diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..540b6ba
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/realmd-0.16.3.tar.gz
diff --git a/.realmd.metadata b/.realmd.metadata
new file mode 100644
index 0000000..c1809f4
--- /dev/null
+++ b/.realmd.metadata
@@ -0,0 +1 @@
+0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz
diff --git a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
new file mode 100644
index 0000000..6daf79b
--- /dev/null
+++ b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
@@ -0,0 +1,113 @@
+From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Aug 2018 16:44:39 +0200
+Subject: [PATCH] Change qualified names default for IPA
+
+In a FreeIPA domain it is typically expected that the IPA accounts use
+sort names while accounts from trusted domains have fully qualified
+names. This is automatically done by SSSD's IPA provider so there is no
+need to force fully qualified names in the SSSD configuration.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
+---
+ service/realm-options.c       | 9 +++++----
+ service/realm-options.h       | 3 ++-
+ service/realm-samba-winbind.c | 2 +-
+ service/realm-sssd-ad.c       | 2 +-
+ service/realm-sssd-ipa.c      | 2 +-
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/service/realm-options.c b/service/realm-options.c
+index bd804ea..34a209f 100644
+--- a/service/realm-options.c
++++ b/service/realm-options.c
+@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
+ 
+ 	if (realm_name && !option) {
+ 		section = g_utf8_casefold (realm_name, -1);
+-		mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
++		mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
+ 		g_free (section);
+ 	}
+ 
+@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
+ 	gboolean mapping;
+ 
+ 	section = g_utf8_casefold (realm_name, -1);
+-	mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
++	mapping = realm_settings_boolean (section, "automatic-join", FALSE);
+ 	g_free (section);
+ 
+ 	return mapping;
+ }
+ 
+ gboolean
+-realm_options_qualify_names (const gchar *realm_name)
++realm_options_qualify_names (const gchar *realm_name,
++                             gboolean def)
+ {
+ 	gchar *section;
+ 	gboolean qualify;
+ 
+ 	section = g_utf8_casefold (realm_name, -1);
+-	qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
++	qualify = realm_settings_boolean (section, "fully-qualified-names", def);
+ 	g_free (section);
+ 
+ 	return qualify;
+diff --git a/service/realm-options.h b/service/realm-options.h
+index 7a1355e..b71d219 100644
+--- a/service/realm-options.h
++++ b/service/realm-options.h
+@@ -37,7 +37,8 @@ const gchar *  realm_options_user_principal           (GVariant *options,
+ gboolean       realm_options_automatic_mapping        (GVariant *options,
+ 						       const gchar *realm_name);
+ 
+-gboolean       realm_options_qualify_names            (const gchar *realm_name);
++gboolean       realm_options_qualify_names            (const gchar *realm_name,
++                                                       gboolean def);
+ 
+ gboolean       realm_options_check_domain_name        (const gchar *domain_name);
+ 
+diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
+index 9335e26..61988eb 100644
+--- a/service/realm-samba-winbind.c
++++ b/service/realm-samba-winbind.c
+@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ 		                      "winbind enum groups", "no",
+ 		                      "winbind offline logon", "yes",
+ 		                      "winbind refresh tickets", "yes",
+-		                      "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
++		                      "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
+ 		                      "template shell", realm_settings_string ("users", "default-shell"),
+ 		                      NULL);
+ 
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 8543ca8..de7ce30 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
+ 	gchar *home;
+ 
+ 	home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
+-	qualify = realm_options_qualify_names (disco->domain_name);
++	qualify = realm_options_qualify_names (disco->domain_name, TRUE);
+ 	shell = realm_settings_string ("users", "default-shell");
+ 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
+ 	realmd_tags = g_string_new ("");
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index ff1dc8a..5029f6b 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
+ 
+ 		realm_sssd_config_update_domain (config, domain, &error,
+ 		                                 "cache_credentials", "True",
+-		                                 "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
++		                                 "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
+ 		                                 "krb5_store_password_if_offline", "True",
+ 		                                 "default_shell", shell,
+ 		                                 "fallback_homedir", home,
+-- 
+2.17.1
+
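Review bot: The switch from `realm_name` to `section` in the three `realm_settings_boolean` calls in service/realm-options.c changes which realmd.conf section is read for `automatic-id-mapping`, `automatic-join` and `fully-qualified-names`, and the patch does not document this. If section lookup is case-sensitive (not visible here), an override stored under an upper- or mixed-case realm section would stop matching and the hard-coded defaults would apply instead. The new `def` parameter is also undocumented in realm-options.h; a comment such as `/* def: value used when the realm section has no fully-qualified-names key; FALSE for IPA, TRUE for AD and winbind */` would record why the callers differ. `realm_options_automatic_mapping` starts outside the hunk.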
diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
new file mode 100644
index 0000000..69f6aa3
--- /dev/null
+++ b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
@@ -0,0 +1,150 @@
+From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 31 May 2018 16:16:08 +0200
+Subject: [PATCH] Find NetBIOS name in keytab while leaving
+
+If realmd is used with Samba as membership software, i.e. Samba's net
+utility, the NetBIOS name must be known when leaving a domain. The most
+reliable way to find it is by searching the keytab for NAME$@REALM type
+entries and use the NAME as the NetBIOS name.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
+---
+ service/realm-kerberos.c     | 64 ++++++++++++++++++++++++++++++++++++++++++++
+ service/realm-kerberos.h     |  2 ++
+ service/realm-samba-enroll.c | 13 ++++++---
+ 3 files changed, 76 insertions(+), 3 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index 54d1ed7..d6d109f 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
+ 	return ret;
+ 
+ }
++
++gchar *
++realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
++{
++	krb5_error_code code;
++	krb5_keytab keytab = NULL;
++	krb5_context ctx;
++	krb5_kt_cursor cursor = NULL;
++	krb5_keytab_entry entry;
++	krb5_principal realm_princ = NULL;
++	gchar *princ_name = NULL;
++	gchar *netbios_name = NULL;
++	krb5_data *name_data;
++
++	code = krb5_init_context (&ctx);
++	if (code != 0) {
++		return NULL;
++	}
++
++	princ_name = g_strdup_printf ("user@%s", realm_name);
++	code = krb5_parse_name (ctx, princ_name, &realm_princ);
++	g_free (princ_name);
++
++	if (code == 0) {
++		code = krb5_kt_default (ctx, &keytab);
++	}
++
++	if (code == 0) {
++		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
++	}
++
++	if (code == 0) {
++		while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
++			if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
++				name_data = krb5_princ_component (ctx, entry.principal, 0);
++				if (name_data != NULL
++				                && name_data->length > 0
++				                && name_data->data[name_data->length - 1] == '$') {
++					netbios_name = g_strndup (name_data->data, name_data->length - 1);
++					if (netbios_name == NULL) {
++						code = krb5_kt_free_entry (ctx, &entry);
++						warn_if_krb5_failed (ctx, code);
++						break;
++					}
++				}
++			}
++			code = krb5_kt_free_entry (ctx, &entry);
++			warn_if_krb5_failed (ctx, code);
++		}
++	}
++
++	code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
++	warn_if_krb5_failed (ctx, code);
++
++	code = krb5_kt_close (ctx, keytab);
++	warn_if_krb5_failed (ctx, code);
++
++	krb5_free_principal (ctx, realm_princ);
++
++	krb5_free_context (ctx);
++
++	return netbios_name;
++
++}
+diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
+index 0447e4d..58cfe07 100644
+--- a/service/realm-kerberos.h
++++ b/service/realm-kerberos.h
+@@ -88,6 +88,8 @@ gchar *             realm_kerberos_format_login          (RealmKerberos *self,
+ gboolean            realm_kerberos_flush_keytab                (const gchar *realm_name,
+                                                                 GError **error);
+ 
++gchar *             realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
++
+ const gchar *       realm_kerberos_get_name                    (RealmKerberos *self);
+ 
+ const gchar *       realm_kerberos_get_realm_name              (RealmKerberos *self);
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index 76e7b79..03f56d0 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -85,7 +85,8 @@ static JoinClosure *
+ join_closure_init (GTask *task,
+                    RealmDisco *disco,
+                    GVariant *options,
+-                   GDBusMethodInvocation *invocation)
++                   GDBusMethodInvocation *invocation,
++                   gboolean do_join)
+ {
+ 	JoinClosure *join;
+ 	gchar *workgroup;
+@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
+ 	else if (disco->explicit_netbios)
+ 		authid = disco->explicit_netbios;
+ 
++	/* try to get the NetBIOS name from the keytab as last option while
++	 * leaving the domain */
++	if (authid == NULL && !do_join) {
++		authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
++	}
++
+ 	join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
+ 	realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
+ 	                      "security", "ads",
+@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
+ 	g_return_if_fail (cred != NULL);
+ 
+ 	task = g_task_new (NULL, NULL, callback, user_data);
+-	join = join_closure_init (task, disco, options, invocation);
++	join = join_closure_init (task, disco, options, invocation, TRUE);
+ 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
+ 	if (explicit_computer_name != NULL) {
+ 		realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
+@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
+ 	JoinClosure *join;
+ 
+ 	task = g_task_new (NULL, NULL, callback, user_data);
+-	join = join_closure_init (task, disco, options, invocation);
++	join = join_closure_init (task, disco, options, invocation, FALSE);
+ 
+ 	switch (cred->type) {
+ 	case REALM_CREDENTIAL_PASSWORD:
+-- 
+2.14.4
+
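Review bot: The cleanup at the end of `realm_kerberos_get_netbios_name_from_keytab` calls `krb5_kt_end_seq_get` and `krb5_kt_close` unconditionally, so when `krb5_parse_name`, `krb5_kt_default` or `krb5_kt_start_seq_get` fails they receive a NULL keytab or a cursor that was never started. The loop condition also calls `krb5_kt_next_entry` before testing `netbios_name`, so once a name is found one more entry is fetched and never passed to `krb5_kt_free_entry`. In `join_closure_init` (which begins and ends outside its hunks) the returned string is allocated, while the other `authid` source visible in the hunk is a borrowed pointer, so it looks like it is never freed; this should be confirmed against the full function. The fence shows the reordered loop test and the guarded cleanup.

```c
	if (code == 0) {
		/* test netbios_name first so no entry is fetched and then dropped unfreed */
		while (netbios_name == NULL && !krb5_kt_next_entry (ctx, keytab, &entry, &cursor)) {
			/* … unchanged: realm compare, '$' suffix check, krb5_kt_free_entry … */
		}

		/* the cursor only exists when krb5_kt_start_seq_get succeeded */
		code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
		warn_if_krb5_failed (ctx, code);
	}

	if (keytab != NULL) {
		code = krb5_kt_close (ctx, keytab);
		warn_if_krb5_failed (ctx, code);
	}
```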
diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch
new file mode 100644
index 0000000..ee9e081
--- /dev/null
+++ b/SOURCES/0001-Fix-issues-found-by-Coverity.patch
@@ -0,0 +1,42 @@
+From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Aug 2018 14:09:48 +0200
+Subject: [PATCH] Fix issues found by Coverity
+
+---
+ service/realm-kerberos.c | 5 ++++-
+ service/realm-packages.c | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index d6d109f..252e256 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
+ 		if (name == NULL)
+ 			break;
+ 		value = va_arg (va, const gchar *);
+-		g_return_if_fail (value != NULL);
++		if (value == NULL) {
++			va_end (va);
++			g_return_if_reached ();
++		}
+ 
+ 		values[0] = g_variant_new_string (name);
+ 		values[1] = g_variant_new_string (value);
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 9a6984c..5976439 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
+ 		g_ptr_array_add (packages, NULL);
+ 		*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
+ 	} else {
+-		g_ptr_array_free (files, TRUE);
++		g_ptr_array_free (packages, TRUE);
+ 	}
+ 
+ 	if (result_files) {
+-- 
+2.17.1
+
diff --git a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
new file mode 100644
index 0000000..fe46620
--- /dev/null
+++ b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
@@ -0,0 +1,24 @@
+From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Jul 2016 19:06:29 +0200
+Subject: [PATCH] Fix man page reference in systemd service file
+
+---
+ dbus/realmd.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
+index b3bcf7a..64c1090 100644
+--- a/dbus/realmd.service.in
++++ b/dbus/realmd.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=Realm and Domain Configuration
+-Documentation=man:realmd(8)
++Documentation=man:realm(8)
+ 
+ [Service]
+ Type=dbus
+-- 
+2.7.4
+
diff --git a/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch b/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
new file mode 100644
index 0000000..5484209
--- /dev/null
+++ b/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
@@ -0,0 +1,62 @@
+From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 27 Sep 2018 13:04:47 +0200
+Subject: [PATCH] IPA: do not call sssd-enable-logins
+
+It is expected that ipa-client-install will do all PAM and NSS
+configuration. To avoid changing IPA default realmd will not try to
+update the related configuration.
+---
+ service/realm-sssd-ipa.c | 24 +-----------------------
+ 1 file changed, 1 insertion(+), 23 deletions(-)
+
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index 5029f6b..70f8b0e 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
+	g_free (enroll);
+ }
+ 
+-static void
+-on_enable_nss_done (GObject *source,
+-                    GAsyncResult *result,
+-                    gpointer user_data)
+-{
+-	GTask *task = G_TASK (user_data);
+-	GError *error = NULL;
+-	gint status;
+-
+-	status = realm_command_run_finish (result, NULL, &error);
+-	if (error == NULL && status != 0)
+-		g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
+-		             _("Enabling SSSD in nsswitch.conf and PAM failed."));
+-	if (error != NULL)
+-		g_task_return_error (task, error);
+-	else
+-		g_task_return_boolean (task, TRUE);
+-	g_object_unref (task);
+-}
+-
+ static void
+ on_restart_done (GObject *source,
+                  GAsyncResult *result,
+                  gpointer user_data)
+ {
+ 	GTask *task = G_TASK (user_data);
+-	EnrollClosure *enroll = g_task_get_task_data (task);
+ 	RealmSssd *sssd = g_task_get_source_object (task);
+ 	GError *error = NULL;
+ 
+ 	realm_service_enable_and_restart_finish (result, &error);
+ 	if (error == NULL) {
+ 		realm_sssd_update_properties (sssd);
+-		realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
+-		                               on_enable_nss_done, g_object_ref (task));
++		g_task_return_boolean (task, TRUE);
+ 	} else {
+ 		g_task_return_error (task, error);
+ 	}
+-- 
+2.17.1
+
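Review bot: `on_restart_done` now reports success as soon as SSSD has restarted, and nothing in the code says why the NSS/PAM step is absent on the IPA path. The reason is only in the commit message; a comment above the `g_task_return_boolean (task, TRUE);` line, e.g. `/* NSS and PAM are configured by ipa-client-install; realmd must not run sssd-enable-logins here */`, would keep the step from being re-added later. `on_restart_done` continues outside the hunk.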
diff --git a/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch b/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
new file mode 100644
index 0000000..a61b602
--- /dev/null
+++ b/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
@@ -0,0 +1,112 @@
+From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 5 Dec 2016 18:25:44 +0100
+Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
+
+---
+ service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 39 insertions(+), 9 deletions(-)
+
+diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
+index 2b3a0f8..1477ae8 100644
+--- a/service/realm-kerberos-provider.c
++++ b/service/realm-kerberos-provider.c
+@@ -19,6 +19,7 @@
+ #include "realm-kerberos-provider.h"
+ 
+ #include <errno.h>
++#include <string.h>
+ 
+ struct _RealmKerberosProvider {
+ 	RealmProvider parent;
+@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
+ 
+ }
+ 
++typedef struct {
++	gchar *name;
++	const char *prot;
++} NameProtPair;
++
++static void
++name_prot_pair_free (gpointer data)
++{
++	NameProtPair *name_prot_pair = data;
++	g_free (name_prot_pair->name);
++	g_free (name_prot_pair);
++}
++
+ static void
+ on_kerberos_discover (GObject *source,
+                       GAsyncResult *result,
+                       gpointer user_data)
+ {
+ 	GTask *task = G_TASK (user_data);
+-	const gchar *domain = g_task_get_task_data (task);
++	NameProtPair *name_prot_pair = g_task_get_task_data (task);
+ 	GError *error = NULL;
+ 	RealmDisco *disco;
+ 	GList *targets;
++	GResolver *resolver;
+ 
+ 	targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
+ 	if (targets) {
+ 		g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
+-		disco = realm_disco_new (domain);
+-		disco->kerberos_realm = g_ascii_strup (domain, -1);
++		disco = realm_disco_new (name_prot_pair->name);
++		disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
+ 		g_task_return_pointer (task, disco, realm_disco_unref);
+ 
+ 	} else if (error) {
+-		g_debug ("Resolving %s failed: %s", domain, error->message);
++		g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
+ 		g_error_free (error);
+-		g_task_return_pointer (task, NULL, NULL);
++
++		if (strcmp (name_prot_pair->prot, "tcp") == 0) {
++			g_task_return_pointer (task, NULL, NULL);
++		} else {
++			/* Try tcp */
++			name_prot_pair->prot = "tcp";
++			resolver = g_resolver_get_default ();
++			g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
++			                                 name_prot_pair->name,
++			                                 g_task_get_cancellable (task),
++			                                 on_kerberos_discover, g_object_ref (task));
++			g_object_unref (resolver);
++		}
+ 	}
+ 
+ 	g_object_unref (task);
+@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
+ 	GTask *task;
+ 	const gchar *software;
+ 	GResolver *resolver;
+-	gchar *name;
++	NameProtPair *name_prot_pair;
+ 
+ 	task = g_task_new (provider, NULL, callback, user_data);
+ 
+@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
+ 		g_task_return_pointer (task, NULL, NULL);
+ 
+ 	} else {
+-		name = g_hostname_to_ascii (string);
++		name_prot_pair = g_new0 (NameProtPair, 1);
++		name_prot_pair->name = g_hostname_to_ascii (string);
++		name_prot_pair->prot = "udp";
+ 		resolver = g_resolver_get_default ();
+-		g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
++		g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
++		                                 name_prot_pair->name,
+ 		                                 realm_invocation_get_cancellable (invocation),
+ 		                                 on_kerberos_discover, g_object_ref (task));
+-		g_task_set_task_data (task, name, g_free);
++		g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
+ 		g_object_unref (resolver);
+ 	}
+ 
+-- 
+2.9.3
+
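Review bot: The TCP retry in `on_kerberos_discover` passes `g_task_get_cancellable (task)`, but the task is created with `g_task_new (provider, NULL, callback, user_data)`, so the retry runs with a NULL cancellable while the first UDP lookup uses `realm_invocation_get_cancellable (invocation)`. A cancelled discovery would therefore still wait for the TCP SRV query. Either keep the invocation's cancellable in `NameProtPair` and pass it on the retry, or create the task with it. Separately, `g_hostname_to_ascii` returns NULL for an invalid hostname and `name_prot_pair->name` is used without a check; an `if (name_prot_pair->name == NULL)` branch should complete the task with no result before the lookup is started. Both functions extend outside their hunks.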
diff --git a/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch b/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch
new file mode 100644
index 0000000..09e9ccf
--- /dev/null
+++ b/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch
@@ -0,0 +1,41 @@
+From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 25 Nov 2016 17:35:11 +0100
+Subject: [PATCH] LDAP: don't close LDAP socket twice
+
+ldap_destroy() will call close() on the LDAP socket so with an explicit
+close() before the file descriptor will be closed twice. Even worse,
+since the file descriptor can be reused after the explicit call of
+close() by any other thread the close() called from ldap_destroy() might
+close a file descriptor used by a different thread as seen e.g. in
+https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
+
+Additionally the patch makes sure that the closed connection cannot be
+used again.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1398522
+---
+ service/realm-ldap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
+index 061ed61..59817fb 100644
+--- a/service/realm-ldap.c
++++ b/service/realm-ldap.c
+@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
+ {
+ 	LdapSource *ls = (LdapSource *)source;
+ 
+-	/* Yeah, this is pretty rough, but we don't want blocking here */
+-	close (ls->sock);
+ 	ldap_destroy (ls->ldap);
+ 
++	ls->sock = -1;
++	ls->ldap = NULL;
++
+ 	if (ls->cancellable) {
+ 		g_cancellable_release_fd (ls->cancellable);
+ 		g_object_unref (ls->cancellable);
+-- 
+2.9.3
+
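Review bot: `ldap_source_finalize` no longer says who owns the socket; the removed comment was the only explanation next to `ldap_destroy`, and the reason for dropping `close()` lives only in the commit message. A comment on that call, e.g. `/* ldap_destroy() closes ls->sock; never close() it here, the fd number may already be reused by another thread */`, would keep the double close from coming back. The function continues outside the hunk.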
diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
new file mode 100644
index 0000000..ea34960
--- /dev/null
+++ b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
@@ -0,0 +1,185 @@
+From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 30 May 2018 13:10:57 +0200
+Subject: [PATCH] Use current idmap options for smb.conf
+
+Samba change some time ago the way how to configure id-mapping. With
+this patch realmd will use the current supported options when creating
+smb.conf.
+
+A new option --legacy-samba-config is added to use the old options if
+realmd is used with Samba 3.5 or earlier.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
+---
+ dbus/realm-dbus-constants.h   |  1 +
+ doc/manual/realmd.conf.xml    | 17 ++++++++++++
+ service/realm-samba-enroll.c  |  2 +-
+ service/realm-samba-enroll.h  |  3 +++
+ service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
+ 5 files changed, 72 insertions(+), 14 deletions(-)
+
+diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
+index 9cd30ef..40ffa2d 100644
+--- a/dbus/realm-dbus-constants.h
++++ b/dbus/realm-dbus-constants.h
+@@ -69,6 +69,7 @@ G_BEGIN_DECLS
+ #define   REALM_DBUS_OPTION_COMPUTER_NAME          "computer-name"
+ #define   REALM_DBUS_OPTION_OS_NAME                "os-name"
+ #define   REALM_DBUS_OPTION_OS_VERSION             "os-version"
++#define   REALM_DBUS_OPTION_LEGACY_SMB_CONF        "legacy-samba-config"
+ 
+ #define   REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY   "active-directory"
+ #define   REALM_DBUS_IDENTIFIER_WINBIND            "winbind"
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index 7853230..a2b577c 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -192,6 +192,23 @@ automatic-install = no
+ 	</listitem>
+ 	</varlistentry>
+ 
++	<varlistentry>
++	<term><option>legacy-samba-config</option></term>
++	<listitem>
++		<para>Set this to <parameter>yes</parameter> to create a Samba
++		configuration file with id-mapping options used by Samba-3.5
++		and earlier version.</para>
++
++		<informalexample>
++<programlisting language="js">
++[service]
++legacy-samba-config = no
++# legacy-samba-config = yes
++</programlisting>
++		</informalexample>
++	</listitem>
++	</varlistentry>
++
+ 	</variablelist>
+ </refsect1>
+ 
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index c81aed2..76e7b79 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
+ 	g_free (join);
+ }
+ 
+-static gchar *
++gchar *
+ fallback_workgroup (const gchar *realm)
+ {
+ 	const gchar *pos;
+diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
+index 84e8b2f..310ec65 100644
+--- a/service/realm-samba-enroll.h
++++ b/service/realm-samba-enroll.h
+@@ -46,6 +46,9 @@ void               realm_samba_enroll_leave_async          (RealmDisco *disco,
+ gboolean           realm_samba_enroll_leave_finish         (GAsyncResult *result,
+                                                             GError **error);
+ 
++gchar *
++fallback_workgroup (const gchar *realm);
++
+ G_END_DECLS
+ 
+ #endif /* __REALM_SAMBA_ENROLL_H__ */
+diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
+index a7ddec3..9335e26 100644
+--- a/service/realm-samba-winbind.c
++++ b/service/realm-samba-winbind.c
+@@ -21,8 +21,10 @@
+ #include "realm-options.h"
+ #include "realm-samba-config.h"
+ #include "realm-samba-winbind.h"
++#include "realm-samba-enroll.h"
+ #include "realm-settings.h"
+ #include "realm-service.h"
++#include "dbus/realm-dbus-constants.h"
+ 
+ #include <glib/gstdio.h>
+ 
+@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ 	RealmIniConfig *pwc;
+ 	GTask *task;
+ 	GError *error = NULL;
++	gchar *workgroup = NULL;
++	gchar *idmap_config_backend = NULL;
++	gchar *idmap_config_range = NULL;
++	gchar *idmap_config_schema_mode = NULL;
+ 
+ 	g_return_if_fail (config != NULL);
+ 	g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
+@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ 		                      "template shell", realm_settings_string ("users", "default-shell"),
+ 		                      NULL);
+ 
+-		if (realm_options_automatic_mapping (options, domain_name)) {
+-			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+-			                      "idmap uid", "10000-2000000",
+-			                      "idmap gid", "10000-2000000",
+-			                      "idmap backend", "tdb",
+-			                      "idmap schema", NULL,
+-			                      NULL);
++		if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
++			if (realm_options_automatic_mapping (options, domain_name)) {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap uid", "10000-2000000",
++						      "idmap gid", "10000-2000000",
++						      "idmap backend", "tdb",
++						      "idmap schema", NULL,
++						      NULL);
++			} else {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap uid", "500-4294967296",
++						      "idmap gid", "500-4294967296",
++						      "idmap backend", "ad",
++						      "idmap schema", "rfc2307",
++						      NULL);
++			}
+ 		} else {
+-			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+-			                      "idmap uid", "500-4294967296",
+-			                      "idmap gid", "500-4294967296",
+-			                      "idmap backend", "ad",
+-			                      "idmap schema", "rfc2307",
+-			                      NULL);
++			workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
++			if (workgroup == NULL) {
++				workgroup = fallback_workgroup (domain_name);
++			}
++			idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
++			idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
++			idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
++			g_free (workgroup);
++
++			if (realm_options_automatic_mapping (options, domain_name)) {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap config * : backend", "tdb",
++						      "idmap config * : range", "10000-999999",
++						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
++						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
++						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
++						      NULL);
++			} else {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap config * : backend", "tdb",
++						      "idmap config * : range", "10000000-10999999",
++						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
++						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
++						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
++						      NULL);
++			}
+ 		}
+ 
+ 		realm_ini_config_finish_change (config, &error);
++		g_free (idmap_config_backend);
++		g_free (idmap_config_range);
+ 	}
+ 
+ 	/* Setup pam_winbind.conf with decent defaults matching our expectations */
+-- 
+2.14.4
+
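Review bot: `idmap_config_schema_mode` is allocated with `g_strdup_printf` in `realm_samba_winbind_configure_async`, but only `idmap_config_backend` and `idmap_config_range` are freed after `realm_ini_config_finish_change`; add `g_free (idmap_config_schema_mode);` next to them. When neither smb.conf nor `fallback_workgroup` yields a workgroup, the literal `PLEASE_REPLACE` is written into the idmap keys with no diagnostic visible in the hunk, so the configuration step appears to succeed with an id-mapping section that matches no domain; reporting this through the invocation or failing the step would be safer. The `!= NULL ? … : "idmap config PLEASE_REPLACE …"` fallbacks are dead code, since `g_strdup_printf` does not return NULL for these format strings. The function starts and ends outside the hunk.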
diff --git a/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch b/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
new file mode 100644
index 0000000..8b8f633
--- /dev/null
+++ b/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
@@ -0,0 +1,96 @@
+From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@redhat.com>
+Date: Fri, 28 Oct 2016 20:27:48 +0200
+Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
+
+After adding a domain to sssd.conf add the nss and pam services
+to the [sssd] block.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98479
+---
+ service/realm-sssd-ad.c     | 3 +++
+ service/realm-sssd-config.c | 2 --
+ service/realm-sssd-ipa.c    | 3 +++
+ tests/test-sssd-config.c    | 4 ++--
+ 4 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 5ed384d..5fa81ce 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
+                            gboolean use_adcli,
+                            GError **error)
+ {
++	const gchar *services[] = { "nss", "pam", NULL };
+ 	GString *realmd_tags;
+ 	const gchar *access_provider;
+ 	const gchar *shell;
+@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
+ 	                                    "ldap_sasl_authid", authid,
+ 	                                    NULL);
+ 
++	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
++
+ 	g_free (authid);
+ 	g_string_free (realmd_tags, TRUE);
+ 
+diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
+index 2096afd..d4398b9 100644
+--- a/service/realm-sssd-config.c
++++ b/service/realm-sssd-config.c
+@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
+ 	g_strfreev (already);
+ 
+ 	/* Setup a default sssd section */
+-	if (!realm_ini_config_have (config, "section", "services"))
+-		realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
+ 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
+ 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
+ 
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index b12136e..001870d 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
+                           GAsyncResult *result,
+                           gpointer user_data)
+ {
++	const gchar *services[] = { "nss", "pam", NULL };
+ 	GTask *task = G_TASK (user_data);
+ 	EnrollClosure *enroll = g_task_get_task_data (task);
+ 	RealmSssd *sssd = g_task_get_source_object (task);
+@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
+ 		                                 "realmd_tags", realmd_tags,
+ 		                                 NULL);
+ 
++		realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
++
+ 		g_free (home);
+ 	}
+ 
+diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
+index 59eab75..892b9d5 100644
+--- a/tests/test-sssd-config.c
++++ b/tests/test-sssd-config.c
+@@ -90,7 +90,7 @@ test_add_domain (Test *test,
+                  gconstpointer unused)
+ {
+ 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
+-	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
++	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ 	GError *error = NULL;
+ 	gchar *output;
+ 	gboolean ret;
+@@ -140,7 +140,7 @@ static void
+ test_add_domain_only (Test *test,
+                       gconstpointer unused)
+ {
+-	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
++	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
+ 	GError *error = NULL;
+ 	gchar *output;
+ 	gboolean ret;
+-- 
+2.9.3
+
diff --git a/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch b/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
new file mode 100644
index 0000000..6c44727
--- /dev/null
+++ b/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
@@ -0,0 +1,98 @@
+From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Tue, 25 Apr 2017 07:20:17 +0200
+Subject: [PATCH] service: Add "pam" and "nss" services in
+ realm_sssd_config_add_domain()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+realm_sssd_config_add_domain() must setup the services line in sssd.conf
+otherwise SSSD won't be able to start any of its services.
+
+It's a regression caused by 402cbab which leaves SSSD with no services
+line when joining to an ad client doing "realm join ad.example".
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98479
+
+Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
+---
+ service/realm-sssd-ad.c     | 3 ++-
+ service/realm-sssd-config.c | 2 ++
+ service/realm-sssd-ipa.c    | 3 ++-
+ tests/test-sssd-config.c    | 4 ++--
+ 4 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 5fa81ce..8543ca8 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
+ 	                                    "ldap_sasl_authid", authid,
+ 	                                    NULL);
+ 
+-	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
++	if (ret)
++		ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
+ 
+ 	g_free (authid);
+ 	g_string_free (realmd_tags, TRUE);
+diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
+index d4398b9..140d7dc 100644
+--- a/service/realm-sssd-config.c
++++ b/service/realm-sssd-config.c
+@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
+ 	gchar **already;
+ 	gboolean ret;
+ 	gchar *section;
++	const gchar *services[] = { "nss", "pam", NULL };
+ 	va_list va;
+ 	gint i;
+ 
+@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
+ 	g_strfreev (already);
+ 
+ 	/* Setup a default sssd section */
++	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
+ 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
+ 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
+ 
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index 001870d..ff1dc8a 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
+ 		                                 "realmd_tags", realmd_tags,
+ 		                                 NULL);
+ 
+-		realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
++		if (error == NULL)
++			realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
+ 
+ 		g_free (home);
+ 	}
+diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
+index 892b9d5..59eab75 100644
+--- a/tests/test-sssd-config.c
++++ b/tests/test-sssd-config.c
+@@ -90,7 +90,7 @@ test_add_domain (Test *test,
+                  gconstpointer unused)
+ {
+ 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
+-	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
++	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ 	GError *error = NULL;
+ 	gchar *output;
+ 	gboolean ret;
+@@ -140,7 +140,7 @@ static void
+ test_add_domain_only (Test *test,
+                       gconstpointer unused)
+ {
+-	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
++	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+ 	GError *error = NULL;
+ 	gchar *output;
+ 	gboolean ret;
+-- 
+2.9.3
+
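Review bot: The two call sites treat the result of `realm_ini_config_change_list` differently: the realm-sssd-ad.c hunk chains it through `ret` (`if (ret) ret = realm_ini_config_change_list (...)`), while the realm-sssd-ipa.c hunk guards on `error == NULL` and discards the return value. Both enclosing functions continue outside the hunks, so whether on_ipa_client_do_restart inspects `error` afterwards cannot be seen here. A comment such as `/* failure is reported through error, checked below */` would make the intent explicit, or the return value could be captured as in the AD path. The same patch also has realm_sssd_config_add_domain set `services` through `realm_ini_config_set_list_diff`, so the callers' `change_list` calls look like a second write of the same list. If both are needed (for example when the domain section already exists), a one-line comment at either site should say why.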
diff --git a/SOURCES/0001-switch-to-authselect.patch b/SOURCES/0001-switch-to-authselect.patch
new file mode 100644
index 0000000..d750d6d
--- /dev/null
+++ b/SOURCES/0001-switch-to-authselect.patch
@@ -0,0 +1,36 @@
+From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 19 Feb 2018 11:51:06 +0100
+Subject: [PATCH] switch to authselect
+
+---
+ service/realmd-redhat.conf | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
+index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
+--- a/service/realmd-redhat.conf
++++ b/service/realmd-redhat.conf
+@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
+ freeipa-client = /usr/sbin/ipa-client-install
+ 
+ [commands]
+-winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+-winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
++winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
++winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
+ winbind-enable-service = /usr/bin/systemctl enable winbind.service
+ winbind-disable-service = /usr/bin/systemctl disable winbind.service
+ winbind-restart-service = /usr/bin/systemctl restart winbind.service
+ winbind-stop-service = /usr/bin/systemctl stop winbind.service
+ 
+-sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
+-sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
++sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
++sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
+ sssd-enable-service = /usr/bin/systemctl enable sssd.service
+ sssd-disable-service = /usr/bin/systemctl disable sssd.service
+ sssd-restart-service = /usr/bin/systemctl restart sssd.service
+-- 
+2.9.3
+
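Review bot: `sssd-disable-logins` now runs `/usr/bin/authselect select sssd with-mkhomedir`, which is the same profile that `sssd-enable-logins` selects. Unlike the removed `authconfig --update --disablesssdauth --nostart`, it therefore does not appear to take SSSD out of the PAM/NSS configuration when a realm is left, and `winbind-disable-logins` likewise switches to the sssd profile rather than to a local-only one. If that is deliberate, the file should say so, e.g. `# leaving a realm falls back to the plain sssd profile rather than removing SSSD from the stack`. The two enable commands also pass `--force`, which lets authselect overwrite PAM and nsswitch configuration it did not create, so hand-maintained PAM hardening on a host could be replaced on join. A comment beside those lines, or a note in the join documentation, should tell administrators to re-check their PAM stack after enrollment.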
diff --git a/SOURCES/0001-tests-run-tests-with-python3.patch b/SOURCES/0001-tests-run-tests-with-python3.patch
new file mode 100644
index 0000000..607afa4
--- /dev/null
+++ b/SOURCES/0001-tests-run-tests-with-python3.patch
@@ -0,0 +1,374 @@
+From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 4 Jul 2018 16:41:16 +0200
+Subject: [PATCH] tests: run tests with python3
+
+To allow the test to run with python3 build/tap-driver and
+build/tap-gtester are updated to the latest version provided by the
+cockpit project https://github.com/cockpit-project/cockpit.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
+---
+ build/tap-driver  | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
+ build/tap-gtester |  59 ++++++++++++++++++++++---------
+ 2 files changed, 125 insertions(+), 38 deletions(-)
+
+diff --git a/build/tap-driver b/build/tap-driver
+index 42f57c8..241fd50 100755
+--- a/build/tap-driver
++++ b/build/tap-driver
+@@ -1,4 +1,5 @@
+-#!/usr/bin/python
++#!/usr/bin/python3
++# This can also be run with Python 2.
+ 
+ # Copyright (C) 2013 Red Hat, Inc.
+ #
+@@ -29,20 +30,58 @@
+ #
+ 
+ import argparse
++import fcntl
+ import os
+ import select
++import struct
+ import subprocess
+ import sys
++import termios
++import errno
++
++_PY3 = sys.version[0] >= '3'
++_str = _PY3 and str or unicode
++
++def out(data, stream=None, flush=False):
++    if not isinstance(data, bytes):
++        data = data.encode("UTF-8")
++    if not stream:
++        stream = _PY3 and sys.stdout.buffer or sys.stdout
++    while True:
++        try:
++            if data:
++                stream.write(data)
++            data = None
++            if flush:
++                stream.flush()
++            flush = False
++            break
++        except IOError as e:
++            if e.errno == errno.EAGAIN:
++                continue
++            raise
++
++def terminal_width():
++    try:
++        h, w, hp, wp = struct.unpack('HHHH',
++            fcntl.ioctl(1, termios.TIOCGWINSZ,
++            struct.pack('HHHH', 0, 0, 0, 0)))
++        return w
++    except IOError as e:
++        if e.errno != errno.ENOTTY:
++            sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
++        return sys.maxsize
+ 
+ class Driver:
+     def __init__(self, args):
+         self.argv = args.command
+         self.test_name = args.test_name
+-        self.log = open(args.log_file, "w")
+-        self.log.write("# %s\n" % " ".join(sys.argv))
++        self.log = open(args.log_file, "wb")
++        self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
+         self.trs = open(args.trs_file, "w")
+         self.color_tests = args.color_tests
+         self.expect_failure = args.expect_failure
++        self.width = terminal_width() - 9
+ 
+     def report(self, code, *args):
+         CODES = {
+@@ -57,17 +96,18 @@ class Driver:
+         # Print out to console
+         if self.color_tests:
+             if code in CODES:
+-                sys.stdout.write(CODES[code])
+-        sys.stdout.write(code)
++                out(CODES[code])
++        out(code)
+         if self.color_tests:
+-            sys.stdout.write('\x1b[m')
+-        sys.stdout.write(": ")
+-        sys.stdout.write(self.test_name)
+-        sys.stdout.write(" ")
+-        for arg in args:
+-            sys.stdout.write(str(arg))
+-        sys.stdout.write("\n")
+-        sys.stdout.flush()
++            out('\x1b[m')
++        out(": ")
++        msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
++        if code == "PASS" and len(msg) > self.width:
++            out(msg[:self.width])
++            out("...")
++        else:
++            out(msg)
++        out("\n", flush=True)
+ 
+         # Book keeping
+         if code in CODES:
+@@ -100,12 +140,14 @@ class Driver:
+     def execute(self):
+         try:
+             proc = subprocess.Popen(self.argv, close_fds=True,
++                                    stdin=subprocess.PIPE,
+                                     stdout=subprocess.PIPE,
+                                     stderr=subprocess.PIPE)
+-        except OSError, ex:
++        except OSError as ex:
+             self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
+             return
+ 
++        proc.stdin.close()
+         outf = proc.stdout.fileno()
+         errf = proc.stderr.fileno()
+         rset = [outf, errf]
+@@ -113,18 +155,25 @@ class Driver:
+             ret = select.select(rset, [], [], 10)
+             if outf in ret[0]:
+                 data = os.read(outf, 1024)
+-                if data == "":
++                if data == b"":
+                     rset.remove(outf)
+                 self.log.write(data)
+                 self.process(data)
+             if errf in ret[0]:
+                 data = os.read(errf, 1024)
+-                if data == "":
++                if data == b"":
+                     rset.remove(errf)
+                 self.log.write(data)
+-                sys.stderr.write(data)
++                stream = _PY3 and sys.stderr.buffer or sys.stderr
++                out(data, stream=stream, flush=True)
+ 
+         proc.wait()
++
++        # Make sure the test didn't change blocking output
++        assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
++        assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
++        assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
++
+         return proc.returncode
+ 
+ 
+@@ -137,6 +186,7 @@ class TapDriver(Driver):
+         self.late_plan = False
+         self.errored = False
+         self.bail_out = False
++        self.skip_all_reason = None
+ 
+     def report(self, code, num, *args):
+         if num:
+@@ -170,13 +220,19 @@ class TapDriver(Driver):
+         else:
+             self.result_fail(num, description)
+ 
+-    def consume_test_plan(self, first, last):
++    def consume_test_plan(self, line):
+         # Only one test plan is supported
+         if self.test_plan:
+             self.report_error("Get a second TAP test plan")
+             return
+ 
++        if line.lower().startswith('1..0 # skip'):
++            self.skip_all_reason = line[5:].strip()
++            self.bail_out = True
++            return
++
+         try:
++            (first, unused, last) = line.partition("..")
+             first = int(first)
+             last = int(last)
+         except ValueError:
+@@ -192,7 +248,7 @@ class TapDriver(Driver):
+ 
+     def process(self, output):
+         if output:
+-            self.output += output
++            self.output += output.decode("UTF-8")
+         elif self.output:
+             self.output += "\n"
+         (ready, unused, self.output) = self.output.rpartition("\n")
+@@ -202,8 +258,7 @@ class TapDriver(Driver):
+             elif line.startswith("not ok "):
+                 self.consume_test_line(False, line[7:])
+             elif line and line[0].isdigit() and ".." in line:
+-                (first, unused, last) = line.partition("..")
+-                self.consume_test_plan(first, last)
++                self.consume_test_plan(line)
+             elif line.lower().startswith("bail out!"):
+                 self.consume_bail_out(line)
+ 
+@@ -213,6 +268,13 @@ class TapDriver(Driver):
+         failed = False
+         skipped = True
+ 
++        if self.skip_all_reason is not None:
++            self.result_skip("skipping:", self.skip_all_reason)
++            self.trs.write(":global-test-result: SKIP\n")
++            self.trs.write(":test-global-result: SKIP\n")
++            self.trs.write(":recheck: no\n")
++            return 0
++
+         # Basic collation of results
+         for (num, code) in self.reported.items():
+             if code == "ERROR":
+diff --git a/build/tap-gtester b/build/tap-gtester
+index 7e667d4..bbda266 100755
+--- a/build/tap-gtester
++++ b/build/tap-gtester
+@@ -1,4 +1,5 @@
+-#!/usr/bin/python
++#!/usr/bin/python3
++# This can also be run with Python 2.
+ 
+ # Copyright (C) 2014 Red Hat, Inc.
+ #
+@@ -30,9 +31,19 @@
+ import argparse
+ import os
+ import select
++import signal
+ import subprocess
+ import sys
+ 
++# Yes, it's dumb, but strsignal is not exposed in python
++# In addition signal numbers varify heavily from arch to arch
++def strsignal(sig):
++    for name in dir(signal):
++        if name.startswith("SIG") and sig == getattr(signal, name):
++            return name
++    return str(sig)
++
++
+ class NullCompiler:
+     def __init__(self, command):
+         self.command = command
+@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
+            elif cmd == "result":
+                if self.test_name:
+                    if data == "OK":
+-                       print "ok %d %s" % (self.test_num, self.test_name)
++                       print("ok %d %s" % (self.test_num, self.test_name))
+                    if data == "FAIL":
+-                       print "not ok %d %s", (self.test_num, self.test_name)
++                       print("not ok %d %s" % (self.test_num, self.test_name))
+                self.test_name = None
+            elif cmd == "skipping":
+                if "/subprocess" not in data:
+-                   print "ok %d # skip -- %s" % (self.test_num, data)
++                   print("ok %d # skip -- %s" % (self.test_num, data))
+                self.test_name = None
+            elif data:
+-               print "# %s: %s" % (cmd, data)
++               print("# %s: %s" % (cmd, data))
+            else:
+-               print "# %s" % cmd
++               print("# %s" % cmd)
+         elif line.startswith("(MSG: "):
+-            print "# %s" % line[6:-1]
++            print("# %s" % line[6:-1])
+         elif line:
+-            print "# %s" % line
++            print("# %s" % line)
+         sys.stdout.flush()
+ 
+     def run(self, proc, output=""):
+@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
+             if line.startswith("/"):
+                 self.test_remaining.append(line.strip())
+         if not self.test_remaining:
+-            print "Bail out! No tests found in GTest: %s" % self.command[0]
++            print("Bail out! No tests found in GTest: %s" % self.command[0])
+             return 0
+ 
+-        print "1..%d" % len(self.test_remaining)
++        print("1..%d" % len(self.test_remaining))
+ 
+         # First try to run all the tests in a batch
+-        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
++        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
++                                stdout=subprocess.PIPE, universal_newlines=True)
+         result = self.process(proc)
+         if result == 0:
+             return 0
+ 
++        if result < 0:
++            sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
++
+         # Now pick up any stragglers due to failures
+         while True:
+             # Assume that the last test failed
+             if self.test_name:
+-                print "not ok %d %s" % (self.test_num, self.test_name)
++                print("not ok %d %s" % (self.test_num, self.test_name))
+                 self.test_name = None
+ 
+             # Run any tests which didn't get run
+@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
+                 break
+ 
+             proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
+-                                    close_fds=True, stdout=subprocess.PIPE)
++                                    close_fds=True, stdout=subprocess.PIPE,
++                                    universal_newlines=True)
+             result = self.process(proc)
+ 
+             # The various exit codes and signals we continue for
+@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
+         return result
+ 
+ def main(argv):
+-    parser = argparse.ArgumentParser(description='Automake TAP compiler')
++    parser = argparse.ArgumentParser(description='Automake TAP compiler',
++                                     usage="tap-gtester [--format FORMAT] command ...")
+     parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
+                         default="auto", help='The input format to compile')
+     parser.add_argument('--verbose', action='store_true',
+                         default=True, help='Verbose mode (ignored)')
+-    parser.add_argument('command', nargs='+', help="A test command to run")
++    parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
+     args = parser.parse_args(argv[1:])
+ 
+     output = None
+     format = args.format
+     cmd = args.command
++    if not cmd:
++        sys.stderr.write("tap-gtester: specify a command to run\n")
++        return 2
++    if cmd[0] == '--':
++        cmd.pop(0)
++
+     proc = None
+ 
+     os.environ['HARNESS_ACTIVE'] = '1'
+ 
+     if format in ["auto", "gtest"]:
+         list_cmd = cmd + ["-l", "--verbose"]
+-        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
++        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
++                                universal_newlines=True)
+         output = proc.stdout.readline()
+         # Smell whether we're dealing with GTest list output from first line
+         if "random seed" in output or "GTest" in output or output.startswith("/"):
+@@ -164,7 +188,8 @@ def main(argv):
+         else:
+             format = "tap"
+     else:
+-        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
++        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
++                                universal_newlines=True)
+ 
+     if format == "gtest":
+         compiler = GTestCompiler(cmd)
+-- 
+2.14.4
+
diff --git a/SOURCES/ipa-packages.patch b/SOURCES/ipa-packages.patch
new file mode 100644
index 0000000..67df543
--- /dev/null
+++ b/SOURCES/ipa-packages.patch
@@ -0,0 +1,13 @@
+diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
+index da2de55..856b36d 100644
+--- a/service/realmd-redhat.conf
++++ b/service/realmd-redhat.conf
+@@ -20,7 +20,7 @@ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
+ adcli = /usr/sbin/adcli
+ 
+ [ipa-packages]
+-freeipa-client = /usr/sbin/ipa-client-install
++ipa-client = /usr/sbin/ipa-client-install
+ 
+ [commands]
+ winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
new file mode 100644
index 0000000..3a22ddf
--- /dev/null
+++ b/SPECS/realmd.spec
@@ -0,0 +1,380 @@
+Name:		realmd
+Version:	0.16.3
+Release:	16%{?dist}
+Summary:	Kerberos realm enrollment service
+License:	LGPLv2+
+URL:		http://cgit.freedesktop.org/realmd/realmd/
+Source0:	http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
+
+Patch1:		0001-LDAP-don-t-close-LDAP-socket-twice.patch
+Patch2:		0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
+Patch3:		0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
+Patch4:		0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
+Patch5:		0001-switch-to-authselect.patch
+Patch6:		0001-Fix-man-page-reference-in-systemd-service-file.patch
+Patch7:		0001-Use-current-idmap-options-for-smb.conf.patch
+Patch8:		0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
+Patch9:		0001-tests-run-tests-with-python3.patch
+Patch10:	ipa-packages.patch
+Patch11:	0001-Fix-issues-found-by-Coverity.patch
+
+Patch12:	0001-Change-qualified-names-default-for-IPA.patch
+
+Patch13:	0001-IPA-do-not-call-sssd-enable-logins.patch
+
+BuildRequires:	gcc
+BuildRequires:	automake
+BuildRequires:	autoconf
+BuildRequires:	intltool pkgconfig
+BuildRequires:	gettext-devel
+BuildRequires:	glib2-devel >= 2.32.0
+BuildRequires:	openldap-devel
+BuildRequires:	polkit-devel
+BuildRequires:	krb5-devel
+BuildRequires:	systemd-devel
+BuildRequires:	libxslt
+BuildRequires:	xmlto
+BuildRequires:	%{_bindir}/python3
+
+Requires:	authselect
+Requires:	polkit
+
+%description
+realmd is a DBus system service which manages discovery and enrollment in realms
+and domains like Active Directory or IPA. The control center uses realmd as the
+back end to 'join' a domain simply and automatically configure things correctly.
+
+%package devel-docs
+Summary:	Developer documentation files for %{name}
+
+%description devel-docs
+The %{name}-devel package contains developer documentation for developing
+applications that use %{name}.
+
+%define _hardened_build 1
+
+%prep
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+
+%build
+autoreconf -fi
+%configure --disable-silent-rules
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+make install DESTDIR=%{buildroot}
+
+%find_lang realmd
+
+%files -f realmd.lang
+%doc AUTHORS COPYING NEWS README
+%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
+%{_sbindir}/realm
+%dir %{_prefix}/lib/realmd
+%{_prefix}/lib/realmd/realmd
+%{_prefix}/lib/realmd/realmd-defaults.conf
+%{_prefix}/lib/realmd/realmd-distro.conf
+%{_unitdir}/realmd.service
+%{_datadir}/dbus-1/system-services/org.freedesktop.realmd.service
+%{_datadir}/polkit-1/actions/org.freedesktop.realmd.policy
+%{_mandir}/man8/realm.8.gz
+%{_mandir}/man5/realmd.conf.5.gz
+%{_localstatedir}/cache/realmd/
+
+%files devel-docs
+%doc %{_datadir}/doc/realmd/
+%doc ChangeLog
+
+%changelog
+* Thu Sep 27 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-16
+- Do not call authselect for IPA domains
+  Resolves: rhbz#1633572
+
+* Wed Aug 22 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
+- Change IPA defaults
+  Resolves: rhbz#1619162
+
+* Tue Aug 14 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-14
+- Fix python BuildRequires
+  Resolves: rhbz#1615564
+- Add RHEL specific patch for IPA
+  Resolves: rhbz#1615320
+- Fix issues found by Coverity
+  Resolves: rhbz#1602677
+
+* Wed Jul 04 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-13
+- Add latests patches from RHEL7
+- Add polkit runtime dependency
+  Resolves: rhbz#1577179
+- Drop python2 build dependency
+  Resolves: rhbz#1595813
+- Fix documentation reference in systemd unit file
+  Resolves: rhbz#1596325
+* Sun Mar 18 2018 René Genz <liebundartig@freenet.de> - 0.16.3-12
+- use correct authselect syntax for *-disable-logins to fix rhbz#1558245
+- Iryna Shcherbina <ishcherb@redhat.com>
+  Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Thu Mar 01 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-11
+- Require authselect instead of authconfig, related: rhbz#1537246
+
+* Tue Feb 20 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-10
+- added BuildRequires gcc
+- Use authselect instead of authconfig, related: rhbz#1537246
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Sep 05 2017 Petr Pisar <ppisar@redhat.com> - 0.16.3-8
+- Update all m4 macros to prevent from mismatching between Automake versions
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Apr 25 2017 Sumit Bose <sbose@redhat.com> - 0.16.3-5
+- Resolves: rhbz#1445017
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 19 2017 Merlin Mathesius <mmathesi@redhat.com> - 0.16.3-3
+- Add BuildRequires: python to fix FTBFS (BZ#1415000).
+
+* Tue Dec 13 2016 Sumit Bose <sbose@redhat.com> - 0.16.3-2
+- Resolves: rhbz#1401605
+
+* Wed Nov 30 2016 Sumit Bose <sbose@redhat.com> - 0.16.3-1
+- Updated to upstream 0.16.3 plus patches from git master
+
+* Fri Jun 03 2016 Sumit Bose <sbose@redhat.com> - 0.16.2-5
+- properly apply patch for rhbz#1330766
+- Resolves: rhbz#1330766
+
+* Wed May 18 2016 Sumit Bose <sbose@redhat.com> - 0.16.2-4
+- Resolves: rhbz#1330766
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Sep 11 2015 Stef Walter <stefw@redhat.com> - 0.16.2-2
+- Fixed --computer-ou regression
+- Show message when installing packages
+
+* Fri Jul 31 2015 Stef Walter <stefw@redhat.com> - 0.16.2-1
+- Updated to upstream 0.16.2
+- Install to $prefix/lib instead of $libdir
+- Resolves: rhbz#1246741
+
+* Tue Jul 14 2015 Stef Walter <stefw@redhat.com> - 0.16.1-1
+- Updated to upstream 0.16.1
+- Resolves: rhbz#1231128
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.16.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Apr 14 2015 Stef Walter <stefw@redhat.com> - 0.16.0-1
+- Updated to upstream 0.16.0
+- Resolves: rhbz#1205753
+- Resolves: rhbz#1142190
+- Resolves: rhbz#1061091
+- Resolves: rhbz#1205752
+
+* Thu Apr 09 2015 Stephen Gallagher <sgallagh@redhat.com> - 0.15.2-2
+- Resolves: rhbz#1210483
+
+* Mon Oct 06 2014 Stef Walter <stefw@redhat.com> - 0.15.2-1
+- Update to upstream 0.15.2
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.15.1-2
+- Move ChangeLog to devel-docs. NEWS is probably riveting enough for users
+
+* Fri May 23 2014 Stef Walter <stefw@redhat.com> - 0.15.1-1
+- Update to upstream 0.15.1
+- Remove the packagekit patch that's now integrated upstream
+
+* Thu Jan 30 2014 Richard Hughes <rhughes@redhat.com> - 0.15.0-2
+- Rebuild for libpackagekit-glib soname bump
+
+* Tue Jan 07 2014 Stef Walter <stefw@redhat.com> - 0.15.0-1
+- Update to upstream 0.15.0 release, fixing various bugs
+
+* Mon Sep 09 2013 Stef Walter <stefw@redhat.com> - 0.14.6-1
+- Update to upstream 0.14.6 point release
+- Set 'kerberos method = system keytab' in smb.conf properly
+- Limit Netbios name to 15 chars when joining AD domain
+
+* Thu Aug 15 2013 Stef Walter <stefw@redhat.com> - 0.14.5-1
+- Update to upstream 0.14.5 point release
+- Fix regression conflicting --unattended and -U as in --user args
+- Pass discovered server address to adcli tool
+
+* Wed Aug 07 2013 Stef Walter <stefw@redhot.com> - 0.14.4-1
+- Update to upstream 0.14.4 point release
+- Fix up the [sssd] section in sssd.conf if it's screwed up
+- Add an --unattended argument to realm command line client
+- Clearer 'realm permit' manual page example
+
+* Wed Aug 07 2013 Stef Walter <stefw@redhot.com> - 0.14.3-1
+- Update to upstream 0.14.3 point release
+- Populate LoginFormats correctly [#961442]
+- Documentation clarifications
+- Set sssd.conf default_shell per domain
+- Notify in terminal output when installing packages
+- If joined via adcli, delete computer with adcli too [#961244]
+- If input is not a tty, read from stdin without getpass() [#983153]
+- Configure pam_winbind.conf appropriately [#983153]
+- Refer to FreeIPA as IPA
+- Support use of kerberos ccache to join when winbind
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 15 2013 Stef Walter <stefw@redhat.com> - 0.14.2-4
+- Build with verbose automake output
+
+* Tue Jun 11 2013 Stef Walter <stefw@redhat.com> - 0.14.2-3
+- Run test suite when building the package
+- Fix rpmlint errors
+
+* Thu Jun 06 2013 Stef Walter <stefw@redhat.com> - 0.14.2-2
+- Install oddjobd and oddjob-mkhomedir when joining domains [#969441]
+
+* Mon May 27 2013 Stef Walter <stefw@redhat.com> - 0.14.2-1
+- Update to upstream 0.14.2 version
+- Discover FreeIPA 3.0 with AD trust correctly [#966148]
+- Only allow joining one realm by default [#966650]
+- Enable the oddjobd service after joining a domain [#964971]
+- Remove sssd.conf allow lists when permitting all [#965760]
+- Add dependency on authconfig [#964675]
+- Remove glib-networking dependency now that we no longer use SSL.
+
+* Mon May 13 2013 Stef Walter <stefw@redhat.com> - 0.14.1-1
+- Update to upstream 0.14.1 version
+- Fix crasher/regression using passwords with joins [#961435]
+- Make second Ctrl-C just quit realm tool [#961325]
+- Fix critical warning when leaving IPA realm [#961320]
+- Don't print out journalctl command in obvious situations [#961230]
+- Document the --all option to 'realm discover' [#961279]
+- No need to require sssd-tools package [#961254]
+- Enable services even in install mode [#960887]
+- Use the AD domain name in sssd.conf directly [#960270]
+- Fix critical warning when service Release() method [#961385]
+
+* Mon May 06 2013 Stef Walter <stefw@redhat.com> - 0.14.0-1
+- Work around broken krb5 with empty passwords [#960001]
+- Add manual page for realmd.conf [#959357]
+- Update to upstream 0.14.0 version
+
+* Thu May 02 2013 Stef Walter <stefw@redhat.com> - 0.13.91-1
+- Fix regression when using one time password [#958667]
+- Support for permitting logins by group [#887675]
+
+* Mon Apr 29 2013 Stef Walter <stefw@redhat.com> - 0.13.90-1
+- Add option to disable package-kit installs [#953852]
+- Add option to use unqualified names [#953825]
+- Better discovery of domains [#953153]
+- Concept of managing parts of the system [#914892]
+- Fix problems with cache directory [#913457]
+- Clearly explain when realm cannot be joined [#878018]
+- Many other upstream enhancements and fixes
+
+* Wed Apr 17 2013 Stef Walter <stefw@redhat.com> - 0.13.3-2
+- Add missing glib-networking dependency, currently used
+  for FreeIPA discovery [#953151]
+
+* Wed Apr 17 2013 Stef Walter <stefw@redhat.com> - 0.13.3-1
+- Update for upstream 0.13.3 version
+- Add dependency on systemd for installing service file
+
+* Tue Apr 16 2013 Stef Walter <stefw@redhat.com> - 0.13.2-2
+- Fix problem with sssd not starting after joining
+
+* Mon Feb 18 2013 Stef Walter <stefw@redhat.com> - 0.13.2-1
+- Update to upstream 0.13.2 version
+
+* Mon Feb 18 2013 Stef Walter <stefw@redhat.com> - 0.13.1-1
+- Update to upstream 0.13.1 version for bug fixes
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 12 2012 Stef Walter <stefw@redhat.com> - 0.12-1
+- Update to upstream 0.12 version for bug fixes
+
+* Tue Oct 30 2012 Stef Walter <stefw@redhat.com> - 0.11-1
+- Update to upstream 0.11 version
+
+* Sat Oct 20 2012 Stef Walter <stefw@redhat.com> - 0.10-1
+- Update to upstream 0.10 version
+
+* Wed Oct 17 2012 Stef Walter <stefw@redhat.com> - 0.9-1
+- Update to upstream 0.9 version
+
+* Wed Sep 19 2012 Stef Walter <stefw@redhat.com> - 0.8-2
+- Add openldap-devel build requirement
+
+* Wed Sep 19 2012 Stef Walter <stefw@redhat.com> - 0.8-1
+- Update to upstream 0.8 version
+- Add support for translations
+
+* Mon Aug 20 2012 Stef Walter <stefw@redhat.com> - 0.7-2
+- Build requires gtk-doc
+
+* Mon Aug 20 2012 Stef Walter <stefw@redhat.com> - 0.7-1
+- Update to upstream 0.7 version
+- Remove files no longer present in upstream version
+- Put documentation in its own realmd-devel-docs subpackage
+- Update upstream URLs
+
+* Mon Aug 6 2012 Stef Walter <stefw@redhat.com> - 0.6-1
+- Update to upstream 0.6 version
+
+* Tue Jul 17 2012 Stef Walter <stefw@redhat.com> - 0.5-2
+- Remove missing SssdIpa.service file from the files list.
+  This file will return upstream in 0.6
+
+* Tue Jul 17 2012 Stef Walter <stefw@redhat.com> - 0.5-1
+- Update to upstream 0.5 version
+
+* Tue Jun 19 2012 Stef Walter <stefw@redhat.com> - 0.4-1
+- Update to upstream 0.4 version
+- Cleanup various rpmlint warnings
+
+* Tue Jun 19 2012 Stef Walter <stefw@redhat.com> - 0.3-2
+- Add doc files
+- Own directories
+- Remove obsolete parts of spec file
+- Remove explicit dependencies
+- Updated License line to LGPLv2+
+
+* Tue Jun 19 2012 Stef Walter <stefw@redhat.com> - 0.3
+- Build fixes
+
+* Mon Jun 18 2012 Stef Walter <stefw@redhat.com> - 0.2
+- Initial RPM