", "join", join->disco->domain_name,
++ "-U", join->user_name,
++ "-k", "ads", "join", join->disco->domain_name,
+ join->join_args[0], join->join_args[1],
+ join->join_args[2], join->join_args[3],
+ join->join_args[4], NULL);
+-- 
+2.26.2
+
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
index b1c6cf7..86db8b5 100644
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@@ -1,6 +1,6 @@
 Name: realmd
 Version: 0.16.3
-Release: 18%{?dist}
+Release: 19%{?dist}
 Summary: Kerberos realm enrollment service
 License: LGPLv2+
 URL: http://cgit.freedesktop.org/realmd/realmd/
@@ -40,6 +40,13 @@ Patch20: 0001-doc-extend-description-of-config-handling.patch # rhbz#1801195 Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch +# rhbz#1859503 - Realm join fails with error 'Failed to join domain: failed to +# lookup DC info ...' +Patch22: 0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch + +# rhbz#1867912 - realm command to use option like dnshostname=fqdn +Patch23: 0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch + BuildRequires: gcc BuildRequires: automake BuildRequires: autoconf @@ -107,6 +114,13 @@ make install DESTDIR=%{buildroot} %doc ChangeLog %changelog +* Thu Aug 13 2020 Sumit Bose - 0.16.3-19 +- Realm join fails with error 'Failed to join domain: failed to lookup + DC info ...' + Resolves: rhbz#1859503 +- realm command to use option like dnshostname=fqdn + Resolves: rhbz#1867912 + * Fri Feb 21 2020 Sumit Bose - 0.16.3-18 - Fix kerberos method Resolves: rhbz#1801195