diff --git a/.gitignore b/.gitignore
index 540b6ba..e0d7a4d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/realmd-0.16.3.tar.gz
+SOURCES/realmd-0.17.1.tar.gz
diff --git a/.realmd.metadata b/.realmd.metadata
index c1809f4..06ce7b9 100644
--- a/.realmd.metadata
+++ b/.realmd.metadata
@@ -1 +1 @@
-0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz
+681f7f532daa62a08f2f2d6c9d4a1a04c4c793a3 SOURCES/realmd-0.17.1.tar.gz
diff --git a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
deleted file mode 100644
index 6daf79b..0000000
--- a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
+++ /dev/null
@@ -1,113 +0,0 @@ -From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 14 Aug 2018 16:44:39 +0200 -Subject: [PATCH] Change qualified names default for IPA - -In a FreeIPA domain it is typically expected that the IPA accounts use -sort names while accounts from trusted domains have fully qualified -names. This is automatically done by SSSD's IPA provider so there is no -need to force fully qualified names in the SSSD configuration. - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162 ---- - service/realm-options.c | 9 +++++---- - service/realm-options.h | 3 ++- - service/realm-samba-winbind.c | 2 +- - service/realm-sssd-ad.c | 2 +- - service/realm-sssd-ipa.c | 2 +- - 5 files changed, 10 insertions(+), 8 deletions(-) - -diff --git a/service/realm-options.c b/service/realm-options.c -index bd804ea..34a209f 100644 ---- a/service/realm-options.c -+++ b/service/realm-options.c -@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options, - - if (realm_name && !option) { - section = g_utf8_casefold (realm_name, -1); -- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE); -+ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE); - g_free (section); - } - -@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name) - gboolean mapping; - - section = g_utf8_casefold (realm_name, -1); -- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE); -+ mapping = realm_settings_boolean (section, "automatic-join", FALSE); - g_free (section); - - return mapping; - } - - gboolean --realm_options_qualify_names (const gchar *realm_name) -+realm_options_qualify_names (const gchar *realm_name, -+ gboolean def) - { - gchar *section; - gboolean qualify; - - section = g_utf8_casefold (realm_name, -1); -- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE); -+ qualify = realm_settings_boolean 
(section, "fully-qualified-names", def); - g_free (section); - - return qualify; -diff --git a/service/realm-options.h b/service/realm-options.h -index 7a1355e..b71d219 100644 ---- a/service/realm-options.h -+++ b/service/realm-options.h -@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options, - gboolean realm_options_automatic_mapping (GVariant *options, - const gchar *realm_name); - --gboolean realm_options_qualify_names (const gchar *realm_name); -+gboolean realm_options_qualify_names (const gchar *realm_name, -+ gboolean def); - - gboolean realm_options_check_domain_name (const gchar *domain_name); - -diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c -index 9335e26..61988eb 100644 ---- a/service/realm-samba-winbind.c -+++ b/service/realm-samba-winbind.c -@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, - "winbind enum groups", "no", - "winbind offline logon", "yes", - "winbind refresh tickets", "yes", -- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes", -+ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? 
"no" : "yes", - "template shell", realm_settings_string ("users", "default-shell"), - NULL); - -diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c -index 8543ca8..de7ce30 100644 ---- a/service/realm-sssd-ad.c -+++ b/service/realm-sssd-ad.c -@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config, - gchar *home; - - home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home")); -- qualify = realm_options_qualify_names (disco->domain_name); -+ qualify = realm_options_qualify_names (disco->domain_name, TRUE); - shell = realm_settings_string ("users", "default-shell"); - explicit_computer_name = realm_options_computer_name (options, disco->domain_name); - realmd_tags = g_string_new (""); -diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c -index ff1dc8a..5029f6b 100644 ---- a/service/realm-sssd-ipa.c -+++ b/service/realm-sssd-ipa.c -@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source, - - realm_sssd_config_update_domain (config, domain, &error, - "cache_credentials", "True", -- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False", -+ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False", - "krb5_store_password_if_offline", "True", - "default_shell", shell, - "fallback_homedir", home, --- -2.17.1 - diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch deleted file mode 100644 index 69f6aa3..0000000 --- a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 31 May 2018 16:16:08 +0200 -Subject: [PATCH] Find NetBIOS name in keytab while leaving - -If realmd is used with Samba as membership software, i.e. Samba's net -utility, the NetBIOS name must be known when leaving a domain. The most -reliable way to find it is by searching the keytab for NAME$@REALM type -entries and use the NAME as the NetBIOS name. - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457 ---- - service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++++++++++ - service/realm-kerberos.h | 2 ++ - service/realm-samba-enroll.c | 13 ++++++--- - 3 files changed, 76 insertions(+), 3 deletions(-) - -diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c -index 54d1ed7..d6d109f 100644 ---- a/service/realm-kerberos.c -+++ b/service/realm-kerberos.c -@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name, - return ret; - - } -+ -+gchar * -+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name) -+{ -+ krb5_error_code code; -+ krb5_keytab keytab = NULL; -+ krb5_context ctx; -+ krb5_kt_cursor cursor = NULL; -+ krb5_keytab_entry entry; -+ krb5_principal realm_princ = NULL; -+ gchar *princ_name = NULL; -+ gchar *netbios_name = NULL; -+ krb5_data *name_data; -+ -+ code = krb5_init_context (&ctx); -+ if (code != 0) { -+ return NULL; -+ } -+ -+ princ_name = g_strdup_printf ("user@%s", realm_name); -+ code = krb5_parse_name (ctx, princ_name, &realm_princ); -+ g_free (princ_name); -+ -+ if (code == 0) { -+ code = krb5_kt_default (ctx, &keytab); -+ } -+ -+ if (code == 0) { -+ code = krb5_kt_start_seq_get (ctx, keytab, &cursor); -+ } -+ -+ if (code == 0) { -+ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) { -+ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) { -+ name_data = krb5_princ_component (ctx, entry.principal, 0); -+ if (name_data != 
NULL -+ && name_data->length > 0 -+ && name_data->data[name_data->length - 1] == '$') { -+ netbios_name = g_strndup (name_data->data, name_data->length - 1); -+ if (netbios_name == NULL) { -+ code = krb5_kt_free_entry (ctx, &entry); -+ warn_if_krb5_failed (ctx, code); -+ break; -+ } -+ } -+ } -+ code = krb5_kt_free_entry (ctx, &entry); -+ warn_if_krb5_failed (ctx, code); -+ } -+ } -+ -+ code = krb5_kt_end_seq_get (ctx, keytab, &cursor); -+ warn_if_krb5_failed (ctx, code); -+ -+ code = krb5_kt_close (ctx, keytab); -+ warn_if_krb5_failed (ctx, code); -+ -+ krb5_free_principal (ctx, realm_princ); -+ -+ krb5_free_context (ctx); -+ -+ return netbios_name; -+ -+} -diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h -index 0447e4d..58cfe07 100644 ---- a/service/realm-kerberos.h -+++ b/service/realm-kerberos.h -@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self, - gboolean realm_kerberos_flush_keytab (const gchar *realm_name, - GError **error); - -+gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name); -+ - const gchar * realm_kerberos_get_name (RealmKerberos *self); - - const gchar * realm_kerberos_get_realm_name (RealmKerberos *self); -diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c -index 76e7b79..03f56d0 100644 ---- a/service/realm-samba-enroll.c -+++ b/service/realm-samba-enroll.c -@@ -85,7 +85,8 @@ static JoinClosure * - join_closure_init (GTask *task, - RealmDisco *disco, - GVariant *options, -- GDBusMethodInvocation *invocation) -+ GDBusMethodInvocation *invocation, -+ gboolean do_join) - { - JoinClosure *join; - gchar *workgroup; -@@ -106,6 +107,12 @@ join_closure_init (GTask *task, - else if (disco->explicit_netbios) - authid = disco->explicit_netbios; - -+ /* try to get the NetBIOS name from the keytab as last option while -+ * leaving the domain */ -+ if (authid == NULL && !do_join) { -+ authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm); -+ } -+ - 
join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE); - realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, - "security", "ads", -@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco, - g_return_if_fail (cred != NULL); - - task = g_task_new (NULL, NULL, callback, user_data); -- join = join_closure_init (task, disco, options, invocation); -+ join = join_closure_init (task, disco, options, invocation, TRUE); - explicit_computer_name = realm_options_computer_name (options, disco->domain_name); - if (explicit_computer_name != NULL) { - realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", -@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, - JoinClosure *join; - - task = g_task_new (NULL, NULL, callback, user_data); -- join = join_closure_init (task, disco, options, invocation); -+ join = join_closure_init (task, disco, options, invocation, FALSE); - - switch (cred->type) { - case REALM_CREDENTIAL_PASSWORD: --- -2.14.4 - diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch deleted file mode 100644 index ee9e081..0000000 --- a/SOURCES/0001-Fix-issues-found-by-Coverity.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 14 Aug 2018 14:09:48 +0200
-Subject: [PATCH] Fix issues found by Coverity
-
----
- service/realm-kerberos.c | 5 ++++-
- service/realm-packages.c | 2 +-
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
-index d6d109f..252e256 100644
---- a/service/realm-kerberos.c
-+++ b/service/realm-kerberos.c
-@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
- if (name == NULL)
- break;
- value = va_arg (va, const gchar *);
-- g_return_if_fail (value != NULL);
-+ if (value == NULL) {
-+ va_end (va);
-+ g_return_if_reached ();
-+ }
-
- values[0] = g_variant_new_string (name);
- values[1] = g_variant_new_string (value);
-diff --git a/service/realm-packages.c b/service/realm-packages.c
-index 9a6984c..5976439 100644
---- a/service/realm-packages.c
-+++ b/service/realm-packages.c
-@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
- g_ptr_array_add (packages, NULL);
- *result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
- } else {
-- g_ptr_array_free (files, TRUE);
-+ g_ptr_array_free (packages, TRUE);
- }
-
- if (result_files) {
---
-2.17.1
-
diff --git a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
deleted file mode 100644
index fe46620..0000000
--- a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 27 Jul 2016 19:06:29 +0200
-Subject: [PATCH] Fix man page reference in systemd service file
-
----
- dbus/realmd.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
-index b3bcf7a..64c1090 100644
---- a/dbus/realmd.service.in
-+++ b/dbus/realmd.service.in
-@@ -1,6 +1,6 @@
- [Unit]
- Description=Realm and Domain Configuration
--Documentation=man:realmd(8)
-+Documentation=man:realm(8)
-
- [Service]
- Type=dbus
---
-2.7.4
-
diff --git a/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch b/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
deleted file mode 100644
index 5484209..0000000
--- a/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 27 Sep 2018 13:04:47 +0200 -Subject: [PATCH] IPA: do not call sssd-enable-logins - -It is expected that ipa-client-install will do all PAM and NSS -configuration. To avoid changing IPA default realmd will not try to -update the related configuration. ---- - service/realm-sssd-ipa.c | 24 +----------------------- - 1 file changed, 1 insertion(+), 23 deletions(-) - -diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c -index 5029f6b..70f8b0e 100644 ---- a/service/realm-sssd-ipa.c -+++ b/service/realm-sssd-ipa.c -@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data) - g_free (enroll); - } - --static void --on_enable_nss_done (GObject *source, -- GAsyncResult *result, -- gpointer user_data) --{ -- GTask *task = G_TASK (user_data); -- GError *error = NULL; -- gint status; -- -- status = realm_command_run_finish (result, NULL, &error); -- if (error == NULL && status != 0) -- g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL, -- _("Enabling SSSD in nsswitch.conf and PAM failed.")); -- if (error != NULL) -- g_task_return_error (task, error); -- else -- g_task_return_boolean (task, TRUE); -- g_object_unref (task); --} -- - static void - on_restart_done (GObject *source, - GAsyncResult *result, - gpointer user_data) - { - GTask *task = G_TASK (user_data); -- EnrollClosure *enroll = g_task_get_task_data (task); - RealmSssd *sssd = g_task_get_source_object (task); - GError *error = NULL; - - realm_service_enable_and_restart_finish (result, &error); - if (error == NULL) { - realm_sssd_update_properties (sssd); -- realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation, -- on_enable_nss_done, g_object_ref (task)); -+ g_task_return_boolean (task, TRUE); - } else { - g_task_return_error (task, error); - } --- -2.17.1 - 
diff --git a/SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch b/SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
deleted file mode 100644
index 7688f29..0000000
--- a/SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
+++ /dev/null
@@ -1,392 +0,0 @@ -From 2fa90caf4ad38541615446b80dbeaccd0d0e6a6f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 28 Oct 2020 13:40:03 +0100 -Subject: [PATCH] Kerberos: add default_domain and udp_preference_limit - -When joining an Active Directory domain realmd will set the -default_domain and udp_preference_limit in the Kerberos configuration to -avoid errors and make Kerberos handling in the AD domain more easy. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791016 ---- - doc/manual/realmd.conf.xml | 69 +++++++++++++++++++ - service/Makefile.am | 2 + - service/realm-kerberos-config.c | 116 ++++++++++++++++++++++++++++++++ - service/realm-kerberos-config.h | 35 ++++++++++ - service/realm-samba.c | 12 ++++ - service/realm-sssd-ad.c | 12 ++++ - service/realmd-debian.conf | 1 + - service/realmd-defaults.conf | 1 + - service/realmd-redhat.conf | 1 + - service/realmd-suse.conf | 1 + - 10 files changed, 250 insertions(+) - create mode 100644 service/realm-kerberos-config.c - create mode 100644 service/realm-kerberos-config.h - -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index 9062252..97d2e8d 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -304,6 +304,75 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash - - - -+ -+ paths -+ -+ These options should go in an -+ section of the /etc/realmd.conf file. Only -+ specify the settings you wish to override. -+ -+ -+ -+ -+ -+ Path to the Kerberos configuration file, typically -+ /etc/krb5.conf. It can also be the path of -+ a file included by /etc/krb5.conf, e.g. -+ /etc/krb5.conf.d/realmd_settings, if the -+ file does not exist if will be created. -+ -+ -+ -+[paths] -+krb5.conf = /etc/krb5.conf.d/realmd_settings -+ -+ -+ -+ -+ When joining an Active Directory domain -+ realmd will set the -+ and -+ options in the Kerberos -+ configuration: -+ -+ -+ -+default_realm = DOMAIN.EXAMPLE.COM -+udp_preference_limit = 0 -+ -+ -+ -+ -+ The option is e.g. 
needed -+ when trying to resolve enterprise principals and makes it more -+ convenient to request Kerberos tickets for users of the default -+ realm. Instead of specifying the whole principal just -+ kinit username can be used. -+ -+ With always TCP -+ will be used to send Kerberos request to domain controller. This -+ is useful in Active Directory environments because Kerberos will -+ typically switch to TCP after initially starting with UDP -+ because AD Kerberos tickets are often larger than UDP can handle. -+ Using TCP by default will avoid those extra UDP round trips. -+ Additionally it helps to avoid issues with password changes when -+ the DC does not reply soon enough and the client will send a -+ second UDP request. The DC might reply with a reply error to the -+ second request although the original password change request was -+ successful and the client will no know if the request was -+ successful or not. When using TCP this cannot happen because the -+ client will never send a second request but waits on the -+ connection until the server replies. -+ -+ Please note that realmd will not remove -+ those options while leaving the domain since they are useful in -+ general. When joining a new domain realmd -+ will of course overwrite . 
-+ -+ -+ -+ -+ - - Realm specific settings - These options should go in an section with the same name -diff --git a/service/Makefile.am b/service/Makefile.am -index 88ee780..031cd1d 100644 ---- a/service/Makefile.am -+++ b/service/Makefile.am -@@ -57,6 +57,8 @@ realmd_SOURCES = \ - service/realm-invocation.h \ - service/realm-kerberos.c \ - service/realm-kerberos.h \ -+ service/realm-kerberos-config.c \ -+ service/realm-kerberos-config.h \ - service/realm-kerberos-membership.c \ - service/realm-kerberos-membership.h \ - service/realm-kerberos-provider.c \ -diff --git a/service/realm-kerberos-config.c b/service/realm-kerberos-config.c -new file mode 100644 -index 0000000..447a452 ---- /dev/null -+++ b/service/realm-kerberos-config.c -@@ -0,0 +1,116 @@ -+/* realmd -- Realm configuration service -+ * -+ * Copyright 2020 Red Hat Inc -+ * -+ * This program is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as published -+ * by the Free Software Foundation; either version 2 of the licence or (at -+ * your option) any later version. -+ * -+ * See the included COPYING file for more information. 
-+ * -+ * Author: Sumit Bose -+ */ -+ -+#include "config.h" -+ -+#include "realm-ini-config.h" -+#include "realm-kerberos-config.h" -+#include "realm-settings.h" -+ -+#include -+ -+RealmIniConfig * -+realm_kerberos_config_new_with_flags (RealmIniFlags flags, -+ GError **error) -+{ -+ RealmIniConfig *config; -+ const gchar *filename; -+ GError *err = NULL; -+ -+ config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS | flags); -+ -+ filename = realm_settings_path ("krb5.conf"); -+ -+ realm_ini_config_read_file (config, filename, &err); -+ -+ if (err != NULL) { -+ /* If the caller wants errors, then don't return an invalid samba config */ -+ if (error) { -+ g_propagate_error (error, err); -+ g_object_unref (config); -+ config = NULL; -+ -+ /* If the caller doesn't care, then warn but continue */ -+ } else { -+ g_warning ("Couldn't load config file: %s: %s", filename, -+ err->message); -+ g_error_free (err); -+ } -+ } -+ -+ return config; -+} -+ -+RealmIniConfig * -+realm_kerberos_config_new (GError **error) -+{ -+ return realm_kerberos_config_new_with_flags (REALM_INI_NONE, error); -+} -+ -+gboolean -+configure_krb5_conf_for_domain (const gchar *realm, GError **error ) -+{ -+ RealmIniConfig *config; -+ gboolean res; -+ GFile *gfile; -+ GFileInfo *file_info = NULL; -+ -+ config = realm_kerberos_config_new (error); -+ if (config == NULL) { -+ return FALSE; -+ } -+ -+ /* When writing to a file glib will replace the original file with a -+ * new one. To make sure permissions and other attributes like e.g. -+ * SELinux labels stay the same this information is saved before the -+ * change and applied to the new file afterwards. 
*/ -+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config)); -+ file_info = g_file_query_info (gfile, "*", 0, NULL, error); -+ g_object_unref (gfile); -+ if (*error != NULL) { -+ g_warning ("Couldn't load file attributes, " -+ "will continue without: %s: %s", -+ realm_ini_config_get_filename (config), -+ (*error)->message); -+ g_clear_error (error); -+ } -+ -+ if (!realm_ini_config_begin_change (config, error)) { -+ g_object_unref (config); -+ return FALSE; -+ } -+ -+ realm_ini_config_set (config, "libdefaults", -+ "default_realm", realm, -+ "udp_preference_limit", "0", -+ NULL); -+ -+ res = realm_ini_config_finish_change (config, error); -+ -+ if (file_info != NULL) { -+ gfile = g_file_new_for_path (realm_ini_config_get_filename (config)); -+ if (!g_file_set_attributes_from_info (gfile, file_info, -+ 0, NULL, error)) { -+ g_warning ("Couldn't set file attributes: %s: %s", -+ realm_ini_config_get_filename (config), -+ (*error)->message); -+ } -+ g_object_unref (file_info); -+ g_object_unref (gfile); -+ } -+ -+ g_object_unref (config); -+ -+ return res; -+} -diff --git a/service/realm-kerberos-config.h b/service/realm-kerberos-config.h -new file mode 100644 -index 0000000..791aa98 ---- /dev/null -+++ b/service/realm-kerberos-config.h -@@ -0,0 +1,35 @@ -+/* realmd -- Realm configuration service -+ * -+ * Copyright 2020 Red Hat Inc -+ * -+ * This program is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU Lesser General Public License as published -+ * by the Free Software Foundation; either version 2 of the licence or (at -+ * your option) any later version. -+ * -+ * See the included COPYING file for more information. 
-+ * -+ * Author: Sumit Bose -+ */ -+ -+#include "config.h" -+ -+#ifndef __REALM_KERBEROS_CONFIG_H__ -+#define __REALM_KERBEROS_CONFIG_H__ -+ -+#include -+ -+#include "realm-ini-config.h" -+ -+ -+RealmIniConfig * realm_kerberos_config_new (GError **error); -+ -+RealmIniConfig * realm_kerberos_config_new_with_flags (RealmIniFlags flags, -+ GError **error); -+ -+gboolean configure_krb5_conf_for_domain (const gchar *realm, -+ GError **error ); -+ -+G_END_DECLS -+ -+#endif /* __REALM_KERBEROS_CONFIG_H__ */ -diff --git a/service/realm-samba.c b/service/realm-samba.c -index fe33600..e7b80a0 100644 ---- a/service/realm-samba.c -+++ b/service/realm-samba.c -@@ -21,6 +21,7 @@ - #include "realm-disco.h" - #include "realm-errors.h" - #include "realm-kerberos.h" -+#include "realm-kerberos-config.h" - #include "realm-kerberos-membership.h" - #include "realm-options.h" - #include "realm-packages.h" -@@ -210,6 +211,17 @@ on_join_do_winbind (GObject *source, - NULL); - } - -+ if (error == NULL) { -+ configure_krb5_conf_for_domain (enroll->disco->kerberos_realm, &error); -+ if (error != NULL) { -+ realm_diagnostics_error (enroll->invocation, error, -+ "Failed to update Kerberos " -+ "configuration, not fatal, " -+ "please check manually"); -+ g_clear_error (&error); -+ } -+ } -+ - if (error == NULL) { - name = realm_kerberos_get_name (REALM_KERBEROS (self)); - realm_samba_winbind_configure_async (self->config, name, enroll->options, -diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c -index de7ce30..6b2f9f8 100644 ---- a/service/realm-sssd-ad.c -+++ b/service/realm-sssd-ad.c -@@ -19,6 +19,7 @@ - #include "realm-dbus-constants.h" - #include "realm-diagnostics.h" - #include "realm-errors.h" -+#include "realm-kerberos-config.h" - #include "realm-kerberos-membership.h" - #include "realm-options.h" - #include "realm-packages.h" -@@ -256,6 +257,17 @@ on_join_do_sssd (GObject *source, - join->options, join->use_adcli, &error); - } - -+ if (error == NULL) { -+ 
configure_krb5_conf_for_domain (join->disco->kerberos_realm, &error); -+ if (error != NULL) { -+ realm_diagnostics_error (join->invocation, error, -+ "Failed to update Kerberos " -+ "configuration, not fatal, " -+ "please check manually"); -+ g_clear_error (&error); -+ } -+ } -+ - if (error == NULL) { - realm_service_enable_and_restart ("sssd", join->invocation, - on_sssd_enable_nss, g_object_ref (task)); -diff --git a/service/realmd-debian.conf b/service/realmd-debian.conf -index 3e93d60..6cfdcef 100644 ---- a/service/realmd-debian.conf -+++ b/service/realmd-debian.conf -@@ -1,6 +1,7 @@ - # Distro specific overrides for debian - [paths] - smb.conf = /etc/samba/smb.conf -+krb5.conf = /etc/krb5.conf - - # - # Normally in these packages sections we can specify a file -diff --git a/service/realmd-defaults.conf b/service/realmd-defaults.conf -index 6d7ccf8..ac4b436 100644 ---- a/service/realmd-defaults.conf -+++ b/service/realmd-defaults.conf -@@ -11,6 +11,7 @@ sssd.conf = /etc/sssd/sssd.conf - adcli = /usr/sbin/adcli - ipa-client-install = /usr/sbin/ipa-client-install - pam_winbind.conf = /etc/security/pam_winbind.conf -+krb5.conf = /etc/krb5.conf - - [active-directory] - default-client = sssd -diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf -index e39fad5..46e61b1 100644 ---- a/service/realmd-redhat.conf -+++ b/service/realmd-redhat.conf -@@ -1,6 +1,7 @@ - # Distro specific overrides for redhat - [paths] - smb.conf = /etc/samba/smb.conf -+krb5.conf = /etc/krb5.conf - - [samba-packages] - samba-common-tools = /usr/bin/net -diff --git a/service/realmd-suse.conf b/service/realmd-suse.conf -index 052b4dc..3165efa 100644 ---- a/service/realmd-suse.conf -+++ b/service/realmd-suse.conf -@@ -1,6 +1,7 @@ - # Distro specific overrides for SuSE - [paths] - smb.conf = /etc/samba/smb.conf -+krb5.conf = /etc/krb5.conf - - [samba-packages] - samba-client = /usr/bin/net --- -2.26.2 - 
diff --git a/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch b/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
deleted file mode 100644
index a61b602..0000000
--- a/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 5 Dec 2016 18:25:44 +0100 -Subject: [PATCH] Kerberos: fall back to tcp SRV lookup - ---- - service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++-------- - 1 file changed, 39 insertions(+), 9 deletions(-) - -diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c -index 2b3a0f8..1477ae8 100644 ---- a/service/realm-kerberos-provider.c -+++ b/service/realm-kerberos-provider.c -@@ -19,6 +19,7 @@ - #include "realm-kerberos-provider.h" - - #include -+#include - - struct _RealmKerberosProvider { - RealmProvider parent; -@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self) - - } - -+typedef struct { -+ gchar *name; -+ const char *prot; -+} NameProtPair; -+ -+static void -+name_prot_pair_free (gpointer data) -+{ -+ NameProtPair *name_prot_pair = data; -+ g_free (name_prot_pair->name); -+ g_free (name_prot_pair); -+} -+ - static void - on_kerberos_discover (GObject *source, - GAsyncResult *result, - gpointer user_data) - { - GTask *task = G_TASK (user_data); -- const gchar *domain = g_task_get_task_data (task); -+ NameProtPair *name_prot_pair = g_task_get_task_data (task); - GError *error = NULL; - RealmDisco *disco; - GList *targets; -+ GResolver *resolver; - - targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error); - if (targets) { - g_list_free_full (targets, (GDestroyNotify)g_srv_target_free); -- disco = realm_disco_new (domain); -- disco->kerberos_realm = g_ascii_strup (domain, -1); -+ disco = realm_disco_new (name_prot_pair->name); -+ disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1); - g_task_return_pointer (task, disco, realm_disco_unref); - - } else if (error) { -- g_debug ("Resolving %s failed: %s", domain, error->message); -+ g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message); - g_error_free (error); -- 
g_task_return_pointer (task, NULL, NULL); -+ -+ if (strcmp (name_prot_pair->prot, "tcp") == 0) { -+ g_task_return_pointer (task, NULL, NULL); -+ } else { -+ /* Try tcp */ -+ name_prot_pair->prot = "tcp"; -+ resolver = g_resolver_get_default (); -+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot, -+ name_prot_pair->name, -+ g_task_get_cancellable (task), -+ on_kerberos_discover, g_object_ref (task)); -+ g_object_unref (resolver); -+ } - } - - g_object_unref (task); -@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider, - GTask *task; - const gchar *software; - GResolver *resolver; -- gchar *name; -+ NameProtPair *name_prot_pair; - - task = g_task_new (provider, NULL, callback, user_data); - -@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider, - g_task_return_pointer (task, NULL, NULL); - - } else { -- name = g_hostname_to_ascii (string); -+ name_prot_pair = g_new0 (NameProtPair, 1); -+ name_prot_pair->name = g_hostname_to_ascii (string); -+ name_prot_pair->prot = "udp"; - resolver = g_resolver_get_default (); -- g_resolver_lookup_service_async (resolver, "kerberos", "udp", name, -+ g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot, -+ name_prot_pair->name, - realm_invocation_get_cancellable (invocation), - on_kerberos_discover, g_object_ref (task)); -- g_task_set_task_data (task, name, g_free); -+ g_task_set_task_data (task, name_prot_pair, name_prot_pair_free); - g_object_unref (resolver); - } - --- -2.9.3 - diff --git a/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch b/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch deleted file mode 100644 index 09e9ccf..0000000 --- a/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 25 Nov 2016 17:35:11 +0100 -Subject: [PATCH] LDAP: don't close LDAP socket twice - -ldap_destroy() will call close() on the LDAP socket so with an explicit -close() before the file descriptor will be closed twice. Even worse, -since the file descriptor can be reused after the explicit call of -close() by any other thread the close() called from ldap_destroy() might -close a file descriptor used by a different thread as seen e.g. in -https://bugzilla.redhat.com/show_bug.cgi?id=1398522. - -Additionally the patch makes sure that the closed connection cannot be -used again. - -https://bugzilla.redhat.com/show_bug.cgi?id=1398522 ---- - service/realm-ldap.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/service/realm-ldap.c b/service/realm-ldap.c -index 061ed61..59817fb 100644 ---- a/service/realm-ldap.c -+++ b/service/realm-ldap.c -@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source) - { - LdapSource *ls = (LdapSource *)source; - -- /* Yeah, this is pretty rough, but we don't want blocking here */ -- close (ls->sock); - ldap_destroy (ls->ldap); - -+ ls->sock = -1; -+ ls->ldap = NULL; -+ - if (ls->cancellable) { - g_cancellable_release_fd (ls->cancellable); - g_object_unref (ls->cancellable); --- -2.9.3 - diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch deleted file mode 100644 index ea34960..0000000 --- a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 30 May 2018 13:10:57 +0200 -Subject: [PATCH] Use current idmap options for smb.conf - -Samba change some time ago the way how to configure id-mapping. With -this patch realmd will use the current supported options when creating -smb.conf. - -A new option --legacy-samba-config is added to use the old options if -realmd is used with Samba 3.5 or earlier. - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072 ---- - dbus/realm-dbus-constants.h | 1 + - doc/manual/realmd.conf.xml | 17 ++++++++++++ - service/realm-samba-enroll.c | 2 +- - service/realm-samba-enroll.h | 3 +++ - service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++--------- - 5 files changed, 72 insertions(+), 14 deletions(-) - -diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h -index 9cd30ef..40ffa2d 100644 ---- a/dbus/realm-dbus-constants.h -+++ b/dbus/realm-dbus-constants.h -@@ -69,6 +69,7 @@ G_BEGIN_DECLS - #define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name" - #define REALM_DBUS_OPTION_OS_NAME "os-name" - #define REALM_DBUS_OPTION_OS_VERSION "os-version" -+#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config" - - #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" - #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index 7853230..a2b577c 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -192,6 +192,23 @@ automatic-install = no - - - -+ -+ -+ -+ Set this to yes to create a Samba -+ configuration file with id-mapping options used by Samba-3.5 -+ and earlier version. 
-+ -+ -+ -+[service] -+legacy-samba-config = no -+# legacy-samba-config = yes -+ -+ -+ -+ -+ - - - -diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c -index c81aed2..76e7b79 100644 ---- a/service/realm-samba-enroll.c -+++ b/service/realm-samba-enroll.c -@@ -69,7 +69,7 @@ join_closure_free (gpointer data) - g_free (join); - } - --static gchar * -+gchar * - fallback_workgroup (const gchar *realm) - { - const gchar *pos; -diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h -index 84e8b2f..310ec65 100644 ---- a/service/realm-samba-enroll.h -+++ b/service/realm-samba-enroll.h -@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco, - gboolean realm_samba_enroll_leave_finish (GAsyncResult *result, - GError **error); - -+gchar * -+fallback_workgroup (const gchar *realm); -+ - G_END_DECLS - - #endif /* __REALM_SAMBA_ENROLL_H__ */ -diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c -index a7ddec3..9335e26 100644 ---- a/service/realm-samba-winbind.c -+++ b/service/realm-samba-winbind.c -@@ -21,8 +21,10 @@ - #include "realm-options.h" - #include "realm-samba-config.h" - #include "realm-samba-winbind.h" -+#include "realm-samba-enroll.h" - #include "realm-settings.h" - #include "realm-service.h" -+#include "dbus/realm-dbus-constants.h" - - #include - -@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, - RealmIniConfig *pwc; - GTask *task; - GError *error = NULL; -+ gchar *workgroup = NULL; -+ gchar *idmap_config_backend = NULL; -+ gchar *idmap_config_range = NULL; -+ gchar *idmap_config_schema_mode = NULL; - - g_return_if_fail (config != NULL); - g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation)); -@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, - "template shell", realm_settings_string ("users", "default-shell"), - NULL); - -- if (realm_options_automatic_mapping (options, domain_name)) { -- 
realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, -- "idmap uid", "10000-2000000", -- "idmap gid", "10000-2000000", -- "idmap backend", "tdb", -- "idmap schema", NULL, -- NULL); -+ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) { -+ if (realm_options_automatic_mapping (options, domain_name)) { -+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, -+ "idmap uid", "10000-2000000", -+ "idmap gid", "10000-2000000", -+ "idmap backend", "tdb", -+ "idmap schema", NULL, -+ NULL); -+ } else { -+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, -+ "idmap uid", "500-4294967296", -+ "idmap gid", "500-4294967296", -+ "idmap backend", "ad", -+ "idmap schema", "rfc2307", -+ NULL); -+ } - } else { -- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, -- "idmap uid", "500-4294967296", -- "idmap gid", "500-4294967296", -- "idmap backend", "ad", -- "idmap schema", "rfc2307", -- NULL); -+ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup"); -+ if (workgroup == NULL) { -+ workgroup = fallback_workgroup (domain_name); -+ } -+ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); -+ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); -+ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); -+ g_free (workgroup); -+ -+ if (realm_options_automatic_mapping (options, domain_name)) { -+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, -+ "idmap config * : backend", "tdb", -+ "idmap config * : range", "10000-999999", -+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid", -+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999", -+ idmap_config_schema_mode != NULL ? 
idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL, -+ NULL); -+ } else { -+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, -+ "idmap config * : backend", "tdb", -+ "idmap config * : range", "10000000-10999999", -+ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad", -+ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999", -+ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307", -+ NULL); -+ } - } - - realm_ini_config_finish_change (config, &error); -+ g_free (idmap_config_backend); -+ g_free (idmap_config_range); - } - - /* Setup pam_winbind.conf with decent defaults matching our expectations */ --- -2.14.4 - diff --git a/SOURCES/0001-Use-startTLS-with-FreeIPA.patch b/SOURCES/0001-Use-startTLS-with-FreeIPA.patch deleted file mode 100644 index eade269..0000000 --- a/SOURCES/0001-Use-startTLS-with-FreeIPA.patch +++ /dev/null 
@@ -1,74 +0,0 @@
-From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 3 Jul 2020 17:18:27 +0200
-Subject: [PATCH] Use startTLS with FreeIPA
-
-FreeIPA is planning to required a minimal security strength factor (ssf)
-in an upcoming version. This basically means that communication should
-be encrypted. The most straight forward way is use TLS by doing a
-StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
-since the initial release we will call StartTLS unconditionally but try
-without if it fails.
-
-Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
----
- service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
- service/realm-ldap.c | 4 +++-
- 2 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
-index 3100650..7614071 100644
---- a/service/realm-disco-rootdse.c
-+++ b/service/realm-disco-rootdse.c
-@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
- LDAP *ldap)
- {
- const char *attrs[] = { "info", "associatedDomain", NULL };
-+ int ret;
-+ int ldap_opt_val;
-
- clo->request = NULL;
- clo->result = result_domain_info;
-
-+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
-+ * encrypted connected. Trying without in case of an error. Since we
-+ * most probably do not have the IPA CA certificate we will not check
-+ * the server certificate.
*/
-+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
-+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
-+ if (ret != LDAP_OPT_SUCCESS) {
-+ g_debug ("Failed to disable certificate checking, trying without");
-+ }
-+
-+ ldap_opt_val = 0;
-+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
-+ if (ret != LDAP_OPT_SUCCESS) {
-+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
-+ }
-+
-+ ret = ldap_start_tls_s (ldap, NULL, NULL);
-+ if (ret != LDAP_SUCCESS) {
-+ g_debug ("Failed to setup TLS tunnel, trying without");
-+ }
-+
- return search_ldap (task, clo, ldap, clo->default_naming_context,
- LDAP_SCOPE_BASE, NULL, attrs);
- }
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 59817fb..7831b5b 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
- g_warning ("couldn't set to blocking");
-
-- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
-+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
-+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
-+ g_free (url);
-
- g_free (native);
---
-2.26.2
-
diff --git a/SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch b/SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch
deleted file mode 100644
index ec1e7f8..0000000
--- a/SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 4ef597d15df246f4121266aaf3e291e3f06f6f4a Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 10 Mar 2021 17:57:07 +0100
-Subject: [PATCH] build: add --with-vendor-error-message configure option
-
-With the new configure option --with-vendor-error-message a packager or
-a distribution can add a message if realmd returns with an error.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386
----
- configure.ac | 15 +++++++++++++++
- tools/realm.c | 7 +++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index ee067d9..05ec1bf 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -51,6 +51,21 @@ fi
-
- AC_SUBST(DISTRO)
-
-+# -----------------------------------------------------------------------------
-+# Vendor error message
-+
-+AC_ARG_WITH([vendor-error-message],
-+ [AS_HELP_STRING([--with-vendor-error-message=ARG],
-+ [Add a vendor specific error message shown if a realm command fails]
-+ )],
-+ [AS_IF([test "x$withval" != "x"],
-+ [AC_DEFINE_UNQUOTED([VENDOR_MSG],
-+ ["$withval"],
-+ [Vendor specific error message])],
-+ [AC_MSG_ERROR([--with-vendor-error-message requires an argument])]
-+ )],
-+ [])
-+
- # -----------------------------------------------------------------------------
- # Basic tools
-
-diff --git a/tools/realm.c b/tools/realm.c
-index 1530f09..8fdca16 100644
---- a/tools/realm.c
-+++ b/tools/realm.c
-@@ -287,6 +287,13 @@ main (int argc,
- ret = (realm_commands[i].function) (client, argc, argv);
- g_object_unref (client);
-
-+#ifdef VENDOR_MSG
-+ if (ret != 0) {
-+ g_printerr (VENDOR_MSG"\n");
-+ }
-+
-+#endif
-+
- break;
- }
- }
---
-2.31.1
-
diff --git a/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch b/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
deleted file mode 100644
index 0fa9108..0000000
--- a/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 28 Nov 2019 18:51:30 +0100
-Subject: [PATCH] configure: do not inherit DISTRO from the environment
-
-The argument of the --with-distro configure option is stored in the
-variable DISTRO. If DISTRO is already set in the build environment it
-should not be used hence DISTRO must be cleared by the configure script
-if not set by --with-distro.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
----
- configure.ac | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index e335247..a424a49 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
- [AS_HELP_STRING([--with-distro],
- [Configure for a specific distribution (eg: redhat)]
- )],
-- [DISTRO=$withval])
-+ [DISTRO=$withval],
-+ [DISTRO=])
-
- if test -z $DISTRO; then
- AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
---
-2.21.0
-
diff --git a/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch b/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
deleted file mode 100644
index 7185206..0000000
--- a/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001 -From: Stef Walter -Date: Mon, 6 Feb 2017 12:25:52 +0100 -Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual - page - -And clean up the documentation for the various arguments. ---- - doc/manual/realm.xml | 70 +++++++++++++++++++++++--------------------- - 1 file changed, 37 insertions(+), 33 deletions(-) - -diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml -index 6724d80..9d9136a 100644 ---- a/doc/manual/realm.xml -+++ b/doc/manual/realm.xml -@@ -60,7 +60,7 @@ - - - -- -+ , - Run in install mode. This makes realmd - chroot into the specified directory and place files in - appropriate locations for use during an installer. No -@@ -73,7 +73,7 @@ - for input. - - -- -+ , - Display verbose diagnostics while doing - running commands. - -@@ -105,7 +105,7 @@ $ realm discover domain.example.com - - - -- -+ , - Show all discovered realms (in various - configurations). - -@@ -116,6 +116,10 @@ $ realm discover domain.example.com - sssd or - winbind. - -+ -+ , -+ Only show the names of the discovered realms. -+ - - - Only discover realms which run the -@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - in the domain already. - - -- -- The user name to be used to authenticate -- with when joining the machine to the realm. You will -- be prompted for a password. -+ -+ Only join realms for which we can -+ use the given client software. Possible values include -+ sssd or -+ winbind. Not all values are -+ supported for all realms. By default the client software -+ is automatically selected. - - - -@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - DSE portion of distinguished name. This is an Active - Directory specific option. - -+ -+ -+ The software to use when joining to the -+ realm. Possible values include samba or -+ adcli. Not all values are -+ supported for all realms. 
By default the membership software -+ is automatically selected. -+ - - - Perform the join automatically without -@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - all types of realms. - - -- -- Only join realms for which we can -- use the given client software. Possible values include -- sssd or -- winbind. Not all values are -- supported for all realms. By default the client software -- is automatically selected. -+ -+ The name of the operation system of the -+ client. When joining an AD domain the value is store in -+ the matching AD attribute. -+ -+ -+ -+ The version of the operation system of the -+ client. When joining an AD domain the value is store in -+ the matching AD attribute. - - - -@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - ipa. - - -- -- The software to use when joining to the -- realm. Possible values include samba or -- adcli. Not all values are -- supported for all realms. By default the membership software -- is automatically selected. -+ , -+ The user name to be used to authenticate -+ with when joining the machine to the realm. You will -+ be prompted for a password. - - - -@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - the value for this option, then a principal will be set - in the form of host/shortname@REALM - -- -- -- The name of the operation system of the -- client. When joining an AD domain the value is store in -- the matching AD attribute. -- -- -- -- The version of the operation system of the -- client. When joining an AD domain the value is store in -- the matching AD attribute. -- - - - -@@ -300,7 +304,7 @@ $ realm leave domain.example.com - for a pasword. - - -- -+ , - The user name to be used to authenticate - with when leaving the realm. You will be prompted for a - password. Implies . --- -2.21.0 - 
diff --git a/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch b/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch deleted file mode 100644 index f5345d6..0000000 --- a/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 05100771ea6bd775caae705bb53f76a0816f3b81 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 11 May 2021 11:13:06 +0200 -Subject: [PATCH] doc: add computer-name to realm man page - ---- - doc/manual/realm.xml | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml -index 9160a8a..b4dc27c 100644 ---- a/doc/manual/realm.xml -+++ b/doc/manual/realm.xml -@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - supported for all realms. By default the membership software - is automatically selected. - -+ -+ -+ -+ This option only applies to Active -+ Directory realms. Specify this option to -+ override the default name used when creating -+ the computer account. The system's FQDN will -+ still be saved in the dNSHostName attribute. -+ Specify the name as a string of 15 or -+ fewer characters that is a valid NetBIOS -+ computer name. -+ -+ - - - Perform the join automatically without --- -2.31.1 - diff --git a/SOURCES/0001-doc-extend-description-of-config-handling.patch b/SOURCES/0001-doc-extend-description-of-config-handling.patch deleted file mode 100644 index b708739..0000000 --- a/SOURCES/0001-doc-extend-description-of-config-handling.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 29 Nov 2019 21:57:02 +0100 -Subject: [PATCH] doc: extend description of config handling - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005 ---- - doc/manual/Makefile.am | 8 ++++++++ - doc/manual/realmd.conf.xml | 15 +++++++++++---- - doc/privatedir.xml.in | 1 + - 4 files changed, 21 insertions(+), 4 deletions(-) - create mode 100644 doc/privatedir.xml.in - -diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am -index 8b33fdd..9812c45 100644 ---- a/doc/manual/Makefile.am -+++ b/doc/manual/Makefile.am -@@ -1,14 +1,20 @@ -+XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc - - man8_MANS += \ - doc/manual/realm.8 - man5_MANS += \ - doc/manual/realmd.conf.5 - -+$(man5_MANS): doc/privatedir.xml -+ - MAN_IN_FILES = \ - $(man8_MANS:.8=.xml) \ - $(man5_MANS:.5=.xml) \ - $(NULL) - -+doc/privatedir.xml: doc/privatedir.xml.in -+ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@ -+ - MANUAL_DOCBOOK = doc/manual/realmd-docs.xml - - MANUAL_INCLUDES = \ -@@ -41,6 +47,7 @@ MANUAL_XSLT = \ - $(NULL) - - EXTRA_DIST += \ -+ doc/privatedir.xml.in \ - $(MANUAL_DOCBOOK) \ - $(MANUAL_INCLUDES) \ - $(MAN_IN_FILES) \ -@@ -50,6 +57,7 @@ EXTRA_DIST += \ - - CLEANFILES += \ - realmd-org.freedesktop.realmd.generated \ -+ doc/privatedir.xml \ - $(DBUS_DOC_GENERATED) \ - $(DBUS_ESCAPED) \ - $(man8_MANS) \ -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index 1592291..9062252 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -1,6 +1,9 @@ - - -+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" -+[ -+ -+]> - - - -@@ -35,7 +38,9 @@ - to act in specific ways. This is done by placing settings in a - /etc/realmd.conf. This file does not exist by - default. The syntax of this file is the same as an INI file or -- Desktop Entry file. -+ Desktop Entry file. 
If the file is changed and -+ realmd is running realmd must be -+ restarted to read the new values. - - In general, settings in this file only apply at the point of - joining a domain or realm. Once the realm has been setup the settings -@@ -46,8 +51,10 @@ - - Only specify the settings you wish to override in the - /etc/realmd.conf file. Settings not specified will -- be loaded from their packaged defaults. Only override the settings -- below. You may find other settings if you look through the -+ be loaded from their packaged defaults which can be found in -+ &privatedir;/realmd-defaults.conf and -+ &privatedir;/realmd-distro.conf. Only override the -+ settings below. You may find other settings if you look through the - realmd source code. However these are not guaranteed - to remain stable. - -diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in -new file mode 100644 -index 0000000..7f71afe ---- /dev/null -+++ b/doc/privatedir.xml.in -@@ -0,0 +1 @@ -+@privatedir@ -\ No newline at end of file --- -2.21.0 - diff --git a/SOURCES/0001-doc-extend-user-principal-section.patch b/SOURCES/0001-doc-extend-user-principal-section.patch deleted file mode 100644 index c6e4cdf..0000000 --- a/SOURCES/0001-doc-extend-user-principal-section.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 29 Nov 2019 18:10:03 +0100 -Subject: [PATCH] doc: extend user-principal section - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814 ---- - doc/manual/realm.xml | 21 +++++++++++++++++++-- - doc/manual/realmd.conf.xml | 15 ++++++++++----- - 2 files changed, 29 insertions(+), 7 deletions(-) - -diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml -index 7b73331..55a7640 100644 ---- a/doc/manual/realm.xml -+++ b/doc/manual/realm.xml -@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - - - -- Set the userPrincipalName field of the -+ Set the -+ field of the - computer account to this kerberos principal. If you omit - the value for this option, then a principal will be set -- in the form of host/shortname@REALM -+ based on the defaults of the membership software. -+ AD makes a distinction between user and service -+ principals. Only with user principals you can request a -+ Kerberos Ticket-Granting-Ticket (TGT), i.e. only user -+ principals can be used with the kinit -+ command. By default the user principal and the canonical -+ principal name of an AD computer account is -+ shortname$@AD.DOMAIN, where shortname is -+ the NetBIOS name which is limited to 15 characters. -+ If there are applications which are not aware of -+ the AD default and are using a hard-coded default -+ principal the can be -+ used to make AD aware of this principal. Please note -+ that is a single -+ value LDAP attribute, i.e. only one alternative user -+ principal besides the AD default user principal can be -+ set. 
- - - -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index f0b0879..a26a60c 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -365,12 +365,17 @@ computer-name = SERVER01 - - - -- -+ - -- Set the to yes -- to create attributes for the -- computer account in the realm, in the form -- host/computer@REALM -+ Set the to yes -+ to create attribute for the -+ computer accounts in the realm. The exact value depends on the -+ defaults of the used membership software. To have full control -+ over the value please use the -+ option of the -+ realm command, see -+ realm -+ 8 for details. - - - --- -2.21.0 - diff --git a/SOURCES/0001-doc-fix-discover-name-only.patch b/SOURCES/0001-doc-fix-discover-name-only.patch deleted file mode 100644 index 861f306..0000000 --- a/SOURCES/0001-doc-fix-discover-name-only.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 29 Nov 2019 18:49:15 +0100 -Subject: [PATCH 1/2] doc: fix discover name-only - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001 ---- - doc/manual/realmd.conf.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index a26a60c..fc6a785 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash - - - --$ realm discover --name DOMAIN.example.com -+$ realm discover --name-only DOMAIN.example.com - domain.example.com - ... - --- -2.21.0 - diff --git a/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch b/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch deleted file mode 100644 index 2cd54ec..0000000 --- a/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch +++ /dev/null 
@@ -1,1500 +0,0 @@ -From 4f3c02dc14300c0b8e51a55d627c57f73c108f64 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 28 Sep 2018 10:36:19 +0200 -Subject: [PATCH] doc: make sure cross-reference ids are predictable - -To make sure the cross-reference ids are predictable in the -auto-generated DBus documentation as well the xsl and css files form the -gtk-doc package are updated as well. ---- - doc/manual/devhelp2.xsl | 173 ++++++++ - doc/manual/gtk-doc.xsl | 436 ++++++++----------- - doc/manual/realm.xml | 14 +- - doc/manual/realmd-guide-active-directory.xml | 4 +- - doc/manual/realmd-guide-ipa.xml | 2 +- - doc/manual/realmd-guide-kerberos.xml | 2 +- - doc/manual/realmd.conf.xml | 4 +- - doc/manual/static/gtk-doc.css | 420 +++++++++++++----- - 8 files changed, 688 insertions(+), 367 deletions(-) - create mode 100644 doc/manual/devhelp2.xsl - -diff --git a/doc/manual/devhelp2.xsl b/doc/manual/devhelp2.xsl -new file mode 100644 -index 0000000..bab6692 ---- /dev/null -+++ b/doc/manual/devhelp2.xsl -@@ -0,0 +1,173 @@ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ book -+ -+ -+ .devhelp2 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ , -+ -+ -+ -+ -+ -diff --git a/doc/manual/gtk-doc.xsl b/doc/manual/gtk-doc.xsl -index 9c0901b..3471e6c 100644 ---- a/doc/manual/gtk-doc.xsl -+++ b/doc/manual/gtk-doc.xsl -@@ -5,20 +5,19 @@ - version="1.0"> - - -- -+ - -+ - - -- -- -+ -+ - - - -+ - 2 - - book toc -@@ -28,16 +27,17 @@ - part toc - reference toc - -+ 1 - - - - - -- - - - - -+ - - - -@@ -60,6 +60,9 @@ - - - -+ -+ -+ - - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <ANCHOR id=" -- -- " href=" -- -- -- / -- -- -- "> -- -- -- 
-- -- -- <ONLINE href=" -- -- "> -- -+ -+ - - - -@@ -387,6 +341,15 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - - -+ -+ -+ -+ -+ -+ <xsl:copy-of select="$title"/>: <xsl:apply-templates select="$home" mode="object.title.markup"/> -+ -+ -+ - - - -@@ -399,10 +362,10 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ -
- - -- Generated by GTK-Doc V -+ Generated by GTK-Doc V - - -- Generated by GTK-Doc -+ Generated by GTK-Doc - - - -@@ -451,21 +414,119 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - - -+ summary = "Navigation header" cellpadding="2" cellspacing="5"> - -+ - -- -+ - - - -- -+ - - - -- -+ - - - -- -+ - - -- - - - - - -- -+ - - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - - -
-@@ -758,32 +678,32 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - -- -@@ -803,6 +723,21 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - - -+ -+ -+ -+ -+ -+ em-dash -+ -+ -+ -+ -+ -+ - - - idx -@@ -825,12 +760,12 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - - --  |  -+   |  - - - - --  ] -+   ] - - - -@@ -861,11 +796,6 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - - -- -- - - - -@@ -878,7 +808,7 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/ - - - http://foldoc.org/ -- -+ - - - -diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml -index 9d9136a..7b73331 100644 ---- a/doc/manual/realm.xml -+++ b/doc/manual/realm.xml -@@ -49,7 +49,7 @@ - - - -- -+ - Description - realm is a command line tool that - can be used to manage enrollment in kerberos realms, like Active -@@ -81,7 +81,7 @@ - - - -- -+ - Discover - - Discover a realm and its capabilities. -@@ -138,7 +138,7 @@ $ realm discover domain.example.com - - - -- -+ - Join - - Configure the local machine for use with a realm. -@@ -263,7 +263,7 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - - - -- -+ - Leave - - Deconfigure the local machine for use with a realm. -@@ -313,7 +313,7 @@ $ realm leave domain.example.com - - - -- -+ - List - - List all the discovered and configured realms. -@@ -345,7 +345,7 @@ $ realm list - - - -- -+ - Permit - - Permit local login by users of the realm. -@@ -392,7 +392,7 @@ $ realm permit --withdraw user@example.com - - - -- -+ - Deny - - Deny local login by realm accounts. -diff --git a/doc/manual/realmd-guide-active-directory.xml b/doc/manual/realmd-guide-active-directory.xml -index 362cf94..c88e8af 100644 ---- a/doc/manual/realmd-guide-active-directory.xml -+++ b/doc/manual/realmd-guide-active-directory.xml -@@ -69,7 +69,7 @@ $ realm discover --verbose domain.example.com - Winbind. - By default SSSD is used. - --
-+
- Using SSSD with Active Directory - SSSD - provides client software for various kerberos and/or LDAP -@@ -91,7 +91,7 @@ $ realm join --client-software=sssd domain.example.com - -
- --
-+
- Using Winbind with Active Directory - Samba - Winbind -diff --git a/doc/manual/realmd-guide-ipa.xml b/doc/manual/realmd-guide-ipa.xml -index bba6504..c3ad450 100644 ---- a/doc/manual/realmd-guide-ipa.xml -+++ b/doc/manual/realmd-guide-ipa.xml -@@ -13,7 +13,7 @@ - users locally, and log into the local machine with IPA domain - credentials. - --
-+
- Discovering IPA domains - realmd discovers which domains or - realms it can use or configure. It can discover and identify -diff --git a/doc/manual/realmd-guide-kerberos.xml b/doc/manual/realmd-guide-kerberos.xml -index a57e964..5b9d4b1 100644 ---- a/doc/manual/realmd-guide-kerberos.xml -+++ b/doc/manual/realmd-guide-kerberos.xml -@@ -12,7 +12,7 @@ - Since there is no standard way to enroll a computer against a Kerberos - server, it is not possible to do this with realmd. - --
-+
- Discovering Kerberos realms - realmd discovers which domains or - realms it can use or configure. It can discover and identify -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index a2b577c..f0b0879 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -28,7 +28,7 @@ - Tweak behavior of realmd - - -- -+ - Configuration File - - realmd can be tweaked by network administrators -@@ -297,7 +297,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash - - - -- -+ - Realm specific settings - These options should go in an section with the same name - as the realm in the /etc/realmd.conf file. -diff --git a/doc/manual/static/gtk-doc.css b/doc/manual/static/gtk-doc.css -index 5618926..af6ce9c 100644 ---- a/doc/manual/static/gtk-doc.css -+++ b/doc/manual/static/gtk-doc.css -@@ -1,15 +1,23 @@ -+body -+{ -+ font-family: cantarell, sans-serif; -+} - .synopsis, .classsynopsis - { - /* tango:aluminium 1/2 */ - background: #eeeeec; -- border: solid 1px #d3d7cf; -+ background: rgba(238, 238, 236, 0.5); -+ border: solid 1px rgb(238, 238, 236); - padding: 0.5em; - } - .programlisting - { - /* tango:sky blue 0/1 */ -+ /* fallback for no rgba support */ - background: #e6f3ff; - border: solid 1px #729fcf; -+ background: rgba(114, 159, 207, 0.1); -+ border: solid 1px rgba(114, 159, 207, 0.2); - padding: 0.5em; - } - .variablelist -@@ -22,86 +30,8 @@ - vertical-align: top; - } - --@media screen { -- sup a.footnote -- { -- position: relative; -- top: 0em ! 
important; -- } -- /* this is needed so that the local anchors are displayed below the naviagtion */ -- div.footnote a[name], div.refnamediv a[name], div.refsect1 a[name], div.refsect2 a[name], div.index a[name], div.glossary a[name], div.sect1 a[name] -- { -- display: inline-block; -- position: relative; -- top:-5em; -- } -- /* this seems to be a bug in the xsl style sheets when generating indexes */ -- div.index div.index -- { -- top: 0em; -- } -- /* make space for the fixed navigation bar and add space at the bottom so that -- * link targets appear somewhat close to top -- */ -- body -- { -- padding-top: 3.2em; -- padding-bottom: 20em; -- } -- /* style and size the navigation bar */ -- table.navigation#top -- { -- position: fixed; -- /* tango:scarlet red 0/1 */ -- background: #ffe6e6; -- border: solid 1px #ef2929; -- margin-top: 0; -- margin-bottom: 0; -- top: 0; -- left: 0; -- height: 3em; -- z-index: 10; -- } -- .navigation a, .navigation a:visited -- { -- /* tango:scarlet red 3 */ -- color: #a40000; -- } -- .navigation a:hover -- { -- /* tango:scarlet red 1 */ -- color: #ef2929; -- } -- td.shortcuts -- { -- /* tango:scarlet red 1 */ -- color: #ef2929; -- font-size: 80%; -- white-space: nowrap; -- } --} --@media print { -- table.navigation { -- visibility: collapse; -- display: none; -- } -- div.titlepage table.navigation { -- visibility: visible; -- display: table; -- /* tango:scarlet red 0/1 */ -- background: #ffe6e6; -- border: solid 1px #ef2929; -- margin-top: 0; -- margin-bottom: 0; -- top: 0; -- left: 0; -- height: 3em; -- } --} -- --.navigation .title --{ -- font-size: 200%; -+span.nowrap { -+ white-space: nowrap; - } - - div.gallery-float -@@ -131,6 +61,72 @@ a:hover - color: #729fcf; - } - -+div.informaltable table -+{ -+ border-collapse: separate; -+ border-spacing: 1em 0.3em; -+ border: none; -+} -+ -+div.informaltable table td, div.informaltable table th -+{ -+ vertical-align: top; -+} -+ -+.function_type, -+.variable_type, -+.property_type, 
-+.signal_type, -+.parameter_name, -+.struct_member_name, -+.union_member_name, -+.define_keyword, -+.datatype_keyword, -+.typedef_keyword -+{ -+ text-align: right; -+} -+ -+/* dim non-primary columns */ -+.c_punctuation, -+.function_type, -+.variable_type, -+.property_type, -+.signal_type, -+.define_keyword, -+.datatype_keyword, -+.typedef_keyword, -+.property_flags, -+.signal_flags, -+.parameter_annotations, -+.enum_member_annotations, -+.struct_member_annotations, -+.union_member_annotations -+{ -+ color: #888a85; -+} -+ -+.function_type a, -+.function_type a:visited, -+.function_type a:hover, -+.property_type a, -+.property_type a:visited, -+.property_type a:hover, -+.signal_type a, -+.signal_type a:visited, -+.signal_type a:hover, -+.signal_flags a, -+.signal_flags a:visited, -+.signal_flags a:hover -+{ -+ color: #729fcf; -+} -+ -+td p -+{ -+ margin: 0.25em; -+} -+ - div.table table - { - border-collapse: collapse; -@@ -153,14 +149,44 @@ div.table table th - background-color: #d3d7cf; - } - -+h4 -+{ -+ color: #555753; -+ margin-top: 1em; -+ margin-bottom: 1em; -+} -+ - hr - { -- /* tango:aluminium 3 */ -- color: #babdb6; -- background: #babdb6; -+ /* tango:aluminium 1 */ -+ color: #d3d7cf; -+ background: #d3d7cf; - border: none 0px; - height: 1px; - clear: both; -+ margin: 2.0em 0em 2.0em 0em; -+} -+ -+dl.toc dt -+{ -+ padding-bottom: 0.25em; -+} -+ -+dl.toc > dt -+{ -+ padding-top: 0.25em; -+ padding-bottom: 0.25em; -+ font-weight: bold; -+} -+ -+dl.toc > dl -+{ -+ padding-bottom: 0.5em; -+} -+ -+.parameter -+{ -+ font-style: normal; - } - - .footer -@@ -172,31 +198,70 @@ hr - font-size: 80%; - } - -+.informalfigure, -+.figure -+{ -+ margin: 1em; -+} -+ -+.informalexample, -+.example -+{ -+ margin-top: 1em; -+ margin-bottom: 1em; -+} -+ - .warning - { - /* tango:orange 0/1 */ - background: #ffeed9; -+ background: rgba(252, 175, 62, 0.1); - border-color: #ffb04f; -+ border-color: rgba(252, 175, 62, 0.2); - } - .note - { - /* tango:chameleon 0/0.5 */ - 
background: #d8ffb2; -+ background: rgba(138, 226, 52, 0.1); - border-color: #abf562; -+ border-color: rgba(138, 226, 52, 0.2); - } --.note, .warning -+div.blockquote -+{ -+ border-color: #eeeeec; -+} -+.note, .warning, div.blockquote - { - padding: 0.5em; - border-width: 1px; - border-style: solid; -+ margin: 2em; - } --.note h3, .warning h3 -+.note p, .warning p - { -- margin-top: 0.0em -+ margin: 0; - } --.note p, .warning p -+ -+div.warning h3.title, -+div.note h3.title -+{ -+ display: none; -+} -+ -+p + div.section -+{ -+ margin-top: 1em; -+} -+ -+div.refnamediv, -+div.refsynopsisdiv, -+div.refsect1, -+div.refsect2, -+div.toc, -+div.section - { -- margin-bottom: 0.0em -+ margin-bottom: 1em; - } - - /* blob links */ -@@ -209,33 +274,52 @@ h2 .extralinks, h3 .extralinks - font-weight: normal; - } - -+.lineart -+{ -+ color: #d3d7cf; -+ font-weight: normal; -+} -+ - .annotation - { - /* tango:aluminium 5 */ - color: #555753; -- font-size: 80%; - font-weight: normal; - } - -+.structfield -+{ -+ font-style: normal; -+ font-weight: normal; -+} -+ -+acronym,abbr -+{ -+ border-bottom: 1px dotted gray; -+} -+ - /* code listings */ - --.listing_code .programlisting .cbracket { color: #a40000; } /* tango: scarlet red 3 */ --.listing_code .programlisting .comment { color: #a1a39d; } /* tango: aluminium 4 */ --.listing_code .programlisting .function { color: #000000; font-weight: bold; } --.listing_code .programlisting .function a { color: #11326b; font-weight: bold; } /* tango: sky blue 4 */ --.listing_code .programlisting .keyword { color: #4e9a06; } /* tango: chameleon 3 */ -+.listing_code .programlisting .normal, -+.listing_code .programlisting .normal a, -+.listing_code .programlisting .number, -+.listing_code .programlisting .cbracket, -+.listing_code .programlisting .symbol { color: #555753; } -+.listing_code .programlisting .comment, - .listing_code .programlisting .linenum { color: #babdb6; } /* tango: aluminium 3 */ --.listing_code .programlisting .normal { color: 
#000000; } --.listing_code .programlisting .number { color: #75507b; } /* tango: plum 2 */ -+.listing_code .programlisting .function, -+.listing_code .programlisting .function a, - .listing_code .programlisting .preproc { color: #204a87; } /* tango: sky blue 3 */ --.listing_code .programlisting .string { color: #c17d11; } /* tango: chocolate 2 */ --.listing_code .programlisting .type { color: #000000; } --.listing_code .programlisting .type a { color: #11326b; } /* tango: sky blue 4 */ --.listing_code .programlisting .symbol { color: #ce5c00; } /* tango: orange 3 */ -+.listing_code .programlisting .string { color: #ad7fa8; } /* tango: plum */ -+.listing_code .programlisting .keyword, -+.listing_code .programlisting .usertype, -+.listing_code .programlisting .type, -+.listing_code .programlisting .type a { color: #4e9a06; } /* tango: chameleon 3 */ - - .listing_frame { - /* tango:sky blue 1 */ - border: solid 1px #729fcf; -+ border: solid 1px rgba(114, 159, 207, 0.2); - padding: 0px; - } - -@@ -247,18 +331,152 @@ h2 .extralinks, h3 .extralinks - .listing_lines { - /* tango:sky blue 0.5 */ - background: #a6c5e3; -+ background: rgba(114, 159, 207, 0.2); - /* tango:aluminium 6 */ - color: #2e3436; - } - .listing_code { - /* tango:sky blue 0 */ - background: #e6f3ff; -+ background: rgba(114, 159, 207, 0.1); - } - .listing_code .programlisting { - /* override from previous */ - border: none 0px; - padding: 0px; -+ background: none; - } - .listing_lines pre, .listing_code pre { - margin: 0px; - } -+ -+@media screen { -+ /* these have a as a first child, but since there are no parent selectors -+ * we can't use that. */ -+ a.footnote -+ { -+ position: relative; -+ top: 0em ! 
important; -+ } -+ /* this is needed so that the local anchors are displayed below the naviagtion */ -+ div.footnote a[name], div.refnamediv a[name], div.refsect1 a[name], div.refsect2 a[name], div.index a[name], div.glossary a[name], div.sect1 a[name] -+ { -+ display: inline-block; -+ position: relative; -+ top:-5em; -+ } -+ /* this seems to be a bug in the xsl style sheets when generating indexes */ -+ div.index div.index -+ { -+ top: 0em; -+ } -+ /* make space for the fixed navigation bar and add space at the bottom so that -+ * link targets appear somewhat close to top -+ */ -+ body -+ { -+ padding-top: 2.5em; -+ padding-bottom: 500px; -+ max-width: 60em; -+ } -+ p -+ { -+ max-width: 60em; -+ } -+ /* style and size the navigation bar */ -+ table.navigation#top -+ { -+ position: fixed; -+ background: #e2e2e2; -+ border-bottom: solid 1px #babdb6; -+ border-spacing: 5px; -+ margin-top: 0; -+ margin-bottom: 0; -+ top: 0; -+ left: 0; -+ z-index: 10; -+ } -+ table.navigation#top td -+ { -+ padding-left: 6px; -+ padding-right: 6px; -+ } -+ .navigation a, .navigation a:visited -+ { -+ /* tango:sky blue 3 */ -+ color: #204a87; -+ } -+ .navigation a:hover -+ { -+ /* tango:sky blue 2 */ -+ color: #3465a4; -+ } -+ td.shortcuts -+ { -+ /* tango:sky blue 2 */ -+ color: #3465a4; -+ font-size: 80%; -+ white-space: nowrap; -+ } -+ td.shortcuts .dim -+ { -+ color: #babdb6; -+ } -+ .navigation .title -+ { -+ font-size: 80%; -+ max-width: none; -+ margin: 0px; -+ font-weight: normal; -+ } -+} -+@media screen and (min-width: 60em) { -+ /* screen larger than 60em */ -+ body { margin: auto; } -+} -+@media screen and (max-width: 60em) { -+ /* screen less than 60em */ -+ #nav_hierarchy { display: none; } -+ #nav_interfaces { display: none; } -+ #nav_prerequisites { display: none; } -+ #nav_derived_interfaces { display: none; } -+ #nav_implementations { display: none; } -+ #nav_child_properties { display: none; } -+ #nav_style_properties { display: none; } -+ #nav_index { display: none; 
} -+ #nav_glossary { display: none; } -+ .gallery_image { display: none; } -+ .property_flags { display: none; } -+ .signal_flags { display: none; } -+ .parameter_annotations { display: none; } -+ .enum_member_annotations { display: none; } -+ .struct_member_annotations { display: none; } -+ .union_member_annotations { display: none; } -+ /* now that a column is hidden, optimize space */ -+ col.parameters_name { width: auto; } -+ col.parameters_description { width: auto; } -+ col.struct_members_name { width: auto; } -+ col.struct_members_description { width: auto; } -+ col.enum_members_name { width: auto; } -+ col.enum_members_description { width: auto; } -+ col.union_members_name { width: auto; } -+ col.union_members_description { width: auto; } -+ .listing_lines { display: none; } -+} -+@media print { -+ table.navigation { -+ visibility: collapse; -+ display: none; -+ } -+ div.titlepage table.navigation { -+ visibility: visible; -+ display: table; -+ background: #e2e2e2; -+ border: solid 1px #babdb6; -+ margin-top: 0; -+ margin-bottom: 0; -+ top: 0; -+ left: 0; -+ height: 3em; -+ } -+} --- -2.21.0 - diff --git a/SOURCES/0001-ldap-add-socket-timeout.patch b/SOURCES/0001-ldap-add-socket-timeout.patch deleted file mode 100644 index 2ba2db6..0000000 --- a/SOURCES/0001-ldap-add-socket-timeout.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 24 Nov 2021 17:25:18 +0100 -Subject: [PATCH] ldap: add socket timeout - -During the discovery phase realmd tries to open LDAP connections to -multiple DC addresses returned by DNS. When cleaning up we have to call -ldap_destroy() to release the resources allocated for the LDAP context. -ldap_destroy() tries to send a LDAP unbind request independent of the -connection state. If the related address is block by a firewall or a not -properly routed IPv6 address there might be no reply on the TCP level -and the request might be stuck for quite some tome in the kernel. - -To avoid the unexpected long delays will block realmd this patch lowers -the timeout considerably to 5s. As multiple other timeouts this value is -currently hardcoded. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869 ---- - service/realm-ldap.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/service/realm-ldap.c b/service/realm-ldap.c -index bdfb96c..f7b6d13 100644 ---- a/service/realm-ldap.c -+++ b/service/realm-ldap.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - - #include - -@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = { - - /* Not included in ldap.h but documented */ - int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp); -+#define LDAP_SOCKET_TIMEOUT 5 - - GSource * - realm_ldap_connect_anonymous (GSocketAddress *address, -@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - int opt_rc; - int ldap_opt_val; - const char *errmsg = NULL; -+ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0}; -+ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000; - - g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL); - -@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL)) - 
g_warning ("couldn't set to blocking"); - -+ /* Lower the kernel defaults which might be minutes to hours */ -+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO, -+ &tv, sizeof (tv)); -+ if (rc != 0) { -+ g_warning ("couldn't set SO_RCVTIMEO"); -+ } -+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO, -+ &tv, sizeof (tv)); -+ if (rc != 0) { -+ g_warning ("couldn't set SO_SNDTIMEO"); -+ } -+ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT, -+ &milli, sizeof (milli)); -+ if (rc != 0) { -+ g_warning ("couldn't set TCP_USER_TIMEOUT"); -+ } -+ - if (family == G_SOCKET_FAMILY_IPV4) { - url = g_strdup_printf ("%s://%s:%d", - use_ldaps ? "ldaps" : "ldap", --- -2.34.1 - diff --git a/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch b/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch deleted file mode 100644 index ebfda2b..0000000 --- a/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch +++ /dev/null @@ -1,32 +0,0 @@ -From e41de8344a09092ae4d973f495eef54a106a11ee Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 26 Nov 2020 17:24:10 +0100 -Subject: [PATCH] ldap: setup TLS when using ldaps - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 ---- - service/realm-ldap.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/service/realm-ldap.c b/service/realm-ldap.c -index 2076d1e..e07a299 100644 ---- a/service/realm-ldap.c -+++ b/service/realm-ldap.c -@@ -263,6 +263,14 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - return NULL; - } - -+ if (use_ldaps) { -+ rc = ldap_install_tls (ls->ldap); -+ if (rc != LDAP_SUCCESS) { -+ g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc)); -+ return NULL; -+ } -+ } -+ - break; - - case G_SOCKET_PROTOCOL_UDP: --- -2.28.0 - diff --git a/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch b/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch deleted file mode 100644 index 3200e8a..0000000 
--- a/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch
+++ /dev/null
@@ -1,128 +0,0 @@ -From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 14 Dec 2021 15:32:32 +0100 -Subject: [PATCH] samba: use new Samba-4.15 command line options - -Samba-4.15 changed a couple of command line options of the net utility. -This patch adds a configure option to select the new or the old style. -If the option is not used configure tries to call the net utility to -check for the options. If this fails the old style is used. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530 ---- - configure.ac | 34 ++++++++++++++++++++++++++++++++++ - service/realm-samba-enroll.c | 18 +++++++++++++----- - 2 files changed, 47 insertions(+), 5 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ea51f92..ddc25d0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -227,6 +227,40 @@ LDAP_CFLAGS="" - AC_SUBST(LDAP_LIBS) - AC_SUBST(LDAP_CFLAGS) - -+# ------------------------------------------------------------------- -+# Samba -+ -+AC_ARG_WITH(new-samba-cli-options, -+ AS_HELP_STRING([--with-new-samba-cli-options=yes/no], -+ [Use new command line options introduced with Samba-4.15, -+ if not provided the output of 'net help' is checked or old -+ style options are used])) -+ -+if test "$with_new_samba_cli_options" = "no"; then -+ AC_MSG_RESULT([Using old Samba command line options]) -+elif test "$with_new_samba_cli_options" = "yes"; then -+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1, -+ [Use new command line options introduced with Samba-4.15]) -+ AC_MSG_RESULT([Using new Samba command line options]) -+else -+ AC_PATH_PROG([SAMBA_NET], [net]) -+ if test ! 
-x "$SAMBA_NET"; then -+ AC_MSG_NOTICE([Could not find Samba's net utility, ] -+ [assuming old style command line options, ] -+ [please install the net utility for proper detection.]) -+ else -+ AC_MSG_CHECKING([for --debug-stdout option of net]) -+ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then -+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1, -+ [Use new command line options introduced with Samba-4.15]) -+ AC_MSG_RESULT([yes]) -+ else -+ AC_MSG_RESULT([no]) -+ fi -+ fi -+fi -+ -+ - # ------------------------------------------------------------------- - # Directories - -diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c -index 5624a08..8b2ee38 100644 ---- a/service/realm-samba-enroll.c -+++ b/service/realm-samba-enroll.c -@@ -37,6 +37,14 @@ - #include - #include - -+#ifdef WITH_NEW_SAMBA_CLI_OPTS -+#define SMBCLI_KERBEROS "--use-kerberos=required" -+#define SMBCLI_CONF "--configfile" -+#else -+#define SMBCLI_KERBEROS "-k" -+#define SMBCLI_CONF "-s" -+#endif -+ - typedef struct { - GDBusMethodInvocation *invocation; - gchar *join_args[8]; -@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join, - /* Use our custom smb.conf */ - g_ptr_array_add (args, (gpointer)realm_settings_path ("net")); - if (join->custom_smb_conf) { -- g_ptr_array_add (args, "-s"); -+ g_ptr_array_add (args, SMBCLI_CONF); - g_ptr_array_add (args, join->custom_smb_conf); - } - -@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source, - } else { - begin_net_process (join, NULL, - on_keytab_do_finish, g_object_ref (task), -- "-k", "ads", "keytab", "create", NULL); -+ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL); - } - - g_object_unref (task); -@@ -428,7 +436,7 @@ begin_join (GTask *task, - begin_net_process (join, join->password_input, - on_join_do_keytab, g_object_ref (task), - "-U", join->user_name, -- "-k", "ads", "join", join->disco->domain_name, -+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name, - join->join_args[0], 
join->join_args[1], - join->join_args[2], join->join_args[3], - join->join_args[4], NULL); -@@ -437,7 +445,7 @@ begin_join (GTask *task, - } else { - begin_net_process (join, NULL, - on_join_do_keytab, g_object_ref (task), -- "-k", "ads", "join", join->disco->domain_name, -+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name, - join->join_args[0], join->join_args[1], - join->join_args[2], join->join_args[3], - join->join_args[4], NULL); -@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, - join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file); - begin_net_process (join, NULL, - on_leave_complete, g_object_ref (task), -- "-k", "ads", "leave", NULL); -+ SMBCLI_KERBEROS, "ads", "leave", NULL); - break; - default: - g_return_if_reached (); --- -2.33.1 - diff --git a/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch b/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch deleted file mode 100644 index 8b8f633..0000000 --- a/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001 -From: Stef Walter -Date: Fri, 28 Oct 2016 20:27:48 +0200 -Subject: [PATCH] service: Add nss and pam sssd.conf services after joining - -After adding a domain to sssd.conf add the nss and pam services -to the [sssd] block. - -https://bugs.freedesktop.org/show_bug.cgi?id=98479 ---- - service/realm-sssd-ad.c | 3 +++ - service/realm-sssd-config.c | 2 -- - service/realm-sssd-ipa.c | 3 +++ - tests/test-sssd-config.c | 4 ++-- - 4 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c -index 5ed384d..5fa81ce 100644 ---- a/service/realm-sssd-ad.c -+++ b/service/realm-sssd-ad.c -@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config, - gboolean use_adcli, - GError **error) - { -+ const gchar *services[] = { "nss", "pam", NULL }; - GString *realmd_tags; - const gchar *access_provider; - const gchar *shell; -@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config, - "ldap_sasl_authid", authid, - NULL); - -+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); -+ - g_free (authid); - g_string_free (realmd_tags, TRUE); - -diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c -index 2096afd..d4398b9 100644 ---- a/service/realm-sssd-config.c -+++ b/service/realm-sssd-config.c -@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config, - g_strfreev (already); - - /* Setup a default sssd section */ -- if (!realm_ini_config_have (config, "section", "services")) -- realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL); - if (!realm_ini_config_have (config, "sssd", "config_file_version")) - realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL); - -diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c -index b12136e..001870d 100644 ---- a/service/realm-sssd-ipa.c -+++ b/service/realm-sssd-ipa.c -@@ -156,6 
+156,7 @@ on_ipa_client_do_restart (GObject *source, - GAsyncResult *result, - gpointer user_data) - { -+ const gchar *services[] = { "nss", "pam", NULL }; - GTask *task = G_TASK (user_data); - EnrollClosure *enroll = g_task_get_task_data (task); - RealmSssd *sssd = g_task_get_source_object (task); -@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source, - "realmd_tags", realmd_tags, - NULL); - -+ realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); -+ - g_free (home); - } - -diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c -index 59eab75..892b9d5 100644 ---- a/tests/test-sssd-config.c -+++ b/tests/test-sssd-config.c -@@ -90,7 +90,7 @@ test_add_domain (Test *test, - gconstpointer unused) - { - const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one"; -- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; -+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; - GError *error = NULL; - gchar *output; - gboolean ret; -@@ -140,7 +140,7 @@ static void - test_add_domain_only (Test *test, - gconstpointer unused) - { -- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; -+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; - GError *error = NULL; - gchar *output; - gboolean ret; --- -2.9.3 - diff --git a/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch b/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch deleted file mode 100644 index 6c44727..0000000 --- a/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Tue, 25 Apr 2017 07:20:17 +0200 -Subject: [PATCH] service: Add "pam" and "nss" services in - realm_sssd_config_add_domain() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -realm_sssd_config_add_domain() must setup the services line in sssd.conf -otherwise SSSD won't be able to start any of its services. - -It's a regression caused by 402cbab which leaves SSSD with no services -line when joining to an ad client doing "realm join ad.example". - -https://bugs.freedesktop.org/show_bug.cgi?id=98479 - -Signed-off-by: Fabiano Fidêncio ---- - service/realm-sssd-ad.c | 3 ++- - service/realm-sssd-config.c | 2 ++ - service/realm-sssd-ipa.c | 3 ++- - tests/test-sssd-config.c | 4 ++-- - 4 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c -index 5fa81ce..8543ca8 100644 ---- a/service/realm-sssd-ad.c -+++ b/service/realm-sssd-ad.c -@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config, - "ldap_sasl_authid", authid, - NULL); - -- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); -+ if (ret) -+ ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error); - - g_free (authid); - g_string_free (realmd_tags, TRUE); -diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c -index d4398b9..140d7dc 100644 ---- a/service/realm-sssd-config.c -+++ b/service/realm-sssd-config.c -@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config, - gchar **already; - gboolean ret; - gchar *section; -+ const gchar *services[] = { "nss", "pam", NULL }; - va_list va; - gint i; - -@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config, - g_strfreev (already); - - /* Setup a default sssd section */ -+ realm_ini_config_set_list_diff 
(config, "sssd", "services", ", ", services, NULL); - if (!realm_ini_config_have (config, "sssd", "config_file_version")) - realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL); - -diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c -index 001870d..ff1dc8a 100644 ---- a/service/realm-sssd-ipa.c -+++ b/service/realm-sssd-ipa.c -@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source, - "realmd_tags", realmd_tags, - NULL); - -- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL); -+ if (error == NULL) -+ realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error); - - g_free (home); - } -diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c -index 892b9d5..59eab75 100644 ---- a/tests/test-sssd-config.c -+++ b/tests/test-sssd-config.c -@@ -90,7 +90,7 @@ test_add_domain (Test *test, - gconstpointer unused) - { - const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one"; -- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; -+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; - GError *error = NULL; - gchar *output; - gboolean ret; -@@ -140,7 +140,7 @@ static void - test_add_domain_only (Test *test, - gconstpointer unused) - { -- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; -+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; - GError *error = NULL; - gchar *output; - gboolean ret; --- -2.9.3 - diff --git a/SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch b/SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch deleted file mode 100644 index 241ee39..0000000 
--- a/SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From cf40987b7f847be70ef3a5a0fa359116c0259477 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 30 Oct 2020 13:19:09 +0100 -Subject: [PATCH 1/6] service: add REALM_DBUS_OPTION_USE_LDAPS and - realm_get_use_ldaps - -Add a new option to the realmd service to use ldaps where possible and -supported. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 ---- - dbus/realm-dbus-constants.h | 1 + - service/realm-options.c | 17 +++++++++++++++++ - service/realm-options.h | 2 ++ - 3 files changed, 20 insertions(+) - -diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h -index 40ffa2d..0bd7a5d 100644 ---- a/dbus/realm-dbus-constants.h -+++ b/dbus/realm-dbus-constants.h -@@ -70,6 +70,7 @@ G_BEGIN_DECLS - #define REALM_DBUS_OPTION_OS_NAME "os-name" - #define REALM_DBUS_OPTION_OS_VERSION "os-version" - #define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config" -+#define REALM_DBUS_OPTION_USE_LDAPS "use-ldaps" - - #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" - #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" -diff --git a/service/realm-options.c b/service/realm-options.c -index 34a209f..d42eb7c 100644 ---- a/service/realm-options.c -+++ b/service/realm-options.c -@@ -199,3 +199,20 @@ realm_options_ad_specific (GVariant *options, - - return g_strdup (value); - } -+ -+gboolean realm_option_use_ldaps (GVariant *options) -+{ -+ gchar *use_ldaps_str; -+ -+ use_ldaps_str = realm_options_ad_specific (options, -+ REALM_DBUS_OPTION_USE_LDAPS); -+ if (use_ldaps_str != NULL -+ && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0 -+ || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) { -+ g_free (use_ldaps_str); -+ return TRUE; -+ } -+ g_free (use_ldaps_str); -+ -+ return FALSE; -+} -diff --git a/service/realm-options.h b/service/realm-options.h -index b71d219..bc13cd7 100644 ---- a/service/realm-options.h -+++ b/service/realm-options.h -@@ -48,6 +48,8 @@ const gchar * realm_options_computer_name (GVariant 
*options, - const gchar * realm_options_ad_specific (GVariant *options, - const gchar *option_name); - -+gboolean realm_option_use_ldaps (GVariant *options); -+ - G_END_DECLS - - #endif /* __REALM_OPTIONS_H__ */ --- -2.26.2 - diff --git a/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch b/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch deleted file mode 100644 index fbbc2d4..0000000 --- a/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From ccf48aa7761065283483d667f3efaf33b5b2a728 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 1 Dec 2020 14:12:33 +0100 -Subject: [PATCH 1/3] service: make sure use_ldaps is not only set for - automatic join - -The check if ldaps is requested or not was only called if an automatic -join was enabled. With this patch it is checked in all cases. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 ---- - service/realm-sssd-ad.c | 26 +++++++++++++------------- - 1 file changed, 13 insertions(+), 13 deletions(-) - -diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c -index 00a9093..ea5f28c 100644 ---- a/service/realm-sssd-ad.c -+++ b/service/realm-sssd-ad.c -@@ -349,19 +349,6 @@ parse_join_options (JoinClosure *join, - return FALSE; - } - -- /* -- * Check if ldaps should be used and if membership software supports -- * it. -- */ -- join->use_ldaps = realm_option_use_ldaps (options); -- if (join->use_ldaps && -- g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) { -- realm_diagnostics_info (join->invocation, -- "Membership software %s does " -- "not support ldaps, trying " -- "without.", software); -- } -- - /* - * If we are enrolling with a user password, then we have to use samba, - * adcli only supports admin passwords. -@@ -393,6 +380,19 @@ parse_join_options (JoinClosure *join, - - g_assert (software != NULL); - -+ /* -+ * Check if ldaps should be used and if membership software supports -+ * it. -+ */ -+ join->use_ldaps = realm_option_use_ldaps (options); -+ if (join->use_ldaps && -+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) { -+ realm_diagnostics_info (join->invocation, -+ "Membership software %s does " -+ "not support ldaps, trying " -+ "without.", software); -+ } -+ - if (g_str_equal (software, REALM_DBUS_IDENTIFIER_ADCLI)) { - join->use_adcli = TRUE; - join->packages = ADCLI_PACKAGES; --- -2.28.0 - 
diff --git a/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch b/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch deleted file mode 100644 index 6f3cd34..0000000 --- a/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch +++ /dev/null 
@@ -1,166 +0,0 @@ -From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 12 Aug 2020 12:58:27 +0200 -Subject: [PATCH] service: use 'additional dns hostnames' with net ads join - -With newer versions of Samba the net ads join does not add services -principals with the configured host name anymore but added the new -option 'additional dns hostnames' for this. - -realmd will try to figure out a fully-qualified host name and use it -with the new option if it is from a different domain. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912 ---- - service/realm-disco.c | 1 + - service/realm-disco.h | 1 + - service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++- - service/realm-samba.c | 6 ++++ - 4 files changed, 64 insertions(+), 1 deletion(-) - -diff --git a/service/realm-disco.c b/service/realm-disco.c -index ab06939..a12be50 100644 ---- a/service/realm-disco.c -+++ b/service/realm-disco.c -@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data) - g_free (disco->explicit_netbios); - g_free (disco->kerberos_realm); - g_free (disco->workgroup); -+ g_free (disco->dns_fqdn); - if (disco->server_address) - g_object_unref (disco->server_address); - g_free (disco); -diff --git a/service/realm-disco.h b/service/realm-disco.h -index 5f3e5e9..35532d2 100644 ---- a/service/realm-disco.h -+++ b/service/realm-disco.h -@@ -30,6 +30,7 @@ typedef struct { - gchar *explicit_server; - gchar *explicit_netbios; - GSocketAddress *server_address; -+ gchar *dns_fqdn; - } RealmDisco; - - #define REALM_TYPE_DISCO (realm_disco_get_type ()) -diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c -index 3f86c51..5624a08 100644 ---- a/service/realm-samba-enroll.c -+++ b/service/realm-samba-enroll.c -@@ -33,6 +33,9 @@ - #include - #include - #include -+#include -+#include -+#include - - typedef struct { - GDBusMethodInvocation *invocation; -@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm) - return 
g_utf8_strup (realm, pos - realm); - } - -+static char * -+try_to_get_fqdn (void) -+{ -+ char hostname[HOST_NAME_MAX + 1]; -+ gchar *fqdn = NULL; -+ int ret; -+ struct addrinfo *res; -+ struct addrinfo hints; -+ -+ ret = gethostname (hostname, sizeof (hostname)); -+ if (ret < 0) { -+ return NULL; -+ } -+ -+ if (strchr (hostname, '.') == NULL) { -+ memset (&hints, 0, sizeof (struct addrinfo)); -+ hints.ai_socktype = SOCK_DGRAM; -+ hints.ai_flags = AI_CANONNAME; -+ -+ ret = getaddrinfo (hostname, NULL, &hints, &res); -+ if (ret != 0) { -+ return NULL; -+ } -+ -+ /* Only use a fully-qualified name */ -+ if (strchr (res->ai_canonname, '.') != NULL) { -+ fqdn = g_strdup (res->ai_canonname); -+ } -+ -+ freeaddrinfo (res); -+ -+ } else { -+ fqdn = g_strdup (hostname); -+ } -+ -+ return fqdn; -+} -+ - static JoinClosure * - join_closure_init (GTask *task, - RealmDisco *disco, -@@ -95,5 +136,7 @@ join_closure_init (GTask *task, - const gchar *explicit_computer_name = NULL; - const gchar *authid = NULL; -+ gchar *fqdn = NULL; -+ gchar *fqdn_dom = NULL; - - join = g_new0 (JoinClosure, 1); - join->disco = realm_disco_ref (disco); -@@ -124,7 +167,7 @@ join_closure_init (GTask *task, - "netbios name", authid, - NULL); - -- /* -+ /* - * Samba complains if we don't set a 'workgroup' setting for the realm we're - * going to join. If we didn't yet manage to lookup the workgroup, then go ahead - * and assume that the first domain component is the workgroup name. -@@ -144,6 +187,18 @@ join_closure_init (GTask *task, - g_free (workgroup); - } - -+ /* Add the fully-qualified DNS hostname as additional name if it is from -+ * a different domain. 
*/ -+ fqdn = try_to_get_fqdn (); -+ if (fqdn != NULL && join->disco->domain_name != NULL -+ && (fqdn_dom = strchr (fqdn, '.')) != NULL -+ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) { -+ disco->dns_fqdn = g_strdup (fqdn); -+ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, -+ "additional dns hostnames", disco->dns_fqdn, NULL); -+ } -+ g_free (fqdn); -+ - /* Write out the config file for use by various net commands */ - join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL); - temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR); -diff --git a/service/realm-samba.c b/service/realm-samba.c -index 4940b38..fe33600 100644 ---- a/service/realm-samba.c -+++ b/service/realm-samba.c -@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source, - NULL); - } - -+ if (error == NULL && enroll->disco->dns_fqdn != NULL) { -+ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error, -+ "additional dns hostnames", enroll->disco->dns_fqdn, -+ NULL); -+ } - - if (error == NULL) { - name = realm_kerberos_get_name (REALM_KERBEROS (self)); -@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self, - if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error, - "workgroup", NULL, - "realm", NULL, -+ "additional dns hostnames", NULL, - "security", "user", - NULL)) { - g_task_return_error (task, error); --- -2.26.2 - diff --git a/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch b/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch deleted file mode 100644 index 69674e4..0000000 --- a/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 21 Feb 2020 14:06:16 +0100 -Subject: [PATCH] service: use "kerberos method" "secrets and keytab" - -When using Samba with Winbind the host password stored in secrets.tdb is -still important so the "secrets and keytab" should be the preferred -"kerberos method". - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195 ---- - service/realm-samba.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/service/realm-samba.c b/service/realm-samba.c -index e2a3608..4940b38 100644 ---- a/service/realm-samba.c -+++ b/service/realm-samba.c -@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source, - "template shell", realm_settings_string ("users", "default-shell"), - "netbios name", computer_name, - "password server", enroll->disco->explicit_server, -- "kerberos method", "system keytab", -+ "kerberos method", "secrets and keytab", - NULL); - } - --- -2.24.1 - diff --git a/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch b/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch deleted file mode 100644 index 27a881c..0000000 --- a/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 11 Aug 2020 11:18:17 +0200 -Subject: [PATCH] service: use net ads join with -k for user join as well - -The NTLM authentication used by 'net ads join' does only support crypto -algorithms which e.g. are not allowed by FIPS. It would be better to -tell 'net ads join' to try Kerberos first before falling back to NTLM by -adding the '-k' option. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503 ---- - service/realm-samba-enroll.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c -index f5edca3..3f86c51 100644 ---- a/service/realm-samba-enroll.c -+++ b/service/realm-samba-enroll.c -@@ -372,7 +372,8 @@ begin_join (GTask *task, - } else if (join->user_name) { - begin_net_process (join, join->password_input, - on_join_do_keytab, g_object_ref (task), -- "-U", join->user_name, "ads", "join", join->disco->domain_name, -+ "-U", join->user_name, -+ "-k", "ads", "join", join->disco->domain_name, - join->join_args[0], join->join_args[1], - join->join_args[2], join->join_args[3], - join->join_args[4], NULL); --- -2.26.2 - diff --git a/SOURCES/0001-switch-to-authselect.patch b/SOURCES/0001-switch-to-authselect.patch deleted file mode 100644 index d750d6d..0000000 --- a/SOURCES/0001-switch-to-authselect.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Mon, 19 Feb 2018 11:51:06 +0100 -Subject: [PATCH] switch to authselect - ---- - service/realmd-redhat.conf | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf -index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644 ---- a/service/realmd-redhat.conf -+++ b/service/realmd-redhat.conf -@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli - freeipa-client = /usr/sbin/ipa-client-install - - [commands] --winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service" --winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart -+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service" -+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir - winbind-enable-service = /usr/bin/systemctl enable winbind.service - winbind-disable-service = /usr/bin/systemctl disable winbind.service - winbind-restart-service = /usr/bin/systemctl restart winbind.service - winbind-stop-service = /usr/bin/systemctl stop winbind.service - --sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service" --sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart -+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start 
oddjobd.service" -+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir - sssd-enable-service = /usr/bin/systemctl enable sssd.service - sssd-disable-service = /usr/bin/systemctl disable sssd.service - sssd-restart-service = /usr/bin/systemctl restart sssd.service --- -2.9.3 - diff --git a/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch b/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch deleted file mode 100644 index 9e044bc..0000000 --- a/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 25 Nov 2021 14:36:10 +0100 -Subject: [PATCH] syslog: avoid duplicate log messages - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248 ---- - service/realm-diagnostics.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c -index 850b2e3..6aa5288 100644 ---- a/service/realm-diagnostics.c -+++ b/service/realm-diagnostics.c -@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation, - while ((ptr = memchr (at, '\n', length)) != NULL) { - *ptr = '\0'; - if (line_buffer && line_buffer->len > 0) { -+#ifdef WITH_JOURNAL -+ /* Call realm_daemon_syslog directly to add -+ * REALMD_OPERATION to the jounrnal */ - realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at); -+#else - g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at); -+#endif - g_string_set_size (line_buffer, 0); - } else { -+#ifdef WITH_JOURNAL - realm_daemon_syslog (operation, log_level, "%s", at); -+#else - g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at); -+#endif - } - - *ptr = '\n'; --- -2.33.1 - diff --git a/SOURCES/0001-tests-run-tests-with-python3.patch b/SOURCES/0001-tests-run-tests-with-python3.patch deleted file mode 100644 index 607afa4..0000000 --- a/SOURCES/0001-tests-run-tests-with-python3.patch +++ /dev/null 
@@ -1,374 +0,0 @@ -From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 4 Jul 2018 16:41:16 +0200 -Subject: [PATCH] tests: run tests with python3 - -To allow the test to run with python3 build/tap-driver and -build/tap-gtester are updated to the latest version provided by the -cockpit project https://github.com/cockpit-project/cockpit. - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813 ---- - build/tap-driver | 104 +++++++++++++++++++++++++++++++++++++++++++----------- - build/tap-gtester | 59 ++++++++++++++++++++++--------- - 2 files changed, 125 insertions(+), 38 deletions(-) - -diff --git a/build/tap-driver b/build/tap-driver -index 42f57c8..241fd50 100755 ---- a/build/tap-driver -+++ b/build/tap-driver -@@ -1,4 +1,5 @@ --#!/usr/bin/python -+#!/usr/bin/python3 -+# This can also be run with Python 2. - - # Copyright (C) 2013 Red Hat, Inc. - # -@@ -29,20 +30,58 @@ - # - - import argparse -+import fcntl - import os - import select -+import struct - import subprocess - import sys -+import termios -+import errno -+ -+_PY3 = sys.version[0] >= '3' -+_str = _PY3 and str or unicode -+ -+def out(data, stream=None, flush=False): -+ if not isinstance(data, bytes): -+ data = data.encode("UTF-8") -+ if not stream: -+ stream = _PY3 and sys.stdout.buffer or sys.stdout -+ while True: -+ try: -+ if data: -+ stream.write(data) -+ data = None -+ if flush: -+ stream.flush() -+ flush = False -+ break -+ except IOError as e: -+ if e.errno == errno.EAGAIN: -+ continue -+ raise -+ -+def terminal_width(): -+ try: -+ h, w, hp, wp = struct.unpack('HHHH', -+ fcntl.ioctl(1, termios.TIOCGWINSZ, -+ struct.pack('HHHH', 0, 0, 0, 0))) -+ return w -+ except IOError as e: -+ if e.errno != errno.ENOTTY: -+ sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info())) -+ return sys.maxsize - - class Driver: - def __init__(self, args): - self.argv = args.command - self.test_name = args.test_name -- self.log = open(args.log_file, 
"w") -- self.log.write("# %s\n" % " ".join(sys.argv)) -+ self.log = open(args.log_file, "wb") -+ self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8")) - self.trs = open(args.trs_file, "w") - self.color_tests = args.color_tests - self.expect_failure = args.expect_failure -+ self.width = terminal_width() - 9 - - def report(self, code, *args): - CODES = { -@@ -57,17 +96,18 @@ class Driver: - # Print out to console - if self.color_tests: - if code in CODES: -- sys.stdout.write(CODES[code]) -- sys.stdout.write(code) -+ out(CODES[code]) -+ out(code) - if self.color_tests: -- sys.stdout.write('\x1b[m') -- sys.stdout.write(": ") -- sys.stdout.write(self.test_name) -- sys.stdout.write(" ") -- for arg in args: -- sys.stdout.write(str(arg)) -- sys.stdout.write("\n") -- sys.stdout.flush() -+ out('\x1b[m') -+ out(": ") -+ msg = "".join([ self.test_name + " " ] + list(map(_str, args))) -+ if code == "PASS" and len(msg) > self.width: -+ out(msg[:self.width]) -+ out("...") -+ else: -+ out(msg) -+ out("\n", flush=True) - - # Book keeping - if code in CODES: -@@ -100,12 +140,14 @@ class Driver: - def execute(self): - try: - proc = subprocess.Popen(self.argv, close_fds=True, -+ stdin=subprocess.PIPE, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) -- except OSError, ex: -+ except OSError as ex: - self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex))) - return - -+ proc.stdin.close() - outf = proc.stdout.fileno() - errf = proc.stderr.fileno() - rset = [outf, errf] -@@ -113,18 +155,25 @@ class Driver: - ret = select.select(rset, [], [], 10) - if outf in ret[0]: - data = os.read(outf, 1024) -- if data == "": -+ if data == b"": - rset.remove(outf) - self.log.write(data) - self.process(data) - if errf in ret[0]: - data = os.read(errf, 1024) -- if data == "": -+ if data == b"": - rset.remove(errf) - self.log.write(data) -- sys.stderr.write(data) -+ stream = _PY3 and sys.stderr.buffer or sys.stderr -+ out(data, stream=stream, flush=True) - - proc.wait() -+ -+ # 
Make sure the test didn't change blocking output -+ assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0 -+ assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0 -+ assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0 -+ - return proc.returncode - - -@@ -137,6 +186,7 @@ class TapDriver(Driver): - self.late_plan = False - self.errored = False - self.bail_out = False -+ self.skip_all_reason = None - - def report(self, code, num, *args): - if num: -@@ -170,13 +220,19 @@ class TapDriver(Driver): - else: - self.result_fail(num, description) - -- def consume_test_plan(self, first, last): -+ def consume_test_plan(self, line): - # Only one test plan is supported - if self.test_plan: - self.report_error("Get a second TAP test plan") - return - -+ if line.lower().startswith('1..0 # skip'): -+ self.skip_all_reason = line[5:].strip() -+ self.bail_out = True -+ return -+ - try: -+ (first, unused, last) = line.partition("..") - first = int(first) - last = int(last) - except ValueError: -@@ -192,7 +248,7 @@ class TapDriver(Driver): - - def process(self, output): - if output: -- self.output += output -+ self.output += output.decode("UTF-8") - elif self.output: - self.output += "\n" - (ready, unused, self.output) = self.output.rpartition("\n") -@@ -202,8 +258,7 @@ class TapDriver(Driver): - elif line.startswith("not ok "): - self.consume_test_line(False, line[7:]) - elif line and line[0].isdigit() and ".." 
in line: -- (first, unused, last) = line.partition("..") -- self.consume_test_plan(first, last) -+ self.consume_test_plan(line) - elif line.lower().startswith("bail out!"): - self.consume_bail_out(line) - -@@ -213,6 +268,13 @@ class TapDriver(Driver): - failed = False - skipped = True - -+ if self.skip_all_reason is not None: -+ self.result_skip("skipping:", self.skip_all_reason) -+ self.trs.write(":global-test-result: SKIP\n") -+ self.trs.write(":test-global-result: SKIP\n") -+ self.trs.write(":recheck: no\n") -+ return 0 -+ - # Basic collation of results - for (num, code) in self.reported.items(): - if code == "ERROR": -diff --git a/build/tap-gtester b/build/tap-gtester -index 7e667d4..bbda266 100755 ---- a/build/tap-gtester -+++ b/build/tap-gtester -@@ -1,4 +1,5 @@ --#!/usr/bin/python -+#!/usr/bin/python3 -+# This can also be run with Python 2. - - # Copyright (C) 2014 Red Hat, Inc. - # -@@ -30,9 +31,19 @@ - import argparse - import os - import select -+import signal - import subprocess - import sys - -+# Yes, it's dumb, but strsignal is not exposed in python -+# In addition signal numbers varify heavily from arch to arch -+def strsignal(sig): -+ for name in dir(signal): -+ if name.startswith("SIG") and sig == getattr(signal, name): -+ return name -+ return str(sig) -+ -+ - class NullCompiler: - def __init__(self, command): - self.command = command -@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler): - elif cmd == "result": - if self.test_name: - if data == "OK": -- print "ok %d %s" % (self.test_num, self.test_name) -+ print("ok %d %s" % (self.test_num, self.test_name)) - if data == "FAIL": -- print "not ok %d %s", (self.test_num, self.test_name) -+ print("not ok %d %s" % (self.test_num, self.test_name)) - self.test_name = None - elif cmd == "skipping": - if "/subprocess" not in data: -- print "ok %d # skip -- %s" % (self.test_num, data) -+ print("ok %d # skip -- %s" % (self.test_num, data)) - self.test_name = None - elif data: -- print "# %s: %s" % (cmd, 
data) -+ print("# %s: %s" % (cmd, data)) - else: -- print "# %s" % cmd -+ print("# %s" % cmd) - elif line.startswith("(MSG: "): -- print "# %s" % line[6:-1] -+ print("# %s" % line[6:-1]) - elif line: -- print "# %s" % line -+ print("# %s" % line) - sys.stdout.flush() - - def run(self, proc, output=""): -@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler): - if line.startswith("/"): - self.test_remaining.append(line.strip()) - if not self.test_remaining: -- print "Bail out! No tests found in GTest: %s" % self.command[0] -+ print("Bail out! No tests found in GTest: %s" % self.command[0]) - return 0 - -- print "1..%d" % len(self.test_remaining) -+ print("1..%d" % len(self.test_remaining)) - - # First try to run all the tests in a batch -- proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE) -+ proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, -+ stdout=subprocess.PIPE, universal_newlines=True) - result = self.process(proc) - if result == 0: - return 0 - -+ if result < 0: -+ sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result))) -+ - # Now pick up any stragglers due to failures - while True: - # Assume that the last test failed - if self.test_name: -- print "not ok %d %s" % (self.test_num, self.test_name) -+ print("not ok %d %s" % (self.test_num, self.test_name)) - self.test_name = None - - # Run any tests which didn't get run -@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler): - break - - proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]], -- close_fds=True, stdout=subprocess.PIPE) -+ close_fds=True, stdout=subprocess.PIPE, -+ universal_newlines=True) - result = self.process(proc) - - # The various exit codes and signals we continue for -@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler): - return result - - def main(argv): -- parser = argparse.ArgumentParser(description='Automake TAP compiler') -+ parser = 
argparse.ArgumentParser(description='Automake TAP compiler', -+ usage="tap-gtester [--format FORMAT] command ...") - parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ], - default="auto", help='The input format to compile') - parser.add_argument('--verbose', action='store_true', - default=True, help='Verbose mode (ignored)') -- parser.add_argument('command', nargs='+', help="A test command to run") -+ parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run") - args = parser.parse_args(argv[1:]) - - output = None - format = args.format - cmd = args.command -+ if not cmd: -+ sys.stderr.write("tap-gtester: specify a command to run\n") -+ return 2 -+ if cmd[0] == '--': -+ cmd.pop(0) -+ - proc = None - - os.environ['HARNESS_ACTIVE'] = '1' - - if format in ["auto", "gtest"]: - list_cmd = cmd + ["-l", "--verbose"] -- proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE) -+ proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE, -+ universal_newlines=True) - output = proc.stdout.readline() - # Smell whether we're dealing with GTest list output from first line - if "random seed" in output or "GTest" in output or output.startswith("/"): -@@ -164,7 +188,8 @@ def main(argv): - else: - format = "tap" - else: -- proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE) -+ proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE, -+ universal_newlines=True) - - if format == "gtest": - compiler = GTestCompiler(cmd) --- -2.14.4 - diff --git a/SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch b/SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch deleted file mode 100644 index a0d62d0..0000000 --- a/SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 3bdf6f25923c3a3bd8404f4a1228053d6a7551b2 Mon Sep 17 00:00:00 2001 -From: Stef Walter -Date: Mon, 6 Feb 2017 12:32:20 +0100 -Subject: [PATCH] tools: Update the usage help text of the realm commands - -Add better synopsis, sort arguments appropriately, and include -missing arguments. ---- - tools/realm-discover.c | 4 ++-- - tools/realm-join.c | 30 +++++++++++++++--------------- - 2 files changed, 17 insertions(+), 17 deletions(-) - -diff --git a/tools/realm-discover.c b/tools/realm-discover.c -index cec3fd0..8dde4ed 100644 ---- a/tools/realm-discover.c -+++ b/tools/realm-discover.c -@@ -186,7 +186,7 @@ realm_discover (RealmClient *client, - { NULL, } - }; - -- context = g_option_context_new ("realm-or-domain"); -+ context = g_option_context_new ("discover REALM-OR-DOMAIN"); - g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); - g_option_context_add_main_entries (context, option_entries, NULL); - g_option_context_add_main_entries (context, realm_global_options, NULL); -@@ -274,7 +274,7 @@ realm_list (RealmClient *client, - { NULL, } - }; - -- context = g_option_context_new ("realm"); -+ context = g_option_context_new ("list"); - g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); - g_option_context_add_main_entries (context, option_entries, NULL); - g_option_context_add_main_entries (context, realm_global_options, NULL); -diff --git a/tools/realm-join.c b/tools/realm-join.c -index 8e46c20..249f502 100644 ---- a/tools/realm-join.c -+++ b/tools/realm-join.c -@@ -286,28 +286,28 @@ realm_join (RealmClient *client, - gint ret = 0; - - GOptionEntry option_entries[] = { -- { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user, -- N_("User name to use for enrollment"), NULL }, -- { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou, -- N_("Computer OU DN to join"), NULL }, -- { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name, -- N_("Use specific computer name instead of hostname"), NULL }, -- { 
"os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name, -- N_("Use specific operation system name"), NULL }, -- { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version, -- N_("Use specific operation system version"), NULL }, -+ { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK, -+ realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" }, - { "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software, - N_("Use specific client software"), NULL }, -- { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software, -- N_("Use specific server software"), NULL }, -+ { "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name, -+ N_("Use specific computer name instead of hostname"), NULL }, -+ { "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou, -+ N_("Computer OU DN to join"), NULL }, - { "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software, - N_("Use specific membership software"), NULL }, - { "no-password", 0, 0, G_OPTION_ARG_NONE, &args.no_password, - N_("Join automatically without a password"), NULL }, - { "one-time-password", 0, 0, G_OPTION_ARG_STRING, &args.one_time_password, - N_("Join using a preset one time password"), NULL }, -- { "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK, -- realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" }, -+ { "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name, -+ N_("Use specific operation system name"), NULL }, -+ { "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version, -+ N_("Use specific operation system version"), NULL }, -+ { "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software, -+ N_("Use specific server software"), NULL }, -+ { "user", 'U', 0, G_OPTION_ARG_STRING, &args.user, -+ N_("User name to use for enrollment"), NULL }, - { "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal, - N_("Set the user principal for the computer account"), NULL }, - 
{ NULL, } -@@ -315,7 +315,7 @@ realm_join (RealmClient *client, - - memset (&args, 0, sizeof (args)); - -- context = g_option_context_new ("realm"); -+ context = g_option_context_new ("join REALM"); - g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); - - group = g_option_group_new (NULL, NULL, NULL, &args, realm_join_args_clear); --- -2.26.2 - diff --git a/SOURCES/0002-doc-add-see-also-to-man-pages.patch b/SOURCES/0002-doc-add-see-also-to-man-pages.patch deleted file mode 100644 index 87d8b26..0000000 --- a/SOURCES/0002-doc-add-see-also-to-man-pages.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 29 Nov 2019 18:49:51 +0100 -Subject: [PATCH 2/2] doc: add see also to man pages - -Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001 ---- - doc/manual/realm.xml | 7 +++++++ - doc/manual/realmd.conf.xml | 7 +++++++ - 2 files changed, 14 insertions(+) - -diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml -index 55a7640..e5d4608 100644 ---- a/doc/manual/realm.xml -+++ b/doc/manual/realm.xml -@@ -440,4 +440,11 @@ $ realm deny --all - - - -+ -+ SEE ALSO -+ -+ realmd.conf -+ 5 -+ -+ - -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index fc6a785..1592291 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -471,4 +471,11 @@ fully-qualified-names = no - - - -+ -+ SEE ALSO -+ -+ realm -+ 8 -+ -+ - --- -2.21.0 - diff --git a/SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch b/SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch deleted file mode 100644 index d730483..0000000 --- a/SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch +++ /dev/null 
@@ -1,271 +0,0 @@ -From 20adfff6c0db657d302bd96f986f2e79a8b2d791 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 30 Oct 2020 13:20:46 +0100 -Subject: [PATCH 2/6] service: allow to use ldaps for rootDSE lookup - -Let the realmd service use ldaps for the rootDSE lookup when requested. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 ---- - service/realm-disco-dns.c | 10 +++++++--- - service/realm-disco-dns.h | 1 + - service/realm-disco-domain.c | 8 +++++++- - service/realm-disco-domain.h | 1 + - service/realm-disco-mscldap.c | 2 +- - service/realm-disco-rootdse.c | 3 ++- - service/realm-disco-rootdse.h | 1 + - service/realm-ldap.c | 5 ++++- - service/realm-ldap.h | 1 + - service/realm-samba-provider.c | 5 ++++- - service/realm-sssd-provider.c | 5 ++++- - 11 files changed, 33 insertions(+), 9 deletions(-) - -diff --git a/service/realm-disco-dns.c b/service/realm-disco-dns.c -index 446010c..77d5034 100644 ---- a/service/realm-disco-dns.c -+++ b/service/realm-disco-dns.c -@@ -32,6 +32,7 @@ typedef struct { - GQueue addresses; - GQueue targets; - gint current_port; -+ gboolean use_ldaps; - gint returned; - DiscoPhase phase; - GResolver *resolver; -@@ -180,7 +181,7 @@ return_or_resolve (RealmDiscoDns *self, - - target = g_queue_pop_head (&self->targets); - if (target) { -- self->current_port = g_srv_target_get_port (target); -+ self->current_port = self->use_ldaps ? 636 : g_srv_target_get_port (target); - g_resolver_lookup_by_name_async (self->resolver, g_srv_target_get_hostname (target), - g_task_get_cancellable (task), on_name_resolved, - g_object_ref (task)); -@@ -201,7 +202,7 @@ return_or_resolve (RealmDiscoDns *self, - g_resolver_lookup_by_name_async (self->resolver, self->name, - g_task_get_cancellable (task), on_name_resolved, - g_object_ref (task)); -- self->current_port = 389; -+ self->current_port = self->use_ldaps ? 
636 : 389; - self->phase = PHASE_HOST; - break; - case PHASE_HOST: -@@ -251,6 +252,7 @@ realm_disco_dns_class_init (RealmDiscoDnsClass *klass) - - GSocketAddressEnumerator * - realm_disco_dns_enumerate_servers (const gchar *domain_or_server, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation) - { - RealmDiscoDns *self; -@@ -262,12 +264,14 @@ realm_disco_dns_enumerate_servers (const gchar *domain_or_server, - - self = g_object_new (REALM_TYPE_DISCO_DNS, NULL); - self->name = g_hostname_to_ascii (input); -+ self->use_ldaps = use_ldaps; - self->invocation = g_object_ref (invocation); - - /* If is an IP, skip resolution */ - if (g_hostname_is_ip_address (input)) { - inet = g_inet_address_new_from_string (input); -- g_queue_push_head (&self->addresses, g_inet_socket_address_new (inet, 389)); -+ g_queue_push_head (&self->addresses, -+ g_inet_socket_address_new (inet, use_ldaps ? 636 : 389)); - g_object_unref (inet); - self->phase = PHASE_HOST; - } else { -diff --git a/service/realm-disco-dns.h b/service/realm-disco-dns.h -index a51777f..5b20fe9 100644 ---- a/service/realm-disco-dns.h -+++ b/service/realm-disco-dns.h -@@ -26,6 +26,7 @@ typedef enum { - G_BEGIN_DECLS - - GSocketAddressEnumerator * realm_disco_dns_enumerate_servers (const gchar *domain_or_server, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation); - - RealmDiscoDnsHint realm_disco_dns_get_hint (GSocketAddressEnumerator *enumerator); -diff --git a/service/realm-disco-domain.c b/service/realm-disco-domain.c -index 3f0ccb5..fdda8f6 100644 ---- a/service/realm-disco-domain.c -+++ b/service/realm-disco-domain.c -@@ -37,6 +37,7 @@ typedef struct _Callback { - typedef struct { - GObject parent; - gchar *input; -+ gboolean use_ldaps; - GCancellable *cancellable; - GDBusMethodInvocation *invocation; - GSocketAddressEnumerator *enumerator; -@@ -206,6 +207,7 @@ on_discover_next_address (GObject *source, - - realm_diagnostics_info (self->invocation, "Performing LDAP DSE lookup on: %s", string); - 
realm_disco_rootdse_async (address, explicit_host, -+ self->use_ldaps, - self->invocation, self->cancellable, - on_discover_rootdse, g_object_ref (self)); - self->outstanding++; -@@ -248,6 +250,7 @@ on_cancel_propagate (GCancellable *source, - - void - realm_disco_domain_async (const gchar *string, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GAsyncReadyCallback callback, - gpointer user_data) -@@ -267,8 +270,11 @@ realm_disco_domain_async (const gchar *string, - if (self == NULL) { - self = g_object_new (REALM_TYPE_DISCO_DOMAIN, NULL); - self->input = g_strdup (string); -+ self->use_ldaps = use_ldaps; - self->invocation = g_object_ref (invocation); -- self->enumerator = realm_disco_dns_enumerate_servers (string, invocation); -+ self->enumerator = realm_disco_dns_enumerate_servers (string, -+ use_ldaps, -+ invocation); - - g_hash_table_insert (discover_cache, self->input, self); - g_assert (!self->completed); -diff --git a/service/realm-disco-domain.h b/service/realm-disco-domain.h -index 27dcc6c..02d4998 100644 ---- a/service/realm-disco-domain.h -+++ b/service/realm-disco-domain.h -@@ -24,6 +24,7 @@ - G_BEGIN_DECLS - - void realm_disco_domain_async (const gchar *string, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GAsyncReadyCallback callback, - gpointer user_data); -diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c -index d3d3c10..2504904 100644 ---- a/service/realm-disco-mscldap.c -+++ b/service/realm-disco-mscldap.c -@@ -348,7 +348,7 @@ realm_disco_mscldap_async (GSocketAddress *address, - return; - } - -- clo->source = realm_ldap_connect_anonymous (address, protocol, cancellable); -+ clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable); - g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io, - g_object_ref (task), g_object_unref); - g_source_attach (clo->source, g_task_get_context (task)); -diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c 
-index 7614071..4ed19e5 100644 ---- a/service/realm-disco-rootdse.c -+++ b/service/realm-disco-rootdse.c -@@ -452,6 +452,7 @@ on_ldap_io (LDAP *ldap, - void - realm_disco_rootdse_async (GSocketAddress *address, - const gchar *explicit_server, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GCancellable *cancellable, - GAsyncReadyCallback callback, -@@ -473,7 +474,7 @@ realm_disco_rootdse_async (GSocketAddress *address, - g_task_set_task_data (task, clo, closure_free); - - clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP, -- cancellable); -+ use_ldaps, cancellable); - g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io, - g_object_ref (task), g_object_unref); - g_source_attach (clo->source, g_task_get_context (task)); -diff --git a/service/realm-disco-rootdse.h b/service/realm-disco-rootdse.h -index e024c84..7b21960 100644 ---- a/service/realm-disco-rootdse.h -+++ b/service/realm-disco-rootdse.h -@@ -21,6 +21,7 @@ - - void realm_disco_rootdse_async (GSocketAddress *address, - const gchar *explicit_server, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GCancellable *cancellable, - GAsyncReadyCallback callback, -diff --git a/service/realm-ldap.c b/service/realm-ldap.c -index 7831b5b..28c5c8a 100644 ---- a/service/realm-ldap.c -+++ b/service/realm-ldap.c -@@ -183,6 +183,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap - GSource * - realm_ldap_connect_anonymous (GSocketAddress *address, - GSocketProtocol protocol, -+ gboolean use_ldaps, - GCancellable *cancellable) - { - GSource *source; -@@ -238,7 +239,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL)) - g_warning ("couldn't set to blocking"); - -- url = g_strdup_printf ("ldap://%s:%d", addrname, port); -+ url = g_strdup_printf ("%s://%s:%d", -+ use_ldaps ? 
"ldaps" : "ldap", -+ addrname, port); - rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap); - g_free (url); - -diff --git a/service/realm-ldap.h b/service/realm-ldap.h -index 263f72a..0f9f40e 100644 ---- a/service/realm-ldap.h -+++ b/service/realm-ldap.h -@@ -37,6 +37,7 @@ typedef GIOCondition (* RealmLdapCallback) (LDAP *ldap, - - GSource * realm_ldap_connect_anonymous (GSocketAddress *address, - GSocketProtocol protocol, -+ gboolean use_ldaps, - GCancellable *cancellable); - - void realm_ldap_set_condition (GSource *source, -diff --git a/service/realm-samba-provider.c b/service/realm-samba-provider.c -index 9b489ce..de9f5e6 100644 ---- a/service/realm-samba-provider.c -+++ b/service/realm-samba-provider.c -@@ -27,6 +27,7 @@ - #include "realm-samba-enroll.h" - #include "realm-samba-provider.h" - #include "realm-samba-winbind.h" -+#include "realm-options.h" - - #include - -@@ -121,7 +122,9 @@ realm_samba_provider_discover_async (RealmProvider *provider, - g_task_return_pointer (task, NULL, NULL); - - } else { -- realm_disco_domain_async (string, invocation, -+ realm_disco_domain_async (string, -+ realm_option_use_ldaps (options), -+ invocation, - on_ad_discover, g_object_ref (task)); - } - -diff --git a/service/realm-sssd-provider.c b/service/realm-sssd-provider.c -index 7ac0645..db183c0 100644 ---- a/service/realm-sssd-provider.c -+++ b/service/realm-sssd-provider.c -@@ -26,6 +26,7 @@ - #include "realm-sssd-ipa.h" - #include "realm-sssd-provider.h" - #include "realm-sssd-config.h" -+#include "realm-options.h" - - #include - -@@ -140,7 +141,9 @@ realm_sssd_provider_discover_async (RealmProvider *provider, - g_task_return_pointer (task, NULL, NULL); - - } else { -- realm_disco_domain_async (string, invocation, on_kerberos_discover, -+ realm_disco_domain_async (string, -+ realm_option_use_ldaps (options), -+ invocation, on_kerberos_discover, - g_object_ref (task)); - } - --- -2.26.2 - 
diff --git a/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch b/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
deleted file mode 100644
index 5ab6209..0000000
--- a/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d7089129b966df83f083cb56ee90f6b906971cb6 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 1 Dec 2020 16:09:10 +0100
-Subject: [PATCH 2/3] service: avoid crash if LDAP connection fails
-
-There was always a chance for a crash if the connection to LDAP failed.
-In the ldaps case a failed connection became more likely e.g. due to
-failed certificate checks.
-
-This patch avoids the crash and returns an error to the client cleanly.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- po/POTFILES.in | 1 +
- service/realm-disco-mscldap.c | 7 +++++++
- service/realm-disco-rootdse.c | 6 ++++++
- 3 files changed, 14 insertions(+)
-
-diff --git a/po/POTFILES.in b/po/POTFILES.in
-index 2de67c8..140ed4c 100644
---- a/po/POTFILES.in
-+++ b/po/POTFILES.in
-@@ -1,6 +1,7 @@
- service/org.freedesktop.realmd.policy.in
- service/realm-command.c
- service/realm-disco-mscldap.c
-+service/realm-disco-rootdse.c
- service/realm-example.c
- service/realm-ini-config.c
- service/realm-invocation.c
-diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
-index 2504904..003bb66 100644
---- a/service/realm-disco-mscldap.c
-+++ b/service/realm-disco-mscldap.c
-@@ -349,6 +349,13 @@ realm_disco_mscldap_async (GSocketAddress *address,
- }
-
- clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
-+ if (clo->source == NULL) {
-+ g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
-+ _("Failed to setup LDAP connection"));
-+ g_object_unref (task);
-+ return;
-+ }
-+
- g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
- g_object_ref (task), g_object_unref);
- g_source_attach (clo->source, g_task_get_context (task));
-diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
-index 4ed19e5..d9b44b3 100644
---- a/service/realm-disco-rootdse.c
-+++ b/service/realm-disco-rootdse.c
-@@ -475,6 +475,12 @@ realm_disco_rootdse_async (GSocketAddress *address,
-
- clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
- use_ldaps, cancellable);
-+ if (clo->source == NULL) {
-+ g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
-+ _("Failed to setup LDAP connection"));
-+ g_object_unref (task);
-+ return;
-+ }
- g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
- g_object_ref (task), g_object_unref);
- g_source_attach (clo->source, g_task_get_context (task));
---
-2.28.0
-
diff --git a/SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch b/SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch
deleted file mode 100644
index bff6fd0..0000000
--- a/SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch
+++ /dev/null
@@ -1,186 +0,0 @@ -From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 30 Oct 2020 13:28:52 +0100 -Subject: [PATCH 3/6] service: add ldaps support when using adcli - -Call adcli with the --use-ldaps option if the realmd service is -requested to do so. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 ---- - service/realm-adcli-enroll.c | 10 ++++++++++ - service/realm-adcli-enroll.h | 2 ++ - service/realm-samba.c | 11 +++++++++-- - service/realm-sssd-ad.c | 27 ++++++++++++++++++++++++++- - 4 files changed, 47 insertions(+), 3 deletions(-) - -diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c -index 05947fa..2731283 100644 ---- a/service/realm-adcli-enroll.c -+++ b/service/realm-adcli-enroll.c -@@ -68,6 +68,7 @@ void - realm_adcli_enroll_join_async (RealmDisco *disco, - RealmCredential *cred, - GVariant *options, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GAsyncReadyCallback callback, - gpointer user_data) -@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco, - g_ptr_array_add (args, "--domain-realm"); - g_ptr_array_add (args, (gpointer)disco->kerberos_realm); - -+ if (use_ldaps) { -+ g_ptr_array_add (args, "--use-ldaps"); -+ } -+ - if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) { - address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address)); - server_arg = g_inet_address_to_string (address); -@@ -218,6 +223,7 @@ void - realm_adcli_enroll_delete_async (RealmDisco *disco, - RealmCredential *cred, - GVariant *options, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GAsyncReadyCallback callback, - gpointer user_data) -@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco, - g_ptr_array_add (args, "--domain-realm"); - g_ptr_array_add (args, (gpointer)disco->kerberos_realm); - -+ if (use_ldaps) { -+ g_ptr_array_add (args, "--use-ldaps"); -+ } -+ - if (G_IS_INET_SOCKET_ADDRESS 
(disco->server_address)) { - address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address)); - server_arg = g_inet_address_to_string (address); -diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h -index 855b2f7..3f535d0 100644 ---- a/service/realm-adcli-enroll.h -+++ b/service/realm-adcli-enroll.h -@@ -29,6 +29,7 @@ G_BEGIN_DECLS - void realm_adcli_enroll_join_async (RealmDisco *disco, - RealmCredential *cred, - GVariant *options, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GAsyncReadyCallback callback, - gpointer user_data); -@@ -39,6 +40,7 @@ gboolean realm_adcli_enroll_join_finish (GAsyncResult *result, - void realm_adcli_enroll_delete_async (RealmDisco *disco, - RealmCredential *cred, - GVariant *options, -+ gboolean use_ldaps, - GDBusMethodInvocation *invocation, - GAsyncReadyCallback callback, - gpointer user_data); -diff --git a/service/realm-samba.c b/service/realm-samba.c -index e7b80a0..7aa5416 100644 ---- a/service/realm-samba.c -+++ b/service/realm-samba.c -@@ -257,7 +257,8 @@ on_install_do_join (GObject *source, - } - - static gboolean --validate_membership_options (GVariant *options, -+validate_membership_options (EnrollClosure *enroll, -+ GVariant *options, - GError **error) - { - const gchar *software; -@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options, - } - } - -+ if (realm_option_use_ldaps (options)) { -+ realm_diagnostics_info (enroll->invocation, -+ "Membership software %s does " -+ "not support ldaps, trying without.", -+ software); -+ } - return TRUE; - } - -@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership, - g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED, - _("Already joined to a domain")); - -- } else if (!validate_membership_options (options, &error)) { -+ } else if (!validate_membership_options (enroll, options, &error)) { - g_task_return_error (task, error); - - } else { -diff --git 
a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c -index 6b2f9f8..00a9093 100644 ---- a/service/realm-sssd-ad.c -+++ b/service/realm-sssd-ad.c -@@ -98,6 +98,7 @@ typedef struct { - GVariant *options; - RealmDisco *disco; - gboolean use_adcli; -+ gboolean use_ldaps; - const gchar **packages; - } JoinClosure; - -@@ -294,6 +295,7 @@ on_install_do_join (GObject *source, - realm_adcli_enroll_join_async (join->disco, - join->cred, - join->options, -+ join->use_ldaps, - join->invocation, - on_join_do_sssd, - g_object_ref (task)); -@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join, - return FALSE; - } - -+ /* -+ * Check if ldaps should be used and if membership software supports -+ * it. -+ */ -+ join->use_ldaps = realm_option_use_ldaps (options); -+ if (join->use_ldaps && -+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) { -+ realm_diagnostics_info (join->invocation, -+ "Membership software %s does " -+ "not support ldaps, trying " -+ "without.", software); -+ } -+ - /* - * If we are enrolling with a user password, then we have to use samba, - * adcli only supports admin passwords. -@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership, - GTask *task; - LeaveClosure *leave; - gchar *tags; -+ gboolean use_ldaps = FALSE; - - task = g_task_new (self, NULL, callback, user_data); - -@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership, - leave->invocation = g_object_ref (invocation); - leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? 
TRUE : FALSE; - g_task_set_task_data (task, leave, leave_closure_free); -+ -+ use_ldaps = realm_option_use_ldaps (options); - if (leave->use_adcli) { -- realm_adcli_enroll_delete_async (disco, cred, options, invocation, -+ realm_adcli_enroll_delete_async (disco, cred, options, -+ use_ldaps, invocation, - on_leave_do_deconfigure, g_object_ref (task)); - } else { -+ if (use_ldaps) { -+ realm_diagnostics_info (leave->invocation, -+ "Membership software does " -+ "not support ldaps, trying " -+ "without."); -+ } - realm_samba_enroll_leave_async (disco, cred, options, invocation, - on_leave_do_deconfigure, g_object_ref (task)); - } --- -2.26.2 - diff --git a/SOURCES/0003-service-make-TLS-check-more-releaxed.patch b/SOURCES/0003-service-make-TLS-check-more-releaxed.patch deleted file mode 100644 index 292d0db..0000000 --- a/SOURCES/0003-service-make-TLS-check-more-releaxed.patch +++ /dev/null 
@@ -1,89 +0,0 @@
-From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 2 Dec 2020 10:10:37 +0100
-Subject: [PATCH 3/3] service: make TLS check more releaxed
-
-Since realmd is most often the first application called to discover a
-domain we do not require a strict certificate check when using the ldaps
-port to connect to a domain controller.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- doc/manual/realm.xml | 8 +++++++-
- service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
- 2 files changed, 38 insertions(+), 2 deletions(-)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 01af62e..d7d8e5e 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- which offers a comparable level of security than ldaps.
- This option is only needed if the standard LDAP port
- (389/tcp) is blocked by a firewall and only the LDAPS
-- port (636/tcp) is available.
-+ port (636/tcp) is available. Given that and to lower
-+ the initial effort to discover a remote domain
-+ realmd does not require a strict
-+ certificate check. If the validation of the LDAP server
-+ certificate fails realmd will
-+ continue to setup the encrypted connection to the LDAP
-+ server.
- - If this option is set to - yes realmd -diff --git a/service/realm-ldap.c b/service/realm-ldap.c -index e07a299..bdfb96c 100644 ---- a/service/realm-ldap.c -+++ b/service/realm-ldap.c -@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - gint port; - gchar *url; - int rc; -+ int opt_rc; -+ int ldap_opt_val; -+ const char *errmsg = NULL; - - g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL); - -@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - } - - if (use_ldaps) { -+ /* Since we currently use the IP address in the URI -+ * the certificate check might fail because in most -+ * cases the IP address won't be listed in the SANs of -+ * the LDAP server certificate. We will try to -+ * continue in this case and not fail. */ -+ ldap_opt_val = LDAP_OPT_X_TLS_ALLOW; -+ rc = ldap_set_option (ls->ldap, -+ LDAP_OPT_X_TLS_REQUIRE_CERT, -+ &ldap_opt_val); -+ if (rc != LDAP_OPT_SUCCESS) { -+ g_debug ("Failed to disable certificate checking, trying without"); -+ } -+ -+ ldap_opt_val = 0; -+ rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX, -+ &ldap_opt_val); -+ if (rc != LDAP_OPT_SUCCESS) { -+ g_debug ("Failed to refresh LDAP context for TLS, trying without"); -+ } -+ - rc = ldap_install_tls (ls->ldap); - if (rc != LDAP_SUCCESS) { -- g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc)); -+ opt_rc = ldap_get_option (ls->ldap, -+ LDAP_OPT_DIAGNOSTIC_MESSAGE, -+ (void *) &errmsg); -+ if (opt_rc != LDAP_SUCCESS) { -+ errmsg = "- no details -"; -+ } -+ g_warning ("ldap_start_tls_s() failed [%s]: %s", -+ ldap_err2string (rc), errmsg); - return NULL; - } - } --- -2.28.0 - diff --git a/SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch b/SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch deleted file mode 100644 index 9834783..0000000 --- a/SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch +++ /dev/null 
@@ -1,88 +0,0 @@
-From 7daf5993995baad0f5c7f7ae3822dae37eb9f46f Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 30 Oct 2020 16:44:23 +0100
-Subject: [PATCH 4/6] service: do not copy option values to avoid memory leaks
-
----
- service/realm-adcli-enroll.c | 15 ++++++++-------
- service/realm-options.c | 8 +++-----
- 2 files changed, 11 insertions(+), 12 deletions(-)
-
-diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
-index 2731283..e0d752b 100644
---- a/service/realm-adcli-enroll.c
-+++ b/service/realm-adcli-enroll.c
-@@ -80,7 +80,8 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
- GBytes *input = NULL;
- const gchar *upn;
- GPtrArray *args;
-- const gchar *os;
-+ const gchar *os_n = NULL;
-+ const gchar *os_v = NULL;
- gchar *ccache_arg = NULL;
- gchar *upn_arg = NULL;
- gchar *server_arg = NULL;
-@@ -144,16 +145,16 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
- g_ptr_array_add (args, (gpointer)computer_ou);
- }
-
-- os = realm_options_ad_specific (options, "os-name");
-- if (os != NULL && !g_str_equal (os, "")) {
-+ os_n = realm_options_ad_specific (options, "os-name");
-+ if (os_n != NULL && !g_str_equal (os_n, "")) {
- g_ptr_array_add (args, "--os-name");
-- g_ptr_array_add (args, (gpointer)os);
-+ g_ptr_array_add (args, (gpointer)os_n);
- }
-
-- os = realm_options_ad_specific (options, "os-version");
-- if (os != NULL && !g_str_equal (os, "")) {
-+ os_v = realm_options_ad_specific (options, "os-version");
-+ if (os_v != NULL && !g_str_equal (os_v, "")) {
- g_ptr_array_add (args, "--os-version");
-- g_ptr_array_add (args, (gpointer)os);
-+ g_ptr_array_add (args, (gpointer)os_v);
- }
-
- switch (cred->type) {
-diff --git a/service/realm-options.c b/service/realm-options.c
-index d42eb7c..4ebd6c0 100644
---- a/service/realm-options.c
-+++ b/service/realm-options.c
-@@ -179,7 +179,7 @@ realm_options_computer_name (GVariant *options,
- g_free (section);
- }
-
-- return g_strdup (computer_name);
-+ return computer_name;
- }
-
- const gchar *
-@@ -197,22 +197,20 @@ realm_options_ad_specific (GVariant *options,
- value = realm_settings_value ("active-directory", option_name);
- }
-
-- return g_strdup (value);
-+ return value;
- }
-
- gboolean realm_option_use_ldaps (GVariant *options)
- {
-- gchar *use_ldaps_str;
-+ const gchar *use_ldaps_str;
-
- use_ldaps_str = realm_options_ad_specific (options,
- REALM_DBUS_OPTION_USE_LDAPS);
- if (use_ldaps_str != NULL
- && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
- || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
-- g_free (use_ldaps_str);
- return TRUE;
- }
-- g_free (use_ldaps_str);
-
- return FALSE;
- }
---
-2.26.2
-
diff --git a/SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch b/SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
deleted file mode 100644
index aaa8648..0000000
--- a/SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
+++ /dev/null
@@ -1,305 +0,0 @@ -From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 30 Oct 2020 17:22:13 +0100 -Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and - leave - -Add --use-ldaps option to the realm command to be able to ask the realmd -service to use ldaps where possible. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 ---- - doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++ - doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++ - tools/realm-client.c | 2 ++ - tools/realm-client.h | 1 + - tools/realm-discover.c | 7 ++++++- - tools/realm-join.c | 6 +++++- - tools/realm-leave.c | 15 +++++++++++---- - 7 files changed, 80 insertions(+), 6 deletions(-) - -diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml -index e5d4608..01af62e 100644 ---- a/doc/manual/realm.xml -+++ b/doc/manual/realm.xml -@@ -134,6 +134,11 @@ $ realm discover domain.example.com - Possible values include samba or - adcli. - -+ -+ -+ See option description in -+ . -+ - - - -@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com - principal besides the AD default user principal can be - set. - -+ -+ -+ Use the ldaps port when connecting to AD -+ where possible. In general this option is not needed -+ because realmd itself only read -+ public information from the Active Directory domain -+ controller which is available anonymously. The -+ supported membership software products will use -+ encrypted connections protected with GSS-SPNEGO/GSSAPI -+ which offers a comparable level of security than ldaps. -+ This option is only needed if the standard LDAP port -+ (389/tcp) is blocked by a firewall and only the LDAPS -+ port (636/tcp) is available. -+ -+ If this option is set to -+ yes realmd -+ will use the ldaps port when reading the rootDSE and -+ call the adcli membership software -+ with the option . 
The Samba -+ base membership currently offers only deprecated ways -+ to enable ldaps. Support will be added in -+ realmd when a new way is available. -+ -+ - - - -@@ -326,6 +355,11 @@ $ realm leave domain.example.com - with when leaving the realm. You will be prompted for a - password. Implies . - -+ -+ -+ See option description in -+ . -+ - - - -diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml -index 97d2e8d..72b706c 100644 ---- a/doc/manual/realmd.conf.xml -+++ b/doc/manual/realmd.conf.xml -@@ -141,6 +141,27 @@ domain.example.com - - - -+ -+ -+ Use the ldaps port when connecting to AD where possible. -+ In general this option is not needed because realmd -+ itself only read public information from the Active Directory domain -+ controller which is available anonymously. The supported membership -+ software products will use encrypted connections protected with -+ GSS-SPNEGO/GSSAPI which offers a comparable level of security than -+ ldaps. This option is only needed if the standard LDAP port (389/tcp) -+ is blocked by a firewall and only the LDAPS port (636/tcp) is -+ available. -+ -+ If this option is set to yes -+ realmd will use the ldaps port when reading the -+ rootDSE and call the adcli membership software with -+ the option . The Samba base membership -+ currently offers only deprecated ways to enable ldaps. Support will be -+ added in realmd when a new way is available. 
-+ -+ -+ - - - (see below) -diff --git a/tools/realm-client.c b/tools/realm-client.c -index 2f102db..c386e64 100644 ---- a/tools/realm-client.c -+++ b/tools/realm-client.c -@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self) - GList * - realm_client_discover (RealmClient *self, - const gchar *string, -+ gboolean use_ldaps, - const gchar *client_software, - const gchar *server_software, - const gchar *membership_software, -@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self, - options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software, - REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software, - REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software, -+ REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False", - NULL); - - /* Start actual operation */ -diff --git a/tools/realm-client.h b/tools/realm-client.h -index 5ecf2de..e9e50cd 100644 ---- a/tools/realm-client.h -+++ b/tools/realm-client.h -@@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien - - GList * realm_client_discover (RealmClient *self, - const gchar *string, -+ gboolean use_ldaps, - const gchar *client_software, - const gchar *server_software, - const gchar *membership_software, -diff --git a/tools/realm-discover.c b/tools/realm-discover.c -index 8dde4ed..c0acd79 100644 ---- a/tools/realm-discover.c -+++ b/tools/realm-discover.c -@@ -116,6 +116,7 @@ perform_discover (RealmClient *client, - const gchar *string, - gboolean all, - gboolean name_only, -+ gboolean use_ldaps, - const gchar *server_software, - const gchar *client_software, - const gchar *membership_software) -@@ -127,7 +128,7 @@ perform_discover (RealmClient *client, - GList *realms; - GList *l; - -- realms = realm_client_discover (client, string, client_software, -+ realms = realm_client_discover (client, string, use_ldaps, client_software, - server_software, membership_software, - REALM_DBUS_REALM_INTERFACE, NULL, &error); - -@@ -173,6 +174,7 @@ realm_discover (RealmClient 
*client, - GError *error = NULL; - gboolean arg_all = FALSE; - gboolean arg_name_only = FALSE; -+ gboolean arg_use_ldaps = FALSE; - gint result = 0; - gint ret; - gint i; -@@ -183,6 +185,7 @@ realm_discover (RealmClient *client, - { "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL }, - { "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL }, - { "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL }, -+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL }, - { NULL, } - }; - -@@ -200,6 +203,7 @@ realm_discover (RealmClient *client, - } else if (argc == 1) { - result = perform_discover (client, NULL, arg_all, - arg_name_only, -+ arg_use_ldaps, - arg_server_software, - arg_client_software, - arg_membership_software); -@@ -209,6 +213,7 @@ realm_discover (RealmClient *client, - for (i = 1; i < argc; i++) { - ret = perform_discover (client, argv[i], arg_all, - arg_name_only, -+ arg_use_ldaps, - arg_server_software, - arg_client_software, - arg_membership_software); -diff --git a/tools/realm-join.c b/tools/realm-join.c -index 249f502..dbe6197 100644 ---- a/tools/realm-join.c -+++ b/tools/realm-join.c -@@ -179,6 +179,7 @@ typedef struct { - gchar *user_principal; - gboolean automatic_id_mapping_set; - gboolean automatic_id_mapping; -+ gboolean use_ldaps; - } RealmJoinArgs; - - static void -@@ -218,7 +219,7 @@ perform_join (RealmClient *client, - GList *realms; - gint ret; - -- realms = realm_client_discover (client, string, args->client_software, -+ realms = realm_client_discover (client, string, args->use_ldaps, args->client_software, - args->server_software, args->membership_software, - REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, - &had_mismatched, &error); -@@ -247,6 +248,7 @@ perform_join (RealmClient *client, - REALM_DBUS_OPTION_OS_VERSION, 
args->os_version, - REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software, - REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal, -+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False", - args->automatic_id_mapping_set ? - REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL, - args->automatic_id_mapping, -@@ -310,6 +312,8 @@ realm_join (RealmClient *client, - N_("User name to use for enrollment"), NULL }, - { "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal, - N_("Set the user principal for the computer account"), NULL }, -+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps, -+ N_("Use ldaps to connect to LDAP"), NULL }, - { NULL, } - }; - -diff --git a/tools/realm-leave.c b/tools/realm-leave.c -index 45a9c46..c88a110 100644 ---- a/tools/realm-leave.c -+++ b/tools/realm-leave.c -@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client, - - static int - perform_user_leave (RealmClient *client, -+ gboolean use_ldaps, - RealmDbusKerberosMembership *membership, - const gchar *user_name) - { -@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client, - return 1; - } - -- options = realm_build_options(NULL, NULL); -+ options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? 
"True" : "False", -+ NULL); - ret = call_leave (membership, credentials, options, &error); - - if (error != NULL) -@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client, - static int - perform_leave (RealmClient *client, - const gchar *realm_name, -+ gboolean use_ldaps, - gboolean remove, - const gchar *user_name, - const gchar *client_software, -@@ -239,7 +242,8 @@ perform_leave (RealmClient *client, - if (!remove) - ret = perform_deconfigure (client, realm); - else -- ret = perform_user_leave (client, membership, user_name); -+ ret = perform_user_leave (client, use_ldaps, membership, -+ user_name); - - g_object_unref (membership); - g_object_unref (realm); -@@ -259,6 +263,7 @@ realm_leave (RealmClient *client, - gchar *arg_server_software = NULL; - GError *error = NULL; - const gchar *realm_name; -+ gboolean arg_use_ldaps = FALSE; - gint ret = 0; - - GOptionEntry option_entries[] = { -@@ -268,6 +273,7 @@ realm_leave (RealmClient *client, - { "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, - N_("Use specific server software"), NULL }, - { "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL }, -+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL }, - { NULL, } - }; - -@@ -283,8 +289,9 @@ realm_leave (RealmClient *client, - - } else { - realm_name = argc < 2 ? NULL : argv[1]; -- ret = perform_leave (client, realm_name, arg_remove, arg_user, -- arg_client_software, arg_server_software); -+ ret = perform_leave (client, realm_name, arg_use_ldaps, -+ arg_remove, arg_user, arg_client_software, -+ arg_server_software); - } - - g_free (arg_user); --- -2.26.2 - diff --git a/SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch b/SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch deleted file mode 100644 index f79c86e..0000000 --- a/SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 8cddf81199e96c7edc701bcb7ca782d7bcddbddd Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 30 Oct 2020 19:24:40 +0100 -Subject: [PATCH 6/6] ldap: generate proper ldap uri for IPv6 addresses - -When using IPv6 addresses the address must be put into brackets. - -Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23 ---- - service/realm-ldap.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/service/realm-ldap.c b/service/realm-ldap.c -index 28c5c8a..2076d1e 100644 ---- a/service/realm-ldap.c -+++ b/service/realm-ldap.c -@@ -190,6 +190,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - LdapSource *ls; - gchar *addrname; - GInetSocketAddress *inet; -+ GSocketFamily family; - struct berval cred; - Sockbuf *sb = NULL; - gsize native_len; -@@ -204,6 +205,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - inet = G_INET_SOCKET_ADDRESS (address); - addrname = g_inet_address_to_string (g_inet_socket_address_get_address (inet)); - port = g_inet_socket_address_get_port (inet); -+ family = g_inet_address_get_family (g_inet_socket_address_get_address (inet)); - if (port == 0) - port = 389; - -@@ -239,9 +241,17 @@ realm_ldap_connect_anonymous (GSocketAddress *address, - if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL)) - g_warning ("couldn't set to blocking"); - -- url = g_strdup_printf ("%s://%s:%d", -- use_ldaps ? "ldaps" : "ldap", -- addrname, port); -+ if (family == G_SOCKET_FAMILY_IPV4) { -+ url = g_strdup_printf ("%s://%s:%d", -+ use_ldaps ? "ldaps" : "ldap", -+ addrname, port); -+ } else if (family == G_SOCKET_FAMILY_IPV6) { -+ url = g_strdup_printf ("%s://[%s]:%d", -+ use_ldaps ? "ldaps" : "ldap", -+ addrname, port); -+ } else { -+ url = NULL; -+ } - rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap); - g_free (url); - --- -2.26.2 - diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec index 25a4e2b..f0710ed 100644 --- a/SPECS/realmd.spec +++ b/SPECS/realmd.spec 
@@ -1,102 +1,38 @@
-Name: realmd
-Version: 0.16.3
-Release: 25%{?dist}
-Summary: Kerberos realm enrollment service
-License: LGPLv2+
-URL: http://cgit.freedesktop.org/realmd/realmd/
-Source0: http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
-
-Patch1: 0001-LDAP-don-t-close-LDAP-socket-twice.patch
-Patch2: 0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
-Patch3: 0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
-Patch4: 0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
-Patch5: 0001-switch-to-authselect.patch
-Patch6: 0001-Fix-man-page-reference-in-systemd-service-file.patch
-Patch7: 0001-Use-current-idmap-options-for-smb.conf.patch
-Patch8: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
-Patch9: 0001-tests-run-tests-with-python3.patch
-Patch10: ipa-packages.patch
-Patch11: 0001-Fix-issues-found-by-Coverity.patch
-
-Patch12: 0001-Change-qualified-names-default-for-IPA.patch
-
-Patch13: 0001-IPA-do-not-call-sssd-enable-logins.patch
-
-# rhbz#1747454 - rebuild fails if DISTRO variable is exported
-Patch14: 0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
-
-# rhbz#1747452 - realmd.conf user-principal RFE and clarification (plus dependencies)
-Patch15: 0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
-Patch16: 0001-doc-make-sure-cross-reference-ids-are-predictable.patch
-Patch17: 0001-doc-extend-user-principal-section.patch
-
-# rhbz#1747457 - realmd.conf documentation incorrect
-Patch18: 0001-doc-fix-discover-name-only.patch
-Patch19: 0002-doc-add-see-also-to-man-pages.patch
-
-# rhbz#1747456 - Document realmd.conf and how realmd reads the configuration
-Patch20: 0001-doc-extend-description-of-config-handling.patch
-
-# rhbz#1801195
-Patch21: 0001-service-use-kerberos-method-secrets-and-keytab.patch
-
-# rhbz#1859503 - Realm join fails with error 'Failed to join domain: failed to
-# lookup DC info ...'
-Patch22: 0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
-
-# rhbz#1867912 - realm command to use option like dnshostname=fqdn
-Patch23: 0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
-
-# rhbz#1791016 - realmd should handle default_realm in krb5.conf
-Patch24: 0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
-
-# rhbz#1826964 - [RFE] Enable LDAPS functionality in realmd join
-Patch25: 0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
-Patch26: 0001-Use-startTLS-with-FreeIPA.patch
-Patch27: 0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
-Patch28: 0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
-Patch29: 0003-service-add-ldaps-support-when-using-adcli.patch
-Patch30: 0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
-Patch31: 0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
-Patch32: 0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
-Patch33: 0001-ldap-setup-TLS-when-using-ldaps.patch
-Patch34: 0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
-Patch35: 0002-service-avoid-crash-if-LDAP-connection-fails.patch
-Patch36: 0003-service-make-TLS-check-more-releaxed.patch
-
-Patch37: 0001-doc-add-computer-name-to-realm-man-page.patch
-Patch38: 0001-build-add-with-vendor-error-message-configure-option.patch
-
-# rhbz#2024248 - realmd logs are duplicated
-Patch39: 0001-syslog-avoid-duplicate-log-messages.patch
-
-# rhbz#2028528 - realm join needs to updated to use the command line options of
-# Samba's net command
-Patch40: 0001-samba-use-new-Samba-4.15-command-line-options.patch
-
-# rhbz#2037864 - realmd operations hang if a DC is unreachable
-Patch41: 0001-ldap-add-socket-timeout.patch
-
-BuildRequires: gcc
-BuildRequires: automake
-BuildRequires: autoconf
-BuildRequires: intltool pkgconfig
-BuildRequires: gettext-devel
-BuildRequires: glib2-devel >= 2.32.0
-BuildRequires: openldap-devel
-BuildRequires: polkit-devel
-BuildRequires: krb5-devel
-BuildRequires: systemd-devel
-BuildRequires: libxslt
-BuildRequires: xmlto
-BuildRequires: samba-common-tools
-BuildRequires: %{_bindir}/python3
-
-Requires: authselect
-Requires: polkit
+Name: realmd
+Version: 0.17.1
+Release: 1%{?dist}
+Summary: Kerberos realm enrollment service
+License: LGPLv2+
+URL: https://gitlab.freedesktop.org/realmd/realmd
+Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
+
+### Downstream Patches ###
+# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
+# using freeipa-*, the following patch applies the needed changes.
+Patch0100: ipa-packages.patch
+
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: intltool pkgconfig
+BuildRequires: gettext-devel
+BuildRequires: glib2-devel >= 2.32.0
+BuildRequires: openldap-devel
+BuildRequires: polkit-devel
+BuildRequires: krb5-devel
+BuildRequires: systemd-devel
+BuildRequires: libxslt
+BuildRequires: xmlto
+BuildRequires: samba-common-tools
+BuildRequires: python3
+
+Requires: authselect
+Requires: polkit
+Conflicts: realmd-devel-docs < %{version}-%{release}
 # This build will use Samba's new command line options so it cannot be used
 # with older versions of Samba.
-Conflicts: samba-common-tools < 4.15
+Conflicts: samba-common-tools < 4.15
 %description
 realmd is a DBus system service which manages discovery and enrollment in realms
@@ -104,7 +40,8 @@ and domains like Active Directory or IPA. The control center uses realmd as the
 back end to 'join' a domain simply and automatically configure things correctly.
 %package devel-docs
-Summary: Developer documentation files for %{name}
+Summary: Developer documentation files for %{name}
+Conflicts: realmd < %{version}-%{release}
 %description devel-docs
 The %{name}-devel package contains developer documentation for developing
@@ -124,7 +61,6 @@ autoreconf -fi
 %endif
 %{nil}
-
 make %{?_smp_mflags}
 %check
@@ -146,10 +82,10 @@ make install DESTDIR=%{buildroot}
 %files -f realmd.lang
 %doc AUTHORS COPYING NEWS README
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
 %{_sbindir}/realm
 %dir %{_prefix}/lib/realmd
-%{_prefix}/lib/realmd/realmd
+%{_libexecdir}/realmd
 %{_prefix}/lib/realmd/realmd-defaults.conf
 %{_prefix}/lib/realmd/realmd-distro.conf
 %{_unitdir}/realmd.service
@@ -164,6 +100,10 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 %changelog
+* Fri Oct 21 2022 Sumit Bose - 0.17.1-1
+- Update to upstream release 0.17.1
+ Resolves: rhbz#2133841
+
 * Mon Jan 10 2022 Sumit Bose - 0.16.3-25
 - add LDAP socket timeout
 Resolves: rhbz#2037864
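Review bot: Marking `%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf` as `%config(noreplace)` in the `%files` hunk means that once an administrator has edited that file locally, later upstream changes to the bus policy — the file that decides which callers on the system bus may invoke realmd's methods — arrive only as an `.rpmnew` and never take effect until merged by hand. If the policy is meant to stay under package control, plain `%config` (or shipping the file under `%{_datadir}/dbus-1/system.d`, which dbus also reads for vendor policy while `/etc` is left for local overrides) would keep policy updates applied; if local edits are genuinely expected, a one-line comment above the entry saying so would save the next packager from reverting it. Separately, the new changelog entry records only the version bump although the same commit drops `Patch1` through `Patch41`, several of them LDAPS/TLS fixes such as `0001-ldap-setup-TLS-when-using-ldaps.patch` and `0003-service-make-TLS-check-more-releaxed.patch`; a line like `- drop downstream patches included in upstream 0.17.1` would state the intent and give reviewers a checklist to confirm each of those fixes actually landed in the new tarball.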
- -- -- --

-- -- -- --

--
-- --

-- -- -- -- -- -- -- -- --

--
--
--

-+ -+ -+

-+ -+ -+ -+

-+ -+ -+

-+ -+ -+ -+ -+ -+ -+ -+ -+

-+
-+ -+

- -

-
-+