diff --git a/SOURCES/0001-ldap-add-socket-timeout.patch b/SOURCES/0001-ldap-add-socket-timeout.patch
new file mode 100644
index 0000000..2ba2db6
--- /dev/null
+++ b/SOURCES/0001-ldap-add-socket-timeout.patch
@@ -0,0 +1,78 @@
+From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 24 Nov 2021 17:25:18 +0100
+Subject: [PATCH] ldap: add socket timeout
+
+During the discovery phase realmd tries to open LDAP connections to
+multiple DC addresses returned by DNS. When cleaning up we have to call
+ldap_destroy() to release the resources allocated for the LDAP context.
+ldap_destroy() tries to send a LDAP unbind request independent of the
+connection state. If the related address is block by a firewall or a not
+properly routed IPv6 address there might be no reply on the TCP level
+and the request might be stuck for quite some tome in the kernel.
+
+To avoid the unexpected long delays will block realmd this patch lowers
+the timeout considerably to 5s. As multiple other timeouts this value is
+currently hardcoded.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
+---
+ service/realm-ldap.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
+index bdfb96c..f7b6d13 100644
+--- a/service/realm-ldap.c
++++ b/service/realm-ldap.c
+@@ -22,6 +22,7 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#include <netinet/tcp.h>
+
+ #include <errno.h>
+
+@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
+
+ /* Not included in ldap.h but documented */
+ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
++#define LDAP_SOCKET_TIMEOUT 5
+
+ GSource *
+ realm_ldap_connect_anonymous (GSocketAddress *address,
+@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ int opt_rc;
+ int ldap_opt_val;
+ const char *errmsg = NULL;
++ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
++ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
+
+ g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
+
+@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
+ g_warning ("couldn't set to blocking");
+
++ /* Lower the kernel defaults which might be minutes to hours */
++ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
++ &tv, sizeof (tv));
++ if (rc != 0) {
++ g_warning ("couldn't set SO_RCVTIMEO");
++ }
++ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
++ &tv, sizeof (tv));
++ if (rc != 0) {
++ g_warning ("couldn't set SO_SNDTIMEO");
++ }
++ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
++ &milli, sizeof (milli));
++ if (rc != 0) {
++ g_warning ("couldn't set TCP_USER_TIMEOUT");
++ }
++
+ if (family == G_SOCKET_FAMILY_IPV4) {
+ url = g_strdup_printf ("%s://%s:%d",
+ use_ldaps ? "ldaps" : "ldap",
+--
+2.34.1
+
diff --git a/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch b/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch
new file mode 100644
index 0000000..176d046
--- /dev/null
+++ b/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch
@@ -0,0 +1,128 @@
+From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Dec 2021 15:32:32 +0100
+Subject: [PATCH] samba: use new Samba-4.15 command line options
+
+Samba-4.15 changed a couple of command line options of the net utility.
+This patch adds a configure option to select the new or the old style.
+If the option is not used configure tries to call the net utility to
+check for the options. If this fails the old style is used.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
+---
+ configure.ac | 34 ++++++++++++++++++++++++++++++++++
+ service/realm-samba-enroll.c | 18 +++++++++++++-----
+ 2 files changed, 47 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ea51f92..ddc25d0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
+ AC_SUBST(LDAP_LIBS)
+ AC_SUBST(LDAP_CFLAGS)
+
++# -------------------------------------------------------------------
++# Samba
++
++AC_ARG_WITH(new-samba-cli-options,
++ AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
++ [Use new command line options introduced with Samba-4.15,
++ if not provided the output of 'net help' is checked or old
++ style options are used]))
++
++if test "$with_new_samba_cli_options" = "no"; then
++ AC_MSG_RESULT([Using old Samba command line options])
++elif test "$with_new_samba_cli_options" = "yes"; then
++ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
++ [Use new command line options introduced with Samba-4.15])
++ AC_MSG_RESULT([Using new Samba command line options])
++else
++ AC_PATH_PROG([SAMBA_NET], [net])
++ if test ! -x "$SAMBA_NET"; then
++ AC_MSG_NOTICE([Could not find Samba's net utility, ]
++ [assuming old style command line options, ]
++ [please install the net utility for proper detection.])
++ else
++ AC_MSG_CHECKING([for --debug-stdout option of net])
++ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
++ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
++ [Use new command line options introduced with Samba-4.15])
++ AC_MSG_RESULT([yes])
++ else
++ AC_MSG_RESULT([no])
++ fi
++ fi
++fi
++
++
+ # -------------------------------------------------------------------
+ # Directories
+
+diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
+index 5624a08..8b2ee38 100644
+--- a/service/realm-samba-enroll.c
++++ b/service/realm-samba-enroll.c
+@@ -37,6 +37,14 @@
+ #include <sys/socket.h>
+ #include <netdb.h>
+
++#ifdef WITH_NEW_SAMBA_CLI_OPTS
++#define SMBCLI_KERBEROS "--use-kerberos=required"
++#define SMBCLI_CONF "--configfile"
++#else
++#define SMBCLI_KERBEROS "-k"
++#define SMBCLI_CONF "-s"
++#endif
++
+ typedef struct {
+ GDBusMethodInvocation *invocation;
+ gchar *join_args[8];
+@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
+ /* Use our custom smb.conf */
+ g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
+ if (join->custom_smb_conf) {
+- g_ptr_array_add (args, "-s");
++ g_ptr_array_add (args, SMBCLI_CONF);
+ g_ptr_array_add (args, join->custom_smb_conf);
+ }
+
+@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
+ } else {
+ begin_net_process (join, NULL,
+ on_keytab_do_finish, g_object_ref (task),
+- "-k", "ads", "keytab", "create", NULL);
++ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
+ }
+
+ g_object_unref (task);
+@@ -428,7 +436,7 @@ begin_join (GTask *task,
+ begin_net_process (join, join->password_input,
+ on_join_do_keytab, g_object_ref (task),
+ "-U", join->user_name,
+- "-k", "ads", "join", join->disco->domain_name,
++ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
+ join->join_args[0], join->join_args[1],
+ join->join_args[2], join->join_args[3],
+ join->join_args[4], NULL);
+@@ -437,7 +445,7 @@ begin_join (GTask *task,
+ } else {
+ begin_net_process (join, NULL,
+ on_join_do_keytab, g_object_ref (task),
+- "-k", "ads", "join", join->disco->domain_name,
++ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
+ join->join_args[0], join->join_args[1],
+ join->join_args[2], join->join_args[3],
+ join->join_args[4], NULL);
+@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
+ join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
+ begin_net_process (join, NULL,
+ on_leave_complete, g_object_ref (task),
+- "-k", "ads", "leave", NULL);
++ SMBCLI_KERBEROS, "ads", "leave", NULL);
+ break;
+ default:
+ g_return_if_reached ();
+--
+2.34.1
+
diff --git a/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch b/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch
new file mode 100644
index 0000000..001b2a2
--- /dev/null
+++ b/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch
@@ -0,0 +1,38 @@
+From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 25 Nov 2021 14:36:10 +0100
+Subject: [PATCH] syslog: avoid duplicate log messages
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
+---
+ service/realm-diagnostics.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
+index 850b2e3..6aa5288 100644
+--- a/service/realm-diagnostics.c
++++ b/service/realm-diagnostics.c
+@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
+ while ((ptr = memchr (at, '\n', length)) != NULL) {
+ *ptr = '\0';
+ if (line_buffer && line_buffer->len > 0) {
++#ifdef WITH_JOURNAL
++ /* Call realm_daemon_syslog directly to add
++ * REALMD_OPERATION to the jounrnal */
+ realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
++#else
+ g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
++#endif
+ g_string_set_size (line_buffer, 0);
+ } else {
++#ifdef WITH_JOURNAL
+ realm_daemon_syslog (operation, log_level, "%s", at);
++#else
+ g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
++#endif
+ }
+
+ *ptr = '\n';
+--
+2.34.1
+
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
index 68333b1..0c8f2db 100644
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@@ -1,6 +1,6 @@
Name: realmd
Version: 0.17.0
-Release: 7%{?dist}
+Release: 9%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: https://gitlab.freedesktop.org/realmd/realmd
@@ -14,6 +14,16 @@ Patch4: 0001-doc-add-computer-name-to-realm-man-page.patch
# rhbz#1978255 - regression in realmd/Sanity/realmd-service-sanity
Patch5: ipa-packages.patch
+# rhbz#2038260 - realmd operations hang if a DC is unreachable
+Patch6: 0001-ldap-add-socket-timeout.patch
+
+# rhbz#2038268 - realmd logs are duplicated
+Patch7: 0001-syslog-avoid-duplicate-log-messages.patch
+
+# rhbz#2028530 - realm join needs to updated to use the command line options of
+# Samba's net command
+Patch8: 0001-samba-use-new-Samba-4.15-command-line-options.patch
+
BuildRequires: make
BuildRequires: gcc
BuildRequires: automake
@@ -27,11 +37,15 @@ BuildRequires: krb5-devel
BuildRequires: systemd-devel
BuildRequires: libxslt
BuildRequires: xmlto
+BuildRequires: samba-common-tools
BuildRequires: python3
Requires: authselect
Requires: polkit
Conflicts: realmd-devel-docs < %{version}-%{release}
+# This build will use Samba's new command line options so it cannot be used
+# with older versions of Samba.
+Conflicts: samba-common-tools < 4.15
%description
realmd is a DBus system service which manages discovery and enrollment in realms
@@ -54,6 +68,7 @@ applications that use %{name}.
%build
autoreconf -fi
%configure --disable-silent-rules \
+ --with-new-samba-cli-options=yes \
%if 0%{?rhel}
--with-vendor-error-message='Please check\n https://red.ht/support_rhel_ad \nto get help for common issues.' \
%endif
@@ -98,6 +113,16 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
+* Tue Jan 11 2022 Sumit Bose <sbose@redhat.com> - 0.17.0-9
+- enforce new Samba command line options
+ Resolves: rhbz#2028530
+
+* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.17.0-8
+- LDAP socket timeout, fix duplicated logs and new Samba command line options
+ Resolves: rhbz#2038260
+ Resolves: rhbz#2038268
+ Resolves: rhbz#2028530
+
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688