From deab74fbf5d87fa165a6c0dcf5a52d03bcd6225f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 23 2020 22:58:02 +0000
Subject: import realmd-0.16.3-18.el8
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..540b6ba
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/realmd-0.16.3.tar.gz
diff --git a/.realmd.metadata b/.realmd.metadata
new file mode 100644
index 0000000..c1809f4
--- /dev/null
+++ b/.realmd.metadata
@@ -0,0 +1 @@
+0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz
diff --git a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
new file mode 100644
index 0000000..6daf79b
--- /dev/null
+++ b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
@@ -0,0 +1,113 @@ +From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 14 Aug 2018 16:44:39 +0200 +Subject: [PATCH] Change qualified names default for IPA + +In a FreeIPA domain it is typically expected that the IPA accounts use +sort names while accounts from trusted domains have fully qualified +names. This is automatically done by SSSD's IPA provider so there is no +need to force fully qualified names in the SSSD configuration. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162 +--- + service/realm-options.c | 9 +++++---- + service/realm-options.h | 3 ++- + service/realm-samba-winbind.c | 2 +- + service/realm-sssd-ad.c | 2 +- + service/realm-sssd-ipa.c | 2 +- + 5 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/service/realm-options.c b/service/realm-options.c +index bd804ea..34a209f 100644 +--- a/service/realm-options.c ++++ b/service/realm-options.c +@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options, + + if (realm_name && !option) { + section = g_utf8_casefold (realm_name, -1); +- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE); ++ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE); + g_free (section); + } + +@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name) + gboolean mapping; + + section = g_utf8_casefold (realm_name, -1); +- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE); ++ mapping = realm_settings_boolean (section, "automatic-join", FALSE); + g_free (section); + + return mapping; + } + + gboolean +-realm_options_qualify_names (const gchar *realm_name) ++realm_options_qualify_names (const gchar *realm_name, ++ gboolean def) + { + gchar *section; + gboolean qualify; + + section = g_utf8_casefold (realm_name, -1); +- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE); ++ qualify = realm_settings_boolean 
(section, "fully-qualified-names", def); + g_free (section); + + return qualify; +diff --git a/service/realm-options.h b/service/realm-options.h +index 7a1355e..b71d219 100644 +--- a/service/realm-options.h ++++ b/service/realm-options.h +@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options, + gboolean realm_options_automatic_mapping (GVariant *options, + const gchar *realm_name); + +-gboolean realm_options_qualify_names (const gchar *realm_name); ++gboolean realm_options_qualify_names (const gchar *realm_name, ++ gboolean def); + + gboolean realm_options_check_domain_name (const gchar *domain_name); + +diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c +index 9335e26..61988eb 100644 +--- a/service/realm-samba-winbind.c ++++ b/service/realm-samba-winbind.c +@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + "winbind enum groups", "no", + "winbind offline logon", "yes", + "winbind refresh tickets", "yes", +- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes", ++ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? 
"no" : "yes", + "template shell", realm_settings_string ("users", "default-shell"), + NULL); + +diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c +index 8543ca8..de7ce30 100644 +--- a/service/realm-sssd-ad.c ++++ b/service/realm-sssd-ad.c +@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config, + gchar *home; + + home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home")); +- qualify = realm_options_qualify_names (disco->domain_name); ++ qualify = realm_options_qualify_names (disco->domain_name, TRUE); + shell = realm_settings_string ("users", "default-shell"); + explicit_computer_name = realm_options_computer_name (options, disco->domain_name); + realmd_tags = g_string_new (""); +diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c +index ff1dc8a..5029f6b 100644 +--- a/service/realm-sssd-ipa.c ++++ b/service/realm-sssd-ipa.c +@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source, + + realm_sssd_config_update_domain (config, domain, &error, + "cache_credentials", "True", +- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False", ++ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False", + "krb5_store_password_if_offline", "True", + "default_shell", shell, + "fallback_homedir", home, +-- +2.17.1 + diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch new file mode 100644 index 0000000..69f6aa3 --- /dev/null +++ b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch 
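Review bot: The new `def` parameter of realm_options_qualify_names is not documented at its prototype in service/realm-options.h, and none of the five files in the diffstat touches the user-facing description of `fully-qualified-names`, whose effective default now depends on the backend (TRUE for winbind and sssd-ad, FALSE for sssd-ipa). A comment above the prototype such as `/* def: value used when realmd.conf has no fully-qualified-names entry for this realm */` would make the contract explicit. If the realmd.conf manual states a single default for this option, it should be updated in the same change, because administrators who write access rules with qualified names for IPA realms would otherwise see login names change without notice.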
@@ -0,0 +1,150 @@ +From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 31 May 2018 16:16:08 +0200 +Subject: [PATCH] Find NetBIOS name in keytab while leaving + +If realmd is used with Samba as membership software, i.e. Samba's net +utility, the NetBIOS name must be known when leaving a domain. The most +reliable way to find it is by searching the keytab for NAME$@REALM type +entries and use the NAME as the NetBIOS name. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457 +--- + service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++ + service/realm-kerberos.h | 2 ++ + service/realm-samba-enroll.c | 13 ++++++--- + 3 files changed, 76 insertions(+), 3 deletions(-) + +diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c +index 54d1ed7..d6d109f 100644 +--- a/service/realm-kerberos.c ++++ b/service/realm-kerberos.c +@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name, + return ret; + + } ++ ++gchar * ++realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name) ++{ ++ krb5_error_code code; ++ krb5_keytab keytab = NULL; ++ krb5_context ctx; ++ krb5_kt_cursor cursor = NULL; ++ krb5_keytab_entry entry; ++ krb5_principal realm_princ = NULL; ++ gchar *princ_name = NULL; ++ gchar *netbios_name = NULL; ++ krb5_data *name_data; ++ ++ code = krb5_init_context (&ctx); ++ if (code != 0) { ++ return NULL; ++ } ++ ++ princ_name = g_strdup_printf ("user@%s", realm_name); ++ code = krb5_parse_name (ctx, princ_name, &realm_princ); ++ g_free (princ_name); ++ ++ if (code == 0) { ++ code = krb5_kt_default (ctx, &keytab); ++ } ++ ++ if (code == 0) { ++ code = krb5_kt_start_seq_get (ctx, keytab, &cursor); ++ } ++ ++ if (code == 0) { ++ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) { ++ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) { ++ name_data = krb5_princ_component (ctx, entry.principal, 0); ++ if (name_data != 
NULL ++ && name_data->length > 0 ++ && name_data->data[name_data->length - 1] == '$') { ++ netbios_name = g_strndup (name_data->data, name_data->length - 1); ++ if (netbios_name == NULL) { ++ code = krb5_kt_free_entry (ctx, &entry); ++ warn_if_krb5_failed (ctx, code); ++ break; ++ } ++ } ++ } ++ code = krb5_kt_free_entry (ctx, &entry); ++ warn_if_krb5_failed (ctx, code); ++ } ++ } ++ ++ code = krb5_kt_end_seq_get (ctx, keytab, &cursor); ++ warn_if_krb5_failed (ctx, code); ++ ++ code = krb5_kt_close (ctx, keytab); ++ warn_if_krb5_failed (ctx, code); ++ ++ krb5_free_principal (ctx, realm_princ); ++ ++ krb5_free_context (ctx); ++ ++ return netbios_name; ++ ++} +diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h +index 0447e4d..58cfe07 100644 +--- a/service/realm-kerberos.h ++++ b/service/realm-kerberos.h +@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self, + gboolean realm_kerberos_flush_keytab (const gchar *realm_name, + GError **error); + ++gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name); ++ + const gchar * realm_kerberos_get_name (RealmKerberos *self); + + const gchar * realm_kerberos_get_realm_name (RealmKerberos *self); +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index 76e7b79..03f56d0 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -85,7 +85,8 @@ static JoinClosure * + join_closure_init (GTask *task, + RealmDisco *disco, + GVariant *options, +- GDBusMethodInvocation *invocation) ++ GDBusMethodInvocation *invocation, ++ gboolean do_join) + { + JoinClosure *join; + gchar *workgroup; +@@ -106,6 +107,12 @@ join_closure_init (GTask *task, + else if (disco->explicit_netbios) + authid = disco->explicit_netbios; + ++ /* try to get the NetBIOS name from the keytab as last option while ++ * leaving the domain */ ++ if (authid == NULL && !do_join) { ++ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm); ++ } ++ + 
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE); + realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, + "security", "ads", +@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco, + g_return_if_fail (cred != NULL); + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, options, invocation); ++ join = join_closure_init (task, disco, options, invocation, TRUE); + explicit_computer_name = realm_options_computer_name (options, disco->domain_name); + if (explicit_computer_name != NULL) { + realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", +@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, + JoinClosure *join; + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, options, invocation); ++ join = join_closure_init (task, disco, options, invocation, FALSE); + + switch (cred->type) { + case REALM_CREDENTIAL_PASSWORD: +-- +2.14.4 + diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch new file mode 100644 index 0000000..ee9e081 --- /dev/null +++ b/SOURCES/0001-Fix-issues-found-by-Coverity.patch 
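Review bot: The cleanup at the end of realm_kerberos_get_netbios_name_from_keytab runs unconditionally, so when krb5_parse_name, krb5_kt_default or krb5_kt_start_seq_get fails, krb5_kt_end_seq_get and krb5_kt_close are still called with a NULL keytab or a cursor that was never started, which is likely to crash the realmd service on a host without a usable keytab. The loop condition also calls krb5_kt_next_entry before testing `netbios_name == NULL`, so after a match one more entry is fetched and never released with krb5_kt_free_entry. Release only what was acquired and test netbios_name first, as sketched below. Separately, join_closure_init stores the allocated result in authid, which otherwise holds borrowed strings (its declaration is outside the hunk), so the returned string appears to leak.

```c
	if (code == 0) {
		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
		if (code == 0) {
			/* test netbios_name first so no entry is fetched after a match */
			while (netbios_name == NULL
			       && !krb5_kt_next_entry (ctx, keytab, &entry, &cursor)) {
				/* … unchanged: realm compare, NAME$ extraction, krb5_kt_free_entry … */
			}

			code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
			warn_if_krb5_failed (ctx, code);
		}
	}

	if (keytab != NULL) {
		code = krb5_kt_close (ctx, keytab);
		warn_if_krb5_failed (ctx, code);
	}

	/* … unchanged: free realm_princ and ctx, return netbios_name … */
```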
@@ -0,0 +1,42 @@
+From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 14 Aug 2018 14:09:48 +0200
+Subject: [PATCH] Fix issues found by Coverity
+
+---
+ service/realm-kerberos.c | 5 ++++-
+ service/realm-packages.c | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index d6d109f..252e256 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
+ if (name == NULL)
+ break;
+ value = va_arg (va, const gchar *);
+- g_return_if_fail (value != NULL);
++ if (value == NULL) {
++ va_end (va);
++ g_return_if_reached ();
++ }
+
+ values[0] = g_variant_new_string (name);
+ values[1] = g_variant_new_string (value);
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 9a6984c..5976439 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
+ g_ptr_array_add (packages, NULL);
+ *result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
+ } else {
+- g_ptr_array_free (files, TRUE);
++ g_ptr_array_free (packages, TRUE);
+ }
+
+ if (result_files) {
+--
+2.17.1
+
diff --git a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
new file mode 100644
index 0000000..fe46620
--- /dev/null
+++ b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
@@ -0,0 +1,24 @@
+From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 27 Jul 2016 19:06:29 +0200
+Subject: [PATCH] Fix man page reference in systemd service file
+
+---
+ dbus/realmd.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
+index b3bcf7a..64c1090 100644
+--- a/dbus/realmd.service.in
++++ b/dbus/realmd.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=Realm and Domain Configuration
+-Documentation=man:realmd(8)
++Documentation=man:realm(8)
+
+ [Service]
+ Type=dbus
+--
+2.7.4
+
diff --git a/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch b/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
new file mode 100644
index 0000000..5484209
--- /dev/null
+++ b/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
@@ -0,0 +1,62 @@
+From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 27 Sep 2018 13:04:47 +0200
+Subject: [PATCH] IPA: do not call sssd-enable-logins
+
+It is expected that ipa-client-install will do all PAM and NSS
+configuration. To avoid changing IPA default realmd will not try to
+update the related configuration.
+---
+ service/realm-sssd-ipa.c | 24 +-----------------------
+ 1 file changed, 1 insertion(+), 23 deletions(-)
+
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index 5029f6b..70f8b0e 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
+ g_free (enroll);
+ }
+
+-static void
+-on_enable_nss_done (GObject *source,
+- GAsyncResult *result,
+- gpointer user_data)
+-{
+- GTask *task = G_TASK (user_data);
+- GError *error = NULL;
+- gint status;
+-
+- status = realm_command_run_finish (result, NULL, &error);
+- if (error == NULL && status != 0)
+- g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
+- _("Enabling SSSD in nsswitch.conf and PAM failed."));
+- if (error != NULL)
+- g_task_return_error (task, error);
+- else
+- g_task_return_boolean (task, TRUE);
+- g_object_unref (task);
+-}
+-
+ static void
+ on_restart_done (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+ {
+ GTask *task = G_TASK (user_data);
+- EnrollClosure *enroll = g_task_get_task_data (task);
+ RealmSssd *sssd = g_task_get_source_object (task);
+ GError *error = NULL;
+
+ realm_service_enable_and_restart_finish (result, &error);
+ if (error == NULL) {
+ realm_sssd_update_properties (sssd);
+- realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
+- on_enable_nss_done, g_object_ref (task));
++ g_task_return_boolean (task, TRUE);
+ } else {
+ g_task_return_error (task, error);
+ }
+--
+2.17.1
+
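Review bot: on_restart_done now completes the task directly after realm_sssd_update_properties, and nothing in the code says why the PAM/NSS step is absent, so the reason is recorded only in the commit message. A comment above `g_task_return_boolean (task, TRUE);` such as `/* PAM and NSS are set up by ipa-client-install; realmd must not run sssd-enable-logins here */` would keep the call from being re-added later. It is also worth confirming that the IPA leave path does not still run a corresponding disable step, which would undo configuration realmd no longer owns; that path is not visible in this hunk. The end of on_restart_done lies outside the hunk.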
diff --git a/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch b/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
new file mode 100644
index 0000000..a61b602
--- /dev/null
+++ b/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
@@ -0,0 +1,112 @@ +From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 5 Dec 2016 18:25:44 +0100 +Subject: [PATCH] Kerberos: fall back to tcp SRV lookup + +--- + service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++-------- + 1 file changed, 39 insertions(+), 9 deletions(-) + +diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c +index 2b3a0f8..1477ae8 100644 +--- a/service/realm-kerberos-provider.c ++++ b/service/realm-kerberos-provider.c +@@ -19,6 +19,7 @@ + #include "realm-kerberos-provider.h" + + #include ++#include + + struct _RealmKerberosProvider { + RealmProvider parent; +@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self) + + } + ++typedef struct { ++ gchar *name; ++ const char *prot; ++} NameProtPair; ++ ++static void ++name_prot_pair_free (gpointer data) ++{ ++ NameProtPair *name_prot_pair = data; ++ g_free (name_prot_pair->name); ++ g_free (name_prot_pair); ++} ++ + static void + on_kerberos_discover (GObject *source, + GAsyncResult *result, + gpointer user_data) + { + GTask *task = G_TASK (user_data); +- const gchar *domain = g_task_get_task_data (task); ++ NameProtPair *name_prot_pair = g_task_get_task_data (task); + GError *error = NULL; + RealmDisco *disco; + GList *targets; ++ GResolver *resolver; + + targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error); + if (targets) { + g_list_free_full (targets, (GDestroyNotify)g_srv_target_free); +- disco = realm_disco_new (domain); +- disco->kerberos_realm = g_ascii_strup (domain, -1); ++ disco = realm_disco_new (name_prot_pair->name); ++ disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1); + g_task_return_pointer (task, disco, realm_disco_unref); + + } else if (error) { +- g_debug ("Resolving %s failed: %s", domain, error->message); ++ g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message); + g_error_free (error); +- 
g_task_return_pointer (task, NULL, NULL); ++ ++ if (strcmp (name_prot_pair->prot, "tcp") == 0) { ++ g_task_return_pointer (task, NULL, NULL); ++ } else { ++ /* Try tcp */ ++ name_prot_pair->prot = "tcp"; ++ resolver = g_resolver_get_default (); ++ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot, ++ name_prot_pair->name, ++ g_task_get_cancellable (task), ++ on_kerberos_discover, g_object_ref (task)); ++ g_object_unref (resolver); ++ } + } + + g_object_unref (task); +@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider, + GTask *task; + const gchar *software; + GResolver *resolver; +- gchar *name; ++ NameProtPair *name_prot_pair; + + task = g_task_new (provider, NULL, callback, user_data); + +@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider, + g_task_return_pointer (task, NULL, NULL); + + } else { +- name = g_hostname_to_ascii (string); ++ name_prot_pair = g_new0 (NameProtPair, 1); ++ name_prot_pair->name = g_hostname_to_ascii (string); ++ name_prot_pair->prot = "udp"; + resolver = g_resolver_get_default (); +- g_resolver_lookup_service_async (resolver, "kerberos", "udp", name, ++ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot, ++ name_prot_pair->name, + realm_invocation_get_cancellable (invocation), + on_kerberos_discover, g_object_ref (task)); +- g_task_set_task_data (task, name, g_free); ++ g_task_set_task_data (task, name_prot_pair, name_prot_pair_free); + g_object_unref (resolver); + } + +-- +2.9.3 + diff --git a/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch b/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch new file mode 100644 index 0000000..09e9ccf --- /dev/null +++ b/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch 
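Review bot: The TCP retry in on_kerberos_discover passes `g_task_get_cancellable (task)`, but the task is created with `g_task_new (provider, NULL, callback, user_data)`, so that call returns NULL and the second lookup cannot be cancelled, unlike the first one, which uses `realm_invocation_get_cancellable (invocation)`. The retry is also taken for every error, including a cancelled UDP lookup, because the error is freed before its code is inspected. Keeping a reference to the invocation's cancellable in NameProtPair and skipping the retry on G_IO_ERROR_CANCELLED, as sketched below, closes both gaps. The case where the lookup returns no targets and no error still never completes the task, as before this patch.

```c
typedef struct {
	gchar *name;
	const char *prot;
	GCancellable *cancellable;	/* reference held for the retry, may be NULL */
} NameProtPair;

/* in name_prot_pair_free */
	g_clear_object (&name_prot_pair->cancellable);

/* in on_kerberos_discover, error branch */
	} else if (error) {
		gboolean cancelled = g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED);
		/* … unchanged: g_debug and g_error_free … */

		if (cancelled || strcmp (name_prot_pair->prot, "tcp") == 0) {
			g_task_return_pointer (task, NULL, NULL);
		} else {
			/* … unchanged: switch prot to "tcp", get the default resolver … */
			g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
			                                 name_prot_pair->name,
			                                 name_prot_pair->cancellable,
			                                 on_kerberos_discover, g_object_ref (task));
			/* … unchanged: g_object_unref (resolver) … */
		}

/* in realm_kerberos_provider_discover_async, after filling name and prot */
		name_prot_pair->cancellable = realm_invocation_get_cancellable (invocation);
		if (name_prot_pair->cancellable != NULL)
			g_object_ref (name_prot_pair->cancellable);
```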
@@ -0,0 +1,41 @@
+From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 25 Nov 2016 17:35:11 +0100
+Subject: [PATCH] LDAP: don't close LDAP socket twice
+
+ldap_destroy() will call close() on the LDAP socket so with an explicit
+close() before the file descriptor will be closed twice. Even worse,
+since the file descriptor can be reused after the explicit call of
+close() by any other thread the close() called from ldap_destroy() might
+close a file descriptor used by a different thread as seen e.g. in
+https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
+
+Additionally the patch makes sure that the closed connection cannot be
+used again.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1398522
+---
+ service/realm-ldap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
+index 061ed61..59817fb 100644
+--- a/service/realm-ldap.c
++++ b/service/realm-ldap.c
+@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
+ {
+ LdapSource *ls = (LdapSource *)source;
+
+- /* Yeah, this is pretty rough, but we don't want blocking here */
+- close (ls->sock);
+ ldap_destroy (ls->ldap);
+
++ ls->sock = -1;
++ ls->ldap = NULL;
++
+ if (ls->cancellable) {
+ g_cancellable_release_fd (ls->cancellable);
+ g_object_unref (ls->cancellable);
+--
+2.9.3
+
diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
new file mode 100644
index 0000000..ea34960
--- /dev/null
+++ b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
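Review bot: ldap_source_finalize no longer says who owns the socket: the removed comment went away with the close() call, and the two resets after ldap_destroy are unexplained. Because the double close described in the commit message can hit a descriptor already reused by another thread, a comment above `ldap_destroy (ls->ldap);` such as `/* ldap_destroy() closes the socket; do not close ls->sock here, the fd may already be reused */` would keep the explicit close from coming back. The function continues past the end of the hunk.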
@@ -0,0 +1,185 @@ +From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 30 May 2018 13:10:57 +0200 +Subject: [PATCH] Use current idmap options for smb.conf + +Samba change some time ago the way how to configure id-mapping. With +this patch realmd will use the current supported options when creating +smb.conf. + +A new option --legacy-samba-config is added to use the old options if +realmd is used with Samba 3.5 or earlier. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072 +--- + dbus/realm-dbus-constants.h | 1 + + doc/manual/realmd.conf.xml | 17 ++++++++++++ + service/realm-samba-enroll.c | 2 +- + service/realm-samba-enroll.h | 3 +++ + service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++--------- + 5 files changed, 72 insertions(+), 14 deletions(-) + +diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h +index 9cd30ef..40ffa2d 100644 +--- a/dbus/realm-dbus-constants.h ++++ b/dbus/realm-dbus-constants.h +@@ -69,6 +69,7 @@ G_BEGIN_DECLS + #define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name" + #define REALM_DBUS_OPTION_OS_NAME "os-name" + #define REALM_DBUS_OPTION_OS_VERSION "os-version" ++#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config" + + #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" + #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index 7853230..a2b577c 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -192,6 +192,23 @@ automatic-install = no + + + ++ ++ ++ ++ Set this to yes to create a Samba ++ configuration file with id-mapping options used by Samba-3.5 ++ and earlier version. 
++ ++ ++ ++[service] ++legacy-samba-config = no ++# legacy-samba-config = yes ++ ++ ++ ++ ++ + + + +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index c81aed2..76e7b79 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -69,7 +69,7 @@ join_closure_free (gpointer data) + g_free (join); + } + +-static gchar * ++gchar * + fallback_workgroup (const gchar *realm) + { + const gchar *pos; +diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h +index 84e8b2f..310ec65 100644 +--- a/service/realm-samba-enroll.h ++++ b/service/realm-samba-enroll.h +@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco, + gboolean realm_samba_enroll_leave_finish (GAsyncResult *result, + GError **error); + ++gchar * ++fallback_workgroup (const gchar *realm); ++ + G_END_DECLS + + #endif /* __REALM_SAMBA_ENROLL_H__ */ +diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c +index a7ddec3..9335e26 100644 +--- a/service/realm-samba-winbind.c ++++ b/service/realm-samba-winbind.c +@@ -21,8 +21,10 @@ + #include "realm-options.h" + #include "realm-samba-config.h" + #include "realm-samba-winbind.h" ++#include "realm-samba-enroll.h" + #include "realm-settings.h" + #include "realm-service.h" ++#include "dbus/realm-dbus-constants.h" + + #include + +@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + RealmIniConfig *pwc; + GTask *task; + GError *error = NULL; ++ gchar *workgroup = NULL; ++ gchar *idmap_config_backend = NULL; ++ gchar *idmap_config_range = NULL; ++ gchar *idmap_config_schema_mode = NULL; + + g_return_if_fail (config != NULL); + g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation)); +@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + "template shell", realm_settings_string ("users", "default-shell"), + NULL); + +- if (realm_options_automatic_mapping (options, domain_name)) { +- 
realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, +- "idmap uid", "10000-2000000", +- "idmap gid", "10000-2000000", +- "idmap backend", "tdb", +- "idmap schema", NULL, +- NULL); ++ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) { ++ if (realm_options_automatic_mapping (options, domain_name)) { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap uid", "10000-2000000", ++ "idmap gid", "10000-2000000", ++ "idmap backend", "tdb", ++ "idmap schema", NULL, ++ NULL); ++ } else { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap uid", "500-4294967296", ++ "idmap gid", "500-4294967296", ++ "idmap backend", "ad", ++ "idmap schema", "rfc2307", ++ NULL); ++ } + } else { +- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, +- "idmap uid", "500-4294967296", +- "idmap gid", "500-4294967296", +- "idmap backend", "ad", +- "idmap schema", "rfc2307", +- NULL); ++ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup"); ++ if (workgroup == NULL) { ++ workgroup = fallback_workgroup (domain_name); ++ } ++ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ g_free (workgroup); ++ ++ if (realm_options_automatic_mapping (options, domain_name)) { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap config * : backend", "tdb", ++ "idmap config * : range", "10000-999999", ++ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid", ++ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999", ++ idmap_config_schema_mode != NULL ? 
idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL, ++ NULL); ++ } else { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap config * : backend", "tdb", ++ "idmap config * : range", "10000000-10999999", ++ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad", ++ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999", ++ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307", ++ NULL); ++ } + } + + realm_ini_config_finish_change (config, &error); ++ g_free (idmap_config_backend); ++ g_free (idmap_config_range); + } + + /* Setup pam_winbind.conf with decent defaults matching our expectations */ +-- +2.14.4 + diff --git a/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch b/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch new file mode 100644 index 0000000..0fa9108 --- /dev/null +++ b/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch 
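Review bot: `idmap_config_schema_mode` is allocated with g_strdup_printf but never released; after realm_ini_config_finish_change only idmap_config_backend and idmap_config_range are freed, so `g_free (idmap_config_schema_mode);` should be added next to them. When no workgroup can be determined, the code writes `idmap config PLEASE_REPLACE : ...` keys into smb.conf without any diagnostic, which leaves an ID-mapping range bound to a domain name that does not exist; reporting this through realm_diagnostics_info or failing the operation would make it visible. The `!= NULL` fallbacks on the three g_strdup_printf results look unreachable, since g_strdup_printf aborts on allocation failure rather than returning NULL. realm_samba_winbind_configure_async starts and ends outside the hunk.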
@@ -0,0 +1,32 @@
+From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 28 Nov 2019 18:51:30 +0100
+Subject: [PATCH] configure: do not inherit DISTRO from the environment
+
+The argument of the --with-distro configure option is stored in the
+variable DISTRO. If DISTRO is already set in the build environment it
+should not be used hence DISTRO must be cleared by the configure script
+if not set by --with-distro.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
+---
+ configure.ac | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index e335247..a424a49 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
+ [AS_HELP_STRING([--with-distro],
+ [Configure for a specific distribution (eg: redhat)]
+ )],
+- [DISTRO=$withval])
++ [DISTRO=$withval],
++ [DISTRO=])
+
+ if test -z $DISTRO; then
+ AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
+--
+2.21.0
+
diff --git a/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch b/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
new file mode 100644
index 0000000..7185206
--- /dev/null
+++ b/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
@@ -0,0 +1,158 @@ +From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001 +From: Stef Walter +Date: Mon, 6 Feb 2017 12:25:52 +0100 +Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual + page + +And clean up the documentation for the various arguments. +--- + doc/manual/realm.xml | 70 +++++++++++++++++++++++--------------------- + 1 file changed, 37 insertions(+), 33 deletions(-) + +diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml +index 6724d80..9d9136a 100644 +--- a/doc/manual/realm.xml ++++ b/doc/manual/realm.xml +@@ -60,7 +60,7 @@ + + + +- ++ , + Run in install mode. This makes realmd + chroot into the specified directory and place files in + appropriate locations for use during an installer. No +@@ -73,7 +73,7 @@ + for input. + + +- ++ , + Display verbose diagnostics while doing + running commands. + +@@ -105,7 +105,7 @@ $ realm discover domain.example.com + + + +- ++ , + Show all discovered realms (in various + configurations). + +@@ -116,6 +116,10 @@ $ realm discover domain.example.com + sssd or + winbind. + ++ ++ , ++ Only show the names of the discovered realms. ++ + + + Only discover realms which run the +@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + in the domain already. + + +- +- The user name to be used to authenticate +- with when joining the machine to the realm. You will +- be prompted for a password. ++ ++ Only join realms for which we can ++ use the given client software. Possible values include ++ sssd or ++ winbind. Not all values are ++ supported for all realms. By default the client software ++ is automatically selected. + + + +@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + DSE portion of distinguished name. This is an Active + Directory specific option. + ++ ++ ++ The software to use when joining to the ++ realm. Possible values include samba or ++ adcli. Not all values are ++ supported for all realms. 
By default the membership software ++ is automatically selected. ++ + + + Perform the join automatically without +@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + all types of realms. + + +- +- Only join realms for which we can +- use the given client software. Possible values include +- sssd or +- winbind. Not all values are +- supported for all realms. By default the client software +- is automatically selected. ++ ++ The name of the operation system of the ++ client. When joining an AD domain the value is store in ++ the matching AD attribute. ++ ++ ++ ++ The version of the operation system of the ++ client. When joining an AD domain the value is store in ++ the matching AD attribute. + + + +@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + ipa. + + +- +- The software to use when joining to the +- realm. Possible values include samba or +- adcli. Not all values are +- supported for all realms. By default the membership software +- is automatically selected. ++ , ++ The user name to be used to authenticate ++ with when joining the machine to the realm. You will ++ be prompted for a password. + + + +@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + the value for this option, then a principal will be set + in the form of host/shortname@REALM + +- +- +- The name of the operation system of the +- client. When joining an AD domain the value is store in +- the matching AD attribute. +- +- +- +- The version of the operation system of the +- client. When joining an AD domain the value is store in +- the matching AD attribute. +- + + + +@@ -300,7 +304,7 @@ $ realm leave domain.example.com + for a pasword. + + +- ++ , + The user name to be used to authenticate + with when leaving the realm. You will be prompted for a + password. Implies . +-- +2.21.0 + 
diff --git a/SOURCES/0001-doc-extend-description-of-config-handling.patch b/SOURCES/0001-doc-extend-description-of-config-handling.patch
new file mode 100644
index 0000000..b708739
--- /dev/null
+++ b/SOURCES/0001-doc-extend-description-of-config-handling.patch
@@ -0,0 +1,104 @@ +From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 29 Nov 2019 21:57:02 +0100 +Subject: [PATCH] doc: extend description of config handling + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005 +--- + doc/manual/Makefile.am | 8 ++++++++ + doc/manual/realmd.conf.xml | 15 +++++++++++---- + doc/privatedir.xml.in | 1 + + 4 files changed, 21 insertions(+), 4 deletions(-) + create mode 100644 doc/privatedir.xml.in + +diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am +index 8b33fdd..9812c45 100644 +--- a/doc/manual/Makefile.am ++++ b/doc/manual/Makefile.am +@@ -1,14 +1,20 @@ ++XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc + + man8_MANS += \ + doc/manual/realm.8 + man5_MANS += \ + doc/manual/realmd.conf.5 + ++$(man5_MANS): doc/privatedir.xml ++ + MAN_IN_FILES = \ + $(man8_MANS:.8=.xml) \ + $(man5_MANS:.5=.xml) \ + $(NULL) + ++doc/privatedir.xml: doc/privatedir.xml.in ++ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@ ++ + MANUAL_DOCBOOK = doc/manual/realmd-docs.xml + + MANUAL_INCLUDES = \ +@@ -41,6 +47,7 @@ MANUAL_XSLT = \ + $(NULL) + + EXTRA_DIST += \ ++ doc/privatedir.xml.in \ + $(MANUAL_DOCBOOK) \ + $(MANUAL_INCLUDES) \ + $(MAN_IN_FILES) \ +@@ -50,6 +57,7 @@ EXTRA_DIST += \ + + CLEANFILES += \ + realmd-org.freedesktop.realmd.generated \ ++ doc/privatedir.xml \ + $(DBUS_DOC_GENERATED) \ + $(DBUS_ESCAPED) \ + $(man8_MANS) \ +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index 1592291..9062252 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -1,6 +1,9 @@ + + ++ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" ++[ ++ ++]> + + + +@@ -35,7 +38,9 @@ + to act in specific ways. This is done by placing settings in a + /etc/realmd.conf. This file does not exist by + default. The syntax of this file is the same as an INI file or +- Desktop Entry file. ++ Desktop Entry file. 
If the file is changed and ++ realmd is running realmd must be ++ restarted to read the new values. + + In general, settings in this file only apply at the point of + joining a domain or realm. Once the realm has been setup the settings +@@ -46,8 +51,10 @@ + + Only specify the settings you wish to override in the + /etc/realmd.conf file. Settings not specified will +- be loaded from their packaged defaults. Only override the settings +- below. You may find other settings if you look through the ++ be loaded from their packaged defaults which can be found in ++ &privatedir;/realmd-defaults.conf and ++ &privatedir;/realmd-distro.conf. Only override the ++ settings below. You may find other settings if you look through the + realmd source code. However these are not guaranteed + to remain stable. + +diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in +new file mode 100644 +index 0000000..7f71afe +--- /dev/null ++++ b/doc/privatedir.xml.in +@@ -0,0 +1 @@ ++@privatedir@ +\ No newline at end of file +-- +2.21.0 + diff --git a/SOURCES/0001-doc-extend-user-principal-section.patch b/SOURCES/0001-doc-extend-user-principal-section.patch new file mode 100644 index 0000000..c6e4cdf --- /dev/null +++ b/SOURCES/0001-doc-extend-user-principal-section.patch 
@@ -0,0 +1,75 @@ +From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 29 Nov 2019 18:10:03 +0100 +Subject: [PATCH] doc: extend user-principal section + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814 +--- + doc/manual/realm.xml | 21 +++++++++++++++++++-- + doc/manual/realmd.conf.xml | 15 ++++++++++----- + 2 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml +index 7b73331..55a7640 100644 +--- a/doc/manual/realm.xml ++++ b/doc/manual/realm.xml +@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + + + +- Set the userPrincipalName field of the ++ Set the ++ field of the + computer account to this kerberos principal. If you omit + the value for this option, then a principal will be set +- in the form of host/shortname@REALM ++ based on the defaults of the membership software. ++ AD makes a distinction between user and service ++ principals. Only with user principals you can request a ++ Kerberos Ticket-Granting-Ticket (TGT), i.e. only user ++ principals can be used with the kinit ++ command. By default the user principal and the canonical ++ principal name of an AD computer account is ++ shortname$@AD.DOMAIN, where shortname is ++ the NetBIOS name which is limited to 15 characters. ++ If there are applications which are not aware of ++ the AD default and are using a hard-coded default ++ principal the can be ++ used to make AD aware of this principal. Please note ++ that is a single ++ value LDAP attribute, i.e. only one alternative user ++ principal besides the AD default user principal can be ++ set. 
+ + + +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index f0b0879..a26a60c 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -365,12 +365,17 @@ computer-name = SERVER01 + + + +- ++ + +- Set the to yes +- to create attributes for the +- computer account in the realm, in the form +- host/computer@REALM ++ Set the to yes ++ to create attribute for the ++ computer accounts in the realm. The exact value depends on the ++ defaults of the used membership software. To have full control ++ over the value please use the ++ option of the ++ realm command, see ++ realm ++ 8 for details. + + + +-- +2.21.0 + diff --git a/SOURCES/0001-doc-fix-discover-name-only.patch b/SOURCES/0001-doc-fix-discover-name-only.patch new file mode 100644 index 0000000..861f306 --- /dev/null +++ b/SOURCES/0001-doc-fix-discover-name-only.patch @@ -0,0 +1,26 @@ +From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 29 Nov 2019 18:49:15 +0100 +Subject: [PATCH 1/2] doc: fix discover name-only + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001 +--- + doc/manual/realmd.conf.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index a26a60c..fc6a785 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash + + + +-$ realm discover --name DOMAIN.example.com ++$ realm discover --name-only DOMAIN.example.com + domain.example.com + ... + +-- +2.21.0 + diff --git a/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch b/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch new file mode 100644 index 0000000..2cd54ec --- /dev/null +++ b/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch 
@@ -0,0 +1,1500 @@ +From 4f3c02dc14300c0b8e51a55d627c57f73c108f64 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 28 Sep 2018 10:36:19 +0200 +Subject: [PATCH] doc: make sure cross-reference ids are predictable + +To make sure the cross-reference ids are predictable in the +auto-generated DBus documentation as well the xsl and css files form the +gtk-doc package are updated as well. +--- + doc/manual/devhelp2.xsl | 173 ++++++++ + doc/manual/gtk-doc.xsl | 436 ++++++++----------- + doc/manual/realm.xml | 14 +- + doc/manual/realmd-guide-active-directory.xml | 4 +- + doc/manual/realmd-guide-ipa.xml | 2 +- + doc/manual/realmd-guide-kerberos.xml | 2 +- + doc/manual/realmd.conf.xml | 4 +- + doc/manual/static/gtk-doc.css | 420 +++++++++++++----- + 8 files changed, 688 insertions(+), 367 deletions(-) + create mode 100644 doc/manual/devhelp2.xsl + +diff --git a/doc/manual/devhelp2.xsl b/doc/manual/devhelp2.xsl +new file mode 100644 +index 0000000..bab6692 +--- /dev/null ++++ b/doc/manual/devhelp2.xsl +@@ -0,0 +1,173 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ book ++ ++ ++ .devhelp2 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ , ++ ++ ++ ++ ++ +diff --git a/doc/manual/gtk-doc.xsl b/doc/manual/gtk-doc.xsl +index 9c0901b..3471e6c 100644 +--- a/doc/manual/gtk-doc.xsl ++++ b/doc/manual/gtk-doc.xsl +@@ -5,20 +5,19 @@ + version="1.0"> + + +- ++ + ++ + + +- +- ++ ++ + + + ++ + 2 + + book toc +@@ -28,16 +27,17 @@ + part toc + reference toc + ++ 1 + + + + + +- + + + + ++ + + + +@@ -60,6 +60,9 @@ + + + ++ ++ ++ + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- <ANCHOR id=" +- +- " href=" +- +- +- / +- +- +- "> +- +- +- 
+- +- +- <ONLINE href=" +- +- "> +- ++ ++ + + + +@@ -387,6 +341,15 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + + ++ ++ ++ ++ ++ ++ <xsl:copy-of select="$title"/>: <xsl:apply-templates select="$home" mode="object.title.markup"/> ++ ++ ++ + + + +@@ -399,10 +362,10 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ +
+ + +- Generated by GTK-Doc V ++ Generated by GTK-Doc V + + +- Generated by GTK-Doc ++ Generated by GTK-Doc + + + +@@ -451,21 +414,119 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + + ++ summary = "Navigation header" cellpadding="2" cellspacing="5"> + ++ + +- ++ + + + +- ++ + + + +- ++ + + + +- ++ + + +- + + + + + +- ++ + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- + + +
+@@ -758,32 +678,32 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + +- +@@ -803,6 +723,21 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + + ++ ++ ++ ++ ++ ++ em-dash ++ ++ ++ ++ ++ ++ + + + idx +@@ -825,12 +760,12 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + + +-  |  ++   |  + + + + +-  ] ++   ] + + + +@@ -861,11 +796,6 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + + +- +- + + + +@@ -878,7 +808,7 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ + + + http://foldoc.org/ +- ++ + + + +diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml +index 9d9136a..7b73331 100644 +--- a/doc/manual/realm.xml ++++ b/doc/manual/realm.xml +@@ -49,7 +49,7 @@ + + + +- ++ + Description + realm is a command line tool that + can be used to manage enrollment in kerberos realms, like Active +@@ -81,7 +81,7 @@ + + + +- ++ + Discover + + Discover a realm and its capabilities. +@@ -138,7 +138,7 @@ $ realm discover domain.example.com + + + +- ++ + Join + + Configure the local machine for use with a realm. +@@ -263,7 +263,7 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + + + +- ++ + Leave + + Deconfigure the local machine for use with a realm. +@@ -313,7 +313,7 @@ $ realm leave domain.example.com + + + +- ++ + List + + List all the discovered and configured realms. +@@ -345,7 +345,7 @@ $ realm list + + + +- ++ + Permit + + Permit local login by users of the realm. +@@ -392,7 +392,7 @@ $ realm permit --withdraw user@example.com + + + +- ++ + Deny + + Deny local login by realm accounts. +diff --git a/doc/manual/realmd-guide-active-directory.xml b/doc/manual/realmd-guide-active-directory.xml +index 362cf94..c88e8af 100644 +--- a/doc/manual/realmd-guide-active-directory.xml ++++ b/doc/manual/realmd-guide-active-directory.xml +@@ -69,7 +69,7 @@ $ realm discover --verbose domain.example.com + Winbind. + By default SSSD is used. + +-
++
+ Using SSSD with Active Directory + SSSD + provides client software for various kerberos and/or LDAP +@@ -91,7 +91,7 @@ $ realm join --client-software=sssd domain.example.com + +
+ +-
++
+ Using Winbind with Active Directory + Samba + Winbind +diff --git a/doc/manual/realmd-guide-ipa.xml b/doc/manual/realmd-guide-ipa.xml +index bba6504..c3ad450 100644 +--- a/doc/manual/realmd-guide-ipa.xml ++++ b/doc/manual/realmd-guide-ipa.xml +@@ -13,7 +13,7 @@ + users locally, and log into the local machine with IPA domain + credentials. + +-
++
+ Discovering IPA domains + realmd discovers which domains or + realms it can use or configure. It can discover and identify +diff --git a/doc/manual/realmd-guide-kerberos.xml b/doc/manual/realmd-guide-kerberos.xml +index a57e964..5b9d4b1 100644 +--- a/doc/manual/realmd-guide-kerberos.xml ++++ b/doc/manual/realmd-guide-kerberos.xml +@@ -12,7 +12,7 @@ + Since there is no standard way to enroll a computer against a Kerberos + server, it is not possible to do this with realmd. + +-
++
+ Discovering Kerberos realms + realmd discovers which domains or + realms it can use or configure. It can discover and identify +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index a2b577c..f0b0879 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -28,7 +28,7 @@ + Tweak behavior of realmd + + +- ++ + Configuration File + + realmd can be tweaked by network administrators +@@ -297,7 +297,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash + + + +- ++ + Realm specific settings + These options should go in an section with the same name + as the realm in the /etc/realmd.conf file. +diff --git a/doc/manual/static/gtk-doc.css b/doc/manual/static/gtk-doc.css +index 5618926..af6ce9c 100644 +--- a/doc/manual/static/gtk-doc.css ++++ b/doc/manual/static/gtk-doc.css +@@ -1,15 +1,23 @@ ++body ++{ ++ font-family: cantarell, sans-serif; ++} + .synopsis, .classsynopsis + { + /* tango:aluminium 1/2 */ + background: #eeeeec; +- border: solid 1px #d3d7cf; ++ background: rgba(238, 238, 236, 0.5); ++ border: solid 1px rgb(238, 238, 236); + padding: 0.5em; + } + .programlisting + { + /* tango:sky blue 0/1 */ ++ /* fallback for no rgba support */ + background: #e6f3ff; + border: solid 1px #729fcf; ++ background: rgba(114, 159, 207, 0.1); ++ border: solid 1px rgba(114, 159, 207, 0.2); + padding: 0.5em; + } + .variablelist +@@ -22,86 +30,8 @@ + vertical-align: top; + } + +-@media screen { +- sup a.footnote +- { +- position: relative; +- top: 0em ! 
important; +- } +- /* this is needed so that the local anchors are displayed below the naviagtion */ +- div.footnote a[name], div.refnamediv a[name], div.refsect1 a[name], div.refsect2 a[name], div.index a[name], div.glossary a[name], div.sect1 a[name] +- { +- display: inline-block; +- position: relative; +- top:-5em; +- } +- /* this seems to be a bug in the xsl style sheets when generating indexes */ +- div.index div.index +- { +- top: 0em; +- } +- /* make space for the fixed navigation bar and add space at the bottom so that +- * link targets appear somewhat close to top +- */ +- body +- { +- padding-top: 3.2em; +- padding-bottom: 20em; +- } +- /* style and size the navigation bar */ +- table.navigation#top +- { +- position: fixed; +- /* tango:scarlet red 0/1 */ +- background: #ffe6e6; +- border: solid 1px #ef2929; +- margin-top: 0; +- margin-bottom: 0; +- top: 0; +- left: 0; +- height: 3em; +- z-index: 10; +- } +- .navigation a, .navigation a:visited +- { +- /* tango:scarlet red 3 */ +- color: #a40000; +- } +- .navigation a:hover +- { +- /* tango:scarlet red 1 */ +- color: #ef2929; +- } +- td.shortcuts +- { +- /* tango:scarlet red 1 */ +- color: #ef2929; +- font-size: 80%; +- white-space: nowrap; +- } +-} +-@media print { +- table.navigation { +- visibility: collapse; +- display: none; +- } +- div.titlepage table.navigation { +- visibility: visible; +- display: table; +- /* tango:scarlet red 0/1 */ +- background: #ffe6e6; +- border: solid 1px #ef2929; +- margin-top: 0; +- margin-bottom: 0; +- top: 0; +- left: 0; +- height: 3em; +- } +-} +- +-.navigation .title +-{ +- font-size: 200%; ++span.nowrap { ++ white-space: nowrap; + } + + div.gallery-float +@@ -131,6 +61,72 @@ a:hover + color: #729fcf; + } + ++div.informaltable table ++{ ++ border-collapse: separate; ++ border-spacing: 1em 0.3em; ++ border: none; ++} ++ ++div.informaltable table td, div.informaltable table th ++{ ++ vertical-align: top; ++} ++ ++.function_type, ++.variable_type, ++.property_type, 
++.signal_type, ++.parameter_name, ++.struct_member_name, ++.union_member_name, ++.define_keyword, ++.datatype_keyword, ++.typedef_keyword ++{ ++ text-align: right; ++} ++ ++/* dim non-primary columns */ ++.c_punctuation, ++.function_type, ++.variable_type, ++.property_type, ++.signal_type, ++.define_keyword, ++.datatype_keyword, ++.typedef_keyword, ++.property_flags, ++.signal_flags, ++.parameter_annotations, ++.enum_member_annotations, ++.struct_member_annotations, ++.union_member_annotations ++{ ++ color: #888a85; ++} ++ ++.function_type a, ++.function_type a:visited, ++.function_type a:hover, ++.property_type a, ++.property_type a:visited, ++.property_type a:hover, ++.signal_type a, ++.signal_type a:visited, ++.signal_type a:hover, ++.signal_flags a, ++.signal_flags a:visited, ++.signal_flags a:hover ++{ ++ color: #729fcf; ++} ++ ++td p ++{ ++ margin: 0.25em; ++} ++ + div.table table + { + border-collapse: collapse; +@@ -153,14 +149,44 @@ div.table table th + background-color: #d3d7cf; + } + ++h4 ++{ ++ color: #555753; ++ margin-top: 1em; ++ margin-bottom: 1em; ++} ++ + hr + { +- /* tango:aluminium 3 */ +- color: #babdb6; +- background: #babdb6; ++ /* tango:aluminium 1 */ ++ color: #d3d7cf; ++ background: #d3d7cf; + border: none 0px; + height: 1px; + clear: both; ++ margin: 2.0em 0em 2.0em 0em; ++} ++ ++dl.toc dt ++{ ++ padding-bottom: 0.25em; ++} ++ ++dl.toc > dt ++{ ++ padding-top: 0.25em; ++ padding-bottom: 0.25em; ++ font-weight: bold; ++} ++ ++dl.toc > dl ++{ ++ padding-bottom: 0.5em; ++} ++ ++.parameter ++{ ++ font-style: normal; + } + + .footer +@@ -172,31 +198,70 @@ hr + font-size: 80%; + } + ++.informalfigure, ++.figure ++{ ++ margin: 1em; ++} ++ ++.informalexample, ++.example ++{ ++ margin-top: 1em; ++ margin-bottom: 1em; ++} ++ + .warning + { + /* tango:orange 0/1 */ + background: #ffeed9; ++ background: rgba(252, 175, 62, 0.1); + border-color: #ffb04f; ++ border-color: rgba(252, 175, 62, 0.2); + } + .note + { + /* tango:chameleon 0/0.5 */ + 
background: #d8ffb2; ++ background: rgba(138, 226, 52, 0.1); + border-color: #abf562; ++ border-color: rgba(138, 226, 52, 0.2); + } +-.note, .warning ++div.blockquote ++{ ++ border-color: #eeeeec; ++} ++.note, .warning, div.blockquote + { + padding: 0.5em; + border-width: 1px; + border-style: solid; ++ margin: 2em; + } +-.note h3, .warning h3 ++.note p, .warning p + { +- margin-top: 0.0em ++ margin: 0; + } +-.note p, .warning p ++ ++div.warning h3.title, ++div.note h3.title ++{ ++ display: none; ++} ++ ++p + div.section ++{ ++ margin-top: 1em; ++} ++ ++div.refnamediv, ++div.refsynopsisdiv, ++div.refsect1, ++div.refsect2, ++div.toc, ++div.section + { +- margin-bottom: 0.0em ++ margin-bottom: 1em; + } + + /* blob links */ +@@ -209,33 +274,52 @@ h2 .extralinks, h3 .extralinks + font-weight: normal; + } + ++.lineart ++{ ++ color: #d3d7cf; ++ font-weight: normal; ++} ++ + .annotation + { + /* tango:aluminium 5 */ + color: #555753; +- font-size: 80%; + font-weight: normal; + } + ++.structfield ++{ ++ font-style: normal; ++ font-weight: normal; ++} ++ ++acronym,abbr ++{ ++ border-bottom: 1px dotted gray; ++} ++ + /* code listings */ + +-.listing_code .programlisting .cbracket { color: #a40000; } /* tango: scarlet red 3 */ +-.listing_code .programlisting .comment { color: #a1a39d; } /* tango: aluminium 4 */ +-.listing_code .programlisting .function { color: #000000; font-weight: bold; } +-.listing_code .programlisting .function a { color: #11326b; font-weight: bold; } /* tango: sky blue 4 */ +-.listing_code .programlisting .keyword { color: #4e9a06; } /* tango: chameleon 3 */ ++.listing_code .programlisting .normal, ++.listing_code .programlisting .normal a, ++.listing_code .programlisting .number, ++.listing_code .programlisting .cbracket, ++.listing_code .programlisting .symbol { color: #555753; } ++.listing_code .programlisting .comment, + .listing_code .programlisting .linenum { color: #babdb6; } /* tango: aluminium 3 */ +-.listing_code .programlisting .normal { color: 
#000000; } +-.listing_code .programlisting .number { color: #75507b; } /* tango: plum 2 */ ++.listing_code .programlisting .function, ++.listing_code .programlisting .function a, + .listing_code .programlisting .preproc { color: #204a87; } /* tango: sky blue 3 */ +-.listing_code .programlisting .string { color: #c17d11; } /* tango: chocolate 2 */ +-.listing_code .programlisting .type { color: #000000; } +-.listing_code .programlisting .type a { color: #11326b; } /* tango: sky blue 4 */ +-.listing_code .programlisting .symbol { color: #ce5c00; } /* tango: orange 3 */ ++.listing_code .programlisting .string { color: #ad7fa8; } /* tango: plum */ ++.listing_code .programlisting .keyword, ++.listing_code .programlisting .usertype, ++.listing_code .programlisting .type, ++.listing_code .programlisting .type a { color: #4e9a06; } /* tango: chameleon 3 */ + + .listing_frame { + /* tango:sky blue 1 */ + border: solid 1px #729fcf; ++ border: solid 1px rgba(114, 159, 207, 0.2); + padding: 0px; + } + +@@ -247,18 +331,152 @@ h2 .extralinks, h3 .extralinks + .listing_lines { + /* tango:sky blue 0.5 */ + background: #a6c5e3; ++ background: rgba(114, 159, 207, 0.2); + /* tango:aluminium 6 */ + color: #2e3436; + } + .listing_code { + /* tango:sky blue 0 */ + background: #e6f3ff; ++ background: rgba(114, 159, 207, 0.1); + } + .listing_code .programlisting { + /* override from previous */ + border: none 0px; + padding: 0px; ++ background: none; + } + .listing_lines pre, .listing_code pre { + margin: 0px; + } ++ ++@media screen { ++ /* these have a as a first child, but since there are no parent selectors ++ * we can't use that. */ ++ a.footnote ++ { ++ position: relative; ++ top: 0em ! 
important; ++ } ++ /* this is needed so that the local anchors are displayed below the naviagtion */ ++ div.footnote a[name], div.refnamediv a[name], div.refsect1 a[name], div.refsect2 a[name], div.index a[name], div.glossary a[name], div.sect1 a[name] ++ { ++ display: inline-block; ++ position: relative; ++ top:-5em; ++ } ++ /* this seems to be a bug in the xsl style sheets when generating indexes */ ++ div.index div.index ++ { ++ top: 0em; ++ } ++ /* make space for the fixed navigation bar and add space at the bottom so that ++ * link targets appear somewhat close to top ++ */ ++ body ++ { ++ padding-top: 2.5em; ++ padding-bottom: 500px; ++ max-width: 60em; ++ } ++ p ++ { ++ max-width: 60em; ++ } ++ /* style and size the navigation bar */ ++ table.navigation#top ++ { ++ position: fixed; ++ background: #e2e2e2; ++ border-bottom: solid 1px #babdb6; ++ border-spacing: 5px; ++ margin-top: 0; ++ margin-bottom: 0; ++ top: 0; ++ left: 0; ++ z-index: 10; ++ } ++ table.navigation#top td ++ { ++ padding-left: 6px; ++ padding-right: 6px; ++ } ++ .navigation a, .navigation a:visited ++ { ++ /* tango:sky blue 3 */ ++ color: #204a87; ++ } ++ .navigation a:hover ++ { ++ /* tango:sky blue 2 */ ++ color: #3465a4; ++ } ++ td.shortcuts ++ { ++ /* tango:sky blue 2 */ ++ color: #3465a4; ++ font-size: 80%; ++ white-space: nowrap; ++ } ++ td.shortcuts .dim ++ { ++ color: #babdb6; ++ } ++ .navigation .title ++ { ++ font-size: 80%; ++ max-width: none; ++ margin: 0px; ++ font-weight: normal; ++ } ++} ++@media screen and (min-width: 60em) { ++ /* screen larger than 60em */ ++ body { margin: auto; } ++} ++@media screen and (max-width: 60em) { ++ /* screen less than 60em */ ++ #nav_hierarchy { display: none; } ++ #nav_interfaces { display: none; } ++ #nav_prerequisites { display: none; } ++ #nav_derived_interfaces { display: none; } ++ #nav_implementations { display: none; } ++ #nav_child_properties { display: none; } ++ #nav_style_properties { display: none; } ++ #nav_index { display: none; 
} ++ #nav_glossary { display: none; } ++ .gallery_image { display: none; } ++ .property_flags { display: none; } ++ .signal_flags { display: none; } ++ .parameter_annotations { display: none; } ++ .enum_member_annotations { display: none; } ++ .struct_member_annotations { display: none; } ++ .union_member_annotations { display: none; } ++ /* now that a column is hidden, optimize space */ ++ col.parameters_name { width: auto; } ++ col.parameters_description { width: auto; } ++ col.struct_members_name { width: auto; } ++ col.struct_members_description { width: auto; } ++ col.enum_members_name { width: auto; } ++ col.enum_members_description { width: auto; } ++ col.union_members_name { width: auto; } ++ col.union_members_description { width: auto; } ++ .listing_lines { display: none; } ++} ++@media print { ++ table.navigation { ++ visibility: collapse; ++ display: none; ++ } ++ div.titlepage table.navigation { ++ visibility: visible; ++ display: table; ++ background: #e2e2e2; ++ border: solid 1px #babdb6; ++ margin-top: 0; ++ margin-bottom: 0; ++ top: 0; ++ left: 0; ++ height: 3em; ++ } ++} +-- +2.21.0 + diff --git a/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch b/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch new file mode 100644 index 0000000..8b8f633 --- /dev/null +++ b/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch 
@@ -0,0 +1,96 @@ +From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001 +From: Stef Walter +Date: Fri, 28 Oct 2016 20:27:48 +0200 +Subject: [PATCH] service: Add nss and pam sssd.conf services after joining + +After adding a domain to sssd.conf add the nss and pam services +to the [sssd] block. + +https://bugs.freedesktop.org/show_bug.cgi?id=98479 +--- + service/realm-sssd-ad.c | 3 +++ + service/realm-sssd-config.c | 2 -- + service/realm-sssd-ipa.c | 3 +++ + tests/test-sssd-config.c | 4 ++-- + 4 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c +index 5ed384d..5fa81ce 100644 +--- a/service/realm-sssd-ad.c ++++ b/service/realm-sssd-ad.c +@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config, + gboolean use_adcli, + GError **error) + { ++ const gchar *services[] = { "nss", "pam", NULL }; + GString *realmd_tags; + const gchar *access_provider; + const gchar *shell; +@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config, + "ldap_sasl_authid", authid, + NULL); + ++ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); ++ + g_free (authid); + g_string_free (realmd_tags, TRUE); + +diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c +index 2096afd..d4398b9 100644 +--- a/service/realm-sssd-config.c ++++ b/service/realm-sssd-config.c +@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config, + g_strfreev (already); + + /* Setup a default sssd section */ +- if (!realm_ini_config_have (config, "section", "services")) +- realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL); + if (!realm_ini_config_have (config, "sssd", "config_file_version")) + realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL); + +diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c +index b12136e..001870d 100644 +--- a/service/realm-sssd-ipa.c ++++ b/service/realm-sssd-ipa.c +@@ -156,6 
+156,7 @@ on_ipa_client_do_restart (GObject *source, + GAsyncResult *result, + gpointer user_data) + { ++ const gchar *services[] = { "nss", "pam", NULL }; + GTask *task = G_TASK (user_data); + EnrollClosure *enroll = g_task_get_task_data (task); + RealmSssd *sssd = g_task_get_source_object (task); +@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source, + "realmd_tags", realmd_tags, + NULL); + ++ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); ++ + g_free (home); + } + +diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c +index 59eab75..892b9d5 100644 +--- a/tests/test-sssd-config.c ++++ b/tests/test-sssd-config.c +@@ -90,7 +90,7 @@ test_add_domain (Test *test, + gconstpointer unused) + { + const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one"; +- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; ++ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; + GError *error = NULL; + gchar *output; + gboolean ret; +@@ -140,7 +140,7 @@ static void + test_add_domain_only (Test *test, + gconstpointer unused) + { +- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; ++ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; + GError *error = NULL; + gchar *output; + gboolean ret; +-- +2.9.3 + diff --git a/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch b/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch new file mode 100644 index 0000000..6c44727 --- /dev/null +++ b/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch 
@@ -0,0 +1,98 @@ +From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Tue, 25 Apr 2017 07:20:17 +0200 +Subject: [PATCH] service: Add "pam" and "nss" services in + realm_sssd_config_add_domain() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +realm_sssd_config_add_domain() must setup the services line in sssd.conf +otherwise SSSD won't be able to start any of its services. + +It's a regression caused by 402cbab which leaves SSSD with no services +line when joining to an ad client doing "realm join ad.example". + +https://bugs.freedesktop.org/show_bug.cgi?id=98479 + +Signed-off-by: Fabiano FidĂȘncio +--- + service/realm-sssd-ad.c | 3 ++- + service/realm-sssd-config.c | 2 ++ + service/realm-sssd-ipa.c | 3 ++- + tests/test-sssd-config.c | 4 ++-- + 4 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c +index 5fa81ce..8543ca8 100644 +--- a/service/realm-sssd-ad.c ++++ b/service/realm-sssd-ad.c +@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config, + "ldap_sasl_authid", authid, + NULL); + +- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); ++ if (ret) ++ ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error); + + g_free (authid); + g_string_free (realmd_tags, TRUE); +diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c +index d4398b9..140d7dc 100644 +--- a/service/realm-sssd-config.c ++++ b/service/realm-sssd-config.c +@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config, + gchar **already; + gboolean ret; + gchar *section; ++ const gchar *services[] = { "nss", "pam", NULL }; + va_list va; + gint i; + +@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config, + g_strfreev (already); + + /* Setup a default sssd section */ ++ realm_ini_config_set_list_diff 
(config, "sssd", "services", ", ", services, NULL); + if (!realm_ini_config_have (config, "sssd", "config_file_version")) + realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL); + +diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c +index 001870d..ff1dc8a 100644 +--- a/service/realm-sssd-ipa.c ++++ b/service/realm-sssd-ipa.c +@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source, + "realmd_tags", realmd_tags, + NULL); + +- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); ++ if (error == NULL) ++ realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error); + + g_free (home); + } +diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c +index 892b9d5..59eab75 100644 +--- a/tests/test-sssd-config.c ++++ b/tests/test-sssd-config.c +@@ -90,7 +90,7 @@ test_add_domain (Test *test, + gconstpointer unused) + { + const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one"; +- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; ++ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; + GError *error = NULL; + gchar *output; + gboolean ret; +@@ -140,7 +140,7 @@ static void + test_add_domain_only (Test *test, + gconstpointer unused) + { +- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; ++ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; + GError *error = NULL; + gchar *output; + gboolean ret; +-- +2.9.3 + diff --git a/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch b/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch new file mode 100644 index 0000000..69674e4 --- /dev/null +++ b/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch 
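Review bot: The `{ "nss", "pam", NULL }` array is now defined separately in three functions, because `realm_sssd_config_add_domain` gains its own copy here while the realm-sssd-ad.c and realm-sssd-ipa.c hunks keep theirs for `realm_ini_config_change_list`. Those two callers appear to run after `realm_sssd_config_add_domain` has already merged the same list, so the second call looks redundant. If it is kept on purpose, a comment such as `/* make sure nss and pam are enabled even if the domain section already existed */` would record why; otherwise a shared constant or helper keeps the copies from drifting apart. The two updated tests only start from an `[sssd]` section with no `services` line, so a case whose input already lists another service (constructed example: `services = ssh`) would pin that the merge keeps existing entries. All three functions start and end outside their hunks.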
@@ -0,0 +1,30 @@
+From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 21 Feb 2020 14:06:16 +0100
+Subject: [PATCH] service: use "kerberos method" "secrets and keytab"
+
+When using Samba with Winbind the host password stored in secrets.tdb is
+still important so the "secrets and keytab" should be the preferred
+"kerberos method".
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
+---
+ service/realm-samba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/service/realm-samba.c b/service/realm-samba.c
+index e2a3608..4940b38 100644
+--- a/service/realm-samba.c
++++ b/service/realm-samba.c
+@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
+ "template shell", realm_settings_string ("users", "default-shell"),
+ "netbios name", computer_name,
+ "password server", enroll->disco->explicit_server,
+- "kerberos method", "system keytab",
++ "kerberos method", "secrets and keytab",
+ NULL);
+ }
+
+--
+2.24.1
+
diff --git a/SOURCES/0001-switch-to-authselect.patch b/SOURCES/0001-switch-to-authselect.patch
new file mode 100644
index 0000000..d750d6d
--- /dev/null
+++ b/SOURCES/0001-switch-to-authselect.patch
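Review bot: The new `"kerberos method", "secrets and keytab"` entry in on_join_do_winbind carries no comment explaining why a keytab-only method is not enough, and the reason given in the commit message is easy to lose in a later cleanup. A line above it such as `/* winbind still needs the host password in secrets.tdb, so do not use a keytab-only method */` would record it. With this value the machine credential is consulted from two stores, so it is worth confirming that whatever rotates the host password updates both secrets.tdb and the keytab. It is equally worth checking how hosts already joined with "system keytab" in smb.conf are treated on upgrade; neither is visible in this hunk. The function body starts and ends outside the hunk.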
@@ -0,0 +1,36 @@
+From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 19 Feb 2018 11:51:06 +0100
+Subject: [PATCH] switch to authselect
+
+---
+ service/realmd-redhat.conf | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
+index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
+--- a/service/realmd-redhat.conf
++++ b/service/realmd-redhat.conf
+@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
+ freeipa-client = /usr/sbin/ipa-client-install
+
+ [commands]
+-winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+-winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
++winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
++winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
+ winbind-enable-service = /usr/bin/systemctl enable winbind.service
+ winbind-disable-service = /usr/bin/systemctl disable winbind.service
+ winbind-restart-service = /usr/bin/systemctl restart winbind.service
+ winbind-stop-service = /usr/bin/systemctl stop winbind.service
+
+-sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+-sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
++sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
++sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
+ sssd-enable-service = /usr/bin/systemctl enable sssd.service
+ sssd-disable-service = /usr/bin/systemctl disable sssd.service
+ sssd-restart-service = /usr/bin/systemctl restart sssd.service
+--
+2.9.3
+
diff --git a/SOURCES/0001-tests-run-tests-with-python3.patch b/SOURCES/0001-tests-run-tests-with-python3.patch
new file mode 100644
index 0000000..607afa4
--- /dev/null
+++ b/SOURCES/0001-tests-run-tests-with-python3.patch
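Review bot: Both `winbind-disable-logins` and `sssd-disable-logins` are set to `/usr/bin/authselect select sssd with-mkhomedir`, so the sssd disable step selects the same profile that `sssd-enable-logins` selects and nothing in this hunk takes that profile out of the PAM/NSS configuration. If ending realm logins is meant to rest on the `*-disable-service` and `*-stop-service` commands, a comment above the two lines should say so, for example `# authselect has no "disable" action: fall back to the sssd profile and rely on the service commands below`. The enable commands also pass `--force`, which lets authselect replace PAM and nsswitch files it did not create. It is worth confirming that locally maintained PAM changes are either backed up or not expected on hosts that run realmd.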
@@ -0,0 +1,374 @@ +From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 4 Jul 2018 16:41:16 +0200 +Subject: [PATCH] tests: run tests with python3 + +To allow the test to run with python3 build/tap-driver and +build/tap-gtester are updated to the latest version provided by the +cockpit project https://github.com/cockpit-project/cockpit. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813 +--- + build/tap-driver | 104 +++++++++++++++++++++++++++++++++++++++++++----------- + build/tap-gtester | 59 ++++++++++++++++++++++--------- + 2 files changed, 125 insertions(+), 38 deletions(-) + +diff --git a/build/tap-driver b/build/tap-driver +index 42f57c8..241fd50 100755 +--- a/build/tap-driver ++++ b/build/tap-driver +@@ -1,4 +1,5 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 ++# This can also be run with Python 2. + + # Copyright (C) 2013 Red Hat, Inc. + # +@@ -29,20 +30,58 @@ + # + + import argparse ++import fcntl + import os + import select ++import struct + import subprocess + import sys ++import termios ++import errno ++ ++_PY3 = sys.version[0] >= '3' ++_str = _PY3 and str or unicode ++ ++def out(data, stream=None, flush=False): ++ if not isinstance(data, bytes): ++ data = data.encode("UTF-8") ++ if not stream: ++ stream = _PY3 and sys.stdout.buffer or sys.stdout ++ while True: ++ try: ++ if data: ++ stream.write(data) ++ data = None ++ if flush: ++ stream.flush() ++ flush = False ++ break ++ except IOError as e: ++ if e.errno == errno.EAGAIN: ++ continue ++ raise ++ ++def terminal_width(): ++ try: ++ h, w, hp, wp = struct.unpack('HHHH', ++ fcntl.ioctl(1, termios.TIOCGWINSZ, ++ struct.pack('HHHH', 0, 0, 0, 0))) ++ return w ++ except IOError as e: ++ if e.errno != errno.ENOTTY: ++ sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info())) ++ return sys.maxsize + + class Driver: + def __init__(self, args): + self.argv = args.command + self.test_name = args.test_name +- self.log = open(args.log_file, 
"w") +- self.log.write("# %s\n" % " ".join(sys.argv)) ++ self.log = open(args.log_file, "wb") ++ self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8")) + self.trs = open(args.trs_file, "w") + self.color_tests = args.color_tests + self.expect_failure = args.expect_failure ++ self.width = terminal_width() - 9 + + def report(self, code, *args): + CODES = { +@@ -57,17 +96,18 @@ class Driver: + # Print out to console + if self.color_tests: + if code in CODES: +- sys.stdout.write(CODES[code]) +- sys.stdout.write(code) ++ out(CODES[code]) ++ out(code) + if self.color_tests: +- sys.stdout.write('\x1b[m') +- sys.stdout.write(": ") +- sys.stdout.write(self.test_name) +- sys.stdout.write(" ") +- for arg in args: +- sys.stdout.write(str(arg)) +- sys.stdout.write("\n") +- sys.stdout.flush() ++ out('\x1b[m') ++ out(": ") ++ msg = "".join([ self.test_name + " " ] + list(map(_str, args))) ++ if code == "PASS" and len(msg) > self.width: ++ out(msg[:self.width]) ++ out("...") ++ else: ++ out(msg) ++ out("\n", flush=True) + + # Book keeping + if code in CODES: +@@ -100,12 +140,14 @@ class Driver: + def execute(self): + try: + proc = subprocess.Popen(self.argv, close_fds=True, ++ stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) +- except OSError, ex: ++ except OSError as ex: + self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex))) + return + ++ proc.stdin.close() + outf = proc.stdout.fileno() + errf = proc.stderr.fileno() + rset = [outf, errf] +@@ -113,18 +155,25 @@ class Driver: + ret = select.select(rset, [], [], 10) + if outf in ret[0]: + data = os.read(outf, 1024) +- if data == "": ++ if data == b"": + rset.remove(outf) + self.log.write(data) + self.process(data) + if errf in ret[0]: + data = os.read(errf, 1024) +- if data == "": ++ if data == b"": + rset.remove(errf) + self.log.write(data) +- sys.stderr.write(data) ++ stream = _PY3 and sys.stderr.buffer or sys.stderr ++ out(data, stream=stream, flush=True) + + proc.wait() ++ ++ # 
Make sure the test didn't change blocking output ++ assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0 ++ assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0 ++ assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0 ++ + return proc.returncode + + +@@ -137,6 +186,7 @@ class TapDriver(Driver): + self.late_plan = False + self.errored = False + self.bail_out = False ++ self.skip_all_reason = None + + def report(self, code, num, *args): + if num: +@@ -170,13 +220,19 @@ class TapDriver(Driver): + else: + self.result_fail(num, description) + +- def consume_test_plan(self, first, last): ++ def consume_test_plan(self, line): + # Only one test plan is supported + if self.test_plan: + self.report_error("Get a second TAP test plan") + return + ++ if line.lower().startswith('1..0 # skip'): ++ self.skip_all_reason = line[5:].strip() ++ self.bail_out = True ++ return ++ + try: ++ (first, unused, last) = line.partition("..") + first = int(first) + last = int(last) + except ValueError: +@@ -192,7 +248,7 @@ class TapDriver(Driver): + + def process(self, output): + if output: +- self.output += output ++ self.output += output.decode("UTF-8") + elif self.output: + self.output += "\n" + (ready, unused, self.output) = self.output.rpartition("\n") +@@ -202,8 +258,7 @@ class TapDriver(Driver): + elif line.startswith("not ok "): + self.consume_test_line(False, line[7:]) + elif line and line[0].isdigit() and ".." 
in line: +- (first, unused, last) = line.partition("..") +- self.consume_test_plan(first, last) ++ self.consume_test_plan(line) + elif line.lower().startswith("bail out!"): + self.consume_bail_out(line) + +@@ -213,6 +268,13 @@ class TapDriver(Driver): + failed = False + skipped = True + ++ if self.skip_all_reason is not None: ++ self.result_skip("skipping:", self.skip_all_reason) ++ self.trs.write(":global-test-result: SKIP\n") ++ self.trs.write(":test-global-result: SKIP\n") ++ self.trs.write(":recheck: no\n") ++ return 0 ++ + # Basic collation of results + for (num, code) in self.reported.items(): + if code == "ERROR": +diff --git a/build/tap-gtester b/build/tap-gtester +index 7e667d4..bbda266 100755 +--- a/build/tap-gtester ++++ b/build/tap-gtester +@@ -1,4 +1,5 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 ++# This can also be run with Python 2. + + # Copyright (C) 2014 Red Hat, Inc. + # +@@ -30,9 +31,19 @@ + import argparse + import os + import select ++import signal + import subprocess + import sys + ++# Yes, it's dumb, but strsignal is not exposed in python ++# In addition signal numbers varify heavily from arch to arch ++def strsignal(sig): ++ for name in dir(signal): ++ if name.startswith("SIG") and sig == getattr(signal, name): ++ return name ++ return str(sig) ++ ++ + class NullCompiler: + def __init__(self, command): + self.command = command +@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler): + elif cmd == "result": + if self.test_name: + if data == "OK": +- print "ok %d %s" % (self.test_num, self.test_name) ++ print("ok %d %s" % (self.test_num, self.test_name)) + if data == "FAIL": +- print "not ok %d %s", (self.test_num, self.test_name) ++ print("not ok %d %s" % (self.test_num, self.test_name)) + self.test_name = None + elif cmd == "skipping": + if "/subprocess" not in data: +- print "ok %d # skip -- %s" % (self.test_num, data) ++ print("ok %d # skip -- %s" % (self.test_num, data)) + self.test_name = None + elif data: +- print "# %s: %s" % (cmd, 
data) ++ print("# %s: %s" % (cmd, data)) + else: +- print "# %s" % cmd ++ print("# %s" % cmd) + elif line.startswith("(MSG: "): +- print "# %s" % line[6:-1] ++ print("# %s" % line[6:-1]) + elif line: +- print "# %s" % line ++ print("# %s" % line) + sys.stdout.flush() + + def run(self, proc, output=""): +@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler): + if line.startswith("/"): + self.test_remaining.append(line.strip()) + if not self.test_remaining: +- print "Bail out! No tests found in GTest: %s" % self.command[0] ++ print("Bail out! No tests found in GTest: %s" % self.command[0]) + return 0 + +- print "1..%d" % len(self.test_remaining) ++ print("1..%d" % len(self.test_remaining)) + + # First try to run all the tests in a batch +- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE) ++ proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, ++ stdout=subprocess.PIPE, universal_newlines=True) + result = self.process(proc) + if result == 0: + return 0 + ++ if result < 0: ++ sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result))) ++ + # Now pick up any stragglers due to failures + while True: + # Assume that the last test failed + if self.test_name: +- print "not ok %d %s" % (self.test_num, self.test_name) ++ print("not ok %d %s" % (self.test_num, self.test_name)) + self.test_name = None + + # Run any tests which didn't get run +@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler): + break + + proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]], +- close_fds=True, stdout=subprocess.PIPE) ++ close_fds=True, stdout=subprocess.PIPE, ++ universal_newlines=True) + result = self.process(proc) + + # The various exit codes and signals we continue for +@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler): + return result + + def main(argv): +- parser = argparse.ArgumentParser(description='Automake TAP compiler') ++ parser = 
argparse.ArgumentParser(description='Automake TAP compiler', ++ usage="tap-gtester [--format FORMAT] command ...") + parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ], + default="auto", help='The input format to compile') + parser.add_argument('--verbose', action='store_true', + default=True, help='Verbose mode (ignored)') +- parser.add_argument('command', nargs='+', help="A test command to run") ++ parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run") + args = parser.parse_args(argv[1:]) + + output = None + format = args.format + cmd = args.command ++ if not cmd: ++ sys.stderr.write("tap-gtester: specify a command to run\n") ++ return 2 ++ if cmd[0] == '--': ++ cmd.pop(0) ++ + proc = None + + os.environ['HARNESS_ACTIVE'] = '1' + + if format in ["auto", "gtest"]: + list_cmd = cmd + ["-l", "--verbose"] +- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE) ++ proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE, ++ universal_newlines=True) + output = proc.stdout.readline() + # Smell whether we're dealing with GTest list output from first line + if "random seed" in output or "GTest" in output or output.startswith("/"): +@@ -164,7 +188,8 @@ def main(argv): + else: + format = "tap" + else: +- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE) ++ proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE, ++ universal_newlines=True) + + if format == "gtest": + compiler = GTestCompiler(cmd) +-- +2.14.4 + diff --git a/SOURCES/0002-doc-add-see-also-to-man-pages.patch b/SOURCES/0002-doc-add-see-also-to-man-pages.patch new file mode 100644 index 0000000..87d8b26 --- /dev/null +++ b/SOURCES/0002-doc-add-see-also-to-man-pages.patch 
@@ -0,0 +1,46 @@ +From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 29 Nov 2019 18:49:51 +0100 +Subject: [PATCH 2/2] doc: add see also to man pages + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001 +--- + doc/manual/realm.xml | 7 +++++++ + doc/manual/realmd.conf.xml | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml +index 55a7640..e5d4608 100644 +--- a/doc/manual/realm.xml ++++ b/doc/manual/realm.xml +@@ -440,4 +440,11 @@ $ realm deny --all + + + ++ ++ SEE ALSO ++ ++ realmd.conf ++ 5 ++ ++ + +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index fc6a785..1592291 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -471,4 +471,11 @@ fully-qualified-names = no + + + ++ ++ SEE ALSO ++ ++ realm ++ 8 ++ ++ + +-- +2.21.0 + diff --git a/SOURCES/ipa-packages.patch b/SOURCES/ipa-packages.patch new file mode 100644 index 0000000..67df543 --- /dev/null +++ b/SOURCES/ipa-packages.patch @@ -0,0 +1,13 @@ +diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf +index da2de55..856b36d 100644 +--- a/service/realmd-redhat.conf ++++ b/service/realmd-redhat.conf +@@ -20,7 +20,7 @@ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir + adcli = /usr/sbin/adcli + + [ipa-packages] +-freeipa-client = /usr/sbin/ipa-client-install ++ipa-client = /usr/sbin/ipa-client-install + + [commands] + winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service" diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec new file mode 100644 index 0000000..b1c6cf7 --- /dev/null +++ b/SPECS/realmd.spec 
@@ -0,0 +1,399 @@ +Name: realmd +Version: 0.16.3 +Release: 18%{?dist} +Summary: Kerberos realm enrollment service +License: LGPLv2+ +URL: http://cgit.freedesktop.org/realmd/realmd/ +Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz + +Patch1: 0001-LDAP-don-t-close-LDAP-socket-twice.patch +Patch2: 0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch +Patch3: 0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch +Patch4: 0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch +Patch5: 0001-switch-to-authselect.patch +Patch6: 0001-Fix-man-page-reference-in-systemd-service-file.patch +Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch +Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch +Patch9: 0001-tests-run-tests-with-python3.patch +Patch10: ipa-packages.patch +Patch11: 0001-Fix-issues-found-by-Coverity.patch + +Patch12: 0001-Change-qualified-names-default-for-IPA.patch + +Patch13: 0001-IPA-do-not-call-sssd-enable-logins.patch + +# rhbz#1747454 - rebuild fails if DISTRO variable is exported +Patch14: 0001-configure-do-not-inherit-DISTRO-from-the-environment.patch + +# rhbz#1747452 - realmd.conf user-principal RFE and clarification (plus dependencies) +Patch15: 0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch +Patch16: 0001-doc-make-sure-cross-reference-ids-are-predictable.patch +Patch17: 0001-doc-extend-user-principal-section.patch + +# rhbz#1747457 - realmd.conf documentation incorrect +Patch18: 0001-doc-fix-discover-name-only.patch +Patch19: 0002-doc-add-see-also-to-man-pages.patch + +# rhbz#1747456 - Document realmd.conf and how realmd reads the configuration +Patch20: 0001-doc-extend-description-of-config-handling.patch + +# rhbz#1801195 +Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch + +BuildRequires: gcc +BuildRequires: automake +BuildRequires: autoconf +BuildRequires: intltool pkgconfig +BuildRequires: gettext-devel +BuildRequires: glib2-devel >= 2.32.0 
+BuildRequires: openldap-devel +BuildRequires: polkit-devel +BuildRequires: krb5-devel +BuildRequires: systemd-devel +BuildRequires: libxslt +BuildRequires: xmlto +BuildRequires: %{_bindir}/python3 + +Requires: authselect +Requires: polkit + +%description +realmd is a DBus system service which manages discovery and enrollment in realms +and domains like Active Directory or IPA. The control center uses realmd as the +back end to 'join' a domain simply and automatically configure things correctly. + +%package devel-docs +Summary: Developer documentation files for %{name} + +%description devel-docs +The %{name}-devel package contains developer documentation for developing +applications that use %{name}. + +%define _hardened_build 1 + +%prep +%autosetup -p1 + +%build +autoreconf -fi +%configure --disable-silent-rules +make %{?_smp_mflags} + +%check +make check + +%install +make install DESTDIR=%{buildroot} + +%find_lang realmd + +%files -f realmd.lang +%doc AUTHORS COPYING NEWS README +%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf +%{_sbindir}/realm +%dir %{_prefix}/lib/realmd +%{_prefix}/lib/realmd/realmd +%{_prefix}/lib/realmd/realmd-defaults.conf +%{_prefix}/lib/realmd/realmd-distro.conf +%{_unitdir}/realmd.service +%{_datadir}/dbus-1/system-services/org.freedesktop.realmd.service +%{_datadir}/polkit-1/actions/org.freedesktop.realmd.policy +%{_mandir}/man8/realm.8.gz +%{_mandir}/man5/realmd.conf.5.gz +%{_localstatedir}/cache/realmd/ + +%files devel-docs +%doc %{_datadir}/doc/realmd/ +%doc ChangeLog + +%changelog +* Fri Feb 21 2020 Sumit Bose - 0.16.3-18 +- Fix kerberos method + Resolves: rhbz#1801195 + +* Sun Dec 01 2019 Sumit Bose - 0.16.3-17 +- rebuild fails if DISTRO variable is exported + Resolves: rhbz#1747454 +- realmd.conf user-principal RFE and clarification + Resolves: rhbz#1747452 +- realmd.conf documentation incorrect + Resolves: rhbz#1747457 +- Document realmd.conf and how realmd reads the configuration + Resolves: rhbz#1747456 + +* Thu Sep 
27 2018 Sumit Bose - 0.16.3-16 +- Do not call authselect for IPA domains + Resolves: rhbz#1633572 + +* Wed Aug 22 2018 Sumit Bose - 0.16.3-15 +- Change IPA defaults + Resolves: rhbz#1619162 + +* Tue Aug 14 2018 Sumit Bose - 0.16.3-14 +- Fix python BuildRequires + Resolves: rhbz#1615564 +- Add RHEL specific patch for IPA + Resolves: rhbz#1615320 +- Fix issues found by Coverity + Resolves: rhbz#1602677 + +* Wed Jul 04 2018 Sumit Bose - 0.16.3-13 +- Add latests patches from RHEL7 +- Add polkit runtime dependency + Resolves: rhbz#1577179 +- Drop python2 build dependency + Resolves: rhbz#1595813 +- Fix documentation reference in systemd unit file + Resolves: rhbz#1596325 +* Sun Mar 18 2018 RenĂ© Genz - 0.16.3-12 +- use correct authselect syntax for *-disable-logins to fix rhbz#1558245 +- Iryna Shcherbina + Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Thu Mar 01 2018 Sumit Bose - 0.16.3-11 +- Require authselect instead of authconfig, related: rhbz#1537246 + +* Tue Feb 20 2018 Sumit Bose - 0.16.3-10 +- added BuildRequires gcc +- Use authselect instead of authconfig, related: rhbz#1537246 + +* Fri Feb 09 2018 Fedora Release Engineering - 0.16.3-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Sep 05 2017 Petr Pisar - 0.16.3-8 +- Update all m4 macros to prevent from mismatching between Automake versions + +* Thu Aug 03 2017 Fedora Release Engineering - 0.16.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.16.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Apr 25 2017 Sumit Bose - 0.16.3-5 +- Resolves: rhbz#1445017 + +* Sat Feb 11 2017 Fedora Release Engineering - 0.16.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 19 2017 Merlin Mathesius - 0.16.3-3 +- Add BuildRequires: python to fix FTBFS 
(BZ#1415000). + +* Tue Dec 13 2016 Sumit Bose - 0.16.3-2 +- Resolves: rhbz#1401605 + +* Wed Nov 30 2016 Sumit Bose - 0.16.3-1 +- Updated to upstream 0.16.3 plus patches from git master + +* Fri Jun 03 2016 Sumit Bose - 0.16.2-5 +- properly apply patch for rhbz#1330766 +- Resolves: rhbz#1330766 + +* Wed May 18 2016 Sumit Bose - 0.16.2-4 +- Resolves: rhbz#1330766 + +* Thu Feb 04 2016 Fedora Release Engineering - 0.16.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Sep 11 2015 Stef Walter - 0.16.2-2 +- Fixed --computer-ou regression +- Show message when installing packages + +* Fri Jul 31 2015 Stef Walter - 0.16.2-1 +- Updated to upstream 0.16.2 +- Install to $prefix/lib instead of $libdir +- Resolves: rhbz#1246741 + +* Tue Jul 14 2015 Stef Walter - 0.16.1-1 +- Updated to upstream 0.16.1 +- Resolves: rhbz#1231128 + +* Thu Jun 18 2015 Fedora Release Engineering - 0.16.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Apr 14 2015 Stef Walter - 0.16.0-1 +- Updated to upstream 0.16.0 +- Resolves: rhbz#1205753 +- Resolves: rhbz#1142190 +- Resolves: rhbz#1061091 +- Resolves: rhbz#1205752 + +* Thu Apr 09 2015 Stephen Gallagher - 0.15.2-2 +- Resolves: rhbz#1210483 + +* Mon Oct 06 2014 Stef Walter - 0.15.2-1 +- Update to upstream 0.15.2 + +* Sun Aug 17 2014 Fedora Release Engineering - 0.15.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 0.15.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat May 31 2014 Peter Robinson 0.15.1-2 +- Move ChangeLog to devel-docs. 
NEWS is probably riveting enough for users + +* Fri May 23 2014 Stef Walter - 0.15.1-1 +- Update to upstream 0.15.1 +- Remove the packagekit patch that's now integrated upstream + +* Thu Jan 30 2014 Richard Hughes - 0.15.0-2 +- Rebuild for libpackagekit-glib soname bump + +* Tue Jan 07 2014 Stef Walter - 0.15.0-1 +- Update to upstream 0.15.0 release, fixing various bugs + +* Mon Sep 09 2013 Stef Walter - 0.14.6-1 +- Update to upstream 0.14.6 point release +- Set 'kerberos method = system keytab' in smb.conf properly +- Limit Netbios name to 15 chars when joining AD domain + +* Thu Aug 15 2013 Stef Walter - 0.14.5-1 +- Update to upstream 0.14.5 point release +- Fix regression conflicting --unattended and -U as in --user args +- Pass discovered server address to adcli tool + +* Wed Aug 07 2013 Stef Walter - 0.14.4-1 +- Update to upstream 0.14.4 point release +- Fix up the [sssd] section in sssd.conf if it's screwed up +- Add an --unattended argument to realm command line client +- Clearer 'realm permit' manual page example + +* Wed Aug 07 2013 Stef Walter - 0.14.3-1 +- Update to upstream 0.14.3 point release +- Populate LoginFormats correctly [#961442] +- Documentation clarifications +- Set sssd.conf default_shell per domain +- Notify in terminal output when installing packages +- If joined via adcli, delete computer with adcli too [#961244] +- If input is not a tty, read from stdin without getpass() [#983153] +- Configure pam_winbind.conf appropriately [#983153] +- Refer to FreeIPA as IPA +- Support use of kerberos ccache to join when winbind + +* Sun Aug 04 2013 Fedora Release Engineering - 0.14.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Stef Walter - 0.14.2-4 +- Build with verbose automake output + +* Tue Jun 11 2013 Stef Walter - 0.14.2-3 +- Run test suite when building the package +- Fix rpmlint errors + +* Thu Jun 06 2013 Stef Walter - 0.14.2-2 +- Install oddjobd and oddjob-mkhomedir when joining domains 
[#969441] + +* Mon May 27 2013 Stef Walter - 0.14.2-1 +- Update to upstream 0.14.2 version +- Discover FreeIPA 3.0 with AD trust correctly [#966148] +- Only allow joining one realm by default [#966650] +- Enable the oddjobd service after joining a domain [#964971] +- Remove sssd.conf allow lists when permitting all [#965760] +- Add dependency on authconfig [#964675] +- Remove glib-networking dependency now that we no longer use SSL. + +* Mon May 13 2013 Stef Walter - 0.14.1-1 +- Update to upstream 0.14.1 version +- Fix crasher/regression using passwords with joins [#961435] +- Make second Ctrl-C just quit realm tool [#961325] +- Fix critical warning when leaving IPA realm [#961320] +- Don't print out journalctl command in obvious situations [#961230] +- Document the --all option to 'realm discover' [#961279] +- No need to require sssd-tools package [#961254] +- Enable services even in install mode [#960887] +- Use the AD domain name in sssd.conf directly [#960270] +- Fix critical warning when service Release() method [#961385] + +* Mon May 06 2013 Stef Walter - 0.14.0-1 +- Work around broken krb5 with empty passwords [#960001] +- Add manual page for realmd.conf [#959357] +- Update to upstream 0.14.0 version + +* Thu May 02 2013 Stef Walter - 0.13.91-1 +- Fix regression when using one time password [#958667] +- Support for permitting logins by group [#887675] + +* Mon Apr 29 2013 Stef Walter - 0.13.90-1 +- Add option to disable package-kit installs [#953852] +- Add option to use unqualified names [#953825] +- Better discovery of domains [#953153] +- Concept of managing parts of the system [#914892] +- Fix problems with cache directory [#913457] +- Clearly explain when realm cannot be joined [#878018] +- Many other upstream enhancements and fixes + +* Wed Apr 17 2013 Stef Walter - 0.13.3-2 +- Add missing glib-networking dependency, currently used + for FreeIPA discovery [#953151] + +* Wed Apr 17 2013 Stef Walter - 0.13.3-1 +- Update for upstream 0.13.3 version +- Add 
dependency on systemd for installing service file + +* Tue Apr 16 2013 Stef Walter - 0.13.2-2 +- Fix problem with sssd not starting after joining + +* Mon Feb 18 2013 Stef Walter - 0.13.2-1 +- Update to upstream 0.13.2 version + +* Mon Feb 18 2013 Stef Walter - 0.13.1-1 +- Update to upstream 0.13.1 version for bug fixes + +* Thu Feb 14 2013 Fedora Release Engineering - 0.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Stef Walter - 0.12-1 +- Update to upstream 0.12 version for bug fixes + +* Tue Oct 30 2012 Stef Walter - 0.11-1 +- Update to upstream 0.11 version + +* Sat Oct 20 2012 Stef Walter - 0.10-1 +- Update to upstream 0.10 version + +* Wed Oct 17 2012 Stef Walter - 0.9-1 +- Update to upstream 0.9 version + +* Wed Sep 19 2012 Stef Walter - 0.8-2 +- Add openldap-devel build requirement + +* Wed Sep 19 2012 Stef Walter - 0.8-1 +- Update to upstream 0.8 version +- Add support for translations + +* Mon Aug 20 2012 Stef Walter - 0.7-2 +- Build requires gtk-doc + +* Mon Aug 20 2012 Stef Walter - 0.7-1 +- Update to upstream 0.7 version +- Remove files no longer present in upstream version +- Put documentation in its own realmd-devel-docs subpackage +- Update upstream URLs + +* Mon Aug 6 2012 Stef Walter - 0.6-1 +- Update to upstream 0.6 version + +* Tue Jul 17 2012 Stef Walter - 0.5-2 +- Remove missing SssdIpa.service file from the files list. + This file will return upstream in 0.6 + +* Tue Jul 17 2012 Stef Walter - 0.5-1 +- Update to upstream 0.5 version + +* Tue Jun 19 2012 Stef Walter - 0.4-1 +- Update to upstream 0.4 version +- Cleanup various rpmlint warnings + +* Tue Jun 19 2012 Stef Walter - 0.3-2 +- Add doc files +- Own directories +- Remove obsolete parts of spec file +- Remove explicit dependencies +- Updated License line to LGPLv2+ + +* Tue Jun 19 2012 Stef Walter - 0.3 +- Build fixes + +* Mon Jun 18 2012 Stef Walter - 0.2 +- Initial RPM
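Review bot: `Source0` and `URL` use plain `http://`, and `%prep` goes straight to `%autosetup -p1` with no signature check on the tarball, so the integrity of the upstream source rests entirely on whatever checksum the package source store records. Where upstream serves the release over TLS, `Source0: https://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz` is the small change. If upstream publishes detached signatures (not visible here), a verification step in `%prep` would be the stronger control. Separately, `%define _hardened_build 1` sits between the package descriptions and `%prep`; the usual form is `%global _hardened_build 1` near the top of the spec so the hardening flags are unambiguously in effect for `%build`.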
+ +- +- +-

+- +- +- +-

+-
+- +-

+- +- +- +- +- +- +- +- +-

+-
+-
+-

++ ++ ++

++ ++ ++ ++

++ ++ ++

++ ++ ++ ++ ++ ++ ++ ++ ++

++
++ ++

+ +

+
++