diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
new file mode 100644
index 0000000..894fe93
--- /dev/null
+++ b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
@@ -0,0 +1,168 @@
+From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 31 May 2018 16:16:08 +0200
+Subject: [PATCH] Find NetBIOS name in keytab while leaving
+
+If realmd is used with Samba as membership software, i.e. Samba's net
+utility, the NetBIOS name must be known when leaving a domain. The most
+reliable way to find it is by searching the keytab for NAME$@REALM type
+entries and use the NAME as the NetBIOS name.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
+---
+ service/realm-kerberos.c     | 64 ++++++++++++++++++++++++++++++++++++
+ service/realm-kerberos.h     |  2 ++
+ service/realm-samba-enroll.c | 17 ++++++++--
+ 3 files changed, 80 insertions(+), 3 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index 54d1ed7..d6d109f 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
+ 	return ret;
+ 
+ }
++
++gchar *
++realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
++{
++	krb5_error_code code;
++	krb5_keytab keytab = NULL;
++	krb5_context ctx;
++	krb5_kt_cursor cursor = NULL;
++	krb5_keytab_entry entry;
++	krb5_principal realm_princ = NULL;
++	gchar *princ_name = NULL;
++	gchar *netbios_name = NULL;
++	krb5_data *name_data;
++
++	code = krb5_init_context (&ctx);
++	if (code != 0) {
++		return NULL;
++	}
++
++	princ_name = g_strdup_printf ("user@%s", realm_name);
++	code = krb5_parse_name (ctx, princ_name, &realm_princ);
++	g_free (princ_name);
++
++	if (code == 0) {
++		code = krb5_kt_default (ctx, &keytab);
++	}
++
++	if (code == 0) {
++		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
++	}
++
++	if (code == 0) {
++		while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
++			if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
++				name_data = krb5_princ_component (ctx, entry.principal, 0);
++				if (name_data != NULL
++				                && name_data->length > 0
++				                && name_data->data[name_data->length - 1] == '$') {
++					netbios_name = g_strndup (name_data->data, name_data->length - 1);
++					if (netbios_name == NULL) {
++						code = krb5_kt_free_entry (ctx, &entry);
++						warn_if_krb5_failed (ctx, code);
++						break;
++					}
++				}
++			}
++			code = krb5_kt_free_entry (ctx, &entry);
++			warn_if_krb5_failed (ctx, code);
++		}
++	}
++
++	code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
++	warn_if_krb5_failed (ctx, code);
++
++	code = krb5_kt_close (ctx, keytab);
++	warn_if_krb5_failed (ctx, code);
++
++	krb5_free_principal (ctx, realm_princ);
++
++	krb5_free_context (ctx);
++
++	return netbios_name;
++
++}
+diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
+index 0447e4d..58cfe07 100644
+--- a/service/realm-kerberos.h
++++ b/service/realm-kerberos.h
+@@ -88,6 +88,8 @@ gchar *             realm_kerberos_format_login          (RealmKerberos *self,
+ gboolean            realm_kerberos_flush_keytab                (const gchar *realm_name,
+                                                                 GError **error);
+ 
++gchar *             realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
++
+ const gchar *       realm_kerberos_get_name                    (RealmKerberos *self);
+ 
+ const gchar *       realm_kerberos_get_realm_name              (RealmKerberos *self);
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index 76e7b79..f5edca3 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -85,7 +85,8 @@ static JoinClosure *
+ join_closure_init (GTask *task,
+                    RealmDisco *disco,
+                    GVariant *options,
+-                   GDBusMethodInvocation *invocation)
++                   GDBusMethodInvocation *invocation,
++                   gboolean do_join)
+ {
+ 	JoinClosure *join;
+ 	gchar *workgroup;
+@@ -93,6 +94,7 @@ join_closure_init (GTask *task,
+ 	int temp_fd;
+ 	const gchar *explicit_computer_name = NULL;
+ 	const gchar *authid = NULL;
++	gchar *name_from_keytab = NULL;
+ 
+ 	join = g_new0 (JoinClosure, 1);
+ 	join->disco = realm_disco_ref (disco);
+@@ -106,6 +108,14 @@ join_closure_init (GTask *task,
+ 	else if (disco->explicit_netbios)
+ 		authid = disco->explicit_netbios;
+ 
++	/* try to get the NetBIOS name from the keytab while leaving the domain */
++	if (explicit_computer_name == NULL && !do_join) {
++		name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
++		if (name_from_keytab != NULL) {
++			authid = name_from_keytab;
++		}
++	}
++
+ 	join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
+ 	realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
+ 	                      "security", "ads",
+@@ -151,6 +161,7 @@ join_closure_init (GTask *task,
+ 		g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ());
+ 	}
+ 
++	g_free (name_from_keytab);
+ 	return join;
+ }
+ 
+@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
+ 	g_return_if_fail (cred != NULL);
+ 
+ 	task = g_task_new (NULL, NULL, callback, user_data);
+-	join = join_closure_init (task, disco, options, invocation);
++	join = join_closure_init (task, disco, options, invocation, TRUE);
+ 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
+ 	if (explicit_computer_name != NULL) {
+ 		realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
+@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
+ 	JoinClosure *join;
+ 
+ 	task = g_task_new (NULL, NULL, callback, user_data);
+-	join = join_closure_init (task, disco, options, invocation);
++	join = join_closure_init (task, disco, options, invocation, FALSE);
+ 
+ 	switch (cred->type) {
+ 	case REALM_CREDENTIAL_PASSWORD:
+-- 
+2.17.1
+
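Review bot: In `realm_kerberos_get_netbios_name_from_keytab` (the service/realm-kerberos.c section of this embedded patch) the cleanup calls `krb5_kt_end_seq_get` and `krb5_kt_close` run unconditionally. If `krb5_parse_name` or `krb5_kt_default` fails they are handed the still-NULL `keytab`, and if `krb5_kt_start_seq_get` fails the sequence is ended without ever having been started. realmd is a privileged D-Bus service, so a leave request that hits one of these error paths should fail cleanly rather than risk a NULL dereference inside libkrb5. Separately, the loop condition calls `krb5_kt_next_entry` before it tests `netbios_name`, so after a match one more entry, key material included, is fetched and never passed to `krb5_kt_free_entry`. Testing `netbios_name == NULL` first avoids that; both changes are sketched below.

```c
	if (code == 0) {
		/* test the result first so no extra entry is fetched and left unfreed */
		while (netbios_name == NULL && !krb5_kt_next_entry (ctx, keytab, &entry, &cursor)) {
			/* … unchanged: realm compare, '$' suffix check, krb5_kt_free_entry … */
		}

		/* end the sequence only when krb5_kt_start_seq_get() succeeded */
		code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
		warn_if_krb5_failed (ctx, code);
	}

	/* keytab stays NULL when krb5_parse_name() or krb5_kt_default() failed */
	if (keytab != NULL) {
		code = krb5_kt_close (ctx, keytab);
		warn_if_krb5_failed (ctx, code);
	}
```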
diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch
new file mode 100644
index 0000000..ee9e081
--- /dev/null
+++ b/SOURCES/0001-Fix-issues-found-by-Coverity.patch
@@ -0,0 +1,42 @@
+From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Aug 2018 14:09:48 +0200
+Subject: [PATCH] Fix issues found by Coverity
+
+---
+ service/realm-kerberos.c | 5 ++++-
+ service/realm-packages.c | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
+index d6d109f..252e256 100644
+--- a/service/realm-kerberos.c
++++ b/service/realm-kerberos.c
+@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
+ 		if (name == NULL)
+ 			break;
+ 		value = va_arg (va, const gchar *);
+-		g_return_if_fail (value != NULL);
++		if (value == NULL) {
++			va_end (va);
++			g_return_if_reached ();
++		}
+ 
+ 		values[0] = g_variant_new_string (name);
+ 		values[1] = g_variant_new_string (value);
+diff --git a/service/realm-packages.c b/service/realm-packages.c
+index 9a6984c..5976439 100644
+--- a/service/realm-packages.c
++++ b/service/realm-packages.c
+@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
+ 		g_ptr_array_add (packages, NULL);
+ 		*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
+ 	} else {
+-		g_ptr_array_free (files, TRUE);
++		g_ptr_array_free (packages, TRUE);
+ 	}
+ 
+ 	if (result_files) {
+-- 
+2.17.1
+
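Review bot: The `realm_kerberos_set_details` hunk replaces `g_return_if_fail (value != NULL)` with an open-coded check but leaves no comment saying why, and the patch carries no description, so a later cleanup could easily fold it back into the one-line macro. A short comment above the new `if` would preserve the reason, for example `/* va_end() must run on every exit path, so g_return_if_fail() cannot be used here */`. The same applies to the realm-packages.c hunk, where a line such as `/* packages was not handed to the caller, release it here; files is handled below */` would make clear which array each branch owns. Both functions start and end outside their hunks, so whether other early exits need the same treatment cannot be judged from here.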
diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
new file mode 100644
index 0000000..ea34960
--- /dev/null
+++ b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
@@ -0,0 +1,185 @@
+From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 30 May 2018 13:10:57 +0200
+Subject: [PATCH] Use current idmap options for smb.conf
+
+Samba change some time ago the way how to configure id-mapping. With
+this patch realmd will use the current supported options when creating
+smb.conf.
+
+A new option --legacy-samba-config is added to use the old options if
+realmd is used with Samba 3.5 or earlier.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
+---
+ dbus/realm-dbus-constants.h   |  1 +
+ doc/manual/realmd.conf.xml    | 17 ++++++++++++
+ service/realm-samba-enroll.c  |  2 +-
+ service/realm-samba-enroll.h  |  3 +++
+ service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
+ 5 files changed, 72 insertions(+), 14 deletions(-)
+
+diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
+index 9cd30ef..40ffa2d 100644
+--- a/dbus/realm-dbus-constants.h
++++ b/dbus/realm-dbus-constants.h
+@@ -69,6 +69,7 @@ G_BEGIN_DECLS
+ #define   REALM_DBUS_OPTION_COMPUTER_NAME          "computer-name"
+ #define   REALM_DBUS_OPTION_OS_NAME                "os-name"
+ #define   REALM_DBUS_OPTION_OS_VERSION             "os-version"
++#define   REALM_DBUS_OPTION_LEGACY_SMB_CONF        "legacy-samba-config"
+ 
+ #define   REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY   "active-directory"
+ #define   REALM_DBUS_IDENTIFIER_WINBIND            "winbind"
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index 7853230..a2b577c 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -192,6 +192,23 @@ automatic-install = no
+ 	</listitem>
+ 	</varlistentry>
+ 
++	<varlistentry>
++	<term><option>legacy-samba-config</option></term>
++	<listitem>
++		<para>Set this to <parameter>yes</parameter> to create a Samba
++		configuration file with id-mapping options used by Samba-3.5
++		and earlier version.</para>
++
++		<informalexample>
++<programlisting language="js">
++[service]
++legacy-samba-config = no
++# legacy-samba-config = yes
++</programlisting>
++		</informalexample>
++	</listitem>
++	</varlistentry>
++
+ 	</variablelist>
+ </refsect1>
+ 
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index c81aed2..76e7b79 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
+ 	g_free (join);
+ }
+ 
+-static gchar *
++gchar *
+ fallback_workgroup (const gchar *realm)
+ {
+ 	const gchar *pos;
+diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
+index 84e8b2f..310ec65 100644
+--- a/service/realm-samba-enroll.h
++++ b/service/realm-samba-enroll.h
+@@ -46,6 +46,9 @@ void               realm_samba_enroll_leave_async          (RealmDisco *disco,
+ gboolean           realm_samba_enroll_leave_finish         (GAsyncResult *result,
+                                                             GError **error);
+ 
++gchar *
++fallback_workgroup (const gchar *realm);
++
+ G_END_DECLS
+ 
+ #endif /* __REALM_SAMBA_ENROLL_H__ */
+diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
+index a7ddec3..9335e26 100644
+--- a/service/realm-samba-winbind.c
++++ b/service/realm-samba-winbind.c
+@@ -21,8 +21,10 @@
+ #include "realm-options.h"
+ #include "realm-samba-config.h"
+ #include "realm-samba-winbind.h"
++#include "realm-samba-enroll.h"
+ #include "realm-settings.h"
+ #include "realm-service.h"
++#include "dbus/realm-dbus-constants.h"
+ 
+ #include <glib/gstdio.h>
+ 
+@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ 	RealmIniConfig *pwc;
+ 	GTask *task;
+ 	GError *error = NULL;
++	gchar *workgroup = NULL;
++	gchar *idmap_config_backend = NULL;
++	gchar *idmap_config_range = NULL;
++	gchar *idmap_config_schema_mode = NULL;
+ 
+ 	g_return_if_fail (config != NULL);
+ 	g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
+@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ 		                      "template shell", realm_settings_string ("users", "default-shell"),
+ 		                      NULL);
+ 
+-		if (realm_options_automatic_mapping (options, domain_name)) {
+-			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+-			                      "idmap uid", "10000-2000000",
+-			                      "idmap gid", "10000-2000000",
+-			                      "idmap backend", "tdb",
+-			                      "idmap schema", NULL,
+-			                      NULL);
++		if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
++			if (realm_options_automatic_mapping (options, domain_name)) {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap uid", "10000-2000000",
++						      "idmap gid", "10000-2000000",
++						      "idmap backend", "tdb",
++						      "idmap schema", NULL,
++						      NULL);
++			} else {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap uid", "500-4294967296",
++						      "idmap gid", "500-4294967296",
++						      "idmap backend", "ad",
++						      "idmap schema", "rfc2307",
++						      NULL);
++			}
+ 		} else {
+-			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+-			                      "idmap uid", "500-4294967296",
+-			                      "idmap gid", "500-4294967296",
+-			                      "idmap backend", "ad",
+-			                      "idmap schema", "rfc2307",
+-			                      NULL);
++			workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
++			if (workgroup == NULL) {
++				workgroup = fallback_workgroup (domain_name);
++			}
++			idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
++			idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
++			idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
++			g_free (workgroup);
++
++			if (realm_options_automatic_mapping (options, domain_name)) {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap config * : backend", "tdb",
++						      "idmap config * : range", "10000-999999",
++						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
++						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
++						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
++						      NULL);
++			} else {
++				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
++						      "idmap config * : backend", "tdb",
++						      "idmap config * : range", "10000000-10999999",
++						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
++						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
++						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
++						      NULL);
++			}
+ 		}
+ 
+ 		realm_ini_config_finish_change (config, &error);
++		g_free (idmap_config_backend);
++		g_free (idmap_config_range);
+ 	}
+ 
+ 	/* Setup pam_winbind.conf with decent defaults matching our expectations */
+-- 
+2.14.4
+
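Review bot: In the `realm_samba_winbind_configure_async` hunk of service/realm-samba-winbind.c, `idmap_config_schema_mode` is allocated with `g_strdup_printf` but never released. Only `idmap_config_backend` and `idmap_config_range` are freed after `realm_ini_config_finish_change`, so `g_free (idmap_config_schema_mode);` should be added next to them. When no workgroup can be determined, the literal `PLEASE_REPLACE` is written into the smb.conf key names without any diagnostic, leaving id-mapping configured for a domain that does not exist. A `g_warning` or `realm_diagnostics_info` call on that path would make the broken configuration visible to the administrator. The `!= NULL ? … : "idmap config PLEASE_REPLACE : …"` fallbacks on the three key strings look unreachable, since `g_strdup_printf` does not return NULL, and could be dropped. The function continues outside the hunk.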
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
index 3a46971..67f9d4e 100644
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@@ -1,6 +1,6 @@
 Name:		realmd
 Version:	0.16.1
-Release:	9%{?dist}
+Release:	11%{?dist}
 Summary:	Kerberos realm enrollment service
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/realmd/
@@ -24,6 +24,9 @@ Patch25:        0001-Make-DBus-aware-of-systemd.patch
 Patch26:        0001-Add-os-name-and-os-version-command-line-options.patch
 Patch27:        0001-doc-add-computer-name-to-realm-man-page.patch
 Patch28:        0001-Fix-man-page-reference-in-systemd-service-file.patch
+Patch29:        0001-Use-current-idmap-options-for-smb.conf.patch
+Patch30:        0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
+Patch31:        0001-Fix-issues-found-by-Coverity.patch
 
 BuildRequires:  automake
 BuildRequires:  autoconf
@@ -73,6 +76,9 @@ applications that use %{name}.
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
 
 %build
 aclocal
@@ -118,6 +124,15 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 
 %changelog
+* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.1-11
+Improve fix for rhbz#1370457 and fix Coverity issues
+- Resolves: rhbz#1370457
+
+* Thu Jun 14 2018 Sumit Bose <sbose@redhat.com> - 0.16.1-10
+Use current Samba options and read NetBIOS name from keytab
+- Resolves: rhbz#1484072
+- Resolves: rhbz#1370457
+
 * Wed Sep 07 2016 Sumit Bose <sbose@redhat.com> - 0.16.1-9
 Rebuild to fix wrong doc path
 - Resolves: rhbz#1360702