diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch new file mode 100644 index 0000000..894fe93 --- /dev/null +++ b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch @@ -0,0 +1,168 @@ +From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 31 May 2018 16:16:08 +0200 +Subject: [PATCH] Find NetBIOS name in keytab while leaving + +If realmd is used with Samba as membership software, i.e. Samba's net +utility, the NetBIOS name must be known when leaving a domain. The most +reliable way to find it is by searching the keytab for NAME$@REALM type +entries and use the NAME as the NetBIOS name. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457 +--- + service/realm-kerberos.c | 64 ++++++++++++++++++++++++++++++++++++ + service/realm-kerberos.h | 2 ++ + service/realm-samba-enroll.c | 17 ++++++++-- + 3 files changed, 80 insertions(+), 3 deletions(-) + +diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c +index 54d1ed7..d6d109f 100644 +--- a/service/realm-kerberos.c ++++ b/service/realm-kerberos.c +@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name, + return ret; + + } ++ ++gchar * ++realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name) ++{ ++ krb5_error_code code; ++ krb5_keytab keytab = NULL; ++ krb5_context ctx; ++ krb5_kt_cursor cursor = NULL; ++ krb5_keytab_entry entry; ++ krb5_principal realm_princ = NULL; ++ gchar *princ_name = NULL; ++ gchar *netbios_name = NULL; ++ krb5_data *name_data; ++ ++ code = krb5_init_context (&ctx); ++ if (code != 0) { ++ return NULL; ++ } ++ ++ princ_name = g_strdup_printf ("user@%s", realm_name); ++ code = krb5_parse_name (ctx, princ_name, &realm_princ); ++ g_free (princ_name); ++ ++ if (code == 0) { ++ code = krb5_kt_default (ctx, &keytab); ++ } ++ ++ if (code == 0) { ++ code = krb5_kt_start_seq_get (ctx, keytab, &cursor); ++ } ++ ++ if (code == 0) { ++ while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) { ++ if (krb5_realm_compare (ctx, realm_princ, entry.principal)) { ++ name_data = krb5_princ_component (ctx, entry.principal, 0); ++ if (name_data != NULL ++ && name_data->length > 0 ++ && name_data->data[name_data->length - 1] == '$') { ++ netbios_name = g_strndup (name_data->data, name_data->length - 1); ++ if (netbios_name == NULL) { ++ code = krb5_kt_free_entry (ctx, &entry); ++ warn_if_krb5_failed (ctx, code); ++ break; ++ } ++ } ++ } ++ code = krb5_kt_free_entry (ctx, &entry); ++ warn_if_krb5_failed (ctx, code); ++ } ++ } ++ ++ code = krb5_kt_end_seq_get (ctx, keytab, &cursor); ++ warn_if_krb5_failed (ctx, code); ++ ++ code = krb5_kt_close (ctx, keytab); ++ warn_if_krb5_failed (ctx, code); ++ ++ krb5_free_principal (ctx, realm_princ); ++ ++ krb5_free_context (ctx); ++ ++ return netbios_name; ++ ++} +diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h +index 0447e4d..58cfe07 100644 +--- a/service/realm-kerberos.h ++++ b/service/realm-kerberos.h +@@ -88,6 +88,8 @@ gchar * realm_kerberos_format_login (RealmKerberos *self, + gboolean realm_kerberos_flush_keytab (const gchar *realm_name, + GError **error); + ++gchar * realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name); ++ + const gchar * realm_kerberos_get_name (RealmKerberos *self); + + const gchar * realm_kerberos_get_realm_name (RealmKerberos *self); +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index 76e7b79..f5edca3 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -85,7 +85,8 @@ static JoinClosure * + join_closure_init (GTask *task, + RealmDisco *disco, + GVariant *options, +- GDBusMethodInvocation *invocation) ++ GDBusMethodInvocation *invocation, ++ gboolean do_join) + { + JoinClosure *join; + gchar *workgroup; +@@ -93,6 +94,7 @@ join_closure_init (GTask *task, + int temp_fd; + const gchar *explicit_computer_name = NULL; + const gchar *authid = NULL; ++ gchar *name_from_keytab = NULL; + + join = g_new0 (JoinClosure, 1); + join->disco = realm_disco_ref (disco); +@@ -106,6 +108,14 @@ join_closure_init (GTask *task, + else if (disco->explicit_netbios) + authid = disco->explicit_netbios; + ++ /* try to get the NetBIOS name from the keytab while leaving the domain */ ++ if (explicit_computer_name == NULL && !do_join) { ++ name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm); ++ if (name_from_keytab != NULL) { ++ authid = name_from_keytab; ++ } ++ } ++ + join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE); + realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, + "security", "ads", +@@ -151,6 +161,7 @@ join_closure_init (GTask *task, + g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ()); + } + ++ g_free (name_from_keytab); + return join; + } + +@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco, + g_return_if_fail (cred != NULL); + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, options, invocation); ++ join = join_closure_init (task, disco, options, invocation, TRUE); + explicit_computer_name = realm_options_computer_name (options, disco->domain_name); + if (explicit_computer_name != NULL) { + realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s", +@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco, + JoinClosure *join; + + task = g_task_new (NULL, NULL, callback, user_data); +- join = join_closure_init (task, disco, options, invocation); ++ join = join_closure_init (task, disco, options, invocation, FALSE); + + switch (cred->type) { + case REALM_CREDENTIAL_PASSWORD: +-- +2.17.1 + diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch new file mode 100644 index 0000000..ee9e081 --- /dev/null +++ b/SOURCES/0001-Fix-issues-found-by-Coverity.patch @@ -0,0 +1,42 @@ +From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 14 Aug 2018 14:09:48 +0200 +Subject: [PATCH] Fix issues found by Coverity + +--- + service/realm-kerberos.c | 5 ++++- + service/realm-packages.c | 2 +- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c +index d6d109f..252e256 100644 +--- a/service/realm-kerberos.c ++++ b/service/realm-kerberos.c +@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self, + if (name == NULL) + break; + value = va_arg (va, const gchar *); +- g_return_if_fail (value != NULL); ++ if (value == NULL) { ++ va_end (va); ++ g_return_if_reached (); ++ } + + values[0] = g_variant_new_string (name); + values[1] = g_variant_new_string (value); +diff --git a/service/realm-packages.c b/service/realm-packages.c +index 9a6984c..5976439 100644 +--- a/service/realm-packages.c ++++ b/service/realm-packages.c +@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets, + g_ptr_array_add (packages, NULL); + *result_packages = (gchar **)g_ptr_array_free (packages, FALSE); + } else { +- g_ptr_array_free (files, TRUE); ++ g_ptr_array_free (packages, TRUE); + } + + if (result_files) { +-- +2.17.1 + diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch new file mode 100644 index 0000000..ea34960 --- /dev/null +++ b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch @@ -0,0 +1,185 @@ +From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 30 May 2018 13:10:57 +0200 +Subject: [PATCH] Use current idmap options for smb.conf + +Samba change some time ago the way how to configure id-mapping. With +this patch realmd will use the current supported options when creating +smb.conf. + +A new option --legacy-samba-config is added to use the old options if +realmd is used with Samba 3.5 or earlier. + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072 +--- + dbus/realm-dbus-constants.h | 1 + + doc/manual/realmd.conf.xml | 17 ++++++++++++ + service/realm-samba-enroll.c | 2 +- + service/realm-samba-enroll.h | 3 +++ + service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++--------- + 5 files changed, 72 insertions(+), 14 deletions(-) + +diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h +index 9cd30ef..40ffa2d 100644 +--- a/dbus/realm-dbus-constants.h ++++ b/dbus/realm-dbus-constants.h +@@ -69,6 +69,7 @@ G_BEGIN_DECLS + #define REALM_DBUS_OPTION_COMPUTER_NAME "computer-name" + #define REALM_DBUS_OPTION_OS_NAME "os-name" + #define REALM_DBUS_OPTION_OS_VERSION "os-version" ++#define REALM_DBUS_OPTION_LEGACY_SMB_CONF "legacy-samba-config" + + #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" + #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" +diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml +index 7853230..a2b577c 100644 +--- a/doc/manual/realmd.conf.xml ++++ b/doc/manual/realmd.conf.xml +@@ -192,6 +192,23 @@ automatic-install = no + + + ++ ++ ++ ++ Set this to yes to create a Samba ++ configuration file with id-mapping options used by Samba-3.5 ++ and earlier version. ++ ++ ++ ++[service] ++legacy-samba-config = no ++# legacy-samba-config = yes ++ ++ ++ ++ ++ + + + +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index c81aed2..76e7b79 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -69,7 +69,7 @@ join_closure_free (gpointer data) + g_free (join); + } + +-static gchar * ++gchar * + fallback_workgroup (const gchar *realm) + { + const gchar *pos; +diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h +index 84e8b2f..310ec65 100644 +--- a/service/realm-samba-enroll.h ++++ b/service/realm-samba-enroll.h +@@ -46,6 +46,9 @@ void realm_samba_enroll_leave_async (RealmDisco *disco, + gboolean realm_samba_enroll_leave_finish (GAsyncResult *result, + GError **error); + ++gchar * ++fallback_workgroup (const gchar *realm); ++ + G_END_DECLS + + #endif /* __REALM_SAMBA_ENROLL_H__ */ +diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c +index a7ddec3..9335e26 100644 +--- a/service/realm-samba-winbind.c ++++ b/service/realm-samba-winbind.c +@@ -21,8 +21,10 @@ + #include "realm-options.h" + #include "realm-samba-config.h" + #include "realm-samba-winbind.h" ++#include "realm-samba-enroll.h" + #include "realm-settings.h" + #include "realm-service.h" ++#include "dbus/realm-dbus-constants.h" + + #include + +@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + RealmIniConfig *pwc; + GTask *task; + GError *error = NULL; ++ gchar *workgroup = NULL; ++ gchar *idmap_config_backend = NULL; ++ gchar *idmap_config_range = NULL; ++ gchar *idmap_config_schema_mode = NULL; + + g_return_if_fail (config != NULL); + g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation)); +@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config, + "template shell", realm_settings_string ("users", "default-shell"), + NULL); + +- if (realm_options_automatic_mapping (options, domain_name)) { +- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, +- "idmap uid", "10000-2000000", +- "idmap gid", "10000-2000000", +- "idmap backend", "tdb", +- "idmap schema", NULL, +- NULL); ++ if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) { ++ if (realm_options_automatic_mapping (options, domain_name)) { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap uid", "10000-2000000", ++ "idmap gid", "10000-2000000", ++ "idmap backend", "tdb", ++ "idmap schema", NULL, ++ NULL); ++ } else { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap uid", "500-4294967296", ++ "idmap gid", "500-4294967296", ++ "idmap backend", "ad", ++ "idmap schema", "rfc2307", ++ NULL); ++ } + } else { +- realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, +- "idmap uid", "500-4294967296", +- "idmap gid", "500-4294967296", +- "idmap backend", "ad", +- "idmap schema", "rfc2307", +- NULL); ++ workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup"); ++ if (workgroup == NULL) { ++ workgroup = fallback_workgroup (domain_name); ++ } ++ idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE"); ++ g_free (workgroup); ++ ++ if (realm_options_automatic_mapping (options, domain_name)) { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap config * : backend", "tdb", ++ "idmap config * : range", "10000-999999", ++ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid", ++ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999", ++ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL, ++ NULL); ++ } else { ++ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL, ++ "idmap config * : backend", "tdb", ++ "idmap config * : range", "10000000-10999999", ++ idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad", ++ idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999", ++ idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307", ++ NULL); ++ } + } + + realm_ini_config_finish_change (config, &error); ++ g_free (idmap_config_backend); ++ g_free (idmap_config_range); + } + + /* Setup pam_winbind.conf with decent defaults matching our expectations */ +-- +2.14.4 + diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec index 3a46971..67f9d4e 100644 --- a/SPECS/realmd.spec +++ b/SPECS/realmd.spec @@ -1,6 +1,6 @@ Name: realmd Version: 0.16.1 -Release: 9%{?dist} +Release: 11%{?dist} Summary: Kerberos realm enrollment service License: LGPLv2+ URL: http://cgit.freedesktop.org/realmd/realmd/ @@ -24,6 +24,9 @@ Patch25: 0001-Make-DBus-aware-of-systemd.patch Patch26: 0001-Add-os-name-and-os-version-command-line-options.patch Patch27: 0001-doc-add-computer-name-to-realm-man-page.patch Patch28: 0001-Fix-man-page-reference-in-systemd-service-file.patch +Patch29: 0001-Use-current-idmap-options-for-smb.conf.patch +Patch30: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch +Patch31: 0001-Fix-issues-found-by-Coverity.patch BuildRequires: automake BuildRequires: autoconf @@ -73,6 +76,9 @@ applications that use %{name}. %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 %build aclocal @@ -118,6 +124,15 @@ make install DESTDIR=%{buildroot} %doc ChangeLog %changelog +* Tue Aug 21 2018 Sumit Bose - 0.16.1-11 +Improve fix for rhbz#1370457 and fix Coverity issues +- Resolves: rhbz#1370457 + +* Thu Jun 14 2018 Sumit Bose - 0.16.1-10 +Use current Samba options and read NetBIOS name from keytab +- Resolves: rhbz#1484072 +- Resolves: rhbz#1370457 + * Wed Sep 07 2016 Sumit Bose - 0.16.1-9 Rebuild to fix wrong doc path - Resolves: rhbz#1360702