diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..db1c834
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/realmd-0.16.1.tar.gz
diff --git a/.realmd.metadata b/.realmd.metadata
new file mode 100644
index 0000000..1a53878
--- /dev/null
+++ b/.realmd.metadata
@@ -0,0 +1 @@
+f761e3a1b1c9843e195581c77b0c0bbf6263ce17 SOURCES/realmd-0.16.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Add-os-name-and-os-version-command-line-options.patch b/SOURCES/0001-Add-os-name-and-os-version-command-line-options.patch
new file mode 100644
index 0000000..6d282c4
--- /dev/null
+++ b/SOURCES/0001-Add-os-name-and-os-version-command-line-options.patch
@@ -0,0 +1,182 @@ +From ca6684a68d2a9887c2e06e58a7fdfa3d327c8052 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 28 Jun 2016 18:14:09 +0200 +Subject: [PATCH] Add os-name and os-version command line options + +--- + dbus/realm-dbus-constants.h | 2 ++ + doc/manual/realm.xml | 12 ++++++++++++ + doc/manual/realmd.conf.xml | 5 +++++ + service/realm-adcli-enroll.c | 4 ++-- + service/realm-options.c | 18 ++++++++++++++++++ + service/realm-options.h | 3 +++ + service/realm-samba-enroll.c | 4 ++-- + tools/realm-join.c | 8 ++++++++ + 8 files changed, 52 insertions(+), 4 deletions(-) + +diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h +index 3a67a00..9cd30ef 100644 +--- a/dbus/realm-dbus-constants.h ++++ b/dbus/realm-dbus-constants.h +@@ -67,6 +67,8 @@ G_BEGIN_DECLS + #define REALM_DBUS_OPTION_USER_PRINCIPAL "user-principal" + #define REALM_DBUS_OPTION_MANAGE_SYSTEM "manage-system" + #define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name" ++#define REALM_DBUS_OPTION_OS_NAME "os-name" ++#define REALM_DBUS_OPTION_OS_VERSION "os-version" + + #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" + #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" +diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml +index baa0d8c..6724d80 100644 +--- a/doc/manual/realm.xml ++++ b/doc/manual/realm.xml +@@ -243,6 +243,18 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com + the value for this option, then a principal will be set + in the form of host/shortname@REALM + ++ ++ ++ The name of the operation system of the ++ client. When joining an AD domain the value is store in ++ the matching AD attribute. ++ ++ ++ ++ The version of the operation system of the ++ client. When joining an AD domain the value is store in ++ the matching AD attribute. 
++ + + + +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index f8c87b9..7853230 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -149,6 +149,11 @@ domain.example.com + + This is an Active Directory specific option. + ++ It is also possible to use the ++ or argument of the ++ realm command to override the default ++ values. ++ + + + [active-directory] +diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c +index 0c506f9..05947fa 100644 +--- a/service/realm-adcli-enroll.c ++++ b/service/realm-adcli-enroll.c +@@ -139,13 +139,13 @@ realm_adcli_enroll_join_async (RealmDisco *disco, + g_ptr_array_add (args, (gpointer)computer_ou); + } + +- os = realm_settings_value ("active-directory", "os-name"); ++ os = realm_options_ad_specific (options, "os-name"); + if (os != NULL && !g_str_equal (os, "")) { + g_ptr_array_add (args, "--os-name"); + g_ptr_array_add (args, (gpointer)os); + } + +- os = realm_settings_value ("active-directory", "os-version"); ++ os = realm_options_ad_specific (options, "os-version"); + if (os != NULL && !g_str_equal (os, "")) { + g_ptr_array_add (args, "--os-version"); + g_ptr_array_add (args, (gpointer)os); +diff --git a/service/realm-options.c b/service/realm-options.c +index b9f59c6..bd804ea 100644 +--- a/service/realm-options.c ++++ b/service/realm-options.c +@@ -180,3 +180,21 @@ realm_options_computer_name (GVariant *options, + + return g_strdup (computer_name); + } ++ ++const gchar * ++realm_options_ad_specific (GVariant *options, ++ const gchar *option_name) ++{ ++ const gchar *value = NULL; ++ ++ if (options) { ++ if (!g_variant_lookup (options, option_name, "&s", &value)) ++ value = NULL; ++ } ++ ++ if (!value) { ++ value = realm_settings_value ("active-directory", option_name); ++ } ++ ++ return g_strdup (value); ++} +diff --git a/service/realm-options.h b/service/realm-options.h +index e31cddc..7a1355e 100644 +--- a/service/realm-options.h ++++ b/service/realm-options.h 
+@@ -44,6 +44,9 @@ gboolean realm_options_check_domain_name (const gchar *domain_name) + const gchar * realm_options_computer_name (GVariant *options, + const gchar *realm_name); + ++const gchar * realm_options_ad_specific (GVariant *options, ++ const gchar *option_name); ++ + G_END_DECLS + + #endif /* __REALM_OPTIONS_H__ */ +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index f2392a9..c81aed2 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -335,11 +335,11 @@ begin_join (GTask *task, + } + } + +- os = realm_settings_value ("active-directory", "os-name"); ++ os = realm_options_ad_specific(options, "os-name"); + if (os != NULL && !g_str_equal (os, "")) + join->join_args[at++] = g_strdup_printf ("osName=%s", os); + +- os = realm_settings_value ("active-directory", "os-version"); ++ os = realm_options_ad_specific(options, "os-version"); + if (os != NULL && !g_str_equal (os, "")) + join->join_args[at++] = g_strdup_printf ("osVer=%s", os); + +diff --git a/tools/realm-join.c b/tools/realm-join.c +index 3685bb9..8e46c20 100644 +--- a/tools/realm-join.c ++++ b/tools/realm-join.c +@@ -169,6 +169,8 @@ typedef struct { + gchar *user; + gchar *computer_ou; + gchar *computer_name; ++ gchar *os_name; ++ gchar *os_version; + gchar *client_software; + gchar *server_software; + gchar *membership_software; +@@ -241,6 +243,8 @@ perform_join (RealmClient *client, + + options = realm_build_options (REALM_DBUS_OPTION_COMPUTER_OU, args->computer_ou, + REALM_DBUS_OPTION_COMPUTER_NAME, args->computer_name, ++ REALM_DBUS_OPTION_OS_NAME, args->os_name, ++ REALM_DBUS_OPTION_OS_VERSION, args->os_version, + REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software, + REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal, + args->automatic_id_mapping_set ? 
+@@ -288,6 +292,10 @@ realm_join (RealmClient *client, + N_("Computer OU DN to join"), NULL }, + { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name, + N_("Use specific computer name instead of hostname"), NULL }, ++ { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name, ++ N_("Use specific operation system name"), NULL }, ++ { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version, ++ N_("Use specific operation system version"), NULL }, + { "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software, + N_("Use specific client software"), NULL }, + { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software, +-- +2.7.4 + diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch new file mode 100644 index 0000000..894fe93 --- /dev/null +++ b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch 
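Review bot: `realm_options_ad_specific` in service/realm-options.c returns `g_strdup (value)` through a `const gchar *`, and both callers assign the result to `os`, overwrite it with the second lookup and never free it, so the copies look leaked on every join (whether the adcli `args` array takes ownership is not visible in these hunks). Returning the looked-up pointer directly, `return value;`, matches the const return type as long as `options` outlives the use; otherwise declare the return type as `gchar *` and `g_free` the result at the call sites. `realm_options_computer_name`, added by 0001-Support-manually-setting-computer-name.patch, has the same `return g_strdup (computer_name);` shape. In tools/realm-join.c the new `os_name` and `os_version` fields get no `g_free` in `realm_join_args_clear`, unlike `computer_name` in the 0002 patch. The values now also arrive from the D-Bus caller rather than only from realmd.conf, and the only check before they reach adcli and `net` is the empty-string test, so a length and printable-character check where the option is read would be worth adding.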
@@ -0,0 +1,168 @@ +From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 31 May 2018 16:16:08 +0200 +Subject: [PATCH] Find NetBIOS name in keytab while leaving + +If realmd is used with Samba as membership software, i.e. Samba's net +utility, the NetBIOS name must be known when leaving a domain. The most +reliable way to find it is by searching the keytab for NAME$@REALM type +entries and use the NAME as the NetBIOS name. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457 +--- + service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++ + service/realm-kerberos.h | 2 ++ + service/realm-samba-enroll.c | 17 ++++++++-- + 3 files changed, 80 insertions(+), 3 deletions(-) + +diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c +index 54d1ed7..d6d109f 100644 +--- a/service/realm-kerberos.c ++++ b/service/realm-kerberos.c +@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name, + return ret; + + } ++ ++gchar * ++realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name) ++{ ++ krb5_error_code code; ++ krb5_keytab keytab = NULL; ++ krb5_context ctx; ++ krb5_kt_cursor cursor = NULL; ++ krb5_keytab_entry entry; ++ krb5_principal realm_princ = NULL; ++ gchar *princ_name = NULL; ++ gchar *netbios_name = NULL; ++ krb5_data *name_data; ++ ++ code = krb5_init_context (&ctx); ++ if (code != 0) { ++ return NULL; ++ } ++ ++ princ_name = g_strdup_printf ("user@%s", realm_name); ++ code = krb5_parse_name (ctx, princ_name, &realm_princ); ++ g_free (princ_name); ++ ++ if (code == 0) { ++ code = krb5_kt_default (ctx, &keytab); ++ } ++ ++ if (code == 0) { ++ code = krb5_kt_start_seq_get (ctx, keytab, &cursor); ++ } ++ ++ if (code == 0) { ++ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) { ++ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) { ++ name_data = krb5_princ_component (ctx, entry.principal, 0); ++ if (name_data != NULL ++ 
&& name_data->length > 0 ++ && name_data->data[name_data->length - 1] == '$') { ++ netbios_name = g_strndup (name_data->data, name_data->length - 1); ++ if (netbios_name == NULL) { ++ code = krb5_kt_free_entry (ctx, &entry); ++ warn_if_krb5_failed (ctx, code); ++ break; ++ } ++ } ++ } ++ code = krb5_kt_free_entry (ctx, &entry); ++ warn_if_krb5_failed (ctx, code); ++ } ++ } ++ ++ code = krb5_kt_end_seq_get (ctx, keytab, &cursor); ++ warn_if_krb5_failed (ctx, code); ++ ++ code = krb5_kt_close (ctx, keytab); ++ warn_if_krb5_failed (ctx, code); ++ ++ krb5_free_principal (ctx, realm_princ); ++ ++ krb5_free_context (ctx); ++ ++ return netbios_name; ++ ++} +diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h +index 0447e4d..58cfe07 100644 +--- a/service/realm-kerberos.h ++++ b/service/realm-kerberos.h +@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self, + gboolean realm_kerberos_flush_keytab (const gchar *realm_name, + GError **error); + ++gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name); ++ + const gchar * realm_kerberos_get_name (RealmKerberos *self); + + const gchar * realm_kerberos_get_realm_name (RealmKerberos *self); +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index 76e7b79..f5edca3 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -85,7 +85,8 @@ static JoinClosure * + join_closure_init (GTask *task, + RealmDisco *disco, + GVariant *options, +- GDBusMethodInvocation *invocation) ++ GDBusMethodInvocation *invocation, ++ gboolean do_join) + { + JoinClosure *join; + gchar *workgroup; +@@ -93,6 +94,7 @@ join_closure_init (GTask *task, + int temp_fd; + const gchar *explicit_computer_name = NULL; + const gchar *authid = NULL; ++ gchar *name_from_keytab = NULL; + + join = g_new0 (JoinClosure, 1); + join->disco = realm_disco_ref (disco); +@@ -106,6 +108,14 @@ join_closure_init (GTask *task, + else if (disco->explicit_netbios) + authid = 
disco->explicit_netbios; + ++ /* try to get the NetBIOS name from the keytab while leaving the domain */ ++ if (explicit_computer_name == NULL && !do_join) { ++ name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm); ++ if (name_from_keytab != NULL) { ++ authid = name_from_keytab; ++ } ++ } ++ + join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE); + realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, + "security", "ads", +@@ -151,6 +161,7 @@ join_closure_init (GTask *task, + g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ()); + } + ++ g_free (name_from_keytab); + return join; + } + +@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco, + g_return_if_fail (cred != NULL); + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, options, invocation); ++ join = join_closure_init (task, disco, options, invocation, TRUE); + explicit_computer_name = realm_options_computer_name (options, disco->domain_name); + if (explicit_computer_name != NULL) { + realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", +@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, + JoinClosure *join; + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, options, invocation); ++ join = join_closure_init (task, disco, options, invocation, FALSE); + + switch (cred->type) { + case REALM_CREDENTIAL_PASSWORD: +-- +2.17.1 + diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch new file mode 100644 index 0000000..ee9e081 --- /dev/null +++ b/SOURCES/0001-Fix-issues-found-by-Coverity.patch 
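Review bot: The cleanup at the end of `realm_kerberos_get_netbios_name_from_keytab` runs unconditionally, so when `krb5_parse_name` or `krb5_kt_default` fails, `krb5_kt_end_seq_get` and `krb5_kt_close` are called with `keytab` still NULL, and when `krb5_kt_start_seq_get` fails the sequence is ended without having been started; as far as I know MIT krb5 does not accept a NULL keytab there, which would crash the realmd service during a leave. The loop condition also calls `krb5_kt_next_entry` before testing `netbios_name == NULL`, so once a name is found one more entry is fetched and never released; `while (netbios_name == NULL && !krb5_kt_next_entry (ctx, keytab, &entry, &cursor))` avoids that. The `netbios_name == NULL` branch after `g_strndup` is unreachable, since GLib aborts on allocation failure rather than returning NULL for a non-NULL source. The guarded cleanup is sketched below.

```c
	gboolean seq_started = FALSE;

	/* … unchanged: krb5_init_context, krb5_parse_name, krb5_kt_default … */

	if (code == 0) {
		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
		seq_started = (code == 0);
	}

	/* … unchanged: keytab entry loop … */

	if (seq_started) {
		code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
		warn_if_krb5_failed (ctx, code);
	}

	if (keytab != NULL) {
		code = krb5_kt_close (ctx, keytab);
		warn_if_krb5_failed (ctx, code);
	}

	/* … unchanged: krb5_free_principal, krb5_free_context, return … */
```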
@@ -0,0 +1,42 @@
+From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 14 Aug 2018 14:09:48 +0200
+Subject: [PATCH] Fix issues found by Coverity
+
+---
+ service/realm-kerberos.c | 5 ++++-
+ service/realm-packages.c | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index d6d109f..252e256 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
+ if (name == NULL)
+ break;
+ value = va_arg (va, const gchar *);
+- g_return_if_fail (value != NULL);
++ if (value == NULL) {
++ va_end (va);
++ g_return_if_reached ();
++ }
+
+ values[0] = g_variant_new_string (name);
+ values[1] = g_variant_new_string (value);
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 9a6984c..5976439 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
+ g_ptr_array_add (packages, NULL);
+ *result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
+ } else {
+- g_ptr_array_free (files, TRUE);
++ g_ptr_array_free (packages, TRUE);
+ }
+
+ if (result_files) {
+--
+2.17.1
+
diff --git a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
new file mode 100644
index 0000000..fe46620
--- /dev/null
+++ b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
@@ -0,0 +1,24 @@
+From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 27 Jul 2016 19:06:29 +0200
+Subject: [PATCH] Fix man page reference in systemd service file
+
+---
+ dbus/realmd.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
+index b3bcf7a..64c1090 100644
+--- a/dbus/realmd.service.in
++++ b/dbus/realmd.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=Realm and Domain Configuration
+-Documentation=man:realmd(8)
++Documentation=man:realm(8)
+
+ [Service]
+ Type=dbus
+--
+2.7.4
+
diff --git a/SOURCES/0001-Make-DBus-aware-of-systemd.patch b/SOURCES/0001-Make-DBus-aware-of-systemd.patch
new file mode 100644
index 0000000..a12ff02
--- /dev/null
+++ b/SOURCES/0001-Make-DBus-aware-of-systemd.patch
@@ -0,0 +1,53 @@
+From 03f949a0b394ab954fc68f33e092dc0bb1fec406 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 28 Jun 2016 14:41:01 +0200
+Subject: [PATCH] Make DBus aware of systemd
+
+---
+ Makefile.am | 1 +
+ configure.ac | 7 +++++++
+ dbus/org.freedesktop.realmd.service.in | 1 +
+ 3 files changed, 9 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 52de3dc..c81f048 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -49,6 +49,7 @@ SED_SUBST = sed \
+ -e 's,[@]abs_srcdir[@],$(abs_srcdir),g' \
+ -e 's,[@]srcdir[@],$(srcdir),g' \
+ -e 's,[@]privatedir[@],$(privatedir),g' \
++ -e 's,[@]dbus_systemd_service[@],$(dbus_systemd_service),g' \
+ -e 's,[@]PACKAGE[@],$(PACKAGE),g' \
+ -e 's,[@]VERSION[@],$(VERSION),g' \
+ $(NULL)
+diff --git a/configure.ac b/configure.ac
+index 032cdaa..0376887 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -110,6 +110,13 @@ fi
+ SYSTEMD_UNIT_DIR="$with_systemd_unit_dir"
+ AC_SUBST(SYSTEMD_UNIT_DIR)
+ AM_CONDITIONAL(WITH_SYSTEMD, [test -n "$with_systemd_unit_dir"])
++
++dbus_systemd_service=""
++if test -n "$with_systemd_unit_dir"; then
++ dbus_systemd_service="SystemdService=realmd.service"
++fi
++AC_SUBST(dbus_systemd_service)
++
+ AC_MSG_RESULT($with_systemd_unit_dir)
+
+ AC_ARG_WITH(systemd-journal,
+diff --git a/dbus/org.freedesktop.realmd.service.in b/dbus/org.freedesktop.realmd.service.in
+index 834e23f..51132f6 100644
+--- a/dbus/org.freedesktop.realmd.service.in
++++ b/dbus/org.freedesktop.realmd.service.in
+@@ -2,3 +2,4 @@
+ Name=org.freedesktop.realmd
+ Exec=@privatedir@/realmd
+ User=root
++@dbus_systemd_service@
+--
+2.7.4
+
diff --git a/SOURCES/0001-Support-manually-setting-computer-name.patch b/SOURCES/0001-Support-manually-setting-computer-name.patch
new file mode 100644
index 0000000..985e340
--- /dev/null
+++ b/SOURCES/0001-Support-manually-setting-computer-name.patch
@@ -0,0 +1,261 @@ +From ec3c397cf50ace03f920502f34bca612f62333bf Mon Sep 17 00:00:00 2001 +From: Andrew Austin +Date: Sun, 17 Apr 2016 12:17:04 -0500 +Subject: [PATCH 1/3] Support manually setting computer name + +This change adds a computer-name option to the realm configuration. +When set, the computer-name string will be used in place of either the +system's hostname or an automatically truncated netbios name when joining +an active directory domain. + +https://bugs.freedesktop.org/show_bug.cgi?id=93739 + +Signed-off-by: Stef Walter + * Squashed fixup patch +--- + dbus/realm-dbus-constants.h | 1 + + service/realm-adcli-enroll.c | 11 +++++++++-- + service/realm-options.c | 21 +++++++++++++++++++++ + service/realm-options.h | 3 +++ + service/realm-samba-enroll.c | 26 ++++++++++++++++++++------ + service/realm-samba.c | 10 +++++++++- + service/realm-sssd-ad.c | 9 ++++++--- + 7 files changed, 69 insertions(+), 12 deletions(-) + +diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h +index c68e958..3a67a00 100644 +--- a/dbus/realm-dbus-constants.h ++++ b/dbus/realm-dbus-constants.h +@@ -66,6 +66,7 @@ G_BEGIN_DECLS + #define REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE "membership-software" + #define REALM_DBUS_OPTION_USER_PRINCIPAL "user-principal" + #define REALM_DBUS_OPTION_MANAGE_SYSTEM "manage-system" ++#define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name" + + #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" + #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" +diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c +index ef1b563..0c506f9 100644 +--- a/service/realm-adcli-enroll.c ++++ b/service/realm-adcli-enroll.c +@@ -84,6 +84,7 @@ realm_adcli_enroll_join_async (RealmDisco *disco, + gchar *upn_arg = NULL; + gchar *server_arg = NULL; + gchar *ou_arg = NULL; ++ const gchar *computer_name = NULL; + + g_return_if_fail (cred != NULL); + g_return_if_fail (disco != NULL); +@@ -114,7 +115,14 @@ realm_adcli_enroll_join_async 
(RealmDisco *disco, + g_ptr_array_add (args, (gpointer)disco->explicit_server); + } + +- if (disco->explicit_netbios) { ++ /* Pass manually configured or truncated computer name to adcli */ ++ computer_name = realm_options_computer_name (options, disco->domain_name); ++ if (computer_name != NULL) { ++ realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", ++ computer_name); ++ g_ptr_array_add (args, "--computer-name"); ++ g_ptr_array_add (args, (gpointer)computer_name); ++ } else if (disco->explicit_netbios) { + realm_diagnostics_info (invocation, "Joining using a truncated netbios name: %s", + disco->explicit_netbios); + g_ptr_array_add (args, "--computer-name"); +@@ -192,7 +200,6 @@ realm_adcli_enroll_join_async (RealmDisco *disco, + + if (input) + g_bytes_unref (input); +- + free (ccache_arg); + free (upn_arg); + free (server_arg); +diff --git a/service/realm-options.c b/service/realm-options.c +index bba3ee4..b9f59c6 100644 +--- a/service/realm-options.c ++++ b/service/realm-options.c +@@ -159,3 +159,24 @@ realm_options_check_domain_name (const gchar *name) + + return TRUE; + } ++ ++const gchar * ++realm_options_computer_name (GVariant *options, ++ const gchar *realm_name) ++{ ++ const gchar *computer_name = NULL; ++ gchar *section; ++ ++ if (options) { ++ if (!g_variant_lookup (options, REALM_DBUS_OPTION_COMPUTER_NAME, "&s", &computer_name)) ++ computer_name = NULL; ++ } ++ ++ if (realm_name && !computer_name) { ++ section = g_utf8_casefold (realm_name, -1); ++ computer_name = realm_settings_value (section, REALM_DBUS_OPTION_COMPUTER_NAME); ++ g_free (section); ++ } ++ ++ return g_strdup (computer_name); ++} +diff --git a/service/realm-options.h b/service/realm-options.h +index 4890cba..e31cddc 100644 +--- a/service/realm-options.h ++++ b/service/realm-options.h +@@ -41,6 +41,9 @@ gboolean realm_options_qualify_names (const gchar *realm_name); + + gboolean realm_options_check_domain_name (const gchar *domain_name); + ++const gchar * 
realm_options_computer_name (GVariant *options, ++ const gchar *realm_name); ++ + G_END_DECLS + + #endif /* __REALM_OPTIONS_H__ */ +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index e749764..f2392a9 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -84,27 +84,37 @@ fallback_workgroup (const gchar *realm) + static JoinClosure * + join_closure_init (GTask *task, + RealmDisco *disco, ++ GVariant *options, + GDBusMethodInvocation *invocation) + { + JoinClosure *join; + gchar *workgroup; + GError *error = NULL; + int temp_fd; ++ const gchar *explicit_computer_name = NULL; ++ const gchar *authid = NULL; + + join = g_new0 (JoinClosure, 1); + join->disco = realm_disco_ref (disco); + join->invocation = invocation ? g_object_ref (invocation) : NULL; + g_task_set_task_data (task, join, join_closure_free); + ++ explicit_computer_name = realm_options_computer_name (options, disco->domain_name); ++ /* Set netbios name to explicit or truncated name if available */ ++ if (explicit_computer_name != NULL) ++ authid = explicit_computer_name; ++ else if (disco->explicit_netbios) ++ authid = disco->explicit_netbios; ++ + join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE); + realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, + "security", "ads", + "kerberos method", "system keytab", + "realm", disco->kerberos_realm, +- "netbios name", disco->explicit_netbios, ++ "netbios name", authid, + NULL); + +- /* ++ /* + * Samba complains if we don't set a 'workgroup' setting for the realm we're + * going to join. If we didn't yet manage to lookup the workgroup, then go ahead + * and assume that the first domain component is the workgroup name. 
+@@ -377,14 +387,18 @@ realm_samba_enroll_join_async (RealmDisco *disco, + { + GTask *task; + JoinClosure *join; ++ const gchar *explicit_computer_name; + + g_return_if_fail (disco != NULL); + g_return_if_fail (cred != NULL); + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, invocation); +- +- if (disco->explicit_netbios) { ++ join = join_closure_init (task, disco, options, invocation); ++ explicit_computer_name = realm_options_computer_name (options, disco->domain_name); ++ if (explicit_computer_name != NULL) { ++ realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", ++ explicit_computer_name); ++ } else if (disco->explicit_netbios) { + realm_diagnostics_info (invocation, "Joining using a truncated netbios name: %s", + disco->explicit_netbios); + } +@@ -448,7 +462,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, + JoinClosure *join; + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, invocation); ++ join = join_closure_init (task, disco, options, invocation); + + switch (cred->type) { + case REALM_CREDENTIAL_PASSWORD: +diff --git a/service/realm-samba.c b/service/realm-samba.c +index eca65aa..5cf2aa8 100644 +--- a/service/realm-samba.c ++++ b/service/realm-samba.c +@@ -183,6 +183,13 @@ on_join_do_winbind (GObject *source, + GHashTable *settings = NULL; + GError *error = NULL; + const gchar *name; ++ const gchar *computer_name; ++ ++ computer_name = realm_options_computer_name (enroll->options, enroll->disco->domain_name); ++ /* Use truncated name if set and explicit name is not available */ ++ if (enroll->disco->explicit_netbios && computer_name == NULL) ++ computer_name = enroll->disco->explicit_netbios; ++ + + realm_samba_enroll_join_finish (result, &error); + if (error == NULL) { +@@ -192,12 +199,13 @@ on_join_do_winbind (GObject *source, + "workgroup", enroll->disco->workgroup, + "template homedir", realm_settings_string ("users", 
"default-home"), + "template shell", realm_settings_string ("users", "default-shell"), +- "netbios name", enroll->disco->explicit_netbios, ++ "netbios name", computer_name, + "password server", enroll->disco->explicit_server, + "kerberos method", "system keytab", + NULL); + } + ++ + if (error == NULL) { + name = realm_kerberos_get_name (REALM_KERBEROS (self)); + realm_samba_winbind_configure_async (self->config, name, enroll->options, +diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c +index c7ffe8a..5ed384d 100644 +--- a/service/realm-sssd-ad.c ++++ b/service/realm-sssd-ad.c +@@ -163,6 +163,7 @@ configure_sssd_for_domain (RealmIniConfig *config, + GString *realmd_tags; + const gchar *access_provider; + const gchar *shell; ++ const gchar *explicit_computer_name; + gchar *authid = NULL; + gboolean qualify; + gboolean ret; +@@ -172,17 +173,19 @@ configure_sssd_for_domain (RealmIniConfig *config, + home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home")); + qualify = realm_options_qualify_names (disco->domain_name); + shell = realm_settings_string ("users", "default-shell"); +- ++ explicit_computer_name = realm_options_computer_name (options, disco->domain_name); + realmd_tags = g_string_new (""); + if (realm_options_manage_system (options, disco->domain_name)) + g_string_append (realmd_tags, "manages-system "); + g_string_append (realmd_tags, use_adcli ? 
"joined-with-adcli " : "joined-with-samba "); + + /* +- * Explicitly set the netbios authid for sssd to use in this case, since ++ * Explicitly set the netbios authid for sssd to use in these cases, since + * otherwise sssd won't know which kerberos principal to use + */ +- if (disco->explicit_netbios) ++ if (explicit_computer_name != NULL) ++ authid = g_strdup_printf ("%s$", explicit_computer_name); ++ else if (disco->explicit_netbios) + authid = g_strdup_printf ("%s$", disco->explicit_netbios); + + ret = realm_sssd_config_add_domain (config, disco->domain_name, error, +-- +2.7.4 + diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch new file mode 100644 index 0000000..ea34960 --- /dev/null +++ b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch 
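Review bot: `realm_options_computer_name` hands back whatever string the D-Bus options or realmd.conf contain, and the callers in this patch write it into smb.conf as `netbios name`, format it into the sssd `authid` as `%s$`, and pass it to adcli as `--computer-name` without any check. The realm man page patch in this series documents the value as a valid NetBIOS name of 15 or fewer characters; enforcing that where the option is read, next to `realm_options_check_domain_name`, would reject over-long names and control characters such as newlines before they reach the generated config files (whether `realm_ini_config_set` escapes values is not visible here). `join_closure_init` and `realm_samba_enroll_join_async` also each call the lookup separately, so the join path resolves the name twice; resolving it once and passing it down would keep the logged and the configured value from diverging.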
@@ -0,0 +1,185 @@ +From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 30 May 2018 13:10:57 +0200 +Subject: [PATCH] Use current idmap options for smb.conf + +Samba change some time ago the way how to configure id-mapping. With +this patch realmd will use the current supported options when creating +smb.conf. + +A new option --legacy-samba-config is added to use the old options if +realmd is used with Samba 3.5 or earlier. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072 +--- + dbus/realm-dbus-constants.h | 1 + + doc/manual/realmd.conf.xml | 17 ++++++++++++ + service/realm-samba-enroll.c | 2 +- + service/realm-samba-enroll.h | 3 +++ + service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++--------- + 5 files changed, 72 insertions(+), 14 deletions(-) + +diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h +index 9cd30ef..40ffa2d 100644 +--- a/dbus/realm-dbus-constants.h ++++ b/dbus/realm-dbus-constants.h +@@ -69,6 +69,7 @@ G_BEGIN_DECLS + #define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name" + #define REALM_DBUS_OPTION_OS_NAME "os-name" + #define REALM_DBUS_OPTION_OS_VERSION "os-version" ++#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config" + + #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" + #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index 7853230..a2b577c 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -192,6 +192,23 @@ automatic-install = no + + + ++ ++ ++ ++ Set this to yes to create a Samba ++ configuration file with id-mapping options used by Samba-3.5 ++ and earlier version. 
++ ++ ++ ++[service] ++legacy-samba-config = no ++# legacy-samba-config = yes ++ ++ ++ ++ ++ + + + +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index c81aed2..76e7b79 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -69,7 +69,7 @@ join_closure_free (gpointer data) + g_free (join); + } + +-static gchar * ++gchar * + fallback_workgroup (const gchar *realm) + { + const gchar *pos; +diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h +index 84e8b2f..310ec65 100644 +--- a/service/realm-samba-enroll.h ++++ b/service/realm-samba-enroll.h +@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco, + gboolean realm_samba_enroll_leave_finish (GAsyncResult *result, + GError **error); + ++gchar * ++fallback_workgroup (const gchar *realm); ++ + G_END_DECLS + + #endif /* __REALM_SAMBA_ENROLL_H__ */ +diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c +index a7ddec3..9335e26 100644 +--- a/service/realm-samba-winbind.c ++++ b/service/realm-samba-winbind.c +@@ -21,8 +21,10 @@ + #include "realm-options.h" + #include "realm-samba-config.h" + #include "realm-samba-winbind.h" ++#include "realm-samba-enroll.h" + #include "realm-settings.h" + #include "realm-service.h" ++#include "dbus/realm-dbus-constants.h" + + #include + +@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + RealmIniConfig *pwc; + GTask *task; + GError *error = NULL; ++ gchar *workgroup = NULL; ++ gchar *idmap_config_backend = NULL; ++ gchar *idmap_config_range = NULL; ++ gchar *idmap_config_schema_mode = NULL; + + g_return_if_fail (config != NULL); + g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation)); +@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + "template shell", realm_settings_string ("users", "default-shell"), + NULL); + +- if (realm_options_automatic_mapping (options, domain_name)) { +- 
realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, +- "idmap uid", "10000-2000000", +- "idmap gid", "10000-2000000", +- "idmap backend", "tdb", +- "idmap schema", NULL, +- NULL); ++ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) { ++ if (realm_options_automatic_mapping (options, domain_name)) { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap uid", "10000-2000000", ++ "idmap gid", "10000-2000000", ++ "idmap backend", "tdb", ++ "idmap schema", NULL, ++ NULL); ++ } else { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap uid", "500-4294967296", ++ "idmap gid", "500-4294967296", ++ "idmap backend", "ad", ++ "idmap schema", "rfc2307", ++ NULL); ++ } + } else { +- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, +- "idmap uid", "500-4294967296", +- "idmap gid", "500-4294967296", +- "idmap backend", "ad", +- "idmap schema", "rfc2307", +- NULL); ++ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup"); ++ if (workgroup == NULL) { ++ workgroup = fallback_workgroup (domain_name); ++ } ++ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ g_free (workgroup); ++ ++ if (realm_options_automatic_mapping (options, domain_name)) { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap config * : backend", "tdb", ++ "idmap config * : range", "10000-999999", ++ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid", ++ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999", ++ idmap_config_schema_mode != NULL ? 
idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL, ++ NULL); ++ } else { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap config * : backend", "tdb", ++ "idmap config * : range", "10000000-10999999", ++ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad", ++ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999", ++ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307", ++ NULL); ++ } + } + + realm_ini_config_finish_change (config, &error); ++ g_free (idmap_config_backend); ++ g_free (idmap_config_range); + } + + /* Setup pam_winbind.conf with decent defaults matching our expectations */ +-- +2.14.4 + diff --git a/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch b/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch new file mode 100644 index 0000000..c12ee98 --- /dev/null +++ b/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch 
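Review bot: `idmap_config_schema_mode` is allocated with `g_strdup_printf` in the non-legacy branch of `realm_samba_winbind_configure_async`, but the cleanup after `realm_ini_config_finish_change` frees only `idmap_config_backend` and `idmap_config_range`; add `g_free (idmap_config_schema_mode);` there. The `!= NULL ? … : "idmap config PLEASE_REPLACE : …"` fallbacks inside the `realm_ini_config_set` calls are dead, because `g_strdup_printf` does not return NULL, and if `workgroup` can be NULL the code silently writes `PLEASE_REPLACE` sections into smb.conf, which deserves at least a `g_warning`. Dropping `static` from `fallback_workgroup` exports an un-prefixed symbol through realm-samba-enroll.h; a `realm_samba_enroll_`-prefixed name would match the other declarations in that header.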
@@ -0,0 +1,36 @@
+From e427f89fa4f41356525797170729c2dc5d9fa045 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 25 Jul 2016 15:25:20 +0200
+Subject: [PATCH] doc: add computer-name to realm man page
+
+---
+ doc/manual/realm.xml | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
+index 6724d80..ebaebd3 100644
+--- a/doc/manual/realm.xml
++++ b/doc/manual/realm.xml
+@@ -202,6 +202,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
+ Directory specific option.
+
+
++
++
++ This option only applies to Active
++ Directory realms. Specify this option to
++ override the default name used when creating
++ the computer account. The system's FQDN will
++ still be saved in the dNSHostName attribute.
++ Specify the name as a string of 15 or
++ fewer characters that is a valid NetBIOS
++ computer name.
++
++
++
+
+ Perform the join automatically without
+ a password.
+--
+2.7.4
+
diff --git a/SOURCES/0002-Add-computer-name-support-to-realm-join-CLI.patch b/SOURCES/0002-Add-computer-name-support-to-realm-join-CLI.patch
new file mode 100644
index 0000000..c4ceb81
--- /dev/null
+++ b/SOURCES/0002-Add-computer-name-support-to-realm-join-CLI.patch
@@ -0,0 +1,56 @@
+From 92087e73c87b4afc01c32f572d202919cac09d41 Mon Sep 17 00:00:00 2001
+From: Andrew Austin
+Date: Sun, 17 Apr 2016 12:52:15 -0500
+Subject: [PATCH 2/3] Add computer-name support to realm join CLI
+
+This exposes the computer-name option on the CLI for use
+when joining an active directory domain.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=93739
+
+Signed-off-by: Stef Walter
+ * Squashed fixup patch
+---
+ tools/realm-join.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/realm-join.c b/tools/realm-join.c
+index feb6edc..3685bb9 100644
+--- a/tools/realm-join.c
++++ b/tools/realm-join.c
+@@ -168,6 +168,7 @@ perform_user_join (RealmClient *client,
+ typedef struct {
+ gchar *user;
+ gchar *computer_ou;
++ gchar *computer_name;
+ gchar *client_software;
+ gchar *server_software;
+ gchar *membership_software;
+@@ -184,6 +185,7 @@ realm_join_args_clear (gpointer data)
+ RealmJoinArgs *args = data;
+ g_free (args->user);
+ g_free (args->computer_ou);
++ g_free (args->computer_name);
+ g_free (args->client_software);
+ g_free (args->server_software);
+ g_free (args->user_principal);
+@@ -238,6 +240,7 @@ perform_join (RealmClient *client,
+ }
+
+ options = realm_build_options (REALM_DBUS_OPTION_COMPUTER_OU, args->computer_ou,
++ REALM_DBUS_OPTION_COMPUTER_NAME, args->computer_name,
+ REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
+ REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+ args->automatic_id_mapping_set ?
+@@ -283,6 +286,8 @@ realm_join (RealmClient *client,
+ N_("User name to use for enrollment"), NULL },
+ { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
+ N_("Computer OU DN to join"), NULL },
++ { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
++ N_("Use specific computer name instead of hostname"), NULL },
+ { "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software,
+ N_("Use specific client software"), NULL },
+ { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
+--
+2.7.4
+
diff --git a/SOURCES/0003-Add-documentation-for-computer-name-setting.patch b/SOURCES/0003-Add-documentation-for-computer-name-setting.patch
new file mode 100644
index 0000000..259581d
--- /dev/null
+++ b/SOURCES/0003-Add-documentation-for-computer-name-setting.patch
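Review bot: `--computer-name` reaches `realm_build_options` in the perform_join hunk exactly as typed, with no length or character check, although the documentation patches in this series describe it as a valid NetBIOS name of 15 or fewer characters. A guard before the options are built, such as `if (args->computer_name != NULL && strlen (args->computer_name) > 15)` followed by the tool's usual error return, would reject an over-long name before any D-Bus call is made. The CLI is only one client of the service, so the authoritative check belongs where the service consumes the option; that code is not visible here, so please confirm it exists. perform_join and realm_join both continue outside these hunks.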
@@ -0,0 +1,65 @@
+From 5482e0e3b4e59de0c30b37e7e3ed8b54eff1c493 Mon Sep 17 00:00:00 2001
+From: Andrew Austin
+Date: Fri, 22 Apr 2016 00:08:43 +0000
+Subject: [PATCH 3/3] Add documentation for computer-name setting.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=93739
+
+Signed-off-by: Stef Walter
+ * Fixed up indentation
+---
+ doc/manual/realmd-guide-active-directory.xml | 5 ++++-
+ doc/manual/realmd.conf.xml | 20 ++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/doc/manual/realmd-guide-active-directory.xml b/doc/manual/realmd-guide-active-directory.xml
+index 9b4535d..362cf94 100644
+--- a/doc/manual/realmd-guide-active-directory.xml
++++ b/doc/manual/realmd-guide-active-directory.xml
+@@ -166,7 +166,10 @@ $ getent passwd DOMAIN\Administrator
+ The join operation will create or update a computer account
+ in the domain. If you wish to specify a specific organizational unit
+ where this account is created, you can use the
+- setting.
++ setting.
++ Additonally, you can override the default name for the computer account with the
++
++ setting.
+
+ Specify the to choose a different
+ user name than the default Administrator user.
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index d9703f6..f8c87b9 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -321,7 +321,27 @@ computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
+ create a computer account at a specific OU.
+
+
++
++
++
++ This option only applied to Active Directory realms. Specify this
++ option to override the default name used when creating the computer
++ account. The system's FQDN will still be saved in the dNSHostName attribute.
++
++
++[domain.example.com]
++computer-name = SERVER01
++
++
++
++ Specify the name as a string of 15 or fewer characters that is
++ a valid NetBIOS computer name.
+
++ It is also possible to use the
++ argument of the realm command to override the default
++ computer account name.
++
++
+
+
+
+--
+2.7.4
+
diff --git a/SOURCES/Fix-invalid-unrefs-on-realm_invocation_get_cancellab.patch b/SOURCES/Fix-invalid-unrefs-on-realm_invocation_get_cancellab.patch
new file mode 100644
index 0000000..b52d6aa
--- /dev/null
+++ b/SOURCES/Fix-invalid-unrefs-on-realm_invocation_get_cancellab.patch
@@ -0,0 +1,37 @@
+From 8b8b7bf8eb651c56d6e85101d9ff277155981cb3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 May 2016 14:42:46 +0200
+Subject: [PATCH] Fix invalid unrefs on realm_invocation_get_cancellable()
+ retval
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1330766
+
+Signed-off-by: Stef Walter
+---
+ service/realm-packages.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 321921a..9a6984c 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -479,8 +479,6 @@ on_install_resolved (GObject *source,
+ packages_install_async (install->connection,
+ (const gchar **)package_ids, cancellable,
+ on_install_installed, g_object_ref (task));
+- if (cancellable)
+- g_object_unref (cancellable);
+ }
+
+ g_free (missing);
+@@ -649,7 +647,6 @@ realm_packages_install_async (const gchar **package_sets,
+ cancellable = realm_invocation_get_cancellable (install->invocation);
+ packages_resolve_async (connection, (const gchar **)install->packages, cancellable,
+ on_install_resolved, g_object_ref (task));
+- g_object_unref (cancellable);
+ }
+
+ g_object_unref (task);
+--
+2.7.4
+
diff --git a/SOURCES/computer-ou.patch b/SOURCES/computer-ou.patch
new file mode 100644
index 0000000..add7d8c
--- /dev/null
+++ b/SOURCES/computer-ou.patch
@@ -0,0 +1,894 @@ +From 3db35ad73ec57c8af499a0dcef96ffd4da914236 Mon Sep 17 00:00:00 2001 +From: Stef Walter +Date: Mon, 7 Sep 2015 13:49:10 +0200 +Subject: [PATCH 2/2] service: Fully qualify --computer-ou DN before passing to + adcli + +This allows us to have a similar behavior for both the Samba and +adcli membership software. +--- + service/Makefile.am | 4 +- + service/realm-adcli-enroll.c | 11 +- + service/realm-dn-util.c | 239 +++++++++++++++++++++++++++++++++++++++++++ + service/realm-dn-util.h | 32 ++++++ + service/realm-samba-enroll.c | 4 +- + service/realm-samba-util.c | 172 ------------------------------- + service/realm-samba-util.h | 29 ------ + tests/Makefile.am | 16 +-- + tests/test-dn-util.c | 129 +++++++++++++++++++++++ + tests/test-samba-ou-format.c | 89 ---------------- + 11 files changed, 422 insertions(+), 305 deletions(-) + create mode 100644 service/realm-dn-util.c + create mode 100644 service/realm-dn-util.h + delete mode 100644 service/realm-samba-util.c + delete mode 100644 service/realm-samba-util.h + create mode 100644 tests/test-dn-util.c + delete mode 100644 tests/test-samba-ou-format.c + +diff --git a/service/Makefile.am b/service/Makefile.am +index 06a95ef..88ee780 100644 +--- a/service/Makefile.am ++++ b/service/Makefile.am +@@ -43,6 +43,8 @@ realmd_SOURCES = \ + service/realm-disco-mscldap.h \ + service/realm-disco-rootdse.c \ + service/realm-disco-rootdse.h \ ++ service/realm-dn-util.c \ ++ service/realm-dn-util.h \ + service/realm-errors.c \ + service/realm-errors.h \ + service/realm-example.c \ +@@ -79,8 +81,6 @@ realmd_SOURCES = \ + service/realm-samba-enroll.h \ + service/realm-samba-provider.c \ + service/realm-samba-provider.h \ +- service/realm-samba-util.c \ +- service/realm-samba-util.h \ + service/realm-samba-winbind.c \ + service/realm-samba-winbind.h \ + service/realm-service.c \ +diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c +index 7448647..ef1b563 100644 +--- a/service/realm-adcli-enroll.c 
++++ b/service/realm-adcli-enroll.c +@@ -18,6 +18,7 @@ + #include "realm-command.h" + #include "realm-daemon.h" + #include "realm-diagnostics.h" ++#include "realm-dn-util.h" + #include "realm-errors.h" + #include "realm-ini-config.h" + #include "realm-options.h" +@@ -82,6 +83,7 @@ realm_adcli_enroll_join_async (RealmDisco *disco, + gchar *ccache_arg = NULL; + gchar *upn_arg = NULL; + gchar *server_arg = NULL; ++ gchar *ou_arg = NULL; + + g_return_if_fail (cred != NULL); + g_return_if_fail (disco != NULL); +@@ -120,9 +122,13 @@ realm_adcli_enroll_join_async (RealmDisco *disco, + } + + computer_ou = realm_options_computer_ou (options, disco->domain_name); +- if (computer_ou) { ++ if (computer_ou != NULL) { ++ ou_arg = realm_dn_util_build_qualified (computer_ou, disco->domain_name); + g_ptr_array_add (args, "--computer-ou"); +- g_ptr_array_add (args, (gpointer)computer_ou); ++ if (ou_arg) ++ g_ptr_array_add (args, ou_arg); ++ else ++ g_ptr_array_add (args, (gpointer)computer_ou); + } + + os = realm_settings_value ("active-directory", "os-name"); +@@ -190,6 +196,7 @@ realm_adcli_enroll_join_async (RealmDisco *disco, + free (ccache_arg); + free (upn_arg); + free (server_arg); ++ free (ou_arg); + } + + gboolean +diff --git a/service/realm-dn-util.c b/service/realm-dn-util.c +new file mode 100644 +index 0000000..85bcdb9 +--- /dev/null ++++ b/service/realm-dn-util.c +@@ -0,0 +1,239 @@ ++/* realmd -- Realm configuration service ++ * ++ * Copyright 2012 Red Hat Inc ++ * ++ * This program is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU Lesser General Public License as published ++ * by the Free Software Foundation; either version 2 of the licence or (at ++ * your option) any later version. ++ * ++ * See the included COPYING file for more information. 
++ * ++ * Author: Stef Walter ++ */ ++ ++#include "config.h" ++ ++#include "realm-dn-util.h" ++ ++#include ++ ++#include ++ ++static gboolean ++berval_is_string (const struct berval *bv, ++ const gchar *string, ++ gsize length) ++{ ++ return (bv->bv_len == length && ++ g_ascii_strncasecmp (bv->bv_val, string, length) == 0); ++ ++} ++ ++static gboolean ++berval_case_equals (const struct berval *v1, ++ const struct berval *v2) ++{ ++ return (v1->bv_len == v2->bv_len && ++ g_ascii_strncasecmp (v1->bv_val, v2->bv_val, v1->bv_len) == 0); ++} ++ ++static gboolean ++dn_equals_domain (LDAPDN dn, ++ const gchar *domain_dn_str, ++ const gchar *domain) ++{ ++ LDAPDN domain_dn; ++ gboolean ret; ++ int rc; ++ gint i, j; ++ ++ rc = ldap_str2dn (domain_dn_str, &domain_dn, LDAP_DN_FORMAT_LDAPV3); ++ g_return_val_if_fail (rc == LDAP_SUCCESS, FALSE); ++ ++ for (i = 0; dn[i] != NULL && domain_dn[i] != NULL; i++) { ++ for (j = 0; dn[i][j] != NULL && domain_dn[i][j] != NULL; j++) { ++ if (!berval_case_equals (&(dn[i][j]->la_attr), &(domain_dn[i][j]->la_attr)) || ++ !berval_case_equals (&(dn[i][j]->la_value), &(domain_dn[i][j]->la_value))) ++ break; ++ } ++ ++ if (dn[i][j] != NULL && domain_dn[i][j] != NULL) ++ break; ++ } ++ ++ /* Did we reach end of both DNs? */ ++ ret = (dn[i] == NULL && domain_dn[i] == NULL); ++ ++ ldap_dnfree (domain_dn); ++ ++ return ret; ++} ++ ++gchar * ++realm_dn_util_build_samba_ou (const gchar *ldap_dn, ++ const gchar *domain) ++{ ++ gchar *domain_dn_str = NULL; ++ GArray *parts; ++ GString *part; ++ gchar **strv; ++ gchar *str; ++ LDAPAVA* ava; ++ gboolean ret; ++ LDAPDN dn; ++ int rc; ++ gint i, j; ++ ++ /* ++ * Here we convert a standard LDAP DN to the strange samba net format, ++ * as "documented" here: ++ * ++ * createcomputer=OU Precreate the computer account in a specific OU. ++ * The OU string read from top to bottom without RDNs and delimited by a '/'. ++ * E.g. 
"createcomputer=Computers/Servers/Unix" ++ * NB: A backslash '\' is used as escape at multiple levels and may ++ * need to be doubled or even quadrupled. It is not used as a separator. ++ */ ++ ++ /* ldap_str2dn doesn't like empty strings */ ++ while (g_ascii_isspace (ldap_dn[0])) ++ ldap_dn++; ++ if (g_str_equal (ldap_dn, "")) ++ return NULL; ++ ++ rc = ldap_str2dn (ldap_dn, &dn, LDAP_DN_FORMAT_LDAPV3); ++ if (rc != LDAP_SUCCESS) ++ return NULL; ++ ++ ret = TRUE; ++ parts = g_array_new (TRUE, TRUE, sizeof (gchar *)); ++ ++ for (i = 0; dn[i] != NULL; i++) { ++ ava = dn[i][0]; ++ ++ /* ++ * Make sure this is a valid DN, we only support one value per ++ * RDN, string values, and must be an OU. DC values are allowed ++ * but only at the end of the DN. ++ */ ++ ++ if (ava == NULL || dn[i][1] != NULL || !(ava->la_flags & LDAP_AVA_STRING)) { ++ ret = FALSE; ++ break; ++ ++ /* A DC, remainder must match the domain */ ++ } else if (berval_is_string (&ava->la_attr, "DC", 2)) { ++ rc = ldap_domain2dn (domain, &domain_dn_str); ++ if (rc != LDAP_SUCCESS) ++ ret = FALSE; ++ else ++ ret = dn_equals_domain (dn + i, domain_dn_str, domain); ++ break; ++ ++ /* An OU, include */ ++ } else if (berval_is_string (&ava->la_attr, "OU", 2)) { ++ part = g_string_sized_new (ava->la_value.bv_len); ++ for (j = 0; j < ava->la_value.bv_len; j++) { ++ switch (ava->la_value.bv_val[j]) { ++ case '\\': ++ g_string_append (part, "\\\\"); ++ break; ++ case '/': ++ g_string_append (part, "\\/"); ++ break; ++ default: ++ g_string_append_c (part, ava->la_value.bv_val[j]); ++ break; ++ } ++ } ++ str = g_string_free (part, FALSE); ++ g_array_insert_val (parts, 0, str); ++ ++ /* Invalid, stop */ ++ } else { ++ ret = FALSE; ++ break; ++ } ++ } ++ ++ ldap_dnfree (dn); ++ if (domain_dn_str) ++ ldap_memfree (domain_dn_str); ++ ++ strv = (gchar **)g_array_free (parts, FALSE); ++ str = NULL; ++ ++ /* Loop completed successfully */ ++ if (ret) ++ str = g_strjoinv ("/", strv); ++ ++ g_strfreev (strv); ++ ++ return 
str; ++} ++ ++gchar * ++realm_dn_util_build_qualified (const gchar *ldap_dn, ++ const gchar *domain) ++{ ++ gchar *domain_dn_str = NULL; ++ gboolean had_dc = FALSE; ++ gchar *str; ++ LDAPAVA* ava; ++ gboolean ret; ++ LDAPDN dn; ++ int rc; ++ gint i; ++ ++ /* ldap_str2dn doesn't like empty strings */ ++ while (g_ascii_isspace (ldap_dn[0])) ++ ldap_dn++; ++ if (g_str_equal (ldap_dn, "")) ++ return NULL; ++ ++ rc = ldap_str2dn (ldap_dn, &dn, LDAP_DN_FORMAT_LDAPV3); ++ if (rc != LDAP_SUCCESS) ++ return NULL; ++ ++ rc = ldap_domain2dn (domain, &domain_dn_str); ++ if (rc != LDAP_SUCCESS) { ++ ldap_dnfree (dn); ++ return NULL; ++ } ++ ++ ret = TRUE; ++ ++ for (i = 0; dn[i] != NULL; i++) { ++ ava = dn[i][0]; ++ ++ /* ++ * Make sure this is a valid DN, we only support one value per ++ * RDN, string values. DC values are allowed but only at the end of the DN. ++ */ ++ ++ if (ava == NULL || dn[i][1] != NULL || !(ava->la_flags & LDAP_AVA_STRING)) { ++ ret = FALSE; ++ break; ++ ++ /* A DC, remainder must match the domain */ ++ } else if (berval_is_string (&ava->la_attr, "DC", 2)) { ++ had_dc = TRUE; ++ ret = dn_equals_domain (dn + i, domain_dn_str, domain); ++ break; ++ } ++ } ++ ++ ldap_dnfree (dn); ++ ++ if (!ret) ++ return NULL; ++ ++ if (had_dc) ++ str = g_strdup (ldap_dn); ++ else ++ str = g_strdup_printf ("%s,%s", ldap_dn, domain_dn_str); ++ ++ ldap_memfree (domain_dn_str); ++ return str; ++} +diff --git a/service/realm-dn-util.h b/service/realm-dn-util.h +new file mode 100644 +index 0000000..f5e5e69 +--- /dev/null ++++ b/service/realm-dn-util.h +@@ -0,0 +1,32 @@ ++/* realmd -- Realm configuration service ++ * ++ * Copyright 2012 Red Hat Inc ++ * ++ * This program is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU Lesser General Public License as published ++ * by the Free Software Foundation; either version 2 of the licence or (at ++ * your option) any later version. ++ * ++ * See the included COPYING file for more information. 
++ * ++ * Author: Stef Walter ++ */ ++ ++#include "config.h" ++ ++#ifndef __REALM_DN_UTIL_H__ ++#define __REALM_DN_UTIL_H__ ++ ++#include ++ ++G_BEGIN_DECLS ++ ++gchar * realm_dn_util_build_samba_ou (const gchar *ldap_dn, ++ const gchar *domain); ++ ++gchar * realm_dn_util_build_qualified (const gchar *ldap_dn, ++ const gchar *domain); ++ ++G_END_DECLS ++ ++#endif /* __REALM_DN_UTIL_H__ */ +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index e8739d7..e749764 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -18,12 +18,12 @@ + #include "realm-daemon.h" + #include "realm-dbus-constants.h" + #include "realm-diagnostics.h" ++#include "realm-dn-util.h" + #include "realm-errors.h" + #include "realm-options.h" + #include "realm-samba-config.h" + #include "realm-samba-enroll.h" + #include "realm-samba-provider.h" +-#include "realm-samba-util.h" + #include "realm-settings.h" + + #include +@@ -314,7 +314,7 @@ begin_join (GTask *task, + + computer_ou = realm_options_computer_ou (options, join->disco->domain_name); + if (computer_ou != NULL) { +- strange_ou = realm_samba_util_build_strange_ou (computer_ou, join->disco->domain_name); ++ strange_ou = realm_dn_util_build_samba_ou (computer_ou, join->disco->domain_name); + if (strange_ou) { + if (!g_str_equal (strange_ou, "")) + join->join_args[at++] = g_strdup_printf ("createcomputer=%s", strange_ou); +diff --git a/service/realm-samba-util.c b/service/realm-samba-util.c +deleted file mode 100644 +index 3f6a53e..0000000 +--- a/service/realm-samba-util.c ++++ /dev/null +@@ -1,172 +0,0 @@ +-/* realmd -- Realm configuration service +- * +- * Copyright 2012 Red Hat Inc +- * +- * This program is free software: you can redistribute it and/or modify +- * it under the terms of the GNU Lesser General Public License as published +- * by the Free Software Foundation; either version 2 of the licence or (at +- * your option) any later version. 
+- * +- * See the included COPYING file for more information. +- * +- * Author: Stef Walter +- */ +- +-#include "config.h" +- +-#include "realm-samba-util.h" +- +-#include +- +-#include +- +-static gboolean +-berval_is_string (const struct berval *bv, +- const gchar *string, +- gsize length) +-{ +- return (bv->bv_len == length && +- g_ascii_strncasecmp (bv->bv_val, string, length) == 0); +- +-} +- +-static gboolean +-berval_case_equals (const struct berval *v1, +- const struct berval *v2) +-{ +- return (v1->bv_len == v2->bv_len && +- g_ascii_strncasecmp (v1->bv_val, v2->bv_val, v1->bv_len) == 0); +-} +- +-static gboolean +-dn_equals_domain (LDAPDN dn, +- const gchar *domain) +-{ +- LDAPDN domain_dn; +- gchar *domain_dn_str; +- gboolean ret; +- int rc; +- gint i, j; +- +- rc = ldap_domain2dn (domain, &domain_dn_str); +- g_return_val_if_fail (rc == LDAP_SUCCESS, FALSE); +- +- rc = ldap_str2dn (domain_dn_str, &domain_dn, LDAP_DN_FORMAT_LDAPV3); +- g_return_val_if_fail (rc == LDAP_SUCCESS, FALSE); +- +- ldap_memfree (domain_dn_str); +- +- for (i = 0; dn[i] != NULL && domain_dn[i] != NULL; i++) { +- for (j = 0; dn[i][j] != NULL && domain_dn[i][j] != NULL; j++) { +- if (!berval_case_equals (&(dn[i][j]->la_attr), &(domain_dn[i][j]->la_attr)) || +- !berval_case_equals (&(dn[i][j]->la_value), &(domain_dn[i][j]->la_value))) +- break; +- } +- +- if (dn[i][j] != NULL && domain_dn[i][j] != NULL) +- break; +- } +- +- /* Did we reach end of both DNs? */ +- ret = (dn[i] == NULL && domain_dn[i] == NULL); +- +- ldap_dnfree (domain_dn); +- +- return ret; +-} +- +-gchar * +-realm_samba_util_build_strange_ou (const gchar *ldap_dn, +- const gchar *domain) +-{ +- GArray *parts; +- GString *part; +- gchar **strv; +- gchar *str; +- LDAPAVA* ava; +- gboolean ret; +- LDAPDN dn; +- int rc; +- gint i, j; +- +- /* +- * Here we convert a standard LDAP DN to the strange samba net format, +- * as "documented" here: +- * +- * createcomputer=OU Precreate the computer account in a specific OU. 
+- * The OU string read from top to bottom without RDNs and delimited by a '/'. +- * E.g. "createcomputer=Computers/Servers/Unix" +- * NB: A backslash '\' is used as escape at multiple levels and may +- * need to be doubled or even quadrupled. It is not used as a separator. +- */ +- +- /* ldap_str2dn doesn't like empty strings */ +- while (g_ascii_isspace (ldap_dn[0])) +- ldap_dn++; +- if (g_str_equal (ldap_dn, "")) +- return NULL; +- +- rc = ldap_str2dn (ldap_dn, &dn, LDAP_DN_FORMAT_LDAPV3); +- if (rc != LDAP_SUCCESS) +- return NULL; +- +- ret = TRUE; +- parts = g_array_new (TRUE, TRUE, sizeof (gchar *)); +- +- for (i = 0; dn[i] != NULL; i++) { +- ava = dn[i][0]; +- +- /* +- * Make sure this is a valid DN, we only support one value per +- * RDN, string values, and must be an OU. DC values are allowed +- * but only at the end of the DN. +- */ +- +- if (ava == NULL || dn[i][1] != NULL || !(ava->la_flags & LDAP_AVA_STRING)) { +- ret = FALSE; +- break; +- +- /* A DC, remainder must match the domain */ +- } else if (berval_is_string (&ava->la_attr, "DC", 2)) { +- ret = dn_equals_domain (dn + i, domain); +- break; +- +- /* An OU, include */ +- } else if (berval_is_string (&ava->la_attr, "OU", 2)) { +- part = g_string_sized_new (ava->la_value.bv_len); +- for (j = 0; j < ava->la_value.bv_len; j++) { +- switch (ava->la_value.bv_val[j]) { +- case '\\': +- g_string_append (part, "\\\\"); +- break; +- case '/': +- g_string_append (part, "\\/"); +- break; +- default: +- g_string_append_c (part, ava->la_value.bv_val[j]); +- break; +- } +- } +- str = g_string_free (part, FALSE); +- g_array_insert_val (parts, 0, str); +- +- /* Invalid, stop */ +- } else { +- ret = FALSE; +- break; +- } +- } +- +- ldap_dnfree (dn); +- +- strv = (gchar **)g_array_free (parts, FALSE); +- str = NULL; +- +- /* Loop completed successfully */ +- if (ret) +- str = g_strjoinv ("/", strv); +- +- g_strfreev (strv); +- +- return str; +-} +diff --git a/service/realm-samba-util.h b/service/realm-samba-util.h 
+deleted file mode 100644 +index 2a680e7..0000000 +--- a/service/realm-samba-util.h ++++ /dev/null +@@ -1,29 +0,0 @@ +-/* realmd -- Realm configuration service +- * +- * Copyright 2012 Red Hat Inc +- * +- * This program is free software: you can redistribute it and/or modify +- * it under the terms of the GNU Lesser General Public License as published +- * by the Free Software Foundation; either version 2 of the licence or (at +- * your option) any later version. +- * +- * See the included COPYING file for more information. +- * +- * Author: Stef Walter +- */ +- +-#include "config.h" +- +-#ifndef __REALM_SAMBA_UTIL_H__ +-#define __REALM_SAMBA_UTIL_H__ +- +-#include +- +-G_BEGIN_DECLS +- +-gchar * realm_samba_util_build_strange_ou (const gchar *ldap_dn, +- const gchar *suffix_dn); +- +-G_END_DECLS +- +-#endif /* __REALM_SAMBA_UTIL_H__ */ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index ddeba4d..3b05066 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -12,11 +12,11 @@ TEST_LIBS = \ + $(GLIB_LIBS) + + TEST_PROGS = \ ++ test-dn-util \ + test-ini-config \ + test-sssd-config \ + test-safe-format \ + test-login-name \ +- test-samba-ou-format \ + test-settings \ + $(NULL) + +@@ -27,6 +27,13 @@ noinst_PROGRAMS += \ + frob-install-packages \ + $(NULL) + ++test_dn_util_SOURCES = \ ++ tests/test-dn-util.c \ ++ service/realm-dn-util.c \ ++ $(NULL) ++test_dn_util_LDADD = $(TEST_LIBS) ++test_dn_util_CFLAGS = $(TEST_CFLAGS) ++ + test_ini_config_SOURCES = \ + tests/test-ini-config.c \ + service/realm-ini-config.c \ +@@ -59,13 +66,6 @@ test_login_name_SOURCES = \ + test_login_name_LDADD = $(TEST_LIBS) + test_login_name_CFLAGS = $(TEST_CFLAGS) + +-test_samba_ou_format_SOURCES = \ +- tests/test-samba-ou-format.c \ +- service/realm-samba-util.c \ +- $(NULL) +-test_samba_ou_format_LDADD = $(TEST_LIBS) +-test_samba_ou_format_CFLAGS = $(TEST_CFLAGS) +- + test_settings_SOURCES = \ + tests/test-settings.c \ + service/realm-settings.c \ +diff --git 
a/tests/test-dn-util.c b/tests/test-dn-util.c +new file mode 100644 +index 0000000..c62a40f +--- /dev/null ++++ b/tests/test-dn-util.c +@@ -0,0 +1,129 @@ ++/* realmd -- Realm configuration service ++ * ++ * Copyright 2012 Red Hat Inc ++ * ++ * This program is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU Lesser General Public License as published ++ * by the Free Software Foundation; either version 2 of the licence or (at ++ * your option) any later version. ++ * ++ * See the included COPYING file for more information. ++ * ++ * Author: Stef Walter ++ */ ++ ++#include "config.h" ++ ++#include "service/realm-dn-util.h" ++ ++#include ++ ++#include ++ ++typedef struct { ++ const gchar *ldap_dn; ++ const gchar *domain; ++ const gchar *result; ++} Fixture; ++ ++static void ++test_samba_ou_format (gconstpointer user_data) ++{ ++ const Fixture *fixture = user_data; ++ gchar *result; ++ ++ result = realm_dn_util_build_samba_ou (fixture->ldap_dn, fixture->domain); ++ g_assert_cmpstr (result, ==, fixture->result); ++ g_free (result); ++} ++ ++static const Fixture samba_ou_fixtures[] = { ++ { "OU=One", "domain.example.com", "One" }, ++ { "OU=One,ou=two", "domain.example.com", "two/One" }, ++ { "Ou=One Long,OU=two", "domain.example.com", "two/One Long" }, ++ { "Ou=One,OU=two, ou=Three", "domain.example.com", "Three/two/One" }, ++ { "Ou=Test/Escape,Ou=Two", "domain.example.com", "Two/Test\\/Escape" }, ++ { "Ou=Test\\\\Escape,Ou=Two", "domain.example.com", "Two/Test\\\\Escape" }, ++ { "OU=One,DC=domain,dc=example,Dc=COM", "domain.example.com", "One" }, ++ { "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM", "domain.example.com", "Two Here/One" }, ++ { "OU=One,OU=Two Here,DC=invalid,Dc=COM", "domain.example.com", NULL }, ++ { " ", "domain.example.com", NULL }, ++ { "", "domain.example.com", NULL }, ++ { "OU", "domain.example.com", NULL }, ++ { "OU=One,", "domain.example.com", NULL }, ++ { "CN=Unsupported", "domain.example.com", NULL }, ++ 
{ "OU=One+CN=Unsupported", "domain.example.com", NULL }, ++ { "DC=radi07, DC=segad, DC=lab, DC=sjc, DC=redhat, DC=com", "radi08.segad.lab.sjc.redhat.com", NULL }, ++ ++}; ++ ++static void ++test_qualify_dn (gconstpointer user_data) ++{ ++ const Fixture *fixture = user_data; ++ gchar *result; ++ ++ result = realm_dn_util_build_qualified (fixture->ldap_dn, fixture->domain); ++ g_assert_cmpstr (result, ==, fixture->result); ++ g_free (result); ++} ++ ++static const Fixture qualify_fixtures[] = { ++ { "OU=One", "domain.example.com", "OU=One,dc=domain,dc=example,dc=com" }, ++ { "OU=One,ou=two", "domain.example.com", "OU=One,ou=two,dc=domain,dc=example,dc=com" }, ++ { "Ou=One Long,OU=two", "domain.example.com", "Ou=One Long,OU=two,dc=domain,dc=example,dc=com" }, ++ { "OU=One,DC=domain,dc=example,Dc=COM", "domain.example.com", "OU=One,DC=domain,dc=example,Dc=COM" }, ++ { "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM", "domain.example.com", "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM" }, ++ { "OU=One,OU=Two Here,DC=invalid,Dc=COM", "domain.example.com", NULL }, ++ { " ", "domain.example.com", NULL }, ++ { "", "domain.example.com", NULL }, ++ { "OU", "domain.example.com", NULL }, ++ { "OU=One,", "domain.example.com", NULL }, ++ { "CN=Test", "domain.example.com", "CN=Test,dc=domain,dc=example,dc=com" }, ++ { "OU=One+CN=Unsupported", "domain.example.com", NULL }, ++ { "DC=radi07, DC=segad, DC=lab, DC=sjc, DC=redhat, DC=com", "radi08.segad.lab.sjc.redhat.com", NULL }, ++}; ++ ++int ++main (int argc, ++ char **argv) ++{ ++ gchar *escaped; ++ gchar *name; ++ gint i; ++ ++#if !GLIB_CHECK_VERSION(2, 36, 0) ++ g_type_init (); ++#endif ++ ++ g_test_init (&argc, &argv, NULL); ++ g_set_prgname ("test-dn-util"); ++ ++ for (i = 0; i < G_N_ELEMENTS (samba_ou_fixtures); i++) { ++ if (g_str_equal (samba_ou_fixtures[i].ldap_dn, "")) ++ escaped = g_strdup ("_empty_"); ++ else ++ escaped = g_strdup (samba_ou_fixtures[i].ldap_dn); ++ g_strdelimit (escaped, ", =\\/", '_'); ++ name = 
g_strdup_printf ("/realmd/samba-ou-format/%s", escaped); ++ g_free (escaped); ++ ++ g_test_add_data_func (name, samba_ou_fixtures + i, test_samba_ou_format); ++ g_free (name); ++ } ++ ++ for (i = 0; i < G_N_ELEMENTS (qualify_fixtures); i++) { ++ if (g_str_equal (qualify_fixtures[i].ldap_dn, "")) ++ escaped = g_strdup ("_empty_"); ++ else ++ escaped = g_strdup (qualify_fixtures[i].ldap_dn); ++ g_strdelimit (escaped, ", =\\/", '_'); ++ name = g_strdup_printf ("/realmd/qualify-dn/%s", escaped); ++ g_free (escaped); ++ ++ g_test_add_data_func (name, qualify_fixtures + i, test_qualify_dn); ++ g_free (name); ++ } ++ ++ return g_test_run (); ++} +diff --git a/tests/test-samba-ou-format.c b/tests/test-samba-ou-format.c +deleted file mode 100644 +index 0a482ee..0000000 +--- a/tests/test-samba-ou-format.c ++++ /dev/null +@@ -1,89 +0,0 @@ +-/* realmd -- Realm configuration service +- * +- * Copyright 2012 Red Hat Inc +- * +- * This program is free software: you can redistribute it and/or modify +- * it under the terms of the GNU Lesser General Public License as published +- * by the Free Software Foundation; either version 2 of the licence or (at +- * your option) any later version. +- * +- * See the included COPYING file for more information. 
+- * +- * Author: Stef Walter +- */ +- +-#include "config.h" +- +-#include "service/realm-samba-util.h" +- +-#include +- +-#include +- +-typedef struct { +- const gchar *ldap_dn; +- const gchar *domain; +- const gchar *ou_format; +-} Fixture; +- +-static void +-test_samba_ou_format (gconstpointer user_data) +-{ +- const Fixture *fixture = user_data; +- gchar *result; +- +- result = realm_samba_util_build_strange_ou (fixture->ldap_dn, fixture->domain); +- g_assert_cmpstr (result, ==, fixture->ou_format); +- g_free (result); +-} +- +-static const Fixture samba_ou_fixtures[] = { +- { "OU=One", "domain.example.com", "One" }, +- { "OU=One,ou=two", "domain.example.com", "two/One" }, +- { "Ou=One Long,OU=two", "domain.example.com", "two/One Long" }, +- { "Ou=One,OU=two, ou=Three", "domain.example.com", "Three/two/One" }, +- { "Ou=Test/Escape,Ou=Two", "domain.example.com", "Two/Test\\/Escape" }, +- { "Ou=Test\\\\Escape,Ou=Two", "domain.example.com", "Two/Test\\\\Escape" }, +- { "OU=One,DC=domain,dc=example,Dc=COM", "domain.example.com", "One" }, +- { "OU=One,OU=Two Here,DC=domain,dc=example,Dc=COM", "domain.example.com", "Two Here/One" }, +- { "OU=One,OU=Two Here,DC=invalid,Dc=COM", "domain.example.com", NULL }, +- { " ", "domain.example.com", NULL }, +- { "", "domain.example.com", NULL }, +- { "OU", "domain.example.com", NULL }, +- { "OU=One,", "domain.example.com", NULL }, +- { "CN=Unsupported", "domain.example.com", NULL }, +- { "OU=One+CN=Unsupported", "domain.example.com", NULL }, +- { "DC=radi07, DC=segad, DC=lab, DC=sjc, DC=redhat, DC=com", "radi08.segad.lab.sjc.redhat.com", NULL }, +- +-}; +- +-int +-main (int argc, +- char **argv) +-{ +- gchar *escaped; +- gchar *name; +- gint i; +- +-#if !GLIB_CHECK_VERSION(2, 36, 0) +- g_type_init (); +-#endif +- +- g_test_init (&argc, &argv, NULL); +- g_set_prgname ("test-samba-ou-format"); +- +- for (i = 0; i < G_N_ELEMENTS (samba_ou_fixtures); i++) { +- if (g_str_equal (samba_ou_fixtures[i].ldap_dn, "")) +- escaped = g_strdup 
("_empty_"); +- else +- escaped = g_strdup (samba_ou_fixtures[i].ldap_dn); +- g_strdelimit (escaped, ", =\\/", '_'); +- name = g_strdup_printf ("/realmd/samba-ou-format/%s", escaped); +- g_free (escaped); +- +- g_test_add_data_func (name, samba_ou_fixtures + i, test_samba_ou_format); +- g_free (name); +- } +- +- return g_test_run (); +-} +-- +2.7.4 + diff --git a/SOURCES/dns-domain-name-liberal.patch b/SOURCES/dns-domain-name-liberal.patch new file mode 100644 index 0000000..b7a2a3e --- /dev/null +++ b/SOURCES/dns-domain-name-liberal.patch 
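Review bot: realm_dn_util_build_qualified() in the new service/realm-dn-util.c leaks `domain_dn_str` whenever the DN is rejected, because `if (!ret) return NULL;` runs before `ldap_memfree (domain_dn_str)`. Release it on that path too: `if (!ret) { ldap_memfree (domain_dn_str); return NULL; }`. In realm_adcli_enroll_join_async (whose body continues outside its hunk) the same NULL result makes the code fall back to the raw `computer_ou`, so a DN that failed the checks, for example one whose DC components do not match the domain, is still passed to adcli. Failing the join or at least emitting a diagnostic there would keep the validation meaningful. `ou_arg` comes from g_strdup()/g_strdup_printf() but is released with `free (ou_arg)`; `g_free (ou_arg)` matches the allocator.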
@@ -0,0 +1,196 @@
+From e368c5a42656a687e6b726978752eb4abf6503d0 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Fri, 31 Jul 2015 12:53:04 +0200
+Subject: [PATCH 1/3] Be more liberal on what we accept as a domain name
+
+Make the checks on what we accept as a domain name more liberal
+for values coming in from the network.
+
+DNS Domain names are pretty liberal (internet domain names
+are more restrictive) See RFC 2181 section 11
+
+http://www.ietf.org/rfc/rfc2181.txt
+
+However we cannot consume names with whitespace and problematic
+punctuation, due to the various programs that parse the
+configuration files we set up.
+---
+ service/realm-disco-mscldap.c | 9 +++------
+ service/realm-disco-rootdse.c | 15 +++++++--------
+ service/realm-options.c | 31 +++++++++++++++++++++++++++++++
+ service/realm-options.h | 2 ++
+ 4 files changed, 43 insertions(+), 14 deletions(-)
+
+diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
+index 1ed4063..d3d3c10 100644
+--- a/service/realm-disco-mscldap.c
++++ b/service/realm-disco-mscldap.c
+@@ -17,6 +17,7 @@
+ #include "realm-dbus-constants.h"
+ #include "realm-disco-mscldap.h"
+ #include "realm-ldap.h"
++#include "realm-options.h"
+
+ #include
+
+@@ -40,8 +41,6 @@ typedef struct {
+ #define HOST_NAME_MAX 255
+ #endif
+
+-#define DOMAIN_NAME_VALID "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-."
+-
+ static void
+ closure_free (gpointer data)
+ {
+@@ -100,21 +99,19 @@ get_string (guchar *beg,
+ guchar **at)
+ {
+ gchar buffer[HOST_NAME_MAX];
+- gsize len;
+ int n;
+
+ n = dn_expand (beg, end, *at, buffer, sizeof (buffer));
+ if (n < 0)
+ return NULL;
+
+- len = strlen (buffer);
+- if (strspn (buffer, DOMAIN_NAME_VALID) != len) {
++ if (!realm_options_check_domain_name (buffer)) {
+ g_message ("received invalid NetLogon string characters");
+ return NULL;
+ }
+
+ (*at) += n;
+- return g_strndup (buffer, len);
++ return g_strdup (buffer);
+ }
+
+ static gboolean
+diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
+index 1a80d98..3100650 100644
+--- a/service/realm-disco-rootdse.c
++++ b/service/realm-disco-rootdse.c
+@@ -19,13 +19,12 @@
+ #include "realm-dbus-constants.h"
+ #include "realm-disco-mscldap.h"
+ #include "realm-disco-rootdse.h"
+ #include "realm-ldap.h"
++#include "realm-options.h"
+
+ #include
+
+ #include
+
+-#define DOMAIN_NAME_VALID "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-."
+-
+ typedef struct _Closure Closure;
+
+ struct _Closure {
+@@ -92,7 +91,7 @@ static gchar *
+ entry_get_attribute (LDAP *ldap,
+ LDAPMessage *entry,
+ const gchar *field,
+- const gchar *valid)
++ gboolean domain_name)
+ {
+ struct berval **bvs = NULL;
+ gchar *value = NULL;
+@@ -102,8 +101,8 @@ entry_get_attribute (LDAP *ldap,
+
+ if (bvs && bvs[0]) {
+ value = g_strndup (bvs[0]->bv_val, bvs[0]->bv_len);
+- if (valid) {
+- if (strspn (value, valid) != bvs[0]->bv_len) {
++ if (domain_name) {
++ if (!realm_options_check_domain_name (value)) {
+ g_free (value);
+ g_message ("Invalid value in LDAP %s field", field);
+ value = NULL;
+@@ -155,7 +154,7 @@ result_krb_realm (GTask *task,
+ entry = ldap_first_entry (ldap, message);
+
+ g_free (clo->disco->kerberos_realm);
+- clo->disco->kerberos_realm = entry_get_attribute (ldap, entry, "cn", DOMAIN_NAME_VALID);
++ clo->disco->kerberos_realm = entry_get_attribute (ldap, entry, "cn", TRUE);
+
+ g_debug ("Found realm: %s", clo->disco->kerberos_realm);
+
+@@ -211,7 +210,7 @@ result_domain_info (GTask *task,
+
+ /* What is the domain name?
*/
+ g_free (clo->disco->domain_name);
+- clo->disco->domain_name = entry_get_attribute (ldap, entry, "associatedDomain", DOMAIN_NAME_VALID);
++ clo->disco->domain_name = entry_get_attribute (ldap, entry, "associatedDomain", TRUE);
+
+ g_debug ("Got associatedDomain: %s", clo->disco->domain_name);
+
+@@ -310,7 +309,7 @@ result_root_dse (GTask *task,
+ entry = ldap_first_entry (ldap, message);
+
+ /* Parse out the default naming context */
+- clo->default_naming_context = entry_get_attribute (ldap, entry, "defaultNamingContext", NULL);
++ clo->default_naming_context = entry_get_attribute (ldap, entry, "defaultNamingContext", FALSE);
+
+ g_debug ("Got defaultNamingContext: %s", clo->default_naming_context);
+
+diff --git a/service/realm-options.c b/service/realm-options.c
+index 53266f6..bba3ee4 100644
+--- a/service/realm-options.c
++++ b/service/realm-options.c
+@@ -18,6 +18,8 @@
+ #include "realm-options.h"
+ #include "realm-settings.h"
+
++#include
++
+ gboolean
+ realm_options_automatic_install (void)
+ {
+@@ -128,3 +130,32 @@ realm_options_qualify_names (const gchar *realm_name)
+
+ return qualify;
+ }
++
++gboolean
++realm_options_check_domain_name (const gchar *name)
++{
++ /*
++ * DNS Domain names are pretty liberal (internet domain names
++ * are more restrictive) See RFC 2181 section 11
++ *
++ * http://www.ietf.org/rfc/rfc2181.txt
++ *
++ * However we cannot consume names with whitespace and problematic
++ * punctuation, due to the various programs that parse the
++ * configuration files we set up.
++ */
++
++ gsize i, len;
++ static const gchar *invalid = "=[]:";
++
++ g_return_val_if_fail (name != NULL, FALSE);
++
++ for (i = 0, len = strlen (name); i < len; i++) {
++ if (name[i] <= ' ')
++ return FALSE;
++ if (strchr (invalid, name[i]))
++ return FALSE;
++ }
++
++ return TRUE;
++}
+diff --git a/service/realm-options.h b/service/realm-options.h
+index 52dc6ff..4890cba 100644
+--- a/service/realm-options.h
++++ b/service/realm-options.h
+@@ -39,6 +39,8 @@ gboolean realm_options_automatic_mapping (GVariant *options,
+
+ gboolean realm_options_qualify_names (const gchar *realm_name);
+
++gboolean realm_options_check_domain_name (const gchar *domain_name);
++
+ G_END_DECLS
+
+ #endif /* __REALM_OPTIONS_H__ */
+--
+2.4.3
+
diff --git a/SOURCES/duplicate-test-path.patch b/SOURCES/duplicate-test-path.patch
new file mode 100644
index 0000000..5d62837
--- /dev/null
+++ b/SOURCES/duplicate-test-path.patch
@@ -0,0 +1,26 @@
+From ab41e2830d2f7540d58370b5f35f85c2808c1871 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Fri, 11 Sep 2015 12:32:36 +0200
+Subject: [PATCH] tests: Fix duplicate test case path
+
+GLib is now stricter about this
+---
+ tests/test-safe-format.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test-safe-format.c b/tests/test-safe-format.c
+index 02aa5f1..204e10d 100644
+--- a/tests/test-safe-format.c
++++ b/tests/test-safe-format.c
+@@ -194,7 +194,7 @@ main (int argc,
+ else
+ escaped = g_strdup (fixtures[i].format);
+ g_strdelimit (escaped, " =\\/", '_');
+- name = g_strdup_printf ("/realmd/safe-format/%s", escaped);
++ name = g_strdup_printf ("/realmd/safe-format/%d-%s", i, escaped);
+ g_free (escaped);
+
+ g_test_add_data_func (name, fixtures + i, test_safe_format_string_cb);
+--
+2.4.3
+
diff --git a/SOURCES/increase-packagekit-timeout.patch b/SOURCES/increase-packagekit-timeout.patch
new file mode 100644
index 0000000..6bd1f86
--- /dev/null
+++ b/SOURCES/increase-packagekit-timeout.patch
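Review bot: In `realm_options_check_domain_name`, the test `name[i] <= ' '` depends on whether `gchar` is signed: where char is signed, bytes above 0x7F compare negative and are rejected, and where it is unsigned they are accepted, so the same network-supplied name validates differently per architecture. Make the intent explicit, e.g. `guchar c = (guchar) name[i]; if (c <= ' ' || c >= 0x80) return FALSE;`, and add `if (*name == '\0') return FALSE;` since an empty string currently passes the loop untouched. In `entry_get_attribute` the old `strspn (...) != bvs[0]->bv_len` comparison also rejected a value containing an embedded NUL, while the new call only sees the bytes before it; comparing `strlen (value)` with `bvs[0]->bv_len` before the check would keep that property. The deny-list `=[]:` is narrow for values that end up in the configuration files the commit message mentions, so it is worth confirming it against each consumer's syntax rather than assuming it is complete.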
@@ -0,0 +1,54 @@
+From f2ed12faa4ecb5468f6396f1695a3ca5e2e13b84 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Fri, 24 Jul 2015 17:25:32 +0200
+Subject: [PATCH] service: Increase timeout when calling PackageKit
+
+Use a timeout of a day ... PackageKit should return from a call
+sooner than that. If it crashes we'll get a response right away.
+---
+ service/realm-packages.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index c32da44..9da852c 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -24,6 +24,8 @@
+
+ #include
+
++#define CALL_TIMEOUT (24 * 60 * 60 * 1000)
++
+ static gboolean
+ packages_check_paths (const gchar **paths,
+ GDBusMethodInvocation *invocation)
+@@ -226,7 +228,7 @@ on_set_hints (GObject *source,
+ transaction->parameters,
+ G_VARIANT_TYPE ("()"),
+ G_DBUS_CALL_FLAGS_NO_AUTO_START,
+- -1, g_task_get_cancellable (task),
++ CALL_TIMEOUT, g_task_get_cancellable (task),
+ on_method_done, g_object_ref (task));
+ }
+
+@@ -276,7 +278,7 @@ on_create_transaction (GObject *source,
+ g_variant_new ("(^as)", hints),
+ G_VARIANT_TYPE ("()"),
+ G_DBUS_CALL_FLAGS_NO_AUTO_START,
+- -1, g_task_get_cancellable (task),
++ CALL_TIMEOUT, g_task_get_cancellable (task),
+ on_set_hints, g_object_ref (task));
+ }
+
+@@ -310,7 +312,7 @@ package_transaction_create (const gchar *method,
+ g_variant_new ("()"),
+ G_VARIANT_TYPE ("(o)"),
+ G_DBUS_CALL_FLAGS_NONE,
+- -1, cancellable,
++ CALL_TIMEOUT, cancellable,
+ on_create_transaction, g_object_ref (task));
+ }
+
+--
+2.4.3
+
diff --git a/SOURCES/install-diagnostic.patch b/SOURCES/install-diagnostic.patch
new file mode 100644
index 0000000..d75bdff
--- /dev/null
+++ b/SOURCES/install-diagnostic.patch
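Review bot: `CALL_TIMEOUT` carries no comment giving its unit or the reason for the value, and it replaces `-1` at three call sites whose enclosing functions start outside the hunks. I would add `/* Milliseconds: one day. PackageKit operations can run long; a crash is reported immediately. */` above the `#define`. With this value a PackageKit that hangs while still connected holds the request for up to a day unless the task's cancellable fires, so it is worth confirming that every caller of these paths can actually cancel.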
@@ -0,0 +1,29 @@
+From ef0797e5ed116a98cc074a6d4e1d1d6b6e6384db Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Mon, 7 Sep 2015 12:53:02 +0200
+Subject: [PATCH 1/2] service: Fix issue where diagnostics about package
+ install hidden
+
+Due to the recent refactoring the diagnostics about package
+installation were hidden (even when --verbose).
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1258745
+---
+ service/realm-packages.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 9da852c..321921a 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -615,6 +615,7 @@ realm_packages_install_async (const gchar **package_sets,
+ task = g_task_new (NULL, NULL, callback, user_data);
+ install = g_new0 (InstallClosure, 1);
+ install->automatic = realm_options_automatic_install ();
++ install->invocation = invocation ? g_object_ref (invocation) : NULL;
+ install->connection = g_object_ref (connection);
+ g_task_set_task_data (task, install, install_closure_free);
+
+--
+2.7.4
+
diff --git a/SOURCES/ipa-packages.patch b/SOURCES/ipa-packages.patch
new file mode 100644
index 0000000..633bd95
--- /dev/null
+++ b/SOURCES/ipa-packages.patch
@@ -0,0 +1,13 @@
+diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
+index da2de55..856b36d 100644
+--- a/service/realmd-redhat.conf
++++ b/service/realmd-redhat.conf
+@@ -20,7 +20,7 @@ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
+ adcli = /usr/sbin/adcli
+
+ [ipa-packages]
+-freeipa-client = /usr/sbin/ipa-client-install
++ipa-client = /usr/sbin/ipa-client-install
+
+ [commands]
+ winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
diff --git a/SOURCES/remove-spurious-print.patch b/SOURCES/remove-spurious-print.patch
new file mode 100644
index 0000000..ade8a8b
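Review bot: The added `g_object_ref (invocation)` in `realm_packages_install_async` needs a matching release, and `install_closure_free` is not part of this hunk, so the pairing cannot be checked here. If the free function does not already drop `install->invocation`, each install keeps a reference to the D-Bus invocation alive; it should contain something like `g_clear_object (&install->invocation);`. A one-line comment on the new assignment, `/* owned by the closure, released in install_closure_free() */`, would make the ownership explicit. The function body continues outside the hunk.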
--- /dev/null
+++ b/SOURCES/remove-spurious-print.patch
@@ -0,0 +1,24 @@
+From f46ba61d7df33d63c1e904c5559017a57a7e8228 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Fri, 24 Jul 2015 17:03:25 +0200
+Subject: [PATCH] tools: Remove spurious print output
+
+---
+ tools/realm-join.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/realm-join.c b/tools/realm-join.c
+index e5760b2..feb6edc 100644
+--- a/tools/realm-join.c
++++ b/tools/realm-join.c
+@@ -237,7 +237,6 @@ perform_join (RealmClient *client,
+ return 1;
+ }
+
+-g_printerr ("id mapping %d %d\n", args->automatic_id_mapping_set, args->automatic_id_mapping);
+ options = realm_build_options (REALM_DBUS_OPTION_COMPUTER_OU, args->computer_ou,
+ REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
+ REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+--
+2.4.3
+
diff --git a/SOURCES/samba-by-default.patch b/SOURCES/samba-by-default.patch
new file mode 100644
index 0000000..0a10de0
--- /dev/null
+++ b/SOURCES/samba-by-default.patch
@@ -0,0 +1,48 @@
+From 36e35c860cebc5e3f3d2199742c7f46d5ef7b778 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Fri, 16 Oct 2015 11:41:14 +0200
+Subject: [PATCH] Revert "service: Prefer adcli over samba for most credential
+ types"
+
+This reverts commit 70878dec6e23226ab25f731654ab53cc0e7b11c3.
+---
+ service/realm-sssd-ad.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index c7ffe8a..39fcf81 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -343,13 +343,26 @@ parse_join_options (JoinClosure *join,
+ }
+
+ /*
+- * For other valid types of credentials we prefer adcli.
++ * If we are enrolling with a ccache, then prefer to use adcli over samba.
++ * There have been some strange corner case problems when using samba with
++ * a ccache.
+ */
+- } else if (cred->type == REALM_CREDENTIAL_CCACHE ||
+- (cred->type == REALM_CREDENTIAL_PASSWORD && cred->owner == REALM_CREDENTIAL_OWNER_ADMIN)) {
++ } else if (cred->type == REALM_CREDENTIAL_CCACHE) {
+ if (!software)
+ software = REALM_DBUS_IDENTIFIER_ADCLI;
+
++ /*
++ * For other supported enrolling credentials, we support either adcli or
++ * samba. But since adcli is pretty immature at this point, we use samba
++ * by default. Samba falls over with hostnames that are not perfectly
++ * specified, so use adcli there.
++ */
++ } else if (cred->type == REALM_CREDENTIAL_PASSWORD && cred->owner == REALM_CREDENTIAL_OWNER_ADMIN) {
++ if (!software && join->disco->explicit_server)
++ software = REALM_DBUS_IDENTIFIER_ADCLI;
++ else if (!software)
++ software = REALM_DBUS_IDENTIFIER_SAMBA;
++
+ /* It would be odd to get here */
+ } else {
+ g_set_error (error, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
+--
+2.5.0
+
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
new file mode 100644
index 0000000..67f9d4e
--- /dev/null
+++ b/SPECS/realmd.spec
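Review bot: The restored admin-password branch in `parse_join_options` tests `!software` twice; `if (!software) software = join->disco->explicit_server ? REALM_DBUS_IDENTIFIER_ADCLI : REALM_DBUS_IDENTIFIER_SAMBA;` expresses the same choice in one place. The comment justifies the adcli case by "hostnames that are not perfectly specified" while the condition actually tested is `join->disco->explicit_server`, so a sentence linking the two (presumably an explicitly given server is the case where Samba's name handling fails) would help the next reader. Because this decides which tool receives the administrator's password by default, the comment is also the place to record why that default is preferred. The function starts and ends outside the hunk.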
@@ -0,0 +1,345 @@
+Name: realmd
+Version: 0.16.1
+Release: 11%{?dist}
+Summary: Kerberos realm enrollment service
+License: LGPLv2+
+URL: http://cgit.freedesktop.org/realmd/realmd/
+Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
+
+Patch0: ipa-packages.patch
+Patch2: remove-spurious-print.patch
+Patch3: increase-packagekit-timeout.patch
+Patch4: dns-domain-name-liberal.patch
+
+Patch11: install-diagnostic.patch
+Patch12: computer-ou.patch
+Patch13: duplicate-test-path.patch
+
+Patch20: samba-by-default.patch
+Patch21: Fix-invalid-unrefs-on-realm_invocation_get_cancellab.patch
+Patch22: 0001-Support-manually-setting-computer-name.patch
+Patch23: 0002-Add-computer-name-support-to-realm-join-CLI.patch
+Patch24: 0003-Add-documentation-for-computer-name-setting.patch
+Patch25: 0001-Make-DBus-aware-of-systemd.patch
+Patch26: 0001-Add-os-name-and-os-version-command-line-options.patch
+Patch27: 0001-doc-add-computer-name-to-realm-man-page.patch
+Patch28: 0001-Fix-man-page-reference-in-systemd-service-file.patch
+Patch29: 0001-Use-current-idmap-options-for-smb.conf.patch
+Patch30: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
+Patch31: 0001-Fix-issues-found-by-Coverity.patch
+
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: intltool pkgconfig
+BuildRequires: gettext-devel
+BuildRequires: glib2-devel >= 2.32.0
+BuildRequires: openldap-devel
+BuildRequires: polkit-devel
+BuildRequires: krb5-devel
+BuildRequires: systemd-devel
+BuildRequires: libxslt
+BuildRequires: xmlto
+BuildRequires: automake
+
+Requires: authconfig
+Requires: oddjob-mkhomedir
+
+%description
+realmd is a DBus system service which manages discovery and enrollment in realms
+and domains like Active Directory or IPA. The control center uses realmd as the
+back end to 'join' a domain simply and automatically configure things correctly.
+
+%package devel-docs
+Summary: Developer documentation files for %{name}
+
+%description devel-docs
+The %{name}-devel package contains developer documentation for developing
+applications that use %{name}.
+
+%define _hardened_build 1
+
+%prep
+%setup -q
+%patch0 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+
+%build
+aclocal
+automake --add-missing
+autoconf
+%configure --disable-silent-rules
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+make install DESTDIR=%{buildroot}
+
+%find_lang realmd
+
+%post
+%systemd_post realmd.service
+
+%preun
+%systemd_preun realmd.service
+
+%postun
+%systemd_postun_with_restart realmd.service
+
+%files -f realmd.lang
+%doc AUTHORS COPYING NEWS README
+%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
+%{_sbindir}/realm
+%dir %{_libdir}/realmd
+%{_libdir}/realmd/realmd
+%{_libdir}/realmd/realmd-defaults.conf
+%{_libdir}/realmd/realmd-distro.conf
+%{_unitdir}/realmd.service
+%{_datadir}/dbus-1/system-services/org.freedesktop.realmd.service
+%{_datadir}/polkit-1/actions/org.freedesktop.realmd.policy
+%{_mandir}/man8/realm.8.gz
+%{_mandir}/man5/realmd.conf.5.gz
+%{_localstatedir}/cache/realmd/
+
+%files devel-docs
+%doc %{_datadir}/doc/realmd/
+%doc ChangeLog
+
+%changelog
+* Tue Aug 21 2018 Sumit Bose - 0.16.1-11
+Improve fix for rhbz#1370457 and fix Coverity issues
+- Resolves: rhbz#1370457
+
+* Thu Jun 14 2018 Sumit Bose - 0.16.1-10
+Use current Samba options and read NetBIOS name from keytab
+- Resolves: rhbz#1484072
+- Resolves: rhbz#1370457
+
+* Wed Sep 07 2016 Sumit Bose - 0.16.1-9
+Rebuild to fix wrong doc path
+- Resolves: rhbz#1360702
+
+* Wed Jul 27 2016 Sumit Bose - 0.16.1-8
+Fix man page reference in systemd service file
+- Resolves: rhbz#1360702
+
+* Mon Jul 25 2016 Sumit Bose - 0.16.1-7
+doc:
add computer-name to realm man page
+- Related: rhbz#1293390
+
+* Tue Jun 28 2016 Sumit Bose - 0.16.1-6
+- Resolves: rhbz#1258745
+- Resolves: rhbz#1258488
+- Resolves: rhbz#1267563
+- Resolves: rhbz#1293390
+- Resolves: rhbz#1273924
+- Resolves: rhbz#1274368
+- Resolves: rhbz#1291924
+
+* Fri Oct 16 2015 Stef Walter - 0.16.1-5
+- Revert 0.16.1-4
+- Use samba by default
+- Resolves: rhbz#1271618
+
+* Fri Sep 11 2015 Stef Walter - 0.16.1-4
+- Fix regressions in 0.16.x releases
+- Resolves: rhbz#1258745
+- Resolves: rhbz#1258488
+
+* Fri Jul 31 2015 Stef Walter - 0.16.1-3
+- Fix regression accepting DNS domain names
+- Resolves: rhbz#1243771
+
+* Fri Jul 24 2015 Stef Walter - 0.16.1-2
+- Fix discarded patch: ipa-packages.patch
+
+* Tue Jul 14 2015 Stef Walter - 0.16.1-1
+- Updated to upstream 0.16.1
+- Resolves: rhbz#1241832
+- Resolves: rhbz#1230941
+
+* Tue Apr 14 2015 Stef Walter - 0.16.0-1
+- Updated to upstream 0.16.0
+- Resolves: rhbz#1174911
+- Resolves: rhbz#1142191
+- Resolves: rhbz#1142148
+
+* Fri Jan 10 2014 Stef Walter - 0.14.6-5
+- Don't crash when full_name_format is not in sssd.conf [#1051033]
+ This is a regression from a prior update.
+
+* Tue Jan 07 2014 Stef Walter - 0.14.6-4
+- Fix full_name_format printf(3) related failure [#1048087]
+
+* Fri Dec 27 2013 Daniel Mach - 0.14.6-3
+- Mass rebuild 2013-12-27
+
+* Fri Sep 20 2013 Stef Walter - 0.14.6-2
+- Start oddjob after joining a domain [#967023]
+
+* Mon Sep 09 2013 Stef Walter - 0.14.6-1
+- Update to upstream 0.14.6 point release
+- Set 'kerberos method = system keytab' in smb.conf properly [#997580]
+- Limit Netbios name to 15 chars when joining AD domain [#1001667]
+
+* Thu Aug 15 2013 Stef Walter - 0.14.5-1
+- Update to upstream 0.14.5 point release
+- Fix regression conflicting --unattended and -U as in --user args [#996223]
+- Pass discovered server address to adcli tool [#996995]
+
+* Wed Aug 07 2013 Stef Walter - 0.14.4-1
+- Update to upstream 0.14.4 point release
+- Fix up the [sssd] section in sssd.conf if it's screwed up [#987491]
+- Add an --unattended argument to realm command line client [#976593]
+- Clearer 'realm permit' manual page example [#985800]
+
+* Mon Jul 22 2013 Stef Walter - 0.14.3-1
+- Update to upstream 0.14.3 point release
+- Populate LoginFormats correctly [#967011]
+- Documentation clarifications [#985773] [#967565]
+- Set sssd.conf default_shell per domain [#967569]
+- Notify in terminal output when installing packages [#984960]
+- If joined via adcli, delete computer with adcli too [#967008]
+- If input is not a tty, then read from stdin without getpass()
+- Configure pam_winbind.conf appropriately [#985819]
+- Refer to FreeIPA as IPA [#967019]
+- Support use of kerberos ccache to join when winbind [#985817]
+
+* Tue Jun 11 2013 Stef Walter - 0.14.2-3
+- Run test suite when building the package
+- Fix rpmlint errors
+
+* Thu Jun 06 2013 Stef Walter - 0.14.2-2
+- Install oddjobd and oddjob-mkhomedir when joining domains [#969441]
+
+* Mon May 27 2013 Stef Walter - 0.14.2-1
+- Update to upstream 0.14.2 version
+- Discover FreeIPA 3.0 with AD trust correctly [#966148]
+- Only allow joining one realm by default
[#966650]
+- Enable the oddjobd service after joining a domain [#964971]
+- Remove sssd.conf allow lists when permitting all [#965760]
+- Add dependency on authconfig [#964675]
+- Remove glib-networking dependency now that we no longer use SSL.
+
+* Mon May 13 2013 Stef Walter - 0.14.1-1
+- Update to upstream 0.14.1 version
+- Fix crasher/regression using passwords with joins [#961435]
+- Make second Ctrl-C just quit realm tool [#961325]
+- Fix critical warning when leaving IPA realm [#961320]
+- Don't print out journalctl command in obvious situations [#961230]
+- Document the --all option to 'realm discover' [#961279]
+- No need to require sssd-tools package [#961254]
+- Enable services even in install mode [#960887]
+- Use the AD domain name in sssd.conf directly [#960270]
+- Fix critical warning when service Release() method [#961385]
+
+* Mon May 06 2013 Stef Walter - 0.14.0-1
+- Work around broken krb5 with empty passwords [#960001]
+- Add manual page for realmd.conf [#959357]
+- Update to upstream 0.14.0 version
+
+* Thu May 02 2013 Stef Walter - 0.13.91-1
+- Fix regression when using one time password [#958667]
+- Support for permitting logins by group [#887675]
+
+* Mon Apr 29 2013 Stef Walter - 0.13.90-1
+- Add option to disable package-kit installs [#953852]
+- Add option to use unqualified names [#953825]
+- Better discovery of domains [#953153]
+- Concept of managing parts of the system [#914892]
+- Fix problems with cache directory [#913457]
+- Clearly explain when realm cannot be joined [#878018]
+- Many other upstream enhancements and fixes
+
+* Wed Apr 17 2013 Stef Walter - 0.13.3-2
+- Add missing glib-networking dependency, currently used
+ for FreeIPA discovery [#953151]
+
+* Wed Apr 17 2013 Stef Walter - 0.13.3-1
+- Update for upstream 0.13.3 version
+- Add dependency on systemd for installing service file
+
+* Tue Apr 16 2013 Stef Walter - 0.13.2-2
+- Fix problem with sssd not starting after joining
+
+* Mon Feb 18 2013 Stef Walter - 0.13.2-1
+- Update to upstream 0.13.2 version
+
+* Mon Feb 18 2013 Stef Walter - 0.13.1-1
+- Update to upstream 0.13.1 version for bug fixes
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 12 2012 Stef Walter - 0.12-1
+- Update to upstream 0.12 version for bug fixes
+
+* Tue Oct 30 2012 Stef Walter - 0.11-1
+- Update to upstream 0.11 version
+
+* Sat Oct 20 2012 Stef Walter - 0.10-1
+- Update to upstream 0.10 version
+
+* Wed Oct 17 2012 Stef Walter - 0.9-1
+- Update to upstream 0.9 version
+
+* Wed Sep 19 2012 Stef Walter - 0.8-2
+- Add openldap-devel build requirement
+
+* Wed Sep 19 2012 Stef Walter - 0.8-1
+- Update to upstream 0.8 version
+- Add support for translations
+
+* Mon Aug 20 2012 Stef Walter - 0.7-2
+- Build requires gtk-doc
+
+* Mon Aug 20 2012 Stef Walter - 0.7-1
+- Update to upstream 0.7 version
+- Remove files no longer present in upstream version
+- Put documentation in its own realmd-devel-docs subpackage
+- Update upstream URLs
+
+* Mon Aug 6 2012 Stef Walter - 0.6-1
+- Update to upstream 0.6 version
+
+* Tue Jul 17 2012 Stef Walter - 0.5-2
+- Remove missing SssdIpa.service file from the files list.
+ This file will return upstream in 0.6
+
+* Tue Jul 17 2012 Stef Walter - 0.5-1
+- Update to upstream 0.5 version
+
+* Tue Jun 19 2012 Stef Walter - 0.4-1
+- Update to upstream 0.4 version
+- Cleanup various rpmlint warnings
+
+* Tue Jun 19 2012 Stef Walter - 0.3-2
+- Add doc files
+- Own directories
+- Remove obsolete parts of spec file
+- Remove explicit dependencies
+- Updated License line to LGPLv2+
+
+* Tue Jun 19 2012 Stef Walter - 0.3
+- Build fixes
+
+* Mon Jun 18 2012 Stef Walter - 0.2
+- Initial RPM
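Review bot: `Source0` and `URL` point at plain `http://` addresses, so anyone who fetches the tarball from the URL instead of the lookaside copy gets no transport integrity; use the `https://` form if upstream serves it and keep relying on the digest recorded in `.realmd.metadata` for the pinned tarball. `%define _hardened_build 1` sits between the `devel-docs` description and `%prep`, where it is easy to miss in review; `%global _hardened_build 1` near the top of the spec is the usual form. `BuildRequires: automake` is also listed twice and one of the two lines can go.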