diff --git a/SOURCES/0001-ldap-add-socket-timeout.patch b/SOURCES/0001-ldap-add-socket-timeout.patch new file mode 100644 index 0000000..2ba2db6 --- /dev/null +++ b/SOURCES/0001-ldap-add-socket-timeout.patch @@ -0,0 +1,78 @@ +From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 24 Nov 2021 17:25:18 +0100 +Subject: [PATCH] ldap: add socket timeout + +During the discovery phase realmd tries to open LDAP connections to +multiple DC addresses returned by DNS. When cleaning up we have to call +ldap_destroy() to release the resources allocated for the LDAP context. +ldap_destroy() tries to send a LDAP unbind request independent of the +connection state. If the related address is block by a firewall or a not +properly routed IPv6 address there might be no reply on the TCP level +and the request might be stuck for quite some tome in the kernel. + +To avoid the unexpected long delays will block realmd this patch lowers +the timeout considerably to 5s. As multiple other timeouts this value is +currently hardcoded. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869 +--- + service/realm-ldap.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/service/realm-ldap.c b/service/realm-ldap.c +index bdfb96c..f7b6d13 100644 +--- a/service/realm-ldap.c ++++ b/service/realm-ldap.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + +@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = { + + /* Not included in ldap.h but documented */ + int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp); ++#define LDAP_SOCKET_TIMEOUT 5 + + GSource * + realm_ldap_connect_anonymous (GSocketAddress *address, +@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address, + int opt_rc; + int ldap_opt_val; + const char *errmsg = NULL; ++ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0}; ++ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000; + + g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL); + +@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address, + if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL)) + g_warning ("couldn't set to blocking"); + ++ /* Lower the kernel defaults which might be minutes to hours */ ++ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO, ++ &tv, sizeof (tv)); ++ if (rc != 0) { ++ g_warning ("couldn't set SO_RCVTIMEO"); ++ } ++ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO, ++ &tv, sizeof (tv)); ++ if (rc != 0) { ++ g_warning ("couldn't set SO_SNDTIMEO"); ++ } ++ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT, ++ &milli, sizeof (milli)); ++ if (rc != 0) { ++ g_warning ("couldn't set TCP_USER_TIMEOUT"); ++ } ++ + if (family == G_SOCKET_FAMILY_IPV4) { + url = g_strdup_printf ("%s://%s:%d", + use_ldaps ? "ldaps" : "ldap", +-- +2.34.1 + diff --git a/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch b/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch new file mode 100644 index 0000000..3200e8a --- /dev/null +++ b/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch @@ -0,0 +1,128 @@ +From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 14 Dec 2021 15:32:32 +0100 +Subject: [PATCH] samba: use new Samba-4.15 command line options + +Samba-4.15 changed a couple of command line options of the net utility. +This patch adds a configure option to select the new or the old style. +If the option is not used configure tries to call the net utility to +check for the options. If this fails the old style is used. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530 +--- + configure.ac | 34 ++++++++++++++++++++++++++++++++++ + service/realm-samba-enroll.c | 18 +++++++++++++----- + 2 files changed, 47 insertions(+), 5 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ea51f92..ddc25d0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -227,6 +227,40 @@ LDAP_CFLAGS="" + AC_SUBST(LDAP_LIBS) + AC_SUBST(LDAP_CFLAGS) + ++# ------------------------------------------------------------------- ++# Samba ++ ++AC_ARG_WITH(new-samba-cli-options, ++ AS_HELP_STRING([--with-new-samba-cli-options=yes/no], ++ [Use new command line options introduced with Samba-4.15, ++ if not provided the output of 'net help' is checked or old ++ style options are used])) ++ ++if test "$with_new_samba_cli_options" = "no"; then ++ AC_MSG_RESULT([Using old Samba command line options]) ++elif test "$with_new_samba_cli_options" = "yes"; then ++ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1, ++ [Use new command line options introduced with Samba-4.15]) ++ AC_MSG_RESULT([Using new Samba command line options]) ++else ++ AC_PATH_PROG([SAMBA_NET], [net]) ++ if test ! -x "$SAMBA_NET"; then ++ AC_MSG_NOTICE([Could not find Samba's net utility, ] ++ [assuming old style command line options, ] ++ [please install the net utility for proper detection.]) ++ else ++ AC_MSG_CHECKING([for --debug-stdout option of net]) ++ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then ++ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1, ++ [Use new command line options introduced with Samba-4.15]) ++ AC_MSG_RESULT([yes]) ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++fi ++ ++ + # ------------------------------------------------------------------- + # Directories + +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index 5624a08..8b2ee38 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -37,6 +37,14 @@ + #include + #include + ++#ifdef WITH_NEW_SAMBA_CLI_OPTS ++#define SMBCLI_KERBEROS "--use-kerberos=required" ++#define SMBCLI_CONF "--configfile" ++#else ++#define SMBCLI_KERBEROS "-k" ++#define SMBCLI_CONF "-s" ++#endif ++ + typedef struct { + GDBusMethodInvocation *invocation; + gchar *join_args[8]; +@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join, + /* Use our custom smb.conf */ + g_ptr_array_add (args, (gpointer)realm_settings_path ("net")); + if (join->custom_smb_conf) { +- g_ptr_array_add (args, "-s"); ++ g_ptr_array_add (args, SMBCLI_CONF); + g_ptr_array_add (args, join->custom_smb_conf); + } + +@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source, + } else { + begin_net_process (join, NULL, + on_keytab_do_finish, g_object_ref (task), +- "-k", "ads", "keytab", "create", NULL); ++ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL); + } + + g_object_unref (task); +@@ -428,7 +436,7 @@ begin_join (GTask *task, + begin_net_process (join, join->password_input, + on_join_do_keytab, g_object_ref (task), + "-U", join->user_name, +- "-k", "ads", "join", join->disco->domain_name, ++ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name, + join->join_args[0], join->join_args[1], + join->join_args[2], join->join_args[3], + join->join_args[4], NULL); +@@ -437,7 +445,7 @@ begin_join (GTask *task, + } else { + begin_net_process (join, NULL, + on_join_do_keytab, g_object_ref (task), +- "-k", "ads", "join", join->disco->domain_name, ++ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name, + join->join_args[0], join->join_args[1], + join->join_args[2], join->join_args[3], + join->join_args[4], NULL); +@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, + join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file); + begin_net_process (join, NULL, + on_leave_complete, g_object_ref (task), +- "-k", "ads", "leave", NULL); ++ SMBCLI_KERBEROS, "ads", "leave", NULL); + break; + default: + g_return_if_reached (); +-- +2.33.1 + diff --git a/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch b/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch new file mode 100644 index 0000000..9e044bc --- /dev/null +++ b/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch @@ -0,0 +1,38 @@ +From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 25 Nov 2021 14:36:10 +0100 +Subject: [PATCH] syslog: avoid duplicate log messages + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248 +--- + service/realm-diagnostics.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c +index 850b2e3..6aa5288 100644 +--- a/service/realm-diagnostics.c ++++ b/service/realm-diagnostics.c +@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation, + while ((ptr = memchr (at, '\n', length)) != NULL) { + *ptr = '\0'; + if (line_buffer && line_buffer->len > 0) { ++#ifdef WITH_JOURNAL ++ /* Call realm_daemon_syslog directly to add ++ * REALMD_OPERATION to the jounrnal */ + realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at); ++#else + g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at); ++#endif + g_string_set_size (line_buffer, 0); + } else { ++#ifdef WITH_JOURNAL + realm_daemon_syslog (operation, log_level, "%s", at); ++#else + g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at); ++#endif + } + + *ptr = '\n'; +-- +2.33.1 + diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec index 2e893d8..25a4e2b 100644 --- a/SPECS/realmd.spec +++ b/SPECS/realmd.spec @@ -1,6 +1,6 @@ Name: realmd Version: 0.16.3 -Release: 23%{?dist} +Release: 25%{?dist} Summary: Kerberos realm enrollment service License: LGPLv2+ URL: http://cgit.freedesktop.org/realmd/realmd/ @@ -67,6 +67,16 @@ Patch36: 0003-service-make-TLS-check-more-releaxed.patch Patch37: 0001-doc-add-computer-name-to-realm-man-page.patch Patch38: 0001-build-add-with-vendor-error-message-configure-option.patch +# rhbz#2024248 - realmd logs are duplicated +Patch39: 0001-syslog-avoid-duplicate-log-messages.patch + +# rhbz#2028528 - realm join needs to updated to use the command line options of +# Samba's net command +Patch40: 0001-samba-use-new-Samba-4.15-command-line-options.patch + +# rhbz#2037864 - realmd operations hang if a DC is unreachable +Patch41: 0001-ldap-add-socket-timeout.patch + BuildRequires: gcc BuildRequires: automake BuildRequires: autoconf @@ -79,10 +89,14 @@ BuildRequires: krb5-devel BuildRequires: systemd-devel BuildRequires: libxslt BuildRequires: xmlto +BuildRequires: samba-common-tools BuildRequires: %{_bindir}/python3 Requires: authselect Requires: polkit +# This build will use Samba's new command line options so it cannot be used +# with older versions of Samba. +Conflicts: samba-common-tools < 4.15 %description realmd is a DBus system service which manages discovery and enrollment in realms @@ -104,6 +118,7 @@ applications that use %{name}. %build autoreconf -fi %configure --disable-silent-rules \ + --with-new-samba-cli-options=yes \ %if 0%{?rhel} --with-vendor-error-message='Please check\n https://red.ht/support_rhel_ad \nto get help for common issues.' \ %endif @@ -149,6 +164,15 @@ make install DESTDIR=%{buildroot} %doc ChangeLog %changelog +* Mon Jan 10 2022 Sumit Bose - 0.16.3-25 +- add LDAP socket timeout + Resolves: rhbz#2037864 + +* Wed Dec 15 2021 Sumit Bose - 0.16.3-24 +- Avoid duplicated log messages and use Samba's new CLI options + Resolves: rhbz#2024248 + Resolves: rhbz#2028528 + * Tue May 11 2021 Sumit Bose - 0.16.3-23 - Add restart macro and vendor message to spec file Resolves: rhbz#1926046