diff --git a/.gitignore b/.gitignore
index 540b6ba..e0d7a4d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/realmd-0.16.3.tar.gz
+SOURCES/realmd-0.17.1.tar.gz
diff --git a/.realmd.metadata b/.realmd.metadata
index c1809f4..06ce7b9 100644
--- a/.realmd.metadata
+++ b/.realmd.metadata
@@ -1 +1 @@
-0768e0aff0f303745875ee8d0c37bf8134791770 SOURCES/realmd-0.16.3.tar.gz
+681f7f532daa62a08f2f2d6c9d4a1a04c4c793a3 SOURCES/realmd-0.17.1.tar.gz
diff --git a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
deleted file mode 100644
index 6daf79b..0000000
--- a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 14 Aug 2018 16:44:39 +0200
-Subject: [PATCH] Change qualified names default for IPA
-
-In a FreeIPA domain it is typically expected that the IPA accounts use
-sort names while accounts from trusted domains have fully qualified
-names. This is automatically done by SSSD's IPA provider so there is no
-need to force fully qualified names in the SSSD configuration.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
----
- service/realm-options.c       | 9 +++++----
- service/realm-options.h       | 3 ++-
- service/realm-samba-winbind.c | 2 +-
- service/realm-sssd-ad.c       | 2 +-
- service/realm-sssd-ipa.c      | 2 +-
- 5 files changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/service/realm-options.c b/service/realm-options.c
-index bd804ea..34a209f 100644
---- a/service/realm-options.c
-+++ b/service/realm-options.c
-@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
- 
- 	if (realm_name && !option) {
- 		section = g_utf8_casefold (realm_name, -1);
--		mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
-+		mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
- 		g_free (section);
- 	}
- 
-@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
- 	gboolean mapping;
- 
- 	section = g_utf8_casefold (realm_name, -1);
--	mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
-+	mapping = realm_settings_boolean (section, "automatic-join", FALSE);
- 	g_free (section);
- 
- 	return mapping;
- }
- 
- gboolean
--realm_options_qualify_names (const gchar *realm_name)
-+realm_options_qualify_names (const gchar *realm_name,
-+                             gboolean def)
- {
- 	gchar *section;
- 	gboolean qualify;
- 
- 	section = g_utf8_casefold (realm_name, -1);
--	qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
-+	qualify = realm_settings_boolean (section, "fully-qualified-names", def);
- 	g_free (section);
- 
- 	return qualify;
-diff --git a/service/realm-options.h b/service/realm-options.h
-index 7a1355e..b71d219 100644
---- a/service/realm-options.h
-+++ b/service/realm-options.h
-@@ -37,7 +37,8 @@ const gchar *  realm_options_user_principal           (GVariant *options,
- gboolean       realm_options_automatic_mapping        (GVariant *options,
- 						       const gchar *realm_name);
- 
--gboolean       realm_options_qualify_names            (const gchar *realm_name);
-+gboolean       realm_options_qualify_names            (const gchar *realm_name,
-+                                                       gboolean def);
- 
- gboolean       realm_options_check_domain_name        (const gchar *domain_name);
- 
-diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
-index 9335e26..61988eb 100644
---- a/service/realm-samba-winbind.c
-+++ b/service/realm-samba-winbind.c
-@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
- 		                      "winbind enum groups", "no",
- 		                      "winbind offline logon", "yes",
- 		                      "winbind refresh tickets", "yes",
--		                      "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
-+		                      "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
- 		                      "template shell", realm_settings_string ("users", "default-shell"),
- 		                      NULL);
- 
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 8543ca8..de7ce30 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
- 	gchar *home;
- 
- 	home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
--	qualify = realm_options_qualify_names (disco->domain_name);
-+	qualify = realm_options_qualify_names (disco->domain_name, TRUE);
- 	shell = realm_settings_string ("users", "default-shell");
- 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
- 	realmd_tags = g_string_new ("");
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index ff1dc8a..5029f6b 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
- 
- 		realm_sssd_config_update_domain (config, domain, &error,
- 		                                 "cache_credentials", "True",
--		                                 "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
-+		                                 "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
- 		                                 "krb5_store_password_if_offline", "True",
- 		                                 "default_shell", shell,
- 		                                 "fallback_homedir", home,
--- 
-2.17.1
-
diff --git a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
deleted file mode 100644
index 69f6aa3..0000000
--- a/SOURCES/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From d0d36965cce7a9bdff77c20ce9c9c1252b8c827c Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 31 May 2018 16:16:08 +0200
-Subject: [PATCH] Find NetBIOS name in keytab while leaving
-
-If realmd is used with Samba as membership software, i.e. Samba's net
-utility, the NetBIOS name must be known when leaving a domain. The most
-reliable way to find it is by searching the keytab for NAME$@REALM type
-entries and use the NAME as the NetBIOS name.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
----
- service/realm-kerberos.c     | 64 ++++++++++++++++++++++++++++++++++++++++++++
- service/realm-kerberos.h     |  2 ++
- service/realm-samba-enroll.c | 13 ++++++---
- 3 files changed, 76 insertions(+), 3 deletions(-)
-
-diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
-index 54d1ed7..d6d109f 100644
---- a/service/realm-kerberos.c
-+++ b/service/realm-kerberos.c
-@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
- 	return ret;
- 
- }
-+
-+gchar *
-+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
-+{
-+	krb5_error_code code;
-+	krb5_keytab keytab = NULL;
-+	krb5_context ctx;
-+	krb5_kt_cursor cursor = NULL;
-+	krb5_keytab_entry entry;
-+	krb5_principal realm_princ = NULL;
-+	gchar *princ_name = NULL;
-+	gchar *netbios_name = NULL;
-+	krb5_data *name_data;
-+
-+	code = krb5_init_context (&ctx);
-+	if (code != 0) {
-+		return NULL;
-+	}
-+
-+	princ_name = g_strdup_printf ("user@%s", realm_name);
-+	code = krb5_parse_name (ctx, princ_name, &realm_princ);
-+	g_free (princ_name);
-+
-+	if (code == 0) {
-+		code = krb5_kt_default (ctx, &keytab);
-+	}
-+
-+	if (code == 0) {
-+		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
-+	}
-+
-+	if (code == 0) {
-+		while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
-+			if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
-+				name_data = krb5_princ_component (ctx, entry.principal, 0);
-+				if (name_data != NULL
-+				                && name_data->length > 0
-+				                && name_data->data[name_data->length - 1] == '$') {
-+					netbios_name = g_strndup (name_data->data, name_data->length - 1);
-+					if (netbios_name == NULL) {
-+						code = krb5_kt_free_entry (ctx, &entry);
-+						warn_if_krb5_failed (ctx, code);
-+						break;
-+					}
-+				}
-+			}
-+			code = krb5_kt_free_entry (ctx, &entry);
-+			warn_if_krb5_failed (ctx, code);
-+		}
-+	}
-+
-+	code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
-+	warn_if_krb5_failed (ctx, code);
-+
-+	code = krb5_kt_close (ctx, keytab);
-+	warn_if_krb5_failed (ctx, code);
-+
-+	krb5_free_principal (ctx, realm_princ);
-+
-+	krb5_free_context (ctx);
-+
-+	return netbios_name;
-+
-+}
-diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
-index 0447e4d..58cfe07 100644
---- a/service/realm-kerberos.h
-+++ b/service/realm-kerberos.h
-@@ -88,6 +88,8 @@ gchar *             realm_kerberos_format_login          (RealmKerberos *self,
- gboolean            realm_kerberos_flush_keytab                (const gchar *realm_name,
-                                                                 GError **error);
- 
-+gchar *             realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
-+
- const gchar *       realm_kerberos_get_name                    (RealmKerberos *self);
- 
- const gchar *       realm_kerberos_get_realm_name              (RealmKerberos *self);
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index 76e7b79..03f56d0 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -85,7 +85,8 @@ static JoinClosure *
- join_closure_init (GTask *task,
-                    RealmDisco *disco,
-                    GVariant *options,
--                   GDBusMethodInvocation *invocation)
-+                   GDBusMethodInvocation *invocation,
-+                   gboolean do_join)
- {
- 	JoinClosure *join;
- 	gchar *workgroup;
-@@ -106,6 +107,12 @@ join_closure_init (GTask *task,
- 	else if (disco->explicit_netbios)
- 		authid = disco->explicit_netbios;
- 
-+	/* try to get the NetBIOS name from the keytab as last option while
-+	 * leaving the domain */
-+	if (authid == NULL && !do_join) {
-+		authid = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
-+	}
-+
- 	join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
- 	realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
- 	                      "security", "ads",
-@@ -393,7 +400,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
- 	g_return_if_fail (cred != NULL);
- 
- 	task = g_task_new (NULL, NULL, callback, user_data);
--	join = join_closure_init (task, disco, options, invocation);
-+	join = join_closure_init (task, disco, options, invocation, TRUE);
- 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
- 	if (explicit_computer_name != NULL) {
- 		realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
-@@ -462,7 +469,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
- 	JoinClosure *join;
- 
- 	task = g_task_new (NULL, NULL, callback, user_data);
--	join = join_closure_init (task, disco, options, invocation);
-+	join = join_closure_init (task, disco, options, invocation, FALSE);
- 
- 	switch (cred->type) {
- 	case REALM_CREDENTIAL_PASSWORD:
--- 
-2.14.4
-
diff --git a/SOURCES/0001-Fix-issues-found-by-Coverity.patch b/SOURCES/0001-Fix-issues-found-by-Coverity.patch
deleted file mode 100644
index ee9e081..0000000
--- a/SOURCES/0001-Fix-issues-found-by-Coverity.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From f413ee60dcd538603f0db608899799113fba053f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 14 Aug 2018 14:09:48 +0200
-Subject: [PATCH] Fix issues found by Coverity
-
----
- service/realm-kerberos.c | 5 ++++-
- service/realm-packages.c | 2 +-
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
-index d6d109f..252e256 100644
---- a/service/realm-kerberos.c
-+++ b/service/realm-kerberos.c
-@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
- 		if (name == NULL)
- 			break;
- 		value = va_arg (va, const gchar *);
--		g_return_if_fail (value != NULL);
-+		if (value == NULL) {
-+			va_end (va);
-+			g_return_if_reached ();
-+		}
- 
- 		values[0] = g_variant_new_string (name);
- 		values[1] = g_variant_new_string (value);
-diff --git a/service/realm-packages.c b/service/realm-packages.c
-index 9a6984c..5976439 100644
---- a/service/realm-packages.c
-+++ b/service/realm-packages.c
-@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
- 		g_ptr_array_add (packages, NULL);
- 		*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
- 	} else {
--		g_ptr_array_free (files, TRUE);
-+		g_ptr_array_free (packages, TRUE);
- 	}
- 
- 	if (result_files) {
--- 
-2.17.1
-
diff --git a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch b/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
deleted file mode 100644
index fe46620..0000000
--- a/SOURCES/0001-Fix-man-page-reference-in-systemd-service-file.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 27 Jul 2016 19:06:29 +0200
-Subject: [PATCH] Fix man page reference in systemd service file
-
----
- dbus/realmd.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
-index b3bcf7a..64c1090 100644
---- a/dbus/realmd.service.in
-+++ b/dbus/realmd.service.in
-@@ -1,6 +1,6 @@
- [Unit]
- Description=Realm and Domain Configuration
--Documentation=man:realmd(8)
-+Documentation=man:realm(8)
- 
- [Service]
- Type=dbus
--- 
-2.7.4
-
diff --git a/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch b/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
deleted file mode 100644
index 5484209..0000000
--- a/SOURCES/0001-IPA-do-not-call-sssd-enable-logins.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 27 Sep 2018 13:04:47 +0200
-Subject: [PATCH] IPA: do not call sssd-enable-logins
-
-It is expected that ipa-client-install will do all PAM and NSS
-configuration. To avoid changing IPA default realmd will not try to
-update the related configuration.
----
- service/realm-sssd-ipa.c | 24 +-----------------------
- 1 file changed, 1 insertion(+), 23 deletions(-)
-
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index 5029f6b..70f8b0e 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
-	g_free (enroll);
- }
- 
--static void
--on_enable_nss_done (GObject *source,
--                    GAsyncResult *result,
--                    gpointer user_data)
--{
--	GTask *task = G_TASK (user_data);
--	GError *error = NULL;
--	gint status;
--
--	status = realm_command_run_finish (result, NULL, &error);
--	if (error == NULL && status != 0)
--		g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
--		             _("Enabling SSSD in nsswitch.conf and PAM failed."));
--	if (error != NULL)
--		g_task_return_error (task, error);
--	else
--		g_task_return_boolean (task, TRUE);
--	g_object_unref (task);
--}
--
- static void
- on_restart_done (GObject *source,
-                  GAsyncResult *result,
-                  gpointer user_data)
- {
- 	GTask *task = G_TASK (user_data);
--	EnrollClosure *enroll = g_task_get_task_data (task);
- 	RealmSssd *sssd = g_task_get_source_object (task);
- 	GError *error = NULL;
- 
- 	realm_service_enable_and_restart_finish (result, &error);
- 	if (error == NULL) {
- 		realm_sssd_update_properties (sssd);
--		realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
--		                               on_enable_nss_done, g_object_ref (task));
-+		g_task_return_boolean (task, TRUE);
- 	} else {
- 		g_task_return_error (task, error);
- 	}
--- 
-2.17.1
-
diff --git a/SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch b/SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
deleted file mode 100644
index 7688f29..0000000
--- a/SOURCES/0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
+++ /dev/null
@@ -1,392 +0,0 @@
-From 2fa90caf4ad38541615446b80dbeaccd0d0e6a6f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 28 Oct 2020 13:40:03 +0100
-Subject: [PATCH] Kerberos: add default_domain and udp_preference_limit
-
-When joining an Active Directory domain realmd will set the
-default_domain and udp_preference_limit in the Kerberos configuration to
-avoid errors and make Kerberos handling in the AD domain more easy.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791016
----
- doc/manual/realmd.conf.xml      |  69 +++++++++++++++++++
- service/Makefile.am             |   2 +
- service/realm-kerberos-config.c | 116 ++++++++++++++++++++++++++++++++
- service/realm-kerberos-config.h |  35 ++++++++++
- service/realm-samba.c           |  12 ++++
- service/realm-sssd-ad.c         |  12 ++++
- service/realmd-debian.conf      |   1 +
- service/realmd-defaults.conf    |   1 +
- service/realmd-redhat.conf      |   1 +
- service/realmd-suse.conf        |   1 +
- 10 files changed, 250 insertions(+)
- create mode 100644 service/realm-kerberos-config.c
- create mode 100644 service/realm-kerberos-config.h
-
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index 9062252..97d2e8d 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -304,6 +304,75 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
- 
- </refsect1>
- 
-+<refsect1 id="realmd-conf-paths">
-+	<title>paths</title>
-+
-+	<para>These options should go in an <option>[paths]</option>
-+	section of the <filename>/etc/realmd.conf</filename> file. Only
-+	specify the settings you wish to override.</para>
-+
-+	<variablelist>
-+	<varlistentry>
-+	<term><option>krb5.conf</option></term>
-+	<listitem>
-+		<para>Path to the Kerberos configuration file, typically
-+		<filename>/etc/krb5.conf</filename>. It can also be the path of
-+		a file included by <filename>/etc/krb5.conf</filename>, e.g.
-+		<filename>/etc/krb5.conf.d/realmd_settings</filename>, if the
-+		file does not exist if will be created.</para>
-+
-+		<informalexample>
-+<programlisting language="js">
-+[paths]
-+krb5.conf = /etc/krb5.conf.d/realmd_settings
-+
-+</programlisting>
-+		</informalexample>
-+
-+		<para>When joining an Active Directory domain
-+		<command>realmd</command> will set the
-+		<option>default_realm</option> and
-+		<option>udp_preference_limit</option> options in the Kerberos
-+		configuration:</para>
-+
-+		<informalexample>
-+<programlisting language="js">
-+default_realm = DOMAIN.EXAMPLE.COM
-+udp_preference_limit = 0
-+
-+</programlisting>
-+		</informalexample>
-+
-+		<para>The <option>default_realm</option> option is e.g. needed
-+		when trying to resolve enterprise principals and makes it more
-+		convenient to request Kerberos tickets for users of the default
-+		realm. Instead of specifying the whole principal just
-+		<command>kinit username</command> can be used.</para>
-+
-+		<para>With <option>udp_preference_limit = 0</option> always TCP
-+		will be used to send Kerberos request to domain controller. This
-+		is useful in Active Directory environments because Kerberos will
-+		typically switch to TCP after initially starting with UDP
-+		because AD Kerberos tickets are often larger than UDP can handle.
-+		Using TCP by default will avoid those extra UDP round trips.
-+		Additionally it helps to avoid issues with password changes when
-+		the DC does not reply soon enough and the client will send a
-+		second UDP request. The DC might reply with a reply error to the
-+		second request although the original password change request was
-+		successful and the client will no know if the request was
-+		successful or not. When using TCP this cannot happen because the
-+		client will never send a second request but waits on the
-+		connection until the server replies.</para>
-+
-+		<para>Please note that <command>realmd</command> will not remove
-+		those options while leaving the domain since they are useful in
-+		general. When joining a new domain <command>realmd</command>
-+		will of course overwrite <option>default_realm</option>.</para>
-+	</listitem>
-+	</varlistentry>
-+	</variablelist>
-+</refsect1>
-+
- <refsect1 id="realmd-conf-specific-settings">
- 	<title>Realm specific settings</title>
- 	<para>These options should go in an section with the same name
-diff --git a/service/Makefile.am b/service/Makefile.am
-index 88ee780..031cd1d 100644
---- a/service/Makefile.am
-+++ b/service/Makefile.am
-@@ -57,6 +57,8 @@ realmd_SOURCES = \
- 	service/realm-invocation.h \
- 	service/realm-kerberos.c \
- 	service/realm-kerberos.h \
-+	service/realm-kerberos-config.c \
-+	service/realm-kerberos-config.h \
- 	service/realm-kerberos-membership.c \
- 	service/realm-kerberos-membership.h \
- 	service/realm-kerberos-provider.c \
-diff --git a/service/realm-kerberos-config.c b/service/realm-kerberos-config.c
-new file mode 100644
-index 0000000..447a452
---- /dev/null
-+++ b/service/realm-kerberos-config.c
-@@ -0,0 +1,116 @@
-+/* realmd -- Realm configuration service
-+ *
-+ * Copyright 2020 Red Hat Inc
-+ *
-+ * This program is free software: you can redistribute it and/or modify
-+ * it under the terms of the GNU Lesser General Public License as published
-+ * by the Free Software Foundation; either version 2 of the licence or (at
-+ * your option) any later version.
-+ *
-+ * See the included COPYING file for more information.
-+ *
-+ * Author: Sumit Bose <sbose@redhat.com>
-+ */
-+
-+#include "config.h"
-+
-+#include "realm-ini-config.h"
-+#include "realm-kerberos-config.h"
-+#include "realm-settings.h"
-+
-+#include <string.h>
-+
-+RealmIniConfig *
-+realm_kerberos_config_new_with_flags (RealmIniFlags flags,
-+                                      GError **error)
-+{
-+	RealmIniConfig *config;
-+	const gchar *filename;
-+	GError *err = NULL;
-+
-+	config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS | flags);
-+
-+	filename = realm_settings_path ("krb5.conf");
-+
-+	realm_ini_config_read_file (config, filename, &err);
-+
-+	if (err != NULL) {
-+		/* If the caller wants errors, then don't return an invalid samba config */
-+		if (error) {
-+			g_propagate_error (error, err);
-+			g_object_unref (config);
-+			config = NULL;
-+
-+		/* If the caller doesn't care, then warn but continue */
-+		} else {
-+			g_warning ("Couldn't load config file: %s: %s", filename,
-+			           err->message);
-+			g_error_free (err);
-+		}
-+	}
-+
-+	return config;
-+}
-+
-+RealmIniConfig *
-+realm_kerberos_config_new (GError **error)
-+{
-+	return realm_kerberos_config_new_with_flags (REALM_INI_NONE, error);
-+}
-+
-+gboolean
-+configure_krb5_conf_for_domain (const gchar *realm, GError **error )
-+{
-+	RealmIniConfig *config;
-+	gboolean res;
-+	GFile *gfile;
-+	GFileInfo *file_info = NULL;
-+
-+	config = realm_kerberos_config_new (error);
-+	if (config == NULL) {
-+		return FALSE;
-+	}
-+
-+	/* When writing to a file glib will replace the original file with a
-+	 * new one. To make sure permissions and other attributes like e.g.
-+	 * SELinux labels stay the same this information is saved before the
-+	 * change and applied to the new file afterwards. */
-+	gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
-+	file_info = g_file_query_info (gfile, "*", 0, NULL, error);
-+	g_object_unref (gfile);
-+	if (*error != NULL) {
-+		g_warning ("Couldn't load file attributes, "
-+		           "will continue without: %s: %s",
-+		           realm_ini_config_get_filename (config),
-+		           (*error)->message);
-+		g_clear_error (error);
-+	}
-+
-+	if (!realm_ini_config_begin_change (config, error)) {
-+		g_object_unref (config);
-+		return FALSE;
-+	}
-+
-+	realm_ini_config_set (config, "libdefaults",
-+	                              "default_realm", realm,
-+	                              "udp_preference_limit", "0",
-+	                               NULL);
-+
-+	res = realm_ini_config_finish_change (config, error);
-+
-+	if (file_info != NULL) {
-+		gfile = g_file_new_for_path (realm_ini_config_get_filename (config));
-+		if (!g_file_set_attributes_from_info (gfile, file_info,
-+		                                      0, NULL, error)) {
-+			g_warning ("Couldn't set file attributes: %s: %s",
-+			           realm_ini_config_get_filename (config),
-+			           (*error)->message);
-+		}
-+		g_object_unref (file_info);
-+		g_object_unref (gfile);
-+	}
-+
-+	g_object_unref (config);
-+
-+	return res;
-+}
-diff --git a/service/realm-kerberos-config.h b/service/realm-kerberos-config.h
-new file mode 100644
-index 0000000..791aa98
---- /dev/null
-+++ b/service/realm-kerberos-config.h
-@@ -0,0 +1,35 @@
-+/* realmd -- Realm configuration service
-+ *
-+ * Copyright 2020 Red Hat Inc
-+ *
-+ * This program is free software: you can redistribute it and/or modify
-+ * it under the terms of the GNU Lesser General Public License as published
-+ * by the Free Software Foundation; either version 2 of the licence or (at
-+ * your option) any later version.
-+ *
-+ * See the included COPYING file for more information.
-+ *
-+ * Author: Sumit Bose <sbose@redhat.com>
-+ */
-+
-+#include "config.h"
-+
-+#ifndef __REALM_KERBEROS_CONFIG_H__
-+#define __REALM_KERBEROS_CONFIG_H__
-+
-+#include <gio/gio.h>
-+
-+#include "realm-ini-config.h"
-+
-+
-+RealmIniConfig *    realm_kerberos_config_new                      (GError **error);
-+
-+RealmIniConfig *    realm_kerberos_config_new_with_flags           (RealmIniFlags flags,
-+                                                                    GError **error);
-+
-+gboolean            configure_krb5_conf_for_domain                 (const gchar *realm,
-+                                                                    GError **error );
-+
-+G_END_DECLS
-+
-+#endif /* __REALM_KERBEROS_CONFIG_H__ */
-diff --git a/service/realm-samba.c b/service/realm-samba.c
-index fe33600..e7b80a0 100644
---- a/service/realm-samba.c
-+++ b/service/realm-samba.c
-@@ -21,6 +21,7 @@
- #include "realm-disco.h"
- #include "realm-errors.h"
- #include "realm-kerberos.h"
-+#include "realm-kerberos-config.h"
- #include "realm-kerberos-membership.h"
- #include "realm-options.h"
- #include "realm-packages.h"
-@@ -210,6 +211,17 @@ on_join_do_winbind (GObject *source,
- 		                         NULL);
- 	}
- 
-+	if (error == NULL) {
-+		configure_krb5_conf_for_domain (enroll->disco->kerberos_realm, &error);
-+		if (error != NULL) {
-+			realm_diagnostics_error (enroll->invocation, error,
-+			                         "Failed to update Kerberos "
-+			                         "configuration, not fatal, "
-+			                         "please check manually");
-+			g_clear_error (&error);
-+		}
-+	}
-+
- 	if (error == NULL) {
- 		name = realm_kerberos_get_name (REALM_KERBEROS (self));
- 		realm_samba_winbind_configure_async (self->config, name, enroll->options,
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index de7ce30..6b2f9f8 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -19,6 +19,7 @@
- #include "realm-dbus-constants.h"
- #include "realm-diagnostics.h"
- #include "realm-errors.h"
-+#include "realm-kerberos-config.h"
- #include "realm-kerberos-membership.h"
- #include "realm-options.h"
- #include "realm-packages.h"
-@@ -256,6 +257,17 @@ on_join_do_sssd (GObject *source,
- 		                           join->options, join->use_adcli, &error);
- 	}
- 
-+	if (error == NULL) {
-+		configure_krb5_conf_for_domain (join->disco->kerberos_realm, &error);
-+		if (error != NULL) {
-+			realm_diagnostics_error (join->invocation, error,
-+			                         "Failed to update Kerberos "
-+			                         "configuration, not fatal, "
-+			                         "please check manually");
-+			g_clear_error (&error);
-+		}
-+	}
-+
- 	if (error == NULL) {
- 		realm_service_enable_and_restart ("sssd", join->invocation,
- 		                                  on_sssd_enable_nss, g_object_ref (task));
-diff --git a/service/realmd-debian.conf b/service/realmd-debian.conf
-index 3e93d60..6cfdcef 100644
---- a/service/realmd-debian.conf
-+++ b/service/realmd-debian.conf
-@@ -1,6 +1,7 @@
- # Distro specific overrides for debian
- [paths]
- smb.conf = /etc/samba/smb.conf
-+krb5.conf = /etc/krb5.conf
- 
- #
- # Normally in these packages sections we can specify a file
-diff --git a/service/realmd-defaults.conf b/service/realmd-defaults.conf
-index 6d7ccf8..ac4b436 100644
---- a/service/realmd-defaults.conf
-+++ b/service/realmd-defaults.conf
-@@ -11,6 +11,7 @@ sssd.conf = /etc/sssd/sssd.conf
- adcli = /usr/sbin/adcli
- ipa-client-install = /usr/sbin/ipa-client-install
- pam_winbind.conf = /etc/security/pam_winbind.conf
-+krb5.conf = /etc/krb5.conf
- 
- [active-directory]
- default-client = sssd
-diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
-index e39fad5..46e61b1 100644
---- a/service/realmd-redhat.conf
-+++ b/service/realmd-redhat.conf
-@@ -1,6 +1,7 @@
- # Distro specific overrides for redhat
- [paths]
- smb.conf = /etc/samba/smb.conf
-+krb5.conf = /etc/krb5.conf
- 
- [samba-packages]
- samba-common-tools = /usr/bin/net
-diff --git a/service/realmd-suse.conf b/service/realmd-suse.conf
-index 052b4dc..3165efa 100644
---- a/service/realmd-suse.conf
-+++ b/service/realmd-suse.conf
-@@ -1,6 +1,7 @@
- # Distro specific overrides for SuSE
- [paths]
- smb.conf = /etc/samba/smb.conf
-+krb5.conf = /etc/krb5.conf
- 
- [samba-packages]
- samba-client = /usr/bin/net
--- 
-2.26.2
-
diff --git a/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch b/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
deleted file mode 100644
index a61b602..0000000
--- a/SOURCES/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 5 Dec 2016 18:25:44 +0100
-Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
-
----
- service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
- 1 file changed, 39 insertions(+), 9 deletions(-)
-
-diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
-index 2b3a0f8..1477ae8 100644
---- a/service/realm-kerberos-provider.c
-+++ b/service/realm-kerberos-provider.c
-@@ -19,6 +19,7 @@
- #include "realm-kerberos-provider.h"
- 
- #include <errno.h>
-+#include <string.h>
- 
- struct _RealmKerberosProvider {
- 	RealmProvider parent;
-@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
- 
- }
- 
-+typedef struct {
-+	gchar *name;
-+	const char *prot;
-+} NameProtPair;
-+
-+static void
-+name_prot_pair_free (gpointer data)
-+{
-+	NameProtPair *name_prot_pair = data;
-+	g_free (name_prot_pair->name);
-+	g_free (name_prot_pair);
-+}
-+
- static void
- on_kerberos_discover (GObject *source,
-                       GAsyncResult *result,
-                       gpointer user_data)
- {
- 	GTask *task = G_TASK (user_data);
--	const gchar *domain = g_task_get_task_data (task);
-+	NameProtPair *name_prot_pair = g_task_get_task_data (task);
- 	GError *error = NULL;
- 	RealmDisco *disco;
- 	GList *targets;
-+	GResolver *resolver;
- 
- 	targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
- 	if (targets) {
- 		g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
--		disco = realm_disco_new (domain);
--		disco->kerberos_realm = g_ascii_strup (domain, -1);
-+		disco = realm_disco_new (name_prot_pair->name);
-+		disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
- 		g_task_return_pointer (task, disco, realm_disco_unref);
- 
- 	} else if (error) {
--		g_debug ("Resolving %s failed: %s", domain, error->message);
-+		g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
- 		g_error_free (error);
--		g_task_return_pointer (task, NULL, NULL);
-+
-+		if (strcmp (name_prot_pair->prot, "tcp") == 0) {
-+			g_task_return_pointer (task, NULL, NULL);
-+		} else {
-+			/* Try tcp */
-+			name_prot_pair->prot = "tcp";
-+			resolver = g_resolver_get_default ();
-+			g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
-+			                                 name_prot_pair->name,
-+			                                 g_task_get_cancellable (task),
-+			                                 on_kerberos_discover, g_object_ref (task));
-+			g_object_unref (resolver);
-+		}
- 	}
- 
- 	g_object_unref (task);
-@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
- 	GTask *task;
- 	const gchar *software;
- 	GResolver *resolver;
--	gchar *name;
-+	NameProtPair *name_prot_pair;
- 
- 	task = g_task_new (provider, NULL, callback, user_data);
- 
-@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
- 		g_task_return_pointer (task, NULL, NULL);
- 
- 	} else {
--		name = g_hostname_to_ascii (string);
-+		name_prot_pair = g_new0 (NameProtPair, 1);
-+		name_prot_pair->name = g_hostname_to_ascii (string);
-+		name_prot_pair->prot = "udp";
- 		resolver = g_resolver_get_default ();
--		g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
-+		g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
-+		                                 name_prot_pair->name,
- 		                                 realm_invocation_get_cancellable (invocation),
- 		                                 on_kerberos_discover, g_object_ref (task));
--		g_task_set_task_data (task, name, g_free);
-+		g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
- 		g_object_unref (resolver);
- 	}
- 
--- 
-2.9.3
-
diff --git a/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch b/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch
deleted file mode 100644
index 09e9ccf..0000000
--- a/SOURCES/0001-LDAP-don-t-close-LDAP-socket-twice.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 25 Nov 2016 17:35:11 +0100
-Subject: [PATCH] LDAP: don't close LDAP socket twice
-
-ldap_destroy() will call close() on the LDAP socket so with an explicit
-close() before the file descriptor will be closed twice. Even worse,
-since the file descriptor can be reused after the explicit call of
-close() by any other thread the close() called from ldap_destroy() might
-close a file descriptor used by a different thread as seen e.g. in
-https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
-
-Additionally the patch makes sure that the closed connection cannot be
-used again.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1398522
----
- service/realm-ldap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 061ed61..59817fb 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
- {
- 	LdapSource *ls = (LdapSource *)source;
- 
--	/* Yeah, this is pretty rough, but we don't want blocking here */
--	close (ls->sock);
- 	ldap_destroy (ls->ldap);
- 
-+	ls->sock = -1;
-+	ls->ldap = NULL;
-+
- 	if (ls->cancellable) {
- 		g_cancellable_release_fd (ls->cancellable);
- 		g_object_unref (ls->cancellable);
--- 
-2.9.3
-
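Review bot: Dropping this patch is only safe if the realmd-0.17.1 tarball already contains the `ldap_source_finalize` change, and nothing visible on this page confirms that. Without it the explicit `close (ls->sock)` before `ldap_destroy (ls->ldap)` comes back, and the second close can land on a descriptor that another thread has since been handed, as the removed commit message describes. It would help to say in the commit description or spec changelog that the fix is part of 0.17.1, and to check the unpacked source for `ls->sock = -1;` after `ldap_destroy` before merging.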
diff --git a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch b/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
deleted file mode 100644
index ea34960..0000000
--- a/SOURCES/0001-Use-current-idmap-options-for-smb.conf.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 30 May 2018 13:10:57 +0200
-Subject: [PATCH] Use current idmap options for smb.conf
-
-Samba change some time ago the way how to configure id-mapping. With
-this patch realmd will use the current supported options when creating
-smb.conf.
-
-A new option --legacy-samba-config is added to use the old options if
-realmd is used with Samba 3.5 or earlier.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
----
- dbus/realm-dbus-constants.h   |  1 +
- doc/manual/realmd.conf.xml    | 17 ++++++++++++
- service/realm-samba-enroll.c  |  2 +-
- service/realm-samba-enroll.h  |  3 +++
- service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
- 5 files changed, 72 insertions(+), 14 deletions(-)
-
-diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
-index 9cd30ef..40ffa2d 100644
---- a/dbus/realm-dbus-constants.h
-+++ b/dbus/realm-dbus-constants.h
-@@ -69,6 +69,7 @@ G_BEGIN_DECLS
- #define   REALM_DBUS_OPTION_COMPUTER_NAME          "computer-name"
- #define   REALM_DBUS_OPTION_OS_NAME                "os-name"
- #define   REALM_DBUS_OPTION_OS_VERSION             "os-version"
-+#define   REALM_DBUS_OPTION_LEGACY_SMB_CONF        "legacy-samba-config"
- 
- #define   REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY   "active-directory"
- #define   REALM_DBUS_IDENTIFIER_WINBIND            "winbind"
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index 7853230..a2b577c 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -192,6 +192,23 @@ automatic-install = no
- 	</listitem>
- 	</varlistentry>
- 
-+	<varlistentry>
-+	<term><option>legacy-samba-config</option></term>
-+	<listitem>
-+		<para>Set this to <parameter>yes</parameter> to create a Samba
-+		configuration file with id-mapping options used by Samba-3.5
-+		and earlier version.</para>
-+
-+		<informalexample>
-+<programlisting language="js">
-+[service]
-+legacy-samba-config = no
-+# legacy-samba-config = yes
-+</programlisting>
-+		</informalexample>
-+	</listitem>
-+	</varlistentry>
-+
- 	</variablelist>
- </refsect1>
- 
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index c81aed2..76e7b79 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
- 	g_free (join);
- }
- 
--static gchar *
-+gchar *
- fallback_workgroup (const gchar *realm)
- {
- 	const gchar *pos;
-diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
-index 84e8b2f..310ec65 100644
---- a/service/realm-samba-enroll.h
-+++ b/service/realm-samba-enroll.h
-@@ -46,6 +46,9 @@ void               realm_samba_enroll_leave_async          (RealmDisco *disco,
- gboolean           realm_samba_enroll_leave_finish         (GAsyncResult *result,
-                                                             GError **error);
- 
-+gchar *
-+fallback_workgroup (const gchar *realm);
-+
- G_END_DECLS
- 
- #endif /* __REALM_SAMBA_ENROLL_H__ */
-diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
-index a7ddec3..9335e26 100644
---- a/service/realm-samba-winbind.c
-+++ b/service/realm-samba-winbind.c
-@@ -21,8 +21,10 @@
- #include "realm-options.h"
- #include "realm-samba-config.h"
- #include "realm-samba-winbind.h"
-+#include "realm-samba-enroll.h"
- #include "realm-settings.h"
- #include "realm-service.h"
-+#include "dbus/realm-dbus-constants.h"
- 
- #include <glib/gstdio.h>
- 
-@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
- 	RealmIniConfig *pwc;
- 	GTask *task;
- 	GError *error = NULL;
-+	gchar *workgroup = NULL;
-+	gchar *idmap_config_backend = NULL;
-+	gchar *idmap_config_range = NULL;
-+	gchar *idmap_config_schema_mode = NULL;
- 
- 	g_return_if_fail (config != NULL);
- 	g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
-@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
- 		                      "template shell", realm_settings_string ("users", "default-shell"),
- 		                      NULL);
- 
--		if (realm_options_automatic_mapping (options, domain_name)) {
--			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
--			                      "idmap uid", "10000-2000000",
--			                      "idmap gid", "10000-2000000",
--			                      "idmap backend", "tdb",
--			                      "idmap schema", NULL,
--			                      NULL);
-+		if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
-+			if (realm_options_automatic_mapping (options, domain_name)) {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap uid", "10000-2000000",
-+						      "idmap gid", "10000-2000000",
-+						      "idmap backend", "tdb",
-+						      "idmap schema", NULL,
-+						      NULL);
-+			} else {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap uid", "500-4294967296",
-+						      "idmap gid", "500-4294967296",
-+						      "idmap backend", "ad",
-+						      "idmap schema", "rfc2307",
-+						      NULL);
-+			}
- 		} else {
--			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
--			                      "idmap uid", "500-4294967296",
--			                      "idmap gid", "500-4294967296",
--			                      "idmap backend", "ad",
--			                      "idmap schema", "rfc2307",
--			                      NULL);
-+			workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
-+			if (workgroup == NULL) {
-+				workgroup = fallback_workgroup (domain_name);
-+			}
-+			idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
-+			idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
-+			idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
-+			g_free (workgroup);
-+
-+			if (realm_options_automatic_mapping (options, domain_name)) {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap config * : backend", "tdb",
-+						      "idmap config * : range", "10000-999999",
-+						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
-+						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
-+						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
-+						      NULL);
-+			} else {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap config * : backend", "tdb",
-+						      "idmap config * : range", "10000000-10999999",
-+						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
-+						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
-+						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
-+						      NULL);
-+			}
- 		}
- 
- 		realm_ini_config_finish_change (config, &error);
-+		g_free (idmap_config_backend);
-+		g_free (idmap_config_range);
- 	}
- 
- 	/* Setup pam_winbind.conf with decent defaults matching our expectations */
--- 
-2.14.4
-
diff --git a/SOURCES/0001-Use-startTLS-with-FreeIPA.patch b/SOURCES/0001-Use-startTLS-with-FreeIPA.patch
deleted file mode 100644
index eade269..0000000
--- a/SOURCES/0001-Use-startTLS-with-FreeIPA.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 3 Jul 2020 17:18:27 +0200
-Subject: [PATCH] Use startTLS with FreeIPA
-
-FreeIPA is planning to required a minimal security strength factor (ssf)
-in an upcoming version. This basically means that communication should
-be encrypted. The most straight forward way is use TLS by doing a
-StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
-since the initial release we will call StartTLS unconditionally but try
-without if it fails.
-
-Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
----
- service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
- service/realm-ldap.c          |  4 +++-
- 2 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
-index 3100650..7614071 100644
---- a/service/realm-disco-rootdse.c
-+++ b/service/realm-disco-rootdse.c
-@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
-                      LDAP *ldap)
- {
- 	const char *attrs[] = { "info", "associatedDomain", NULL };
-+	int ret;
-+	int ldap_opt_val;
- 
- 	clo->request = NULL;
- 	clo->result = result_domain_info;
- 
-+	/* Trying to setup a TLS tunnel in the case the IPA server requires an
-+	 * encrypted connected. Trying without in case of an error. Since we
-+	 * most probably do not have the IPA CA certificate we will not check
-+	 * the server certificate. */
-+	ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
-+	ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
-+	if (ret != LDAP_OPT_SUCCESS) {
-+		g_debug ("Failed to disable certificate checking, trying without");
-+	}
-+
-+	ldap_opt_val = 0;
-+	ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
-+	if (ret != LDAP_OPT_SUCCESS) {
-+		g_debug ("Failed to refresh LDAP context for TLS, trying without");
-+	}
-+
-+	ret = ldap_start_tls_s (ldap, NULL, NULL);
-+	if (ret != LDAP_SUCCESS) {
-+		g_debug ("Failed to setup TLS tunnel, trying without");
-+	}
-+
- 	return search_ldap (task, clo, ldap, clo->default_naming_context,
- 	                    LDAP_SCOPE_BASE, NULL, attrs);
- }
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 59817fb..7831b5b 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 		if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
- 			g_warning ("couldn't set to blocking");
- 
--		rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
-+		url = g_strdup_printf ("ldap://%s:%d", addrname, port);
-+		rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
-+		g_free (url);
- 
- 		g_free (native);
- 
--- 
-2.26.2
-
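Review bot: Removing this patch should come with a check that 0.17.1 still performs the StartTLS step in `request_domain_info`; the tarball contents are not visible here. If the upstream code matches the removed patch, note that it sets `LDAP_OPT_X_TLS_REQUIRE_CERT` to `LDAP_OPT_X_TLS_NEVER` and continues in clear text when `ldap_start_tls_s` fails, so the session is neither authenticated nor guaranteed to be encrypted. A comment at that call such as `/* opportunistic TLS: server identity is not verified, treat the returned domain info as untrusted */` would keep later callers from relying on it for anything beyond discovery.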
diff --git a/SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch b/SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch
deleted file mode 100644
index ec1e7f8..0000000
--- a/SOURCES/0001-build-add-with-vendor-error-message-configure-option.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 4ef597d15df246f4121266aaf3e291e3f06f6f4a Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 10 Mar 2021 17:57:07 +0100
-Subject: [PATCH] build: add --with-vendor-error-message configure option
-
-With the new configure option --with-vendor-error-message a packager or
-a distribution can add a message if realmd returns with an error.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386
----
- configure.ac  | 15 +++++++++++++++
- tools/realm.c |  7 +++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index ee067d9..05ec1bf 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -51,6 +51,21 @@ fi
- 
- AC_SUBST(DISTRO)
- 
-+# -----------------------------------------------------------------------------
-+# Vendor error message
-+
-+AC_ARG_WITH([vendor-error-message],
-+              [AS_HELP_STRING([--with-vendor-error-message=ARG],
-+                            [Add a vendor specific error message shown if a realm command fails]
-+                           )],
-+              [AS_IF([test "x$withval" != "x"],
-+                     [AC_DEFINE_UNQUOTED([VENDOR_MSG],
-+                                         ["$withval"],
-+                                         [Vendor specific error message])],
-+                     [AC_MSG_ERROR([--with-vendor-error-message requires an argument])]
-+                    )],
-+              [])
-+
- # -----------------------------------------------------------------------------
- # Basic tools
- 
-diff --git a/tools/realm.c b/tools/realm.c
-index 1530f09..8fdca16 100644
---- a/tools/realm.c
-+++ b/tools/realm.c
-@@ -287,6 +287,13 @@ main (int argc,
- 			ret = (realm_commands[i].function) (client, argc, argv);
- 			g_object_unref (client);
- 
-+#ifdef VENDOR_MSG
-+			if (ret != 0) {
-+				g_printerr (VENDOR_MSG"\n");
-+			}
-+
-+#endif
-+
- 			break;
- 		}
- 	}
--- 
-2.31.1
-
diff --git a/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch b/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
deleted file mode 100644
index 0fa9108..0000000
--- a/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 28 Nov 2019 18:51:30 +0100
-Subject: [PATCH] configure: do not inherit DISTRO from the environment
-
-The argument of the --with-distro configure option is stored in the
-variable DISTRO. If DISTRO is already set in the build environment it
-should not be used hence DISTRO must be cleared by the configure script
-if not set by --with-distro.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
----
- configure.ac | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index e335247..a424a49 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
-             [AS_HELP_STRING([--with-distro],
-                             [Configure for a specific distribution (eg: redhat)]
-                            )],
--            [DISTRO=$withval])
-+            [DISTRO=$withval],
-+            [DISTRO=])
- 
- if test -z $DISTRO; then
- 	AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
--- 
-2.21.0
-
diff --git a/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch b/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
deleted file mode 100644
index 7185206..0000000
--- a/SOURCES/0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From fee9bde11b42ab39af6397a0c0ce4775443b28ea Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Mon, 6 Feb 2017 12:25:52 +0100
-Subject: [PATCH] doc: Add short arguments like -U arguments to realm manual
- page
-
-And clean up the documentation for the various arguments.
----
- doc/manual/realm.xml | 70 +++++++++++++++++++++++---------------------
- 1 file changed, 37 insertions(+), 33 deletions(-)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 6724d80..9d9136a 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -60,7 +60,7 @@
- 
- 	<variablelist>
- 		<varlistentry>
--			<term><option>--install=/path</option></term>
-+			<term><option>-i</option>, <option>--install=/path</option></term>
- 			<listitem><para>Run in install mode. This makes realmd
- 			chroot into the specified directory and place files in
- 			appropriate locations for use during an installer. No
-@@ -73,7 +73,7 @@
- 			for input.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
--			<term><option>--verbose, -v</option></term>
-+			<term><option>-v</option>, <option>--verbose</option></term>
- 			<listitem><para>Display verbose diagnostics while doing
- 			running commands.</para></listitem>
- 		</varlistentry>
-@@ -105,7 +105,7 @@ $ realm discover domain.example.com
- 
- 	<variablelist>
- 		<varlistentry>
--			<term><option>--all</option></term>
-+			<term><option>-a</option>, <option>--all</option></term>
- 			<listitem><para>Show all discovered realms (in various
- 			configurations).</para></listitem>
- 		</varlistentry>
-@@ -116,6 +116,10 @@ $ realm discover domain.example.com
- 			<replaceable>sssd</replaceable> or
- 			<replaceable>winbind</replaceable>.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>-n</option>, <option>--name</option></term>
-+			<listitem><para>Only show the names of the discovered realms.</para></listitem>
-+		</varlistentry>
- 		<varlistentry>
- 			<term><option>--server-software=xxx</option></term>
- 			<listitem><para>Only discover realms which run the
-@@ -187,10 +191,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			in the domain already.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
--			<term><option>--user=xxx</option></term>
--			<listitem><para>The user name to be used to authenticate
--			with when joining the machine to the realm. You will
--			be prompted for a password.</para></listitem>
-+			<term><option>--client-software=xxx</option></term>
-+			<listitem><para>Only join realms for which we can
-+			use the given client software. Possible values include
-+			<replaceable>sssd</replaceable> or
-+			<replaceable>winbind</replaceable>. Not all values are
-+			supported for all realms. By default the client software
-+			is automatically selected.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
- 			<term><option>--computer-ou=OU=xxx</option></term>
-@@ -201,6 +208,14 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			DSE portion of distinguished name. This is an Active
- 			Directory specific option.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--membership-software=xxx</option></term>
-+			<listitem><para>The software to use when joining to the
-+			realm. Possible values include <replaceable>samba</replaceable> or
-+			<replaceable>adcli</replaceable>. Not all values are
-+			supported for all realms. By default the membership software
-+			is automatically selected.</para></listitem>
-+		</varlistentry>
- 		<varlistentry>
- 			<term><option>--no-password</option></term>
- 			<listitem><para>Perform the join automatically without
-@@ -213,13 +228,16 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			all types of realms.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
--			<term><option>--client-software=xxx</option></term>
--			<listitem><para>Only join realms for which we can
--			use the given client software. Possible values include
--			<replaceable>sssd</replaceable> or
--			<replaceable>winbind</replaceable>. Not all values are
--			supported for all realms. By default the client software
--			is automatically selected.</para></listitem>
-+			<term><option>--os-name=xxx</option></term>
-+			<listitem><para>The name of the operation system of the
-+			client. When joining an AD domain the value is store in
-+			the matching AD attribute.</para></listitem>
-+		</varlistentry>
-+		<varlistentry>
-+			<term><option>--os-version=xxx</option></term>
-+			<listitem><para>The version of the operation system of the
-+			client. When joining an AD domain the value is store in
-+			the matching AD attribute.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
- 			<term><option>--server-software=xxx</option></term>
-@@ -229,12 +247,10 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			<replaceable>ipa</replaceable>.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
--			<term><option>--membership-software=xxx</option></term>
--			<listitem><para>The software to use when joining to the
--			realm. Possible values include <replaceable>samba</replaceable> or
--			<replaceable>adcli</replaceable>. Not all values are
--			supported for all realms. By default the membership software
--			is automatically selected.</para></listitem>
-+			<term><option>-U</option>, <option>--user=xxx</option></term>
-+			<listitem><para>The user name to be used to authenticate
-+			with when joining the machine to the realm. You will
-+			be prompted for a password.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
- 			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
-@@ -243,18 +259,6 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			the value for this option, then a principal will be set
- 			in the form of <literal>host/shortname@REALM</literal></para></listitem>
- 		</varlistentry>
--		<varlistentry>
--			<term><option>--os-name=xxx</option></term>
--			<listitem><para>The name of the operation system of the
--			client. When joining an AD domain the value is store in
--			the matching AD attribute.</para></listitem>
--		</varlistentry>
--		<varlistentry>
--			<term><option>--os-version=xxx</option></term>
--			<listitem><para>The version of the operation system of the
--			client. When joining an AD domain the value is store in
--			the matching AD attribute.</para></listitem>
--		</varlistentry>
- 	</variablelist>
- 
- </refsect1>
-@@ -300,7 +304,7 @@ $ realm leave domain.example.com
- 			for a pasword.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
--			<term><option>--user</option></term>
-+			<term><option>-U</option>, <option>--user</option></term>
- 			<listitem><para>The user name to be used to authenticate
- 			with when leaving the realm. You will be prompted for a
- 			password. Implies <option>--remove</option>.</para></listitem>
--- 
-2.21.0
-
diff --git a/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch b/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch
deleted file mode 100644
index f5345d6..0000000
--- a/SOURCES/0001-doc-add-computer-name-to-realm-man-page.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 05100771ea6bd775caae705bb53f76a0816f3b81 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 11 May 2021 11:13:06 +0200
-Subject: [PATCH] doc: add computer-name to realm man page
-
----
- doc/manual/realm.xml | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 9160a8a..b4dc27c 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			supported for all realms. By default the membership software
- 			is automatically selected.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--computer-name=xxx</option></term>
-+			<listitem>
-+				<para>This option only applies to Active
-+				Directory realms. Specify this option to
-+				override the default name used when creating
-+				the computer account. The system's FQDN will
-+				still be saved in the dNSHostName attribute.</para>
-+				<para>Specify the name as a string of 15 or
-+				fewer characters that is a valid NetBIOS
-+				computer name.</para>
-+			</listitem>
-+		</varlistentry>
- 		<varlistentry>
- 			<term><option>--no-password</option></term>
- 			<listitem><para>Perform the join automatically without
--- 
-2.31.1
-
diff --git a/SOURCES/0001-doc-extend-description-of-config-handling.patch b/SOURCES/0001-doc-extend-description-of-config-handling.patch
deleted file mode 100644
index b708739..0000000
--- a/SOURCES/0001-doc-extend-description-of-config-handling.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 29 Nov 2019 21:57:02 +0100
-Subject: [PATCH] doc: extend description of config handling
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005
----
- doc/manual/Makefile.am     |  8 ++++++++
- doc/manual/realmd.conf.xml | 15 +++++++++++----
- doc/privatedir.xml.in      |  1 +
- 4 files changed, 21 insertions(+), 4 deletions(-)
- create mode 100644 doc/privatedir.xml.in
-
-diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
-index 8b33fdd..9812c45 100644
---- a/doc/manual/Makefile.am
-+++ b/doc/manual/Makefile.am
-@@ -1,14 +1,20 @@
-+XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc
- 
- man8_MANS += \
- 	doc/manual/realm.8
- man5_MANS += \
- 	doc/manual/realmd.conf.5
- 
-+$(man5_MANS): doc/privatedir.xml
-+
- MAN_IN_FILES = \
- 	$(man8_MANS:.8=.xml) \
- 	$(man5_MANS:.5=.xml) \
- 	$(NULL)
- 
-+doc/privatedir.xml: doc/privatedir.xml.in
-+	$(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@
-+
- MANUAL_DOCBOOK = doc/manual/realmd-docs.xml
- 
- MANUAL_INCLUDES = \
-@@ -41,6 +47,7 @@ MANUAL_XSLT = \
- 	$(NULL)
- 
- EXTRA_DIST += \
-+	doc/privatedir.xml.in \
- 	$(MANUAL_DOCBOOK) \
- 	$(MANUAL_INCLUDES) \
- 	$(MAN_IN_FILES) \
-@@ -50,6 +57,7 @@ EXTRA_DIST += \
- 
- CLEANFILES += \
- 	realmd-org.freedesktop.realmd.generated \
-+	doc/privatedir.xml \
- 	$(DBUS_DOC_GENERATED) \
- 	$(DBUS_ESCAPED) \
- 	$(man8_MANS) \
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index 1592291..9062252 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -1,6 +1,9 @@
- <?xml version='1.0'?>
- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
--        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-+        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-+[
-+<!ENTITY privatedir SYSTEM "privatedir.xml">
-+]>
- 
- <refentry id="realmd-conf">
- 
-@@ -35,7 +38,9 @@
- 	to act in specific ways. This is done by placing settings in a
- 	<filename>/etc/realmd.conf</filename>. This file does not exist by
- 	default. The syntax of this file is the same as an INI file or
--	Desktop Entry file.</para>
-+	Desktop Entry file. If the file is changed and
-+	<command>realmd</command> is running <command>realmd</command> must be
-+	restarted to read the new values.</para>
- 
- 	<para>In general, settings in this file only apply at the point of
- 	joining a domain or realm. Once the realm has been setup the settings
-@@ -46,8 +51,10 @@
- 
- 	<para>Only specify the settings you wish to override in the
- 	<filename>/etc/realmd.conf</filename> file. Settings not specified will
--	be loaded from their packaged defaults. Only override the settings
--	below. You may find other settings if you look through the
-+	be loaded from their packaged defaults which can be found in
-+	<filename>&privatedir;/realmd-defaults.conf</filename> and
-+	<filename>&privatedir;/realmd-distro.conf</filename>. Only override the
-+	settings below. You may find other settings if you look through the
- 	<command>realmd</command> source code. However these are not guaranteed
- 	to remain stable.</para>
- 
-diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in
-new file mode 100644
-index 0000000..7f71afe
---- /dev/null
-+++ b/doc/privatedir.xml.in
-@@ -0,0 +1 @@
-+@privatedir@
-\ No newline at end of file
--- 
-2.21.0
-
diff --git a/SOURCES/0001-doc-extend-user-principal-section.patch b/SOURCES/0001-doc-extend-user-principal-section.patch
deleted file mode 100644
index c6e4cdf..0000000
--- a/SOURCES/0001-doc-extend-user-principal-section.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 29 Nov 2019 18:10:03 +0100
-Subject: [PATCH] doc: extend user-principal section
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814
----
- doc/manual/realm.xml       | 21 +++++++++++++++++++--
- doc/manual/realmd.conf.xml | 15 ++++++++++-----
- 2 files changed, 29 insertions(+), 7 deletions(-)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 7b73331..55a7640 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 		</varlistentry>
- 		<varlistentry>
- 			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
--			<listitem><para>Set the userPrincipalName field of the
-+			<listitem><para>Set the
-+			<option>userPrincipalName</option> field of the
- 			computer account to this kerberos principal. If you omit
- 			the value for this option, then a principal will be set
--			in the form of <literal>host/shortname@REALM</literal></para></listitem>
-+			based on the defaults of the membership software.</para>
-+			<para>AD makes a distinction between user and service
-+			principals. Only with user principals you can request a
-+			Kerberos Ticket-Granting-Ticket (TGT), i.e. only user
-+			principals can be used with the <command>kinit</command>
-+			command. By default the user principal and the canonical
-+			principal name of an AD computer account is
-+			<code>shortname$@AD.DOMAIN</code>, where shortname is
-+			the NetBIOS name which is limited to 15 characters.</para>
-+			<para>If there are applications which are not aware of
-+			the AD default and are using a hard-coded default
-+			principal the <option>--user-principal</option> can be
-+			used to make AD aware of this principal. Please note
-+			that <option>userPrincipalName</option> is a single
-+			value LDAP attribute, i.e. only one alternative user
-+			principal besides the AD default user principal can be
-+			set.</para></listitem>
- 		</varlistentry>
- 	</variablelist>
- 
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index f0b0879..a26a60c 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -365,12 +365,17 @@ computer-name = SERVER01
- 	</listitem>
- 	</varlistentry>
- 	<varlistentry>
--	<term><option>user-prinicpal</option></term>
-+	<term><option>user-principal</option></term>
- 	<listitem>
--		<para>Set the <option>user-prinicpal</option> to <code>yes</code>
--		to create <option>userPrincipalName</option> attributes for the
--		computer account in the realm, in the form
--		<code>host/computer@REALM</code></para>
-+		<para>Set the <option>user-principal</option> to <code>yes</code>
-+		to create <option>userPrincipalName</option> attribute for the
-+		computer accounts in the realm. The exact value depends on the
-+		defaults of the used membership software. To have full control
-+		over the value please use the
-+		<option>--user-principal</option> option of the
-+		<command>realm</command> command, see
-+		<citerefentry><refentrytitle>realm</refentrytitle>
-+		<manvolnum>8</manvolnum></citerefentry> for details.</para>
- 
- 		<informalexample>
- <programlisting language="js">
--- 
-2.21.0
-
diff --git a/SOURCES/0001-doc-fix-discover-name-only.patch b/SOURCES/0001-doc-fix-discover-name-only.patch
deleted file mode 100644
index 861f306..0000000
--- a/SOURCES/0001-doc-fix-discover-name-only.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 29 Nov 2019 18:49:15 +0100
-Subject: [PATCH 1/2] doc: fix discover name-only
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
----
- doc/manual/realmd.conf.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index a26a60c..fc6a785 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
- 
- 	<informalexample>
- <screen>
--$ <command>realm discover --name DOMAIN.example.com</command>
-+$ <command>realm discover --name-only DOMAIN.example.com</command>
- domain.example.com
- ...
- </screen>
--- 
-2.21.0
-
diff --git a/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch b/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch
deleted file mode 100644
index 2cd54ec..0000000
--- a/SOURCES/0001-doc-make-sure-cross-reference-ids-are-predictable.patch
+++ /dev/null
@@ -1,1500 +0,0 @@
-From 4f3c02dc14300c0b8e51a55d627c57f73c108f64 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 28 Sep 2018 10:36:19 +0200
-Subject: [PATCH] doc: make sure cross-reference ids are predictable
-
-To make sure the cross-reference ids are predictable in the
-auto-generated DBus documentation as well the xsl and css files form the
-gtk-doc package are updated as well.
----
- doc/manual/devhelp2.xsl                      | 173 ++++++++
- doc/manual/gtk-doc.xsl                       | 436 ++++++++-----------
- doc/manual/realm.xml                         |  14 +-
- doc/manual/realmd-guide-active-directory.xml |   4 +-
- doc/manual/realmd-guide-ipa.xml              |   2 +-
- doc/manual/realmd-guide-kerberos.xml         |   2 +-
- doc/manual/realmd.conf.xml                   |   4 +-
- doc/manual/static/gtk-doc.css                | 420 +++++++++++++-----
- 8 files changed, 688 insertions(+), 367 deletions(-)
- create mode 100644 doc/manual/devhelp2.xsl
-
-diff --git a/doc/manual/devhelp2.xsl b/doc/manual/devhelp2.xsl
-new file mode 100644
-index 0000000..bab6692
---- /dev/null
-+++ b/doc/manual/devhelp2.xsl
-@@ -0,0 +1,173 @@
-+<?xml version='1.0'?> <!--*- mode: xml -*-->
-+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-+                version='1.0'
-+                xmlns="http://www.devhelp.net/book"
-+                xmlns:str="http://exslt.org/strings"
-+                exclude-result-prefixes="str">
-+
-+  <xsl:template name="generate.devhelp2">
-+    <xsl:call-template name="write.chunk">
-+      <xsl:with-param name="filename">
-+        <xsl:choose>
-+          <xsl:when test="$gtkdoc.bookname">
-+            <xsl:value-of select="$gtkdoc.bookname"/>
-+          </xsl:when>
-+          <xsl:otherwise>
-+            <xsl:text>book</xsl:text>
-+          </xsl:otherwise>
-+        </xsl:choose>
-+        <xsl:text>.devhelp2</xsl:text>
-+      </xsl:with-param>
-+      <xsl:with-param name="method" select="'xml'"/>
-+      <xsl:with-param name="indent" select="'yes'"/>
-+      <xsl:with-param name="encoding" select="'utf-8'"/>
-+      <xsl:with-param name="doctype-public"/>
-+      <xsl:with-param name="content">
-+        <xsl:call-template name="devhelp2"/>
-+      </xsl:with-param>
-+    </xsl:call-template>
-+  </xsl:template>
-+
-+  <xsl:variable name="gtkdoc.refsect2" select="//refsect2"/>
-+
-+  <xsl:template name="devhelp2">
-+    <xsl:variable name="title">
-+      <xsl:apply-templates select="." mode="generate.devhelp2.toc.title.mode"/>
-+    </xsl:variable>
-+    <xsl:variable name="link">
-+      <xsl:call-template name="href.target"/>
-+    </xsl:variable>
-+    <xsl:variable name="author">
-+      <xsl:if test="articleinfo|bookinfo">
-+        <xsl:apply-templates mode="generate.devhelp2.authors"
-+                             select="articleinfo|bookinfo"/>
-+      </xsl:if>
-+    </xsl:variable>
-+    <xsl:variable name="online">
-+      <xsl:value-of select="/book/bookinfo/releaseinfo/ulink[@role='online-location']/@url"/>
-+    </xsl:variable>
-+    <xsl:variable name="toc.nodes" select="part|reference|preface|chapter|
-+                                           appendix|article|bibliography|
-+                                           glossary|index|refentry|
-+                                           bridgehead|sect1"/>
-+
-+    <book title="{$title}" link="{$link}" author="{$author}" name="{$gtkdoc.bookname}" version="2" language="c">
-+      <xsl:if test="$online != ''">
-+        <xsl:attribute name="online"><xsl:value-of select="$online"/></xsl:attribute>
-+      </xsl:if>
-+      <xsl:if test="$toc.nodes">
-+        <chapters>
-+          <xsl:apply-templates select="$toc.nodes"
-+                               mode="generate.devhelp2.toc.mode"/>
-+        </chapters>
-+      </xsl:if>
-+      <functions>
-+        <xsl:apply-templates select="$gtkdoc.refsect2[@role]"
-+                             mode="generate.devhelp2.index.mode"/>
-+        <xsl:apply-templates select="$gtkdoc.refsect2/refsect3[@role='enum_members']/informaltable/tgroup/tbody/row[@role='constant']"
-+                             mode="generate.devhelp2.index.mode"/>
-+        <xsl:apply-templates select="$gtkdoc.refsect2/refsect3[@role='struct_members']/informaltable/tgroup/tbody/row[@role='member']"
-+                             mode="generate.devhelp2.index.mode"/>
-+      </functions>
-+    </book>
-+  </xsl:template>
-+
-+  <xsl:template match="*" mode="generate.devhelp2.toc.mode">
-+    <xsl:variable name="title">
-+      <xsl:apply-templates select="." mode="generate.devhelp2.toc.title.mode"/>
-+    </xsl:variable>
-+    <xsl:variable name="target">
-+      <xsl:variable name="anchor" select="title/anchor"/>
-+      <xsl:choose>
-+        <xsl:when test="$anchor">
-+          <xsl:call-template name="href.target">
-+            <xsl:with-param name="object" select="$anchor"/>
-+          </xsl:call-template>
-+        </xsl:when>
-+        <xsl:otherwise>
-+          <xsl:call-template name="href.target"/>
-+        </xsl:otherwise>
-+      </xsl:choose>
-+    </xsl:variable>
-+
-+    <sub name="{$title}" link="{$target}">
-+      <xsl:apply-templates select="section|sect1|
-+                                   refentry|refsect|
-+                                   bridgehead|part|chapter|glossary|index"
-+                           mode="generate.devhelp2.toc.mode"/>
-+    </sub>
-+  </xsl:template>
-+
-+  <xsl:template match="*" mode="generate.devhelp2.index.mode">
-+    <xsl:variable name="title" select="title|
-+                                       term/literal|
-+                                       entry[@role='enum_member_name']/para|
-+                                       entry[@role='struct_member_name']/para/structfield/@id"/>
-+    <xsl:variable name="anchor" select="title/anchor|
-+                                        entry[@role='enum_member_name']/para|
-+                                        entry[@role='struct_member_name']/para/structfield"/>
-+    <xsl:variable name="type" select="@role"/>
-+    <xsl:variable name="condition" select="@condition"/>
-+    <xsl:variable name="target">
-+      <xsl:choose>
-+        <xsl:when test="$anchor">
-+          <xsl:call-template name="href.target">
-+            <xsl:with-param name="object" select="$anchor"/>
-+          </xsl:call-template>
-+        </xsl:when>
-+        <xsl:otherwise>
-+          <xsl:call-template name="href.target"/>
-+        </xsl:otherwise>
-+      </xsl:choose>
-+    </xsl:variable>
-+    <keyword type="{$type}" name="{$title}" link="{$target}">
-+      <xsl:if test="$condition">
-+        <xsl:for-each select="str:split($condition,'|')">
-+          <xsl:variable name="attrname">
-+            <xsl:value-of select="substring-before(.,':')"/>
-+          </xsl:variable>
-+          <xsl:choose>
-+            <xsl:when test="string-length($attrname)=0">
-+              <xsl:variable name="attrname2">
-+                <xsl:value-of select="."/>
-+              </xsl:variable>
-+              <xsl:attribute name="{$attrname2}"/>
-+            </xsl:when>
-+            <xsl:otherwise>
-+              <xsl:attribute name="{$attrname}">
-+                <xsl:value-of select="substring-after(.,':')"/>
-+              </xsl:attribute>
-+            </xsl:otherwise>
-+          </xsl:choose>
-+        </xsl:for-each>
-+     </xsl:if>
-+    </keyword>
-+  </xsl:template>
-+
-+  <!-- get title -->
-+  <xsl:template match="article" mode="generate.devhelp2.toc.title.mode">
-+    <xsl:value-of select="articleinfo/title"/>
-+  </xsl:template>
-+  <xsl:template match="book" mode="generate.devhelp2.toc.title.mode">
-+    <xsl:value-of select="bookinfo/title"/>
-+  </xsl:template>
-+  <xsl:template match="refentry" mode="generate.devhelp2.toc.title.mode">
-+    <xsl:value-of select="refmeta/refentrytitle"/>
-+  </xsl:template>
-+  <xsl:template match="*" mode="generate.devhelp2.toc.title.mode">
-+    <xsl:value-of select="title"/>
-+  </xsl:template>
-+
-+  <!-- generate list of authors ... -->
-+  <xsl:template match="articleinfo|bookinfo" mode="generate.devhelp2.authors">
-+    <xsl:for-each select="authorgroup/author">
-+      <xsl:value-of select="firstname"/>
-+      <xsl:text> </xsl:text>
-+      <xsl:value-of select="surname"/>
-+      <xsl:if test="not(last())">
-+        <xsl:text>, </xsl:text>
-+      </xsl:if>
-+    </xsl:for-each>
-+  </xsl:template>
-+
-+</xsl:stylesheet>
-diff --git a/doc/manual/gtk-doc.xsl b/doc/manual/gtk-doc.xsl
-index 9c0901b..3471e6c 100644
---- a/doc/manual/gtk-doc.xsl
-+++ b/doc/manual/gtk-doc.xsl
-@@ -5,20 +5,19 @@
-                 version="1.0">
- 
-   <!-- import the chunked XSL stylesheet -->
--  <!-- http://www.sagehill.net/docbookxsl/Chunking.html says we should use
--       "chunkfast.xsl", but I can see a difference -->
-+  <!-- http://www.sagehill.net/docbookxsl/Chunking.html#FastChunking says we should use
-+       "chunkfast.xsl", but I can't see a difference. Also it is not clear wheter
-+       one should still set "chunk.fast". Again, no meassuable difference. -->
-   <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl"/>
-+  <xsl:include href="devhelp2.xsl"/>
-   <xsl:include href="version-greater-or-equal.xsl"/>
- 
--  <xsl:key name="acronym.key"
--	   match="glossentry/glossterm"
--	   use="."/>
--  <xsl:key name="gallery.key"
--	   match="para[@role='gallery']/link"
--	   use="@linkend"/>
-+  <xsl:key name="acronym.key" match="glossentry/glossterm" use="."/>
-+  <xsl:key name="gallery.key" match="para[@role='gallery']/link" use="@linkend"/>
- 
-   <!-- change some parameters -->
-   <!-- http://docbook.sourceforge.net/release/xsl/current/doc/html/index.html -->
-+  <xsl:param name="admon.style"/>
-   <xsl:param name="toc.section.depth">2</xsl:param>
-   <xsl:param name="generate.toc">
-     book	toc
-@@ -28,16 +27,17 @@
-     part	toc
-     reference toc
-   </xsl:param>
-+  <xsl:param name="process.empty.source.toc">1</xsl:param>
- 
-   <xsl:param name="chunker.output.encoding" select="'UTF-8'"/>
-   <xsl:param name="chunker.output.indent" select="'yes'"/>
-   <xsl:param name="chunker.output.doctype-public" select="'-//W3C//DTD HTML 4.01 Transitional//EN'"/>
-   <xsl:param name="chunk.fast" select="1"/>
--  <xsl:param name="chunk.quietly" select="1"/>
- 
-   <xsl:param name="default.encoding" select="'UTF-8'"/>
-   <xsl:param name="chapter.autolabel" select="0"/>
-   <xsl:param name="use.id.as.filename" select="1"/>
-+  <xsl:param name="generate.consistent.ids" select="1"/>
-   <xsl:param name="html.ext" select="'.html'"/>
-   <xsl:param name="refentry.generate.name" select="0"/>
-   <xsl:param name="refentry.generate.title" select="1"/>
-@@ -60,6 +60,9 @@
-   <xsl:param name="gtkdoc.version" select="''"/>
-   <xsl:param name="gtkdoc.bookname" select="''"/>
- 
-+  <!-- Override the typical template to prevent showing titles -->
-+  <xsl:param name="admon.textlabel" select="0"/>
-+
-   <!-- ========================================================= -->
- 
-   <!-- l10n is slow, we don't ue it, so we'd like to turn it off
-@@ -68,12 +71,8 @@
- 
-   <xsl:param name="gtkdoc.l10n.xml" select="document('http://docbook.sourceforge.net/release/xsl/current/common/en.xml')"/>
- 
--  <xsl:key name="gtkdoc.gentext.key"
--	   match="l:gentext[@key]"
--	   use="@key"/>
--  <xsl:key name="gtkdoc.context.key"
--	   match="l:context[@name]"
--	   use="@name"/>
-+  <xsl:key name="gtkdoc.gentext.key" match="l:gentext[@key]" use="@key"/>
-+  <xsl:key name="gtkdoc.context.key" match="l:context[@name]" use="@name"/>
- 
-   <xsl:template name="gentext">
-     <xsl:param name="key" select="local-name(.)"/>
-@@ -250,7 +249,6 @@
-         </xsl:if>
-       </xsl:variable>
- 
--
-       <xsl:variable name="is.title-unnumbered">
-         <xsl:if test="$is.title = 0 and $is.title-numbered = 0">
-           <xsl:call-template name="gentext.template.exists">
-@@ -309,52 +307,8 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-     </xsl:if>
-     <xsl:apply-imports/>
- 
--    <!-- generate the index.sgml href index -->
--    <xsl:call-template name="generate.index"/>
--  </xsl:template>
--
--  <xsl:template name="generate.index">
--    <xsl:call-template name="write.text.chunk">
--      <xsl:with-param name="filename" select="'index.sgml'"/>
--      <xsl:with-param name="content">
--        <xsl:apply-templates select="/book/bookinfo/releaseinfo/ulink"
--                             mode="generate.index.mode"/>
--        <!-- check all anchor and refentry elements -->
--	<!--
--	    The obvious way to write this is //anchor|//refentry|etc...
--	    The obvious way is slow because it causes multiple traversals
--	    in libxslt. This take about half the time.
--	-->
--	<xsl:apply-templates select="//*[name()='anchor' or name()='refentry' or name()='refsect1' or
--				         name() = 'refsect2' or name()='refsynopsisdiv' or
--					 name()='varlistentry']"
--                             mode="generate.index.mode"/>
--      </xsl:with-param>
--      <xsl:with-param name="default.encoding" select="'UTF-8'"/>
--      <xsl:with-param name="chunker.output.indent" select="'no'"/>
--    </xsl:call-template>
--  </xsl:template>
--
--  <xsl:template match="*" mode="generate.index.mode">
--    <xsl:if test="not(@href) and count(@id) > 0">
--      <xsl:text>&lt;ANCHOR id=&quot;</xsl:text>
--      <xsl:value-of select="@id"/>
--      <xsl:text>&quot; href=&quot;</xsl:text>
--        <xsl:if test="$gtkdoc.bookname">
--          <xsl:value-of select="$gtkdoc.bookname"/>
--          <xsl:text>/</xsl:text>
--        </xsl:if>
--        <xsl:call-template name="href.target"/>
--        <xsl:text>&quot;&gt;&#10;</xsl:text>
--    </xsl:if>
--  </xsl:template>
--
--  <xsl:template match="/book/bookinfo/releaseinfo/ulink" mode="generate.index.mode">
--    <xsl:if test="@role='online-location'">
--      <xsl:text>&lt;ONLINE href=&quot;</xsl:text>
--      <xsl:value-of select="@url"/>
--      <xsl:text>&quot;&gt;&#10;</xsl:text>
--    </xsl:if>
-+    <!-- generate $book.devhelp2 -->
-+    <xsl:call-template name="generate.devhelp2"/>
-   </xsl:template>
- 
-   <!-- ========================================================= -->
-@@ -387,6 +341,15 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-     <xsl:apply-imports/>
-   </xsl:template>
- 
-+  <xsl:template name="user.head.title">
-+   <xsl:param name="node" select="."/>
-+   <xsl:param name="title"/>
-+   <xsl:variable name="home" select="/*[1]"/>
-+   <title>
-+     <xsl:copy-of select="$title"/>: <xsl:apply-templates select="$home" mode="object.title.markup"/>
-+   </title>
-+  </xsl:template>
-+
-   <xsl:template name="user.head.content">
-     <xsl:if test="$gtkdoc.version">
-       <meta name="generator" content="GTK-Doc V{$gtkdoc.version} (XML mode)"/>
-@@ -399,10 +362,10 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-       <hr />
-       <xsl:choose>
-         <xsl:when test="$gtkdoc.version">
--          Generated by GTK-Doc V<xsl:copy-of select="$gtkdoc.version" />
-+          <xsl:text>Generated by GTK-Doc V</xsl:text><xsl:copy-of select="$gtkdoc.version" />
-         </xsl:when>
-         <xsl:otherwise>
--          Generated by GTK-Doc
-+          <xsl:text>Generated by GTK-Doc</xsl:text>
-         </xsl:otherwise>
-       </xsl:choose>
-     </div>
-@@ -451,21 +414,119 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
- 
-     <xsl:if test="$suppress.navigation = '0' and $home != .">
-       <table class="navigation" id="top" width="100%"
--             summary = "Navigation header" cellpadding="2" cellspacing="2">
-+             summary = "Navigation header" cellpadding="2" cellspacing="5">
-         <tr valign="middle">
-+          <td width="100%" align="left" class="shortcuts">
-+            <!--<xsl:if test="name()='refentry'"-->
-+            <xsl:choose>
-+              <xsl:when test="count($refsections) > 0">
-+                <a href="#" class="shortcut">Top</a>
-+                <xsl:if test="count($sect_desc) > 0">
-+                  <span id="nav_description">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.description" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='desc']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_object_hierarchy) > 0">
-+                  <span id="nav_hierarchy">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.object-hierarchy" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='object_hierarchy']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_impl_interfaces) > 0">
-+                  <span id="nav_interfaces">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.implemented-interfaces" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='impl_interfaces']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_prerequisites) > 0">
-+                  <span id="nav_prerequisites">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.prerequisites" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='prerequisites']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_derived_interfaces) > 0">
-+                  <span id="nav_derived_interfaces">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.derived-interfaces" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='derived_interfaces']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_implementations) > 0">
-+                  <span id="nav_implementations">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.implementations" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='implementations']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_properties) > 0">
-+                  <span id="nav_properties">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.properties" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='properties']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_child_properties) > 0">
-+                  <span id="nav_child_properties">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.child-properties" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='child_properties']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_style_properties) > 0">
-+                  <span id="nav_style_properties">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.style-properties" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='style_properties']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+                <xsl:if test="count($sect_signal_proto) > 0">
-+                  <span id="nav_signals">&#160;&#160;<span class="dim">|</span>&#160;
-+                  <a href="#{$section_id}.signals" class="shortcut">
-+                    <xsl:value-of select="./refsect1[@role='signal_proto']/title"/>
-+                  </a></span>
-+                </xsl:if>
-+              </xsl:when>
-+              <!-- this is not yet very nice, as it requires all glossdic/indexdiv
-+                   elements having a anchor element. maybe we can customize the xsl
-+                   to automaticaly create local anchors
-+              -->
-+              <xsl:when test="count($glssections) > 0">
-+                <span id="nav_glossary">
-+                <xsl:for-each select="./glossdiv">
-+                  <xsl:if test="position() > 1">
-+                    &#160;<span class="dim">|</span>&#160;
-+                  </xsl:if>
-+                  <a class="shortcut">
-+                    <xsl:attribute name="href">#gls<xsl:value-of select="./title"/></xsl:attribute>
-+                    <xsl:value-of select="./title"/>
-+                  </a>
-+                </xsl:for-each>
-+                </span>
-+              </xsl:when>
-+              <xsl:when test="count($idxsections) > 0">
-+                <span id="nav_index">
-+                <xsl:for-each select="./indexdiv/indexdiv">
-+                  <xsl:if test="position() > 1">
-+                    &#160;<span class="dim">|</span>&#160;
-+                  </xsl:if>
-+                  <a class="shortcut">
-+                    <xsl:attribute name="href">#idx<xsl:value-of select="./title"/></xsl:attribute>
-+                    <xsl:value-of select="./title"/>
-+                  </a>
-+                </xsl:for-each>
-+                </span>
-+              </xsl:when>
-+            </xsl:choose>
-+          </td>
-           <xsl:choose>
--            <xsl:when test="count($prev) > 0">
-+            <xsl:when test="$home != .">
-               <td>
--                <a accesskey="p">
-+                <a accesskey="h">
-                   <xsl:attribute name="href">
-                     <xsl:call-template name="href.target">
--                      <xsl:with-param name="object" select="$prev"/>
-+                      <xsl:with-param name="object" select="$home"/>
-                     </xsl:call-template>
-                   </xsl:attribute>
--                  <img src="left.png" width="24" height="24" border="0">
-+                  <img src="home.png" width="16" height="16" border="0">
-                     <xsl:attribute name="alt">
-                       <xsl:call-template name="gentext">
--                        <xsl:with-param name="key">nav-prev</xsl:with-param>
-+                        <xsl:with-param name="key">nav-home</xsl:with-param>
-                       </xsl:call-template>
-                     </xsl:attribute>
-                   </img>
-@@ -485,7 +546,7 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-                       <xsl:with-param name="object" select="$up"/>
-                     </xsl:call-template>
-                   </xsl:attribute>
--                  <img src="up.png" width="24" height="24" border="0">
-+                  <img src="up.png" width="16" height="16" border="0">
-                     <xsl:attribute name="alt">
-                       <xsl:call-template name="gentext">
-                         <xsl:with-param name="key">nav-up</xsl:with-param>
-@@ -496,22 +557,22 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-               </td>
-             </xsl:when>
-             <xsl:otherwise>
--              <td>&#160;</td>
-+              <td><img src="up-insensitive.png" width="16" height="16" border="0"/></td>
-             </xsl:otherwise>
-           </xsl:choose>
-           <xsl:choose>
--            <xsl:when test="$home != .">
-+            <xsl:when test="count($prev) > 0">
-               <td>
--                <a accesskey="h">
-+                <a accesskey="p">
-                   <xsl:attribute name="href">
-                     <xsl:call-template name="href.target">
--                      <xsl:with-param name="object" select="$home"/>
-+                      <xsl:with-param name="object" select="$prev"/>
-                     </xsl:call-template>
-                   </xsl:attribute>
--                  <img src="home.png" width="24" height="24" border="0">
-+                  <img src="left.png" width="16" height="16" border="0">
-                     <xsl:attribute name="alt">
-                       <xsl:call-template name="gentext">
--                        <xsl:with-param name="key">nav-home</xsl:with-param>
-+                        <xsl:with-param name="key">nav-prev</xsl:with-param>
-                       </xsl:call-template>
-                     </xsl:attribute>
-                   </img>
-@@ -519,12 +580,9 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-               </td>
-             </xsl:when>
-             <xsl:otherwise>
--              <td>&#160;</td>
-+              <td><img src="left-insensitive.png" width="16" height="16" border="0"/></td>
-             </xsl:otherwise>
-           </xsl:choose>
--          <th width="100%" align="center">
--            <xsl:apply-templates select="$home" mode="object.title.markup"/>
--          </th>
-           <xsl:choose>
-             <xsl:when test="count($next) > 0">
-               <td>
-@@ -534,7 +592,7 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-                       <xsl:with-param name="object" select="$next"/>
-                     </xsl:call-template>
-                   </xsl:attribute>
--                  <img src="right.png" width="24" height="24" border="0">
-+                  <img src="right.png" width="16" height="16" border="0">
-                     <xsl:attribute name="alt">
-                       <xsl:call-template name="gentext">
-                         <xsl:with-param name="key">nav-next</xsl:with-param>
-@@ -545,148 +603,10 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-               </td>
-             </xsl:when>
-             <xsl:otherwise>
--              <td>&#160;</td>
-+              <td><img src="right-insensitive.png" width="16" height="16" border="0"/></td>
-             </xsl:otherwise>
-           </xsl:choose>
-         </tr>
--        <!--<xsl:if test="name()='refentry'"-->
--        <xsl:choose>
--          <xsl:when test="count($refsections) > 0">
--            <tr>
--              <td colspan="5" class="shortcuts">
--                <xsl:if test="count($sect_synopsis) > 0">
--                  <a href="#{$section_id}.synopsis" class="shortcut">Top</a>
--                </xsl:if>
--                <xsl:if test="count($sect_desc) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.description" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='desc']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_object_hierarchy) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.object-hierarchy" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='object_hierarchy']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_impl_interfaces) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.implemented-interfaces" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='impl_interfaces']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_prerequisites) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.prerequisites" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='prerequisites']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_derived_interfaces) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.derived-interfaces" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='derived_interfaces']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_implementations) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.implementations" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='implementations']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_properties) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.properties" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='properties']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_child_properties) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.child-properties" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='child_properties']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_style_properties) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.style-properties" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='style_properties']/title"/>
--                  </a>
--                </xsl:if>
--                <xsl:if test="count($sect_signal_proto) > 0">
--                  &#160;|&#160;
--                  <a href="#{$section_id}.signals" class="shortcut">
--                    <xsl:value-of select="./refsect1[@role='signal_proto']/title"/>
--                  </a>
--                </xsl:if>
--                <!--
--                <xsl:if test="count($sect_details) > 0">
--                  <a href="#details" class="shortcut">
--                    <xsl:value-of select="./refsect1[@id='details']/title"/>
--                  </a>
--                  &#160;|&#160;
--                </xsl:if>
--                <xsl:if test="count($sect_property_details) > 0">
--                  <a href="#property_details" class="shortcut">
--                    <xsl:value-of select="./refsect1[@id='property_details']/title"/>
--                  </a>
--                  &#160;|&#160;
--                </xsl:if>
--                <xsl:if test="count($sect_child_property_details) > 0">
--                  <a href="#child_property_details" class="shortcut">
--                    <xsl:value-of select="./refsect1[@id='property_child_details']/title"/>
--                  </a>
--                  &#160;|&#160;
--                </xsl:if>
--                <xsl:if test="count($sect_style_property_details) > 0">
--                  <a href="#style_property_details" class="shortcut">
--                    <xsl:value-of select="./refsect1[@id='style_property_details']/title"/>
--                  </a>
--                  &#160;|&#160;
--                </xsl:if>
--                <xsl:if test="count($sect_signals) > 0">
--                  <a href="#signals" class="shortcut">
--                    <xsl:value-of select="./refsect1[@id='signals']/title"/>
--                  </a>
--                  &#160;|&#160;
--                </xsl:if>
--                -->
--              </td>
--            </tr>
--          </xsl:when>
--          <!-- this is not yet very nice, as it requires all glossdic/indexdiv
--          elements having a anchor element. maybe we can customize the xsl
--          to automaticaly create local anchors
--          -->
--          <xsl:when test="count($glssections) > 0">
--            <tr>
--              <td colspan="5" class="shortcuts">
--                 <xsl:for-each select="./glossdiv">
--                   <xsl:if test="position() > 1">
--                     &#160;|&#160;
--                   </xsl:if>
--                   <a class="shortcut">
--                     <xsl:attribute name="href">#gls<xsl:value-of select="./title"/></xsl:attribute>
--                     <xsl:value-of select="./title"/>
--                   </a>
--                 </xsl:for-each>
--              </td>
--            </tr>
--          </xsl:when>
--          <xsl:when test="count($idxsections) > 0">
--            <tr>
--              <td colspan="5" class="shortcuts">
--                 <xsl:for-each select="./indexdiv/indexdiv">
--                   <xsl:if test="position() > 1">
--                     &#160;|&#160;
--                   </xsl:if>
--                   <a class="shortcut">
--                     <xsl:attribute name="href">#idx<xsl:value-of select="./title"/></xsl:attribute>
--                     <xsl:value-of select="./title"/>
--                   </a>
--                 </xsl:for-each>
--              </td>
--            </tr>
--          </xsl:when>
--        </xsl:choose>
-       </table>
-     </xsl:if>
-   </xsl:template>
-@@ -758,32 +678,32 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-       <table width="100%">
-         <tr><td valign="top">
-           <xsl:call-template name="anchor"/>
--            <xsl:choose>
--              <xsl:when test="$refentry.generate.name != 0">
--                <h2>
--                <xsl:call-template name="gentext">
--                    <xsl:with-param name="key" select="'RefName'"/>
--                  </xsl:call-template>
--                </h2>
--              </xsl:when>
--              <xsl:when test="$refentry.generate.title != 0">
--                <h2>
--                  <xsl:choose>
--                    <xsl:when test="../refmeta/refentrytitle">
--                      <xsl:apply-templates select="../refmeta/refentrytitle"/>
--                    </xsl:when>
--                    <xsl:otherwise>
--                      <xsl:apply-templates select="refname[1]"/>
--                    </xsl:otherwise>
--                  </xsl:choose>
--                </h2>
--              </xsl:when>
--            </xsl:choose>
--            <p>
-+          <xsl:choose>
-+            <xsl:when test="$refentry.generate.name != 0">
-+              <h2>
-+              <xsl:call-template name="gentext">
-+                  <xsl:with-param name="key" select="'RefName'"/>
-+                </xsl:call-template>
-+              </h2>
-+            </xsl:when>
-+            <xsl:when test="$refentry.generate.title != 0">
-+              <h2>
-+                <xsl:choose>
-+                  <xsl:when test="../refmeta/refentrytitle">
-+                    <xsl:apply-templates select="../refmeta/refentrytitle"/>
-+                  </xsl:when>
-+                  <xsl:otherwise>
-+                    <xsl:apply-templates select="refname[1]"/>
-+                  </xsl:otherwise>
-+                </xsl:choose>
-+              </h2>
-+            </xsl:when>
-+          </xsl:choose>
-+          <p>
-             <xsl:apply-templates/>
-           </p>
-         </td>
--        <td valign="top" align="right">
-+        <td class="gallery_image" valign="top" align="right">
-           <xsl:choose>
-             <xsl:when test="../refmeta/refmiscinfo/inlinegraphic">
-               <xsl:apply-templates select="../refmeta/refmiscinfo/inlinegraphic"/>
-@@ -795,7 +715,7 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-                    - use it here
-                 -->
-               <xsl:variable name="refentryid" select="../@id"/>
--	      <xsl:apply-templates select="key('gallery.key', $refentryid)/inlinegraphic"/>
-+              <xsl:apply-templates select="key('gallery.key', $refentryid)/inlinegraphic"/>
-             </xsl:otherwise>
-           </xsl:choose>
-         </td></tr>
-@@ -803,6 +723,21 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-      </div>
-   </xsl:template>
- 
-+  <!-- a copy from refentry.xsl to add the missing mode attribute,
-+       see bug/729911, https://sourceforge.net/p/docbook/bugs/1358/
-+       fixed in: https://sourceforge.net/p/docbook/code/9962/
-+  -->
-+  <xsl:template match="refpurpose" mode="no.anchor.mode">
-+    <xsl:if test="node()">
-+      <xsl:text> </xsl:text>
-+      <xsl:call-template name="dingbat">
-+        <xsl:with-param name="dingbat">em-dash</xsl:with-param>
-+      </xsl:call-template>
-+      <xsl:text> </xsl:text>
-+      <xsl:apply-templates mode="no.anchor.mode"/>
-+    </xsl:if>
-+  </xsl:template>
-+
-   <!-- add anchors for index sections -->
-   <xsl:template match="indexdiv">
-     <a><xsl:attribute name="name">idx<xsl:value-of select="./title"/></xsl:attribute></a>
-@@ -825,12 +760,12 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-       <span class="extralinks">
-         <xsl:for-each select="../ulink[@role='extralinks']">
-           <xsl:if test="position() = 1">[&#160;</xsl:if>
--          <xsl:if test="position() > 1">&#160;|&#160;</xsl:if>
-+          <xsl:if test="position() > 1">&#160;&#160;<span class="dim">|</span>&#160;</xsl:if>
-           <a>
-             <xsl:attribute name="href"><xsl:value-of select="@url"/></xsl:attribute>
-             <xsl:copy-of select="text()" />
-           </a>
--          <xsl:if test="position() = last()">&#160;]</xsl:if>
-+          <xsl:if test="position() = last()">&#160;&#160;]</xsl:if>
-         </xsl:for-each>
-       </span>
-     </xsl:if>
-@@ -861,11 +796,6 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-     <xsl:param name="acronym">
-       <xsl:apply-templates/>
-     </xsl:param>
--    <!--
--      We use for-each to change context to the database document because key()
--      only locates elements in the same document as the context node!
--    -->
--
-     <xsl:param name="value" >
-       <xsl:value-of select="key('acronym.key', $acronym)/../glossdef/para[1]" />
-     </xsl:param>
-@@ -878,7 +808,7 @@ Get a newer version at http://docbook.sourceforge.net/projects/xsl/
-         <a>
-           <xsl:attribute name="href">
-             <xsl:text>http://foldoc.org/</xsl:text>
--	        <xsl:value-of select="$acronym"/>
-+	          <xsl:value-of select="$acronym"/>
-           </xsl:attribute>
-           <xsl:call-template name="inline.charseq"/>
-         </a>
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 9d9136a..7b73331 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -49,7 +49,7 @@
- 	</cmdsynopsis>
- </refsynopsisdiv>
- 
--<refsect1>
-+<refsect1 id="man-description">
- 	<title>Description</title>
- 	<para><command>realm</command> is a command line tool that
- 	can be used to manage enrollment in kerberos realms, like Active
-@@ -81,7 +81,7 @@
- 
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="man-discover">
- 	<title>Discover</title>
- 
- 	<para>Discover a realm and its capabilities.</para>
-@@ -138,7 +138,7 @@ $ realm discover domain.example.com
- 
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="man-join">
- 	<title>Join</title>
- 
- 	<para>Configure the local machine for use with a realm.</para>
-@@ -263,7 +263,7 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="man-leave">
- 	<title>Leave</title>
- 
- 	<para>Deconfigure the local machine for use with a realm.</para>
-@@ -313,7 +313,7 @@ $ realm leave domain.example.com
- 
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="man-list">
- 	<title>List</title>
- 
- 	<para>List all the discovered and configured realms.</para>
-@@ -345,7 +345,7 @@ $ realm list
- 	</variablelist>
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="man-permit">
- 	<title>Permit</title>
- 
- 	<para>Permit local login by users of the realm.</para>
-@@ -392,7 +392,7 @@ $ realm permit --withdraw user@example.com
- 
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="man-deny">
- 	<title>Deny</title>
- 
- 	<para>Deny local login by realm accounts.</para>
-diff --git a/doc/manual/realmd-guide-active-directory.xml b/doc/manual/realmd-guide-active-directory.xml
-index 362cf94..c88e8af 100644
---- a/doc/manual/realmd-guide-active-directory.xml
-+++ b/doc/manual/realmd-guide-active-directory.xml
-@@ -69,7 +69,7 @@ $ <command>realm discover --verbose domain.example.com</command>
- 		<ulink url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html">Winbind</ulink>.
- 		By default SSSD is used.</para>
- 
--		<section>
-+		<section id="using-sssd-with-active-directory">
- 			<title>Using SSSD with Active Directory</title>
- 			<para><ulink url="https://fedorahosted.org/sssd/">SSSD</ulink>
- 			provides client software for various kerberos and/or LDAP
-@@ -91,7 +91,7 @@ $ <command>realm join --client-software=sssd domain.example.com</command>
- 			</informalexample>
- 		</section>
- 
--		<section>
-+		<section id="using-winbind-with-active-directory">
- 			<title>Using Winbind with Active Directory</title>
- 			<para>Samba
- 			<ulink url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html">Winbind</ulink>
-diff --git a/doc/manual/realmd-guide-ipa.xml b/doc/manual/realmd-guide-ipa.xml
-index bba6504..c3ad450 100644
---- a/doc/manual/realmd-guide-ipa.xml
-+++ b/doc/manual/realmd-guide-ipa.xml
-@@ -13,7 +13,7 @@
- 	users locally, and log into the local machine with IPA domain
- 	credentials.</para>
- 
--	<section>
-+	<section id="discovering-ipa-domains">
- 		<title>Discovering IPA domains</title>
- 		<para><command>realmd</command> discovers which domains or
- 		realms it can use or configure. It can discover and identify
-diff --git a/doc/manual/realmd-guide-kerberos.xml b/doc/manual/realmd-guide-kerberos.xml
-index a57e964..5b9d4b1 100644
---- a/doc/manual/realmd-guide-kerberos.xml
-+++ b/doc/manual/realmd-guide-kerberos.xml
-@@ -12,7 +12,7 @@
- 	Since there is no standard way to enroll a computer against a Kerberos
- 	server, it is not possible to do this with <command>realmd</command>.</para>
- 
--	<section>
-+	<section id="discovering-kerberos-realms">
- 		<title>Discovering Kerberos realms</title>
- 		<para><command>realmd</command> discovers which domains or
- 		realms it can use or configure. It can discover and identify
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index a2b577c..f0b0879 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -28,7 +28,7 @@
- 	<refpurpose>Tweak behavior of realmd</refpurpose>
- </refnamediv>
- 
--<refsect1>
-+<refsect1 id="realmd-conf-file">
- 	<title>Configuration File</title>
- 
- 	<para><command>realmd</command> can be tweaked by network administrators
-@@ -297,7 +297,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
- 
- </refsect1>
- 
--<refsect1>
-+<refsect1 id="realmd-conf-specific-settings">
- 	<title>Realm specific settings</title>
- 	<para>These options should go in an section with the same name
- 	as the realm in the <filename>/etc/realmd.conf</filename> file.
-diff --git a/doc/manual/static/gtk-doc.css b/doc/manual/static/gtk-doc.css
-index 5618926..af6ce9c 100644
---- a/doc/manual/static/gtk-doc.css
-+++ b/doc/manual/static/gtk-doc.css
-@@ -1,15 +1,23 @@
-+body
-+{
-+  font-family: cantarell, sans-serif;
-+}
- .synopsis, .classsynopsis
- {
-   /* tango:aluminium 1/2 */
-   background: #eeeeec;
--  border: solid 1px #d3d7cf;
-+  background: rgba(238, 238, 236, 0.5);
-+  border: solid 1px rgb(238, 238, 236);
-   padding: 0.5em;
- }
- .programlisting
- {
-   /* tango:sky blue 0/1 */
-+  /* fallback for no rgba support */
-   background: #e6f3ff;
-   border: solid 1px #729fcf;
-+  background: rgba(114, 159, 207, 0.1);
-+  border: solid 1px rgba(114, 159, 207, 0.2);
-   padding: 0.5em;
- }
- .variablelist
-@@ -22,86 +30,8 @@
-   vertical-align: top;
- }
- 
--@media screen {
--  sup a.footnote
--  {
--    position: relative;
--    top: 0em ! important;
--  }
--  /* this is needed so that the local anchors are displayed below the naviagtion */
--  div.footnote a[name], div.refnamediv a[name], div.refsect1 a[name], div.refsect2 a[name], div.index a[name], div.glossary a[name], div.sect1 a[name]
--  {
--    display: inline-block;
--    position: relative;
--    top:-5em;
--  }
--  /* this seems to be a bug in the xsl style sheets when generating indexes */
--  div.index div.index
--  {
--    top: 0em;
--  }
--  /* make space for the fixed navigation bar and add space at the bottom so that
--   * link targets appear somewhat close to top
--   */
--  body
--  {
--    padding-top: 3.2em;
--    padding-bottom: 20em;
--  }
--  /* style and size the navigation bar */
--  table.navigation#top
--  {
--    position: fixed;
--    /* tango:scarlet red 0/1 */
--    background: #ffe6e6;
--    border: solid 1px #ef2929;
--    margin-top: 0;
--    margin-bottom: 0;
--    top: 0;
--    left: 0;
--    height: 3em;
--    z-index: 10;
--  }
--  .navigation a, .navigation a:visited
--  {
--    /* tango:scarlet red 3 */
--    color: #a40000;
--  }
--  .navigation a:hover
--  {
--    /* tango:scarlet red 1 */
--    color: #ef2929;
--  }
--  td.shortcuts
--  {
--    /* tango:scarlet red 1 */
--    color: #ef2929;
--    font-size: 80%;
--    white-space: nowrap;
--  }
--}
--@media print {
--  table.navigation {
--    visibility: collapse;
--    display: none;
--  }
--  div.titlepage table.navigation {
--    visibility: visible;
--    display: table;
--    /* tango:scarlet red 0/1 */
--    background: #ffe6e6;
--    border: solid 1px #ef2929;
--    margin-top: 0;
--    margin-bottom: 0;
--    top: 0;
--    left: 0;
--    height: 3em;
--  }
--}
--
--.navigation .title
--{
--  font-size: 200%;
-+span.nowrap {
-+  white-space: nowrap;
- }
- 
- div.gallery-float
-@@ -131,6 +61,72 @@ a:hover
-   color: #729fcf;
- }
- 
-+div.informaltable table
-+{
-+  border-collapse: separate;
-+  border-spacing: 1em 0.3em;
-+  border: none;
-+}
-+
-+div.informaltable table td, div.informaltable table th
-+{
-+  vertical-align: top;
-+}
-+
-+.function_type,
-+.variable_type,
-+.property_type,
-+.signal_type,
-+.parameter_name,
-+.struct_member_name,
-+.union_member_name,
-+.define_keyword,
-+.datatype_keyword,
-+.typedef_keyword
-+{
-+  text-align: right;
-+}
-+
-+/* dim non-primary columns */
-+.c_punctuation,
-+.function_type,
-+.variable_type,
-+.property_type,
-+.signal_type,
-+.define_keyword,
-+.datatype_keyword,
-+.typedef_keyword,
-+.property_flags,
-+.signal_flags,
-+.parameter_annotations,
-+.enum_member_annotations,
-+.struct_member_annotations,
-+.union_member_annotations
-+{
-+  color: #888a85;
-+}
-+
-+.function_type a,
-+.function_type a:visited,
-+.function_type a:hover,
-+.property_type a,
-+.property_type a:visited,
-+.property_type a:hover,
-+.signal_type a,
-+.signal_type a:visited,
-+.signal_type a:hover,
-+.signal_flags a,
-+.signal_flags a:visited,
-+.signal_flags a:hover
-+{
-+ color: #729fcf;
-+}
-+
-+td p
-+{
-+  margin: 0.25em;
-+}
-+
- div.table table
- {
-   border-collapse: collapse;
-@@ -153,14 +149,44 @@ div.table table th
-   background-color: #d3d7cf;
- }
- 
-+h4
-+{
-+  color: #555753;
-+  margin-top: 1em;
-+  margin-bottom: 1em;
-+}
-+
- hr
- {
--  /* tango:aluminium 3 */
--  color: #babdb6;
--  background: #babdb6;
-+  /* tango:aluminium 1 */
-+  color: #d3d7cf;
-+  background: #d3d7cf;
-   border: none 0px;
-   height: 1px;
-   clear: both;
-+  margin: 2.0em 0em 2.0em 0em;
-+}
-+
-+dl.toc dt
-+{
-+  padding-bottom: 0.25em;
-+}
-+
-+dl.toc > dt
-+{
-+  padding-top: 0.25em;
-+  padding-bottom: 0.25em;
-+  font-weight: bold;
-+}
-+
-+dl.toc > dl
-+{
-+  padding-bottom: 0.5em;
-+}
-+
-+.parameter
-+{
-+  font-style: normal;
- }
- 
- .footer
-@@ -172,31 +198,70 @@ hr
-   font-size: 80%;
- }
- 
-+.informalfigure,
-+.figure
-+{
-+  margin: 1em;
-+}
-+
-+.informalexample,
-+.example
-+{
-+  margin-top: 1em;
-+  margin-bottom: 1em;
-+}
-+
- .warning
- {
-   /* tango:orange 0/1 */
-   background: #ffeed9;
-+  background: rgba(252, 175, 62, 0.1);
-   border-color: #ffb04f;
-+  border-color: rgba(252, 175, 62, 0.2);
- }
- .note
- {
-   /* tango:chameleon 0/0.5 */
-   background: #d8ffb2;
-+  background: rgba(138, 226, 52, 0.1);
-   border-color: #abf562;
-+  border-color: rgba(138, 226, 52, 0.2);
- }
--.note, .warning
-+div.blockquote
-+{
-+  border-color: #eeeeec;
-+}
-+.note, .warning, div.blockquote
- {
-   padding: 0.5em;
-   border-width: 1px;
-   border-style: solid;
-+  margin: 2em;
- }
--.note h3, .warning h3
-+.note p, .warning p
- {
--  margin-top: 0.0em
-+  margin: 0;
- }
--.note p, .warning p
-+
-+div.warning h3.title,
-+div.note h3.title
-+{
-+  display: none;
-+}
-+
-+p + div.section
-+{
-+  margin-top: 1em;
-+}
-+
-+div.refnamediv,
-+div.refsynopsisdiv,
-+div.refsect1,
-+div.refsect2,
-+div.toc,
-+div.section
- {
--  margin-bottom: 0.0em
-+  margin-bottom: 1em;
- }
- 
- /* blob links */
-@@ -209,33 +274,52 @@ h2 .extralinks, h3 .extralinks
-   font-weight: normal;
- }
- 
-+.lineart
-+{
-+  color: #d3d7cf;
-+  font-weight: normal;
-+}
-+
- .annotation
- {
-   /* tango:aluminium 5 */
-   color: #555753;
--  font-size: 80%;
-   font-weight: normal;
- }
- 
-+.structfield
-+{
-+  font-style: normal;
-+  font-weight: normal;
-+}
-+
-+acronym,abbr
-+{
-+  border-bottom: 1px dotted gray;
-+}
-+
- /* code listings */
- 
--.listing_code .programlisting .cbracket   { color: #a40000; } /* tango: scarlet red 3 */
--.listing_code .programlisting .comment    { color: #a1a39d; } /* tango: aluminium 4 */
--.listing_code .programlisting .function   { color: #000000; font-weight: bold; }
--.listing_code .programlisting .function a { color: #11326b; font-weight: bold; } /* tango: sky blue 4 */
--.listing_code .programlisting .keyword    { color: #4e9a06; } /* tango: chameleon 3  */
-+.listing_code .programlisting .normal,
-+.listing_code .programlisting .normal a,
-+.listing_code .programlisting .number,
-+.listing_code .programlisting .cbracket,
-+.listing_code .programlisting .symbol     { color: #555753; }
-+.listing_code .programlisting .comment,
- .listing_code .programlisting .linenum    { color: #babdb6; } /* tango: aluminium 3 */
--.listing_code .programlisting .normal     { color: #000000; }
--.listing_code .programlisting .number     { color: #75507b; } /* tango: plum 2 */
-+.listing_code .programlisting .function,
-+.listing_code .programlisting .function a,
- .listing_code .programlisting .preproc    { color: #204a87; } /* tango: sky blue 3  */
--.listing_code .programlisting .string     { color: #c17d11; } /* tango: chocolate 2 */
--.listing_code .programlisting .type       { color: #000000; }
--.listing_code .programlisting .type a     { color: #11326b; } /* tango: sky blue 4 */
--.listing_code .programlisting .symbol     { color: #ce5c00; } /* tango: orange 3 */
-+.listing_code .programlisting .string     { color: #ad7fa8; } /* tango: plum */
-+.listing_code .programlisting .keyword,
-+.listing_code .programlisting .usertype,
-+.listing_code .programlisting .type,
-+.listing_code .programlisting .type a     { color: #4e9a06; } /* tango: chameleon 3  */
- 
- .listing_frame {
-   /* tango:sky blue 1 */
-   border: solid 1px #729fcf;
-+  border: solid 1px rgba(114, 159, 207, 0.2);
-   padding: 0px;
- }
- 
-@@ -247,18 +331,152 @@ h2 .extralinks, h3 .extralinks
- .listing_lines {
-   /* tango:sky blue 0.5 */
-   background: #a6c5e3;
-+  background: rgba(114, 159, 207, 0.2);
-   /* tango:aluminium 6 */
-   color: #2e3436;
- }
- .listing_code {
-   /* tango:sky blue 0 */
-   background: #e6f3ff;
-+  background: rgba(114, 159, 207, 0.1);
- }
- .listing_code .programlisting {
-   /* override from previous */
-   border: none 0px;
-   padding: 0px;
-+  background: none;
- }
- .listing_lines pre, .listing_code pre {
-   margin: 0px;
- }
-+
-+@media screen {
-+  /* these have a <sup> as a first child, but since there are no parent selectors
-+   * we can't use that. */
-+  a.footnote
-+  {
-+    position: relative;
-+    top: 0em ! important;
-+  }
-+  /* this is needed so that the local anchors are displayed below the naviagtion */
-+  div.footnote a[name], div.refnamediv a[name], div.refsect1 a[name], div.refsect2 a[name], div.index a[name], div.glossary a[name], div.sect1 a[name]
-+  {
-+    display: inline-block;
-+    position: relative;
-+    top:-5em;
-+  }
-+  /* this seems to be a bug in the xsl style sheets when generating indexes */
-+  div.index div.index
-+  {
-+    top: 0em;
-+  }
-+  /* make space for the fixed navigation bar and add space at the bottom so that
-+   * link targets appear somewhat close to top
-+   */
-+  body
-+  {
-+    padding-top: 2.5em;
-+    padding-bottom: 500px;
-+    max-width: 60em;
-+  }
-+  p
-+  {
-+    max-width: 60em;
-+  }
-+  /* style and size the navigation bar */
-+  table.navigation#top
-+  {
-+    position: fixed;
-+    background: #e2e2e2;
-+    border-bottom: solid 1px #babdb6;
-+    border-spacing: 5px;
-+    margin-top: 0;
-+    margin-bottom: 0;
-+    top: 0;
-+    left: 0;
-+    z-index: 10;
-+  }
-+  table.navigation#top td
-+  {
-+    padding-left: 6px;
-+    padding-right: 6px;
-+  }
-+  .navigation a, .navigation a:visited
-+  {
-+    /* tango:sky blue 3 */
-+    color: #204a87;
-+  }
-+  .navigation a:hover
-+  {
-+    /* tango:sky blue 2 */
-+    color: #3465a4;
-+  }
-+  td.shortcuts
-+  {
-+    /* tango:sky blue 2 */
-+    color: #3465a4;
-+    font-size: 80%;
-+    white-space: nowrap;
-+  }
-+  td.shortcuts .dim
-+  {
-+    color: #babdb6;
-+  }
-+  .navigation .title
-+  {
-+    font-size: 80%;
-+    max-width: none;
-+    margin: 0px;
-+    font-weight: normal;
-+  }
-+}
-+@media screen and (min-width: 60em) {
-+  /* screen larger than 60em */
-+  body { margin: auto; }
-+}
-+@media screen and (max-width: 60em) {
-+  /* screen less than 60em */
-+  #nav_hierarchy { display: none; }
-+  #nav_interfaces { display: none; }
-+  #nav_prerequisites { display: none; }
-+  #nav_derived_interfaces { display: none; }
-+  #nav_implementations { display: none; }
-+  #nav_child_properties { display: none; }
-+  #nav_style_properties { display: none; }
-+  #nav_index { display: none; }
-+  #nav_glossary { display: none; }
-+  .gallery_image { display: none; }
-+  .property_flags { display: none; }
-+  .signal_flags { display: none; }
-+  .parameter_annotations { display: none; }
-+  .enum_member_annotations { display: none; }
-+  .struct_member_annotations { display: none; }
-+  .union_member_annotations { display: none; }
-+  /* now that a column is hidden, optimize space */
-+  col.parameters_name { width: auto; }
-+  col.parameters_description { width: auto; }
-+  col.struct_members_name { width: auto; }
-+  col.struct_members_description { width: auto; }
-+  col.enum_members_name { width: auto; }
-+  col.enum_members_description { width: auto; }
-+  col.union_members_name { width: auto; }
-+  col.union_members_description { width: auto; }
-+  .listing_lines { display: none; }
-+}
-+@media print {
-+  table.navigation {
-+    visibility: collapse;
-+    display: none;
-+  }
-+  div.titlepage table.navigation {
-+    visibility: visible;
-+    display: table;
-+    background: #e2e2e2;
-+    border: solid 1px #babdb6;
-+    margin-top: 0;
-+    margin-bottom: 0;
-+    top: 0;
-+    left: 0;
-+    height: 3em;
-+  }
-+}
--- 
-2.21.0
-
diff --git a/SOURCES/0001-ldap-add-socket-timeout.patch b/SOURCES/0001-ldap-add-socket-timeout.patch
deleted file mode 100644
index 2ba2db6..0000000
--- a/SOURCES/0001-ldap-add-socket-timeout.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 24 Nov 2021 17:25:18 +0100
-Subject: [PATCH] ldap: add socket timeout
-
-During the discovery phase realmd tries to open LDAP connections to
-multiple DC addresses returned by DNS. When cleaning up we have to call
-ldap_destroy() to release the resources allocated for the LDAP context.
-ldap_destroy() tries to send a LDAP unbind request independent of the
-connection state. If the related address is block by a firewall or a not
-properly routed IPv6 address there might be no reply on the TCP level
-and the request might be stuck for quite some tome in the kernel.
-
-To avoid the unexpected long delays will block realmd this patch lowers
-the timeout considerably to 5s. As multiple other timeouts this value is
-currently hardcoded.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
----
- service/realm-ldap.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index bdfb96c..f7b6d13 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -22,6 +22,7 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
-+#include <netinet/tcp.h>
- 
- #include <errno.h>
- 
-@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
- 
- /* Not included in ldap.h but documented */
- int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
-+#define LDAP_SOCKET_TIMEOUT 5
- 
- GSource *
- realm_ldap_connect_anonymous (GSocketAddress *address,
-@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 	int opt_rc;
- 	int ldap_opt_val;
- 	const char *errmsg = NULL;
-+	struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
-+	unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
- 
- 	g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
- 
-@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 		if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
- 			g_warning ("couldn't set to blocking");
- 
-+		/* Lower the kernel defaults which might be minutes to hours */
-+		rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
-+		                 &tv, sizeof (tv));
-+		if (rc != 0) {
-+			g_warning ("couldn't set SO_RCVTIMEO");
-+		}
-+		rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
-+		                 &tv, sizeof (tv));
-+		if (rc != 0) {
-+			g_warning ("couldn't set SO_SNDTIMEO");
-+		}
-+		rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
-+		                 &milli, sizeof (milli));
-+		if (rc != 0) {
-+			g_warning ("couldn't set TCP_USER_TIMEOUT");
-+		}
-+
- 		if (family == G_SOCKET_FAMILY_IPV4) {
- 			url = g_strdup_printf ("%s://%s:%d",
- 			                       use_ldaps ? "ldaps" : "ldap",
--- 
-2.34.1
-
diff --git a/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch b/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch
deleted file mode 100644
index ebfda2b..0000000
--- a/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From e41de8344a09092ae4d973f495eef54a106a11ee Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 26 Nov 2020 17:24:10 +0100
-Subject: [PATCH] ldap: setup TLS when using ldaps
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- service/realm-ldap.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 2076d1e..e07a299 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -263,6 +263,14 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 			return NULL;
- 		}
- 
-+		if (use_ldaps) {
-+			rc = ldap_install_tls (ls->ldap);
-+			if (rc != LDAP_SUCCESS) {
-+				g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
-+				return NULL;
-+			}
-+		}
-+
- 		break;
- 
- 	case G_SOCKET_PROTOCOL_UDP:
--- 
-2.28.0
-
diff --git a/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch b/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch
deleted file mode 100644
index 3200e8a..0000000
--- a/SOURCES/0001-samba-use-new-Samba-4.15-command-line-options.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 14 Dec 2021 15:32:32 +0100
-Subject: [PATCH] samba: use new Samba-4.15 command line options
-
-Samba-4.15 changed a couple of command line options of the net utility.
-This patch adds a configure option to select the new or the old style.
-If the option is not used configure tries to call the net utility to
-check for the options. If this fails the old style is used.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
----
- configure.ac                 | 34 ++++++++++++++++++++++++++++++++++
- service/realm-samba-enroll.c | 18 +++++++++++++-----
- 2 files changed, 47 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index ea51f92..ddc25d0 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
- AC_SUBST(LDAP_LIBS)
- AC_SUBST(LDAP_CFLAGS)
- 
-+# -------------------------------------------------------------------
-+# Samba
-+
-+AC_ARG_WITH(new-samba-cli-options,
-+	AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
-+	               [Use new command line options introduced with Samba-4.15,
-+	                if not provided the output of 'net help' is checked or old
-+	                style options are used]))
-+
-+if test "$with_new_samba_cli_options" = "no"; then
-+	AC_MSG_RESULT([Using old Samba command line options])
-+elif test "$with_new_samba_cli_options" = "yes"; then
-+	AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
-+	                   [Use new command line options introduced with Samba-4.15])
-+	AC_MSG_RESULT([Using new Samba command line options])
-+else
-+	AC_PATH_PROG([SAMBA_NET], [net])
-+	if test ! -x "$SAMBA_NET"; then
-+		AC_MSG_NOTICE([Could not find Samba's net utility, ]
-+		              [assuming old style command line options, ]
-+		              [please install the net utility for proper detection.])
-+	else
-+		AC_MSG_CHECKING([for --debug-stdout option of net])
-+		if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
-+			AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
-+			                   [Use new command line options introduced with Samba-4.15])
-+			AC_MSG_RESULT([yes])
-+		else
-+			AC_MSG_RESULT([no])
-+		fi
-+	fi
-+fi
-+
-+
- # -------------------------------------------------------------------
- # Directories
- 
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index 5624a08..8b2ee38 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -37,6 +37,14 @@
- #include <sys/socket.h>
- #include <netdb.h>
- 
-+#ifdef WITH_NEW_SAMBA_CLI_OPTS
-+#define SMBCLI_KERBEROS "--use-kerberos=required"
-+#define SMBCLI_CONF "--configfile"
-+#else
-+#define SMBCLI_KERBEROS "-k"
-+#define SMBCLI_CONF "-s"
-+#endif
-+
- typedef struct {
- 	GDBusMethodInvocation *invocation;
- 	gchar *join_args[8];
-@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
- 	/* Use our custom smb.conf */
- 	g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
- 	if (join->custom_smb_conf) {
--		g_ptr_array_add (args, "-s");
-+		g_ptr_array_add (args, SMBCLI_CONF);
- 		g_ptr_array_add (args, join->custom_smb_conf);
- 	}
- 
-@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
- 	} else {
- 		begin_net_process (join, NULL,
- 		                   on_keytab_do_finish, g_object_ref (task),
--		                   "-k", "ads", "keytab", "create", NULL);
-+		                   SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
- 	}
- 
- 	g_object_unref (task);
-@@ -428,7 +436,7 @@ begin_join (GTask *task,
- 		begin_net_process (join, join->password_input,
- 		                   on_join_do_keytab, g_object_ref (task),
- 		                   "-U", join->user_name,
--		                   "-k", "ads", "join", join->disco->domain_name,
-+		                   SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
- 		                   join->join_args[0], join->join_args[1],
- 		                   join->join_args[2], join->join_args[3],
- 		                   join->join_args[4], NULL);
-@@ -437,7 +445,7 @@ begin_join (GTask *task,
- 	} else {
- 		begin_net_process (join, NULL,
- 		                   on_join_do_keytab, g_object_ref (task),
--		                   "-k", "ads", "join", join->disco->domain_name,
-+		                   SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
- 		                   join->join_args[0], join->join_args[1],
- 		                   join->join_args[2], join->join_args[3],
- 		                   join->join_args[4], NULL);
-@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
- 		join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
- 		begin_net_process (join, NULL,
- 		                   on_leave_complete, g_object_ref (task),
--		                   "-k", "ads", "leave", NULL);
-+		                   SMBCLI_KERBEROS, "ads", "leave", NULL);
- 		break;
- 	default:
- 		g_return_if_reached ();
--- 
-2.33.1
-
diff --git a/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch b/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
deleted file mode 100644
index 8b8f633..0000000
--- a/SOURCES/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Fri, 28 Oct 2016 20:27:48 +0200
-Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
-
-After adding a domain to sssd.conf add the nss and pam services
-to the [sssd] block.
-
-https://bugs.freedesktop.org/show_bug.cgi?id=98479
----
- service/realm-sssd-ad.c     | 3 +++
- service/realm-sssd-config.c | 2 --
- service/realm-sssd-ipa.c    | 3 +++
- tests/test-sssd-config.c    | 4 ++--
- 4 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 5ed384d..5fa81ce 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
-                            gboolean use_adcli,
-                            GError **error)
- {
-+	const gchar *services[] = { "nss", "pam", NULL };
- 	GString *realmd_tags;
- 	const gchar *access_provider;
- 	const gchar *shell;
-@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
- 	                                    "ldap_sasl_authid", authid,
- 	                                    NULL);
- 
-+	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+
- 	g_free (authid);
- 	g_string_free (realmd_tags, TRUE);
- 
-diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
-index 2096afd..d4398b9 100644
---- a/service/realm-sssd-config.c
-+++ b/service/realm-sssd-config.c
-@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
- 	g_strfreev (already);
- 
- 	/* Setup a default sssd section */
--	if (!realm_ini_config_have (config, "section", "services"))
--		realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
- 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
- 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
- 
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index b12136e..001870d 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
-                           GAsyncResult *result,
-                           gpointer user_data)
- {
-+	const gchar *services[] = { "nss", "pam", NULL };
- 	GTask *task = G_TASK (user_data);
- 	EnrollClosure *enroll = g_task_get_task_data (task);
- 	RealmSssd *sssd = g_task_get_source_object (task);
-@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
- 		                                 "realmd_tags", realmd_tags,
- 		                                 NULL);
- 
-+		realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+
- 		g_free (home);
- 	}
- 
-diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
-index 59eab75..892b9d5 100644
---- a/tests/test-sssd-config.c
-+++ b/tests/test-sssd-config.c
-@@ -90,7 +90,7 @@ test_add_domain (Test *test,
-                  gconstpointer unused)
- {
- 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
--	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
-@@ -140,7 +140,7 @@ static void
- test_add_domain_only (Test *test,
-                       gconstpointer unused)
- {
--	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
--- 
-2.9.3
-
diff --git a/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch b/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
deleted file mode 100644
index 6c44727..0000000
--- a/SOURCES/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 25 Apr 2017 07:20:17 +0200
-Subject: [PATCH] service: Add "pam" and "nss" services in
- realm_sssd_config_add_domain()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-realm_sssd_config_add_domain() must setup the services line in sssd.conf
-otherwise SSSD won't be able to start any of its services.
-
-It's a regression caused by 402cbab which leaves SSSD with no services
-line when joining to an ad client doing "realm join ad.example".
-
-https://bugs.freedesktop.org/show_bug.cgi?id=98479
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
----
- service/realm-sssd-ad.c     | 3 ++-
- service/realm-sssd-config.c | 2 ++
- service/realm-sssd-ipa.c    | 3 ++-
- tests/test-sssd-config.c    | 4 ++--
- 4 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 5fa81ce..8543ca8 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
- 	                                    "ldap_sasl_authid", authid,
- 	                                    NULL);
- 
--	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+	if (ret)
-+		ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
- 
- 	g_free (authid);
- 	g_string_free (realmd_tags, TRUE);
-diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
-index d4398b9..140d7dc 100644
---- a/service/realm-sssd-config.c
-+++ b/service/realm-sssd-config.c
-@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
- 	gchar **already;
- 	gboolean ret;
- 	gchar *section;
-+	const gchar *services[] = { "nss", "pam", NULL };
- 	va_list va;
- 	gint i;
- 
-@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
- 	g_strfreev (already);
- 
- 	/* Setup a default sssd section */
-+	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
- 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
- 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
- 
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index 001870d..ff1dc8a 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
- 		                                 "realmd_tags", realmd_tags,
- 		                                 NULL);
- 
--		realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+		if (error == NULL)
-+			realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
- 
- 		g_free (home);
- 	}
-diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
-index 892b9d5..59eab75 100644
---- a/tests/test-sssd-config.c
-+++ b/tests/test-sssd-config.c
-@@ -90,7 +90,7 @@ test_add_domain (Test *test,
-                  gconstpointer unused)
- {
- 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
--	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
-@@ -140,7 +140,7 @@ static void
- test_add_domain_only (Test *test,
-                       gconstpointer unused)
- {
--	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
--- 
-2.9.3
-
diff --git a/SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch b/SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
deleted file mode 100644
index 241ee39..0000000
--- a/SOURCES/0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From cf40987b7f847be70ef3a5a0fa359116c0259477 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 30 Oct 2020 13:19:09 +0100
-Subject: [PATCH 1/6] service: add REALM_DBUS_OPTION_USE_LDAPS and
- realm_get_use_ldaps
-
-Add a new option to the realmd service to use ldaps where possible and
-supported.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- dbus/realm-dbus-constants.h |  1 +
- service/realm-options.c     | 17 +++++++++++++++++
- service/realm-options.h     |  2 ++
- 3 files changed, 20 insertions(+)
-
-diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
-index 40ffa2d..0bd7a5d 100644
---- a/dbus/realm-dbus-constants.h
-+++ b/dbus/realm-dbus-constants.h
-@@ -70,6 +70,7 @@ G_BEGIN_DECLS
- #define   REALM_DBUS_OPTION_OS_NAME                "os-name"
- #define   REALM_DBUS_OPTION_OS_VERSION             "os-version"
- #define   REALM_DBUS_OPTION_LEGACY_SMB_CONF        "legacy-samba-config"
-+#define   REALM_DBUS_OPTION_USE_LDAPS              "use-ldaps"
- 
- #define   REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY   "active-directory"
- #define   REALM_DBUS_IDENTIFIER_WINBIND            "winbind"
-diff --git a/service/realm-options.c b/service/realm-options.c
-index 34a209f..d42eb7c 100644
---- a/service/realm-options.c
-+++ b/service/realm-options.c
-@@ -199,3 +199,20 @@ realm_options_ad_specific (GVariant *options,
- 
- 	return g_strdup (value);
- }
-+
-+gboolean realm_option_use_ldaps (GVariant *options)
-+{
-+	gchar *use_ldaps_str;
-+
-+	use_ldaps_str = realm_options_ad_specific (options,
-+	                                          REALM_DBUS_OPTION_USE_LDAPS);
-+	if (use_ldaps_str != NULL
-+	            && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
-+	                || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
-+		g_free (use_ldaps_str);
-+		return TRUE;
-+	}
-+	g_free (use_ldaps_str);
-+
-+	return FALSE;
-+}
-diff --git a/service/realm-options.h b/service/realm-options.h
-index b71d219..bc13cd7 100644
---- a/service/realm-options.h
-+++ b/service/realm-options.h
-@@ -48,6 +48,8 @@ const gchar *  realm_options_computer_name           (GVariant *options,
- const gchar *  realm_options_ad_specific              (GVariant *options,
-                                                        const gchar *option_name);
- 
-+gboolean       realm_option_use_ldaps                 (GVariant *options);
-+
- G_END_DECLS
- 
- #endif /* __REALM_OPTIONS_H__ */
--- 
-2.26.2
-
diff --git a/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch b/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
deleted file mode 100644
index fbbc2d4..0000000
--- a/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From ccf48aa7761065283483d667f3efaf33b5b2a728 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 1 Dec 2020 14:12:33 +0100
-Subject: [PATCH 1/3] service: make sure use_ldaps is not only set for
- automatic join
-
-The check if ldaps is requested or not was only called if an automatic
-join was enabled. With this patch it is checked in all cases.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- service/realm-sssd-ad.c | 26 +++++++++++++-------------
- 1 file changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 00a9093..ea5f28c 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -349,19 +349,6 @@ parse_join_options (JoinClosure *join,
- 			return FALSE;
- 		}
- 
--	/*
--	 * Check if ldaps should be used and if membership software supports
--	 * it.
--	 */
--	join->use_ldaps = realm_option_use_ldaps (options);
--	if (join->use_ldaps &&
--	           g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
--		realm_diagnostics_info (join->invocation,
--		                        "Membership software %s does "
--		                        "not support ldaps, trying "
--		                        "without.", software);
--	}
--
- 	/*
- 	 * If we are enrolling with a user password, then we have to use samba,
- 	 * adcli only supports admin passwords.
-@@ -393,6 +380,19 @@ parse_join_options (JoinClosure *join,
- 
- 	g_assert (software != NULL);
- 
-+	/*
-+	 * Check if ldaps should be used and if membership software supports
-+	 * it.
-+	 */
-+	join->use_ldaps = realm_option_use_ldaps (options);
-+	if (join->use_ldaps &&
-+	           g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
-+		realm_diagnostics_info (join->invocation,
-+		                        "Membership software %s does "
-+		                        "not support ldaps, trying "
-+		                        "without.", software);
-+	}
-+
- 	if (g_str_equal (software, REALM_DBUS_IDENTIFIER_ADCLI)) {
- 		join->use_adcli = TRUE;
- 		join->packages = ADCLI_PACKAGES;
--- 
-2.28.0
-
diff --git a/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch b/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
deleted file mode 100644
index 6f3cd34..0000000
--- a/SOURCES/0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
+++ /dev/null
@@ -1,166 +0,0 @@
-From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 12 Aug 2020 12:58:27 +0200
-Subject: [PATCH] service: use 'additional dns hostnames' with net ads join
-
-With newer versions of Samba the net ads join does not add services
-principals with the configured host name anymore but added the new
-option 'additional dns hostnames' for this.
-
-realmd will try to figure out a fully-qualified host name and use it
-with the new option if it is from a different domain.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912
----
- service/realm-disco.c        |  1 +
- service/realm-disco.h        |  1 +
- service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++-
- service/realm-samba.c        |  6 ++++
- 4 files changed, 64 insertions(+), 1 deletion(-)
-
-diff --git a/service/realm-disco.c b/service/realm-disco.c
-index ab06939..a12be50 100644
---- a/service/realm-disco.c
-+++ b/service/realm-disco.c
-@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data)
- 		g_free (disco->explicit_netbios);
- 		g_free (disco->kerberos_realm);
- 		g_free (disco->workgroup);
-+		g_free (disco->dns_fqdn);
- 		if (disco->server_address)
- 			g_object_unref (disco->server_address);
- 		g_free (disco);
-diff --git a/service/realm-disco.h b/service/realm-disco.h
-index 5f3e5e9..35532d2 100644
---- a/service/realm-disco.h
-+++ b/service/realm-disco.h
-@@ -30,6 +30,7 @@ typedef struct {
- 	gchar *explicit_server;
- 	gchar *explicit_netbios;
- 	GSocketAddress *server_address;
-+	gchar *dns_fqdn;
- } RealmDisco;
- 
- #define        REALM_TYPE_DISCO             (realm_disco_get_type ())
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index 3f86c51..5624a08 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -33,6 +33,9 @@
- #include <errno.h>
- #include <fcntl.h>
- #include <string.h>
-+#include <sys/types.h>
-+#include <sys/socket.h>
-+#include <netdb.h>
- 
- typedef struct {
- 	GDBusMethodInvocation *invocation;
-@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm)
- 		return g_utf8_strup (realm, pos - realm);
- }
- 
-+static char *
-+try_to_get_fqdn (void)
-+{
-+	char hostname[HOST_NAME_MAX + 1];
-+	gchar *fqdn = NULL;
-+	int ret;
-+	struct addrinfo *res;
-+	struct addrinfo hints;
-+
-+	ret = gethostname (hostname, sizeof (hostname));
-+	if (ret < 0) {
-+		return NULL;
-+	}
-+
-+	if (strchr (hostname, '.') == NULL) {
-+		memset (&hints, 0, sizeof (struct addrinfo));
-+		hints.ai_socktype = SOCK_DGRAM;
-+		hints.ai_flags = AI_CANONNAME;
-+
-+		ret = getaddrinfo (hostname, NULL, &hints, &res);
-+		if (ret != 0) {
-+			return NULL;
-+		}
-+
-+		/* Only use a fully-qualified name */
-+		if (strchr (res->ai_canonname, '.') != NULL) {
-+			fqdn = g_strdup (res->ai_canonname);
-+		}
-+
-+		freeaddrinfo (res);
-+
-+	} else {
-+		fqdn = g_strdup (hostname);
-+	}
-+
-+	return fqdn;
-+}
-+
- static JoinClosure *
- join_closure_init (GTask *task,
-                    RealmDisco *disco,
-@@ -95,5 +136,7 @@ join_closure_init (GTask *task,
- 	const gchar *explicit_computer_name = NULL;
- 	const gchar *authid = NULL;
-+	gchar *fqdn = NULL;
-+	gchar *fqdn_dom = NULL;
- 
- 	join = g_new0 (JoinClosure, 1);
- 	join->disco = realm_disco_ref (disco);
-@@ -124,7 +167,7 @@ join_closure_init (GTask *task,
- 	                      "netbios name", authid,
- 	                      NULL);
- 
--    /*
-+	/*
- 	 * Samba complains if we don't set a 'workgroup' setting for the realm we're
- 	 * going to join. If we didn't yet manage to lookup the workgroup, then go ahead
- 	 * and assume that the first domain component is the workgroup name.
-@@ -144,6 +187,18 @@ join_closure_init (GTask *task,
- 			g_free (workgroup);
- 	}
- 
-+	/* Add the fully-qualified DNS hostname as additional name if it is from
-+	* a different domain. */
-+	fqdn = try_to_get_fqdn ();
-+	if (fqdn != NULL && join->disco->domain_name != NULL
-+	                 && (fqdn_dom = strchr (fqdn, '.')) != NULL
-+	                 && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) {
-+		disco->dns_fqdn = g_strdup (fqdn);
-+		realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
-+		                      "additional dns hostnames", disco->dns_fqdn, NULL);
-+	}
-+	g_free (fqdn);
-+
- 	/* Write out the config file for use by various net commands */
- 	join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL);
- 	temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR);
-diff --git a/service/realm-samba.c b/service/realm-samba.c
-index 4940b38..fe33600 100644
---- a/service/realm-samba.c
-+++ b/service/realm-samba.c
-@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source,
- 		                         NULL);
- 	}
- 
-+	if (error == NULL && enroll->disco->dns_fqdn != NULL) {
-+		realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
-+		                         "additional dns hostnames", enroll->disco->dns_fqdn,
-+		                         NULL);
-+	}
- 
- 	if (error == NULL) {
- 		name = realm_kerberos_get_name (REALM_KERBEROS (self));
-@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self,
- 	if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error,
- 	                              "workgroup", NULL,
- 	                              "realm", NULL,
-+	                              "additional dns hostnames", NULL,
- 	                              "security", "user",
- 	                              NULL)) {
- 		g_task_return_error (task, error);
--- 
-2.26.2
-
diff --git a/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch b/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch
deleted file mode 100644
index 69674e4..0000000
--- a/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 21 Feb 2020 14:06:16 +0100
-Subject: [PATCH] service: use "kerberos method" "secrets and keytab"
-
-When using Samba with Winbind the host password stored in secrets.tdb is
-still important so the "secrets and keytab" should be the preferred
-"kerberos method".
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
----
- service/realm-samba.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/service/realm-samba.c b/service/realm-samba.c
-index e2a3608..4940b38 100644
---- a/service/realm-samba.c
-+++ b/service/realm-samba.c
-@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
- 		                         "template shell", realm_settings_string ("users", "default-shell"),
- 		                         "netbios name", computer_name,
- 		                         "password server", enroll->disco->explicit_server,
--		                         "kerberos method", "system keytab",
-+		                         "kerberos method", "secrets and keytab",
- 		                         NULL);
- 	}
- 
--- 
-2.24.1
-
diff --git a/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch b/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
deleted file mode 100644
index 27a881c..0000000
--- a/SOURCES/0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 11 Aug 2020 11:18:17 +0200
-Subject: [PATCH] service: use net ads join with -k for user join as well
-
-The NTLM authentication used by 'net ads join' does only support crypto
-algorithms which e.g. are not allowed by FIPS. It would be better to
-tell 'net ads join' to try Kerberos first before falling back to NTLM by
-adding the '-k' option.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
----
- service/realm-samba-enroll.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index f5edca3..3f86c51 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -372,7 +372,8 @@ begin_join (GTask *task,
- 	} else if (join->user_name) {
- 		begin_net_process (join, join->password_input,
- 		                   on_join_do_keytab, g_object_ref (task),
--		                   "-U", join->user_name, "ads", "join", join->disco->domain_name,
-+		                   "-U", join->user_name,
-+		                   "-k", "ads", "join", join->disco->domain_name,
- 		                   join->join_args[0], join->join_args[1],
- 		                   join->join_args[2], join->join_args[3],
- 		                   join->join_args[4], NULL);
--- 
-2.26.2
-
diff --git a/SOURCES/0001-switch-to-authselect.patch b/SOURCES/0001-switch-to-authselect.patch
deleted file mode 100644
index d750d6d..0000000
--- a/SOURCES/0001-switch-to-authselect.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 19 Feb 2018 11:51:06 +0100
-Subject: [PATCH] switch to authselect
-
----
- service/realmd-redhat.conf | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
-index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
---- a/service/realmd-redhat.conf
-+++ b/service/realmd-redhat.conf
-@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
- freeipa-client = /usr/sbin/ipa-client-install
- 
- [commands]
--winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
--winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
-+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
- winbind-enable-service = /usr/bin/systemctl enable winbind.service
- winbind-disable-service = /usr/bin/systemctl disable winbind.service
- winbind-restart-service = /usr/bin/systemctl restart winbind.service
- winbind-stop-service = /usr/bin/systemctl stop winbind.service
- 
--sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
--sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
-+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
- sssd-enable-service = /usr/bin/systemctl enable sssd.service
- sssd-disable-service = /usr/bin/systemctl disable sssd.service
- sssd-restart-service = /usr/bin/systemctl restart sssd.service
--- 
-2.9.3
-
diff --git a/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch b/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch
deleted file mode 100644
index 9e044bc..0000000
--- a/SOURCES/0001-syslog-avoid-duplicate-log-messages.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 25 Nov 2021 14:36:10 +0100
-Subject: [PATCH] syslog: avoid duplicate log messages
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
----
- service/realm-diagnostics.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
-index 850b2e3..6aa5288 100644
---- a/service/realm-diagnostics.c
-+++ b/service/realm-diagnostics.c
-@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
- 	while ((ptr = memchr (at, '\n', length)) != NULL) {
- 		*ptr = '\0';
- 		if (line_buffer && line_buffer->len > 0) {
-+#ifdef WITH_JOURNAL
-+			/* Call realm_daemon_syslog directly to add
-+			 * REALMD_OPERATION to the jounrnal */
- 			realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
-+#else
- 			g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
-+#endif
- 			g_string_set_size (line_buffer, 0);
- 		} else {
-+#ifdef WITH_JOURNAL
- 			realm_daemon_syslog (operation, log_level, "%s", at);
-+#else
- 			g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
-+#endif
- 		}
- 
- 		*ptr = '\n';
--- 
-2.33.1
-
diff --git a/SOURCES/0001-tests-run-tests-with-python3.patch b/SOURCES/0001-tests-run-tests-with-python3.patch
deleted file mode 100644
index 607afa4..0000000
--- a/SOURCES/0001-tests-run-tests-with-python3.patch
+++ /dev/null
@@ -1,374 +0,0 @@
-From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 4 Jul 2018 16:41:16 +0200
-Subject: [PATCH] tests: run tests with python3
-
-To allow the test to run with python3 build/tap-driver and
-build/tap-gtester are updated to the latest version provided by the
-cockpit project https://github.com/cockpit-project/cockpit.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
----
- build/tap-driver  | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
- build/tap-gtester |  59 ++++++++++++++++++++++---------
- 2 files changed, 125 insertions(+), 38 deletions(-)
-
-diff --git a/build/tap-driver b/build/tap-driver
-index 42f57c8..241fd50 100755
---- a/build/tap-driver
-+++ b/build/tap-driver
-@@ -1,4 +1,5 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-+# This can also be run with Python 2.
- 
- # Copyright (C) 2013 Red Hat, Inc.
- #
-@@ -29,20 +30,58 @@
- #
- 
- import argparse
-+import fcntl
- import os
- import select
-+import struct
- import subprocess
- import sys
-+import termios
-+import errno
-+
-+_PY3 = sys.version[0] >= '3'
-+_str = _PY3 and str or unicode
-+
-+def out(data, stream=None, flush=False):
-+    if not isinstance(data, bytes):
-+        data = data.encode("UTF-8")
-+    if not stream:
-+        stream = _PY3 and sys.stdout.buffer or sys.stdout
-+    while True:
-+        try:
-+            if data:
-+                stream.write(data)
-+            data = None
-+            if flush:
-+                stream.flush()
-+            flush = False
-+            break
-+        except IOError as e:
-+            if e.errno == errno.EAGAIN:
-+                continue
-+            raise
-+
-+def terminal_width():
-+    try:
-+        h, w, hp, wp = struct.unpack('HHHH',
-+            fcntl.ioctl(1, termios.TIOCGWINSZ,
-+            struct.pack('HHHH', 0, 0, 0, 0)))
-+        return w
-+    except IOError as e:
-+        if e.errno != errno.ENOTTY:
-+            sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
-+        return sys.maxsize
- 
- class Driver:
-     def __init__(self, args):
-         self.argv = args.command
-         self.test_name = args.test_name
--        self.log = open(args.log_file, "w")
--        self.log.write("# %s\n" % " ".join(sys.argv))
-+        self.log = open(args.log_file, "wb")
-+        self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
-         self.trs = open(args.trs_file, "w")
-         self.color_tests = args.color_tests
-         self.expect_failure = args.expect_failure
-+        self.width = terminal_width() - 9
- 
-     def report(self, code, *args):
-         CODES = {
-@@ -57,17 +96,18 @@ class Driver:
-         # Print out to console
-         if self.color_tests:
-             if code in CODES:
--                sys.stdout.write(CODES[code])
--        sys.stdout.write(code)
-+                out(CODES[code])
-+        out(code)
-         if self.color_tests:
--            sys.stdout.write('\x1b[m')
--        sys.stdout.write(": ")
--        sys.stdout.write(self.test_name)
--        sys.stdout.write(" ")
--        for arg in args:
--            sys.stdout.write(str(arg))
--        sys.stdout.write("\n")
--        sys.stdout.flush()
-+            out('\x1b[m')
-+        out(": ")
-+        msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
-+        if code == "PASS" and len(msg) > self.width:
-+            out(msg[:self.width])
-+            out("...")
-+        else:
-+            out(msg)
-+        out("\n", flush=True)
- 
-         # Book keeping
-         if code in CODES:
-@@ -100,12 +140,14 @@ class Driver:
-     def execute(self):
-         try:
-             proc = subprocess.Popen(self.argv, close_fds=True,
-+                                    stdin=subprocess.PIPE,
-                                     stdout=subprocess.PIPE,
-                                     stderr=subprocess.PIPE)
--        except OSError, ex:
-+        except OSError as ex:
-             self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
-             return
- 
-+        proc.stdin.close()
-         outf = proc.stdout.fileno()
-         errf = proc.stderr.fileno()
-         rset = [outf, errf]
-@@ -113,18 +155,25 @@ class Driver:
-             ret = select.select(rset, [], [], 10)
-             if outf in ret[0]:
-                 data = os.read(outf, 1024)
--                if data == "":
-+                if data == b"":
-                     rset.remove(outf)
-                 self.log.write(data)
-                 self.process(data)
-             if errf in ret[0]:
-                 data = os.read(errf, 1024)
--                if data == "":
-+                if data == b"":
-                     rset.remove(errf)
-                 self.log.write(data)
--                sys.stderr.write(data)
-+                stream = _PY3 and sys.stderr.buffer or sys.stderr
-+                out(data, stream=stream, flush=True)
- 
-         proc.wait()
-+
-+        # Make sure the test didn't change blocking output
-+        assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+        assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+        assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+
-         return proc.returncode
- 
- 
-@@ -137,6 +186,7 @@ class TapDriver(Driver):
-         self.late_plan = False
-         self.errored = False
-         self.bail_out = False
-+        self.skip_all_reason = None
- 
-     def report(self, code, num, *args):
-         if num:
-@@ -170,13 +220,19 @@ class TapDriver(Driver):
-         else:
-             self.result_fail(num, description)
- 
--    def consume_test_plan(self, first, last):
-+    def consume_test_plan(self, line):
-         # Only one test plan is supported
-         if self.test_plan:
-             self.report_error("Get a second TAP test plan")
-             return
- 
-+        if line.lower().startswith('1..0 # skip'):
-+            self.skip_all_reason = line[5:].strip()
-+            self.bail_out = True
-+            return
-+
-         try:
-+            (first, unused, last) = line.partition("..")
-             first = int(first)
-             last = int(last)
-         except ValueError:
-@@ -192,7 +248,7 @@ class TapDriver(Driver):
- 
-     def process(self, output):
-         if output:
--            self.output += output
-+            self.output += output.decode("UTF-8")
-         elif self.output:
-             self.output += "\n"
-         (ready, unused, self.output) = self.output.rpartition("\n")
-@@ -202,8 +258,7 @@ class TapDriver(Driver):
-             elif line.startswith("not ok "):
-                 self.consume_test_line(False, line[7:])
-             elif line and line[0].isdigit() and ".." in line:
--                (first, unused, last) = line.partition("..")
--                self.consume_test_plan(first, last)
-+                self.consume_test_plan(line)
-             elif line.lower().startswith("bail out!"):
-                 self.consume_bail_out(line)
- 
-@@ -213,6 +268,13 @@ class TapDriver(Driver):
-         failed = False
-         skipped = True
- 
-+        if self.skip_all_reason is not None:
-+            self.result_skip("skipping:", self.skip_all_reason)
-+            self.trs.write(":global-test-result: SKIP\n")
-+            self.trs.write(":test-global-result: SKIP\n")
-+            self.trs.write(":recheck: no\n")
-+            return 0
-+
-         # Basic collation of results
-         for (num, code) in self.reported.items():
-             if code == "ERROR":
-diff --git a/build/tap-gtester b/build/tap-gtester
-index 7e667d4..bbda266 100755
---- a/build/tap-gtester
-+++ b/build/tap-gtester
-@@ -1,4 +1,5 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-+# This can also be run with Python 2.
- 
- # Copyright (C) 2014 Red Hat, Inc.
- #
-@@ -30,9 +31,19 @@
- import argparse
- import os
- import select
-+import signal
- import subprocess
- import sys
- 
-+# Yes, it's dumb, but strsignal is not exposed in python
-+# In addition signal numbers varify heavily from arch to arch
-+def strsignal(sig):
-+    for name in dir(signal):
-+        if name.startswith("SIG") and sig == getattr(signal, name):
-+            return name
-+    return str(sig)
-+
-+
- class NullCompiler:
-     def __init__(self, command):
-         self.command = command
-@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
-            elif cmd == "result":
-                if self.test_name:
-                    if data == "OK":
--                       print "ok %d %s" % (self.test_num, self.test_name)
-+                       print("ok %d %s" % (self.test_num, self.test_name))
-                    if data == "FAIL":
--                       print "not ok %d %s", (self.test_num, self.test_name)
-+                       print("not ok %d %s" % (self.test_num, self.test_name))
-                self.test_name = None
-            elif cmd == "skipping":
-                if "/subprocess" not in data:
--                   print "ok %d # skip -- %s" % (self.test_num, data)
-+                   print("ok %d # skip -- %s" % (self.test_num, data))
-                self.test_name = None
-            elif data:
--               print "# %s: %s" % (cmd, data)
-+               print("# %s: %s" % (cmd, data))
-            else:
--               print "# %s" % cmd
-+               print("# %s" % cmd)
-         elif line.startswith("(MSG: "):
--            print "# %s" % line[6:-1]
-+            print("# %s" % line[6:-1])
-         elif line:
--            print "# %s" % line
-+            print("# %s" % line)
-         sys.stdout.flush()
- 
-     def run(self, proc, output=""):
-@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
-             if line.startswith("/"):
-                 self.test_remaining.append(line.strip())
-         if not self.test_remaining:
--            print "Bail out! No tests found in GTest: %s" % self.command[0]
-+            print("Bail out! No tests found in GTest: %s" % self.command[0])
-             return 0
- 
--        print "1..%d" % len(self.test_remaining)
-+        print("1..%d" % len(self.test_remaining))
- 
-         # First try to run all the tests in a batch
--        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
-+        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
-+                                stdout=subprocess.PIPE, universal_newlines=True)
-         result = self.process(proc)
-         if result == 0:
-             return 0
- 
-+        if result < 0:
-+            sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
-+
-         # Now pick up any stragglers due to failures
-         while True:
-             # Assume that the last test failed
-             if self.test_name:
--                print "not ok %d %s" % (self.test_num, self.test_name)
-+                print("not ok %d %s" % (self.test_num, self.test_name))
-                 self.test_name = None
- 
-             # Run any tests which didn't get run
-@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
-                 break
- 
-             proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
--                                    close_fds=True, stdout=subprocess.PIPE)
-+                                    close_fds=True, stdout=subprocess.PIPE,
-+                                    universal_newlines=True)
-             result = self.process(proc)
- 
-             # The various exit codes and signals we continue for
-@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
-         return result
- 
- def main(argv):
--    parser = argparse.ArgumentParser(description='Automake TAP compiler')
-+    parser = argparse.ArgumentParser(description='Automake TAP compiler',
-+                                     usage="tap-gtester [--format FORMAT] command ...")
-     parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
-                         default="auto", help='The input format to compile')
-     parser.add_argument('--verbose', action='store_true',
-                         default=True, help='Verbose mode (ignored)')
--    parser.add_argument('command', nargs='+', help="A test command to run")
-+    parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
-     args = parser.parse_args(argv[1:])
- 
-     output = None
-     format = args.format
-     cmd = args.command
-+    if not cmd:
-+        sys.stderr.write("tap-gtester: specify a command to run\n")
-+        return 2
-+    if cmd[0] == '--':
-+        cmd.pop(0)
-+
-     proc = None
- 
-     os.environ['HARNESS_ACTIVE'] = '1'
- 
-     if format in ["auto", "gtest"]:
-         list_cmd = cmd + ["-l", "--verbose"]
--        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
-+        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
-+                                universal_newlines=True)
-         output = proc.stdout.readline()
-         # Smell whether we're dealing with GTest list output from first line
-         if "random seed" in output or "GTest" in output or output.startswith("/"):
-@@ -164,7 +188,8 @@ def main(argv):
-         else:
-             format = "tap"
-     else:
--        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
-+        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
-+                                universal_newlines=True)
- 
-     if format == "gtest":
-         compiler = GTestCompiler(cmd)
--- 
-2.14.4
-
diff --git a/SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch b/SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
deleted file mode 100644
index a0d62d0..0000000
--- a/SOURCES/0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3bdf6f25923c3a3bd8404f4a1228053d6a7551b2 Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Mon, 6 Feb 2017 12:32:20 +0100
-Subject: [PATCH] tools: Update the usage help text of the realm commands
-
-Add  better synopsis, sort arguments appropriately, and include
-missing arguments.
----
- tools/realm-discover.c |  4 ++--
- tools/realm-join.c     | 30 +++++++++++++++---------------
- 2 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/tools/realm-discover.c b/tools/realm-discover.c
-index cec3fd0..8dde4ed 100644
---- a/tools/realm-discover.c
-+++ b/tools/realm-discover.c
-@@ -186,7 +186,7 @@ realm_discover (RealmClient *client,
- 		{ NULL, }
- 	};
- 
--	context = g_option_context_new ("realm-or-domain");
-+	context = g_option_context_new ("discover REALM-OR-DOMAIN");
- 	g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
- 	g_option_context_add_main_entries (context, option_entries, NULL);
- 	g_option_context_add_main_entries (context, realm_global_options, NULL);
-@@ -274,7 +274,7 @@ realm_list (RealmClient *client,
- 		{ NULL, }
- 	};
- 
--	context = g_option_context_new ("realm");
-+	context = g_option_context_new ("list");
- 	g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
- 	g_option_context_add_main_entries (context, option_entries, NULL);
- 	g_option_context_add_main_entries (context, realm_global_options, NULL);
-diff --git a/tools/realm-join.c b/tools/realm-join.c
-index 8e46c20..249f502 100644
---- a/tools/realm-join.c
-+++ b/tools/realm-join.c
-@@ -286,28 +286,28 @@ realm_join (RealmClient *client,
- 	gint ret = 0;
- 
- 	GOptionEntry option_entries[] = {
--		{ "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
--		  N_("User name to use for enrollment"), NULL },
--		{ "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
--		  N_("Computer OU DN to join"), NULL },
--		{ "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
--			N_("Use specific computer name instead of hostname"), NULL },
--		{ "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
--			N_("Use specific operation system name"), NULL },
--		{ "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
--			N_("Use specific operation system version"), NULL },
-+		{ "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
-+		  realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
- 		{ "client-software", 0, 0, G_OPTION_ARG_STRING, &args.client_software,
- 		  N_("Use specific client software"), NULL },
--		{ "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
--		  N_("Use specific server software"), NULL },
-+		{ "computer-name", 0, 0, G_OPTION_ARG_STRING, &args.computer_name,
-+                  N_("Use specific computer name instead of hostname"), NULL },
-+		{ "computer-ou", 0, 0, G_OPTION_ARG_STRING, &args.computer_ou,
-+		  N_("Computer OU DN to join"), NULL },
- 		{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &args.membership_software,
- 		  N_("Use specific membership software"), NULL },
- 		{ "no-password", 0, 0, G_OPTION_ARG_NONE, &args.no_password,
- 		  N_("Join automatically without a password"), NULL },
- 		{ "one-time-password", 0, 0, G_OPTION_ARG_STRING, &args.one_time_password,
- 		  N_("Join using a preset one time password"), NULL },
--		{ "automatic-id-mapping", 0, G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK,
--		  realm_join_arg_id_mapping, N_("Turn off automatic id mapping"), "no" },
-+		{ "os-name", 0, 0, G_OPTION_ARG_STRING, &args.os_name,
-+                  N_("Use specific operation system name"), NULL },
-+		{ "os-version", 0, 0, G_OPTION_ARG_STRING, &args.os_version,
-+                  N_("Use specific operation system version"), NULL },
-+		{ "server-software", 0, 0, G_OPTION_ARG_STRING, &args.server_software,
-+		  N_("Use specific server software"), NULL },
-+		{ "user", 'U', 0, G_OPTION_ARG_STRING, &args.user,
-+		  N_("User name to use for enrollment"), NULL },
- 		{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
- 		  N_("Set the user principal for the computer account"), NULL },
- 		{ NULL, }
-@@ -315,7 +315,7 @@ realm_join (RealmClient *client,
- 
- 	memset (&args, 0, sizeof (args));
- 
--	context = g_option_context_new ("realm");
-+	context = g_option_context_new ("join REALM");
- 	g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
- 
- 	group = g_option_group_new (NULL, NULL, NULL, &args, realm_join_args_clear);
--- 
-2.26.2
-
diff --git a/SOURCES/0002-doc-add-see-also-to-man-pages.patch b/SOURCES/0002-doc-add-see-also-to-man-pages.patch
deleted file mode 100644
index 87d8b26..0000000
--- a/SOURCES/0002-doc-add-see-also-to-man-pages.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 29 Nov 2019 18:49:51 +0100
-Subject: [PATCH 2/2] doc: add see also to man pages
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
----
- doc/manual/realm.xml       | 7 +++++++
- doc/manual/realmd.conf.xml | 7 +++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 55a7640..e5d4608 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -440,4 +440,11 @@ $ realm deny --all
- 
- </refsect1>
- 
-+<refsect1 id='realm_see_also'>
-+	<title>SEE ALSO</title>
-+
-+	<para><citerefentry><refentrytitle>realmd.conf</refentrytitle>
-+	<manvolnum>5</manvolnum></citerefentry></para>
-+</refsect1>
-+
- </refentry>
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index fc6a785..1592291 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -471,4 +471,11 @@ fully-qualified-names = no
- 	</variablelist>
- </refsect1>
- 
-+<refsect1 id='realmd_conf_see_also'>
-+	<title>SEE ALSO</title>
-+
-+	<para><citerefentry><refentrytitle>realm</refentrytitle>
-+	<manvolnum>8</manvolnum></citerefentry></para>
-+</refsect1>
-+
- </refentry>
--- 
-2.21.0
-
diff --git a/SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch b/SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
deleted file mode 100644
index d730483..0000000
--- a/SOURCES/0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
+++ /dev/null
@@ -1,271 +0,0 @@
-From 20adfff6c0db657d302bd96f986f2e79a8b2d791 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 30 Oct 2020 13:20:46 +0100
-Subject: [PATCH 2/6] service: allow to use ldaps for rootDSE lookup
-
-Let the realmd service use ldaps for the rootDSE lookup when requested.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- service/realm-disco-dns.c      | 10 +++++++---
- service/realm-disco-dns.h      |  1 +
- service/realm-disco-domain.c   |  8 +++++++-
- service/realm-disco-domain.h   |  1 +
- service/realm-disco-mscldap.c  |  2 +-
- service/realm-disco-rootdse.c  |  3 ++-
- service/realm-disco-rootdse.h  |  1 +
- service/realm-ldap.c           |  5 ++++-
- service/realm-ldap.h           |  1 +
- service/realm-samba-provider.c |  5 ++++-
- service/realm-sssd-provider.c  |  5 ++++-
- 11 files changed, 33 insertions(+), 9 deletions(-)
-
-diff --git a/service/realm-disco-dns.c b/service/realm-disco-dns.c
-index 446010c..77d5034 100644
---- a/service/realm-disco-dns.c
-+++ b/service/realm-disco-dns.c
-@@ -32,6 +32,7 @@ typedef struct {
- 	GQueue addresses;
- 	GQueue targets;
- 	gint current_port;
-+	gboolean use_ldaps;
- 	gint returned;
- 	DiscoPhase phase;
- 	GResolver *resolver;
-@@ -180,7 +181,7 @@ return_or_resolve (RealmDiscoDns *self,
- 
- 	target = g_queue_pop_head (&self->targets);
- 	if (target) {
--		self->current_port = g_srv_target_get_port (target);
-+		self->current_port = self->use_ldaps ? 636 : g_srv_target_get_port (target);
- 		g_resolver_lookup_by_name_async (self->resolver, g_srv_target_get_hostname (target),
- 		                                 g_task_get_cancellable (task), on_name_resolved,
- 		                                 g_object_ref (task));
-@@ -201,7 +202,7 @@ return_or_resolve (RealmDiscoDns *self,
- 		g_resolver_lookup_by_name_async (self->resolver, self->name,
- 		                                 g_task_get_cancellable (task), on_name_resolved,
- 		                                 g_object_ref (task));
--		self->current_port = 389;
-+		self->current_port = self->use_ldaps ? 636 : 389;
- 		self->phase = PHASE_HOST;
- 		break;
- 	case PHASE_HOST:
-@@ -251,6 +252,7 @@ realm_disco_dns_class_init (RealmDiscoDnsClass *klass)
- 
- GSocketAddressEnumerator *
- realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
-+                                   gboolean use_ldaps,
-                                    GDBusMethodInvocation *invocation)
- {
- 	RealmDiscoDns *self;
-@@ -262,12 +264,14 @@ realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
- 
- 	self = g_object_new (REALM_TYPE_DISCO_DNS, NULL);
- 	self->name = g_hostname_to_ascii (input);
-+	self->use_ldaps = use_ldaps;
- 	self->invocation = g_object_ref (invocation);
- 
- 	/* If is an IP, skip resolution */
- 	if (g_hostname_is_ip_address (input)) {
- 		inet = g_inet_address_new_from_string (input);
--		g_queue_push_head (&self->addresses, g_inet_socket_address_new (inet, 389));
-+		g_queue_push_head (&self->addresses,
-+		                   g_inet_socket_address_new (inet, use_ldaps ? 636 : 389));
- 		g_object_unref (inet);
- 		self->phase = PHASE_HOST;
- 	} else {
-diff --git a/service/realm-disco-dns.h b/service/realm-disco-dns.h
-index a51777f..5b20fe9 100644
---- a/service/realm-disco-dns.h
-+++ b/service/realm-disco-dns.h
-@@ -26,6 +26,7 @@ typedef enum {
- G_BEGIN_DECLS
- 
- GSocketAddressEnumerator *  realm_disco_dns_enumerate_servers    (const gchar *domain_or_server,
-+                                                                  gboolean use_ldaps,
-                                                                   GDBusMethodInvocation *invocation);
- 
- RealmDiscoDnsHint           realm_disco_dns_get_hint             (GSocketAddressEnumerator *enumerator);
-diff --git a/service/realm-disco-domain.c b/service/realm-disco-domain.c
-index 3f0ccb5..fdda8f6 100644
---- a/service/realm-disco-domain.c
-+++ b/service/realm-disco-domain.c
-@@ -37,6 +37,7 @@ typedef struct _Callback {
- typedef struct {
- 	GObject parent;
- 	gchar *input;
-+	gboolean use_ldaps;
- 	GCancellable *cancellable;
- 	GDBusMethodInvocation *invocation;
- 	GSocketAddressEnumerator *enumerator;
-@@ -206,6 +207,7 @@ on_discover_next_address (GObject *source,
- 
- 		realm_diagnostics_info (self->invocation, "Performing LDAP DSE lookup on: %s", string);
- 		realm_disco_rootdse_async (address, explicit_host,
-+		                           self->use_ldaps,
- 		                           self->invocation, self->cancellable,
- 		                           on_discover_rootdse, g_object_ref (self));
- 		self->outstanding++;
-@@ -248,6 +250,7 @@ on_cancel_propagate (GCancellable *source,
- 
- void
- realm_disco_domain_async (const gchar *string,
-+                          gboolean use_ldaps,
-                           GDBusMethodInvocation *invocation,
-                           GAsyncReadyCallback callback,
-                           gpointer user_data)
-@@ -267,8 +270,11 @@ realm_disco_domain_async (const gchar *string,
- 	if (self == NULL) {
- 		self = g_object_new (REALM_TYPE_DISCO_DOMAIN, NULL);
- 		self->input = g_strdup (string);
-+		self->use_ldaps = use_ldaps;
- 		self->invocation = g_object_ref (invocation);
--		self->enumerator = realm_disco_dns_enumerate_servers (string, invocation);
-+		self->enumerator = realm_disco_dns_enumerate_servers (string,
-+		                                                      use_ldaps,
-+		                                                      invocation);
- 
- 		g_hash_table_insert (discover_cache, self->input, self);
- 		g_assert (!self->completed);
-diff --git a/service/realm-disco-domain.h b/service/realm-disco-domain.h
-index 27dcc6c..02d4998 100644
---- a/service/realm-disco-domain.h
-+++ b/service/realm-disco-domain.h
-@@ -24,6 +24,7 @@
- G_BEGIN_DECLS
- 
- void          realm_disco_domain_async    (const gchar *string,
-+                                           gboolean use_ldaps,
-                                            GDBusMethodInvocation *invocation,
-                                            GAsyncReadyCallback callback,
-                                            gpointer user_data);
-diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
-index d3d3c10..2504904 100644
---- a/service/realm-disco-mscldap.c
-+++ b/service/realm-disco-mscldap.c
-@@ -348,7 +348,7 @@ realm_disco_mscldap_async (GSocketAddress *address,
- 		return;
- 	}
- 
--	clo->source = realm_ldap_connect_anonymous (address, protocol, cancellable);
-+	clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
- 	g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
- 	                       g_object_ref (task), g_object_unref);
- 	g_source_attach (clo->source, g_task_get_context (task));
-diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
-index 7614071..4ed19e5 100644
---- a/service/realm-disco-rootdse.c
-+++ b/service/realm-disco-rootdse.c
-@@ -452,6 +452,7 @@ on_ldap_io (LDAP *ldap,
- void
- realm_disco_rootdse_async (GSocketAddress *address,
-                            const gchar *explicit_server,
-+                           gboolean use_ldaps,
-                            GDBusMethodInvocation *invocation,
-                            GCancellable *cancellable,
-                            GAsyncReadyCallback callback,
-@@ -473,7 +474,7 @@ realm_disco_rootdse_async (GSocketAddress *address,
- 	g_task_set_task_data (task, clo, closure_free);
- 
- 	clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
--	                                            cancellable);
-+	                                            use_ldaps, cancellable);
- 	g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
- 	                       g_object_ref (task), g_object_unref);
- 	g_source_attach (clo->source, g_task_get_context (task));
-diff --git a/service/realm-disco-rootdse.h b/service/realm-disco-rootdse.h
-index e024c84..7b21960 100644
---- a/service/realm-disco-rootdse.h
-+++ b/service/realm-disco-rootdse.h
-@@ -21,6 +21,7 @@
- 
- void           realm_disco_rootdse_async    (GSocketAddress *address,
-                                              const gchar *explicit_server,
-+                                             gboolean use_ldaps,
-                                              GDBusMethodInvocation *invocation,
-                                              GCancellable *cancellable,
-                                              GAsyncReadyCallback callback,
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 7831b5b..28c5c8a 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -183,6 +183,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
- GSource *
- realm_ldap_connect_anonymous (GSocketAddress *address,
-                               GSocketProtocol protocol,
-+                              gboolean use_ldaps,
-                               GCancellable *cancellable)
- {
- 	GSource *source;
-@@ -238,7 +239,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 		if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
- 			g_warning ("couldn't set to blocking");
- 
--		url = g_strdup_printf ("ldap://%s:%d", addrname, port);
-+		url = g_strdup_printf ("%s://%s:%d",
-+		                       use_ldaps ? "ldaps" : "ldap",
-+		                       addrname, port);
- 		rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
- 		g_free (url);
- 
-diff --git a/service/realm-ldap.h b/service/realm-ldap.h
-index 263f72a..0f9f40e 100644
---- a/service/realm-ldap.h
-+++ b/service/realm-ldap.h
-@@ -37,6 +37,7 @@ typedef GIOCondition (* RealmLdapCallback)     (LDAP *ldap,
- 
- GSource *     realm_ldap_connect_anonymous     (GSocketAddress *address,
-                                                 GSocketProtocol protocol,
-+                                                gboolean use_ldaps,
-                                                 GCancellable *cancellable);
- 
- void          realm_ldap_set_condition         (GSource *source,
-diff --git a/service/realm-samba-provider.c b/service/realm-samba-provider.c
-index 9b489ce..de9f5e6 100644
---- a/service/realm-samba-provider.c
-+++ b/service/realm-samba-provider.c
-@@ -27,6 +27,7 @@
- #include "realm-samba-enroll.h"
- #include "realm-samba-provider.h"
- #include "realm-samba-winbind.h"
-+#include "realm-options.h"
- 
- #include <glib/gstdio.h>
- 
-@@ -121,7 +122,9 @@ realm_samba_provider_discover_async (RealmProvider *provider,
- 		g_task_return_pointer (task, NULL, NULL);
- 
- 	} else {
--		realm_disco_domain_async (string, invocation,
-+		realm_disco_domain_async (string,
-+		                          realm_option_use_ldaps (options),
-+		                          invocation,
- 		                          on_ad_discover, g_object_ref (task));
- 	}
- 
-diff --git a/service/realm-sssd-provider.c b/service/realm-sssd-provider.c
-index 7ac0645..db183c0 100644
---- a/service/realm-sssd-provider.c
-+++ b/service/realm-sssd-provider.c
-@@ -26,6 +26,7 @@
- #include "realm-sssd-ipa.h"
- #include "realm-sssd-provider.h"
- #include "realm-sssd-config.h"
-+#include "realm-options.h"
- 
- #include <glib/gstdio.h>
- 
-@@ -140,7 +141,9 @@ realm_sssd_provider_discover_async (RealmProvider *provider,
- 		g_task_return_pointer (task, NULL, NULL);
- 
- 	} else {
--		realm_disco_domain_async (string, invocation, on_kerberos_discover,
-+		realm_disco_domain_async (string,
-+		                          realm_option_use_ldaps (options),
-+		                          invocation, on_kerberos_discover,
- 		                          g_object_ref (task));
- 	}
- 
--- 
-2.26.2
-
diff --git a/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch b/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
deleted file mode 100644
index 5ab6209..0000000
--- a/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d7089129b966df83f083cb56ee90f6b906971cb6 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 1 Dec 2020 16:09:10 +0100
-Subject: [PATCH 2/3] service: avoid crash if LDAP connection fails
-
-There was always a chance for a crash if the connection to LDAP failed.
-In the ldaps case a failed connection became more likely e.g. due to
-failed certificate checks.
-
-This patch avoids the crash and returns an error to the client cleanly.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- po/POTFILES.in                | 1 +
- service/realm-disco-mscldap.c | 7 +++++++
- service/realm-disco-rootdse.c | 6 ++++++
- 3 files changed, 14 insertions(+)
-
-diff --git a/po/POTFILES.in b/po/POTFILES.in
-index 2de67c8..140ed4c 100644
---- a/po/POTFILES.in
-+++ b/po/POTFILES.in
-@@ -1,6 +1,7 @@
- service/org.freedesktop.realmd.policy.in
- service/realm-command.c
- service/realm-disco-mscldap.c
-+service/realm-disco-rootdse.c
- service/realm-example.c
- service/realm-ini-config.c
- service/realm-invocation.c
-diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
-index 2504904..003bb66 100644
---- a/service/realm-disco-mscldap.c
-+++ b/service/realm-disco-mscldap.c
-@@ -349,6 +349,13 @@ realm_disco_mscldap_async (GSocketAddress *address,
- 	}
- 
- 	clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
-+	if (clo->source == NULL) {
-+		g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
-+		                         _("Failed to setup LDAP connection"));
-+		g_object_unref (task);
-+		return;
-+	}
-+
- 	g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
- 	                       g_object_ref (task), g_object_unref);
- 	g_source_attach (clo->source, g_task_get_context (task));
-diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
-index 4ed19e5..d9b44b3 100644
---- a/service/realm-disco-rootdse.c
-+++ b/service/realm-disco-rootdse.c
-@@ -475,6 +475,12 @@ realm_disco_rootdse_async (GSocketAddress *address,
- 
- 	clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
- 	                                            use_ldaps, cancellable);
-+	if (clo->source == NULL) {
-+		g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
-+		                         _("Failed to setup LDAP connection"));
-+		g_object_unref (task);
-+		return;
-+	}
- 	g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
- 	                       g_object_ref (task), g_object_unref);
- 	g_source_attach (clo->source, g_task_get_context (task));
--- 
-2.28.0
-
diff --git a/SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch b/SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch
deleted file mode 100644
index bff6fd0..0000000
--- a/SOURCES/0003-service-add-ldaps-support-when-using-adcli.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 30 Oct 2020 13:28:52 +0100
-Subject: [PATCH 3/6] service: add ldaps support when using adcli
-
-Call adcli with the --use-ldaps option if the realmd service is
-requested to do so.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- service/realm-adcli-enroll.c | 10 ++++++++++
- service/realm-adcli-enroll.h |  2 ++
- service/realm-samba.c        | 11 +++++++++--
- service/realm-sssd-ad.c      | 27 ++++++++++++++++++++++++++-
- 4 files changed, 47 insertions(+), 3 deletions(-)
-
-diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
-index 05947fa..2731283 100644
---- a/service/realm-adcli-enroll.c
-+++ b/service/realm-adcli-enroll.c
-@@ -68,6 +68,7 @@ void
- realm_adcli_enroll_join_async (RealmDisco *disco,
-                                RealmCredential *cred,
-                                GVariant *options,
-+                               gboolean use_ldaps,
-                                GDBusMethodInvocation *invocation,
-                                GAsyncReadyCallback callback,
-                                gpointer user_data)
-@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
- 	g_ptr_array_add (args, "--domain-realm");
- 	g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
- 
-+	if (use_ldaps) {
-+		g_ptr_array_add (args, "--use-ldaps");
-+	}
-+
- 	if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
- 		address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
- 		server_arg = g_inet_address_to_string (address);
-@@ -218,6 +223,7 @@ void
- realm_adcli_enroll_delete_async (RealmDisco *disco,
-                                  RealmCredential *cred,
-                                  GVariant *options,
-+                                 gboolean use_ldaps,
-                                  GDBusMethodInvocation *invocation,
-                                  GAsyncReadyCallback callback,
-                                  gpointer user_data)
-@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
- 	g_ptr_array_add (args, "--domain-realm");
- 	g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
- 
-+	if (use_ldaps) {
-+		g_ptr_array_add (args, "--use-ldaps");
-+	}
-+
- 	if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
- 		address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
- 		server_arg = g_inet_address_to_string (address);
-diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
-index 855b2f7..3f535d0 100644
---- a/service/realm-adcli-enroll.h
-+++ b/service/realm-adcli-enroll.h
-@@ -29,6 +29,7 @@ G_BEGIN_DECLS
- void         realm_adcli_enroll_join_async    (RealmDisco *disco,
-                                                RealmCredential *cred,
-                                                GVariant *options,
-+                                               gboolean use_ldaps,
-                                                GDBusMethodInvocation *invocation,
-                                                GAsyncReadyCallback callback,
-                                                gpointer user_data);
-@@ -39,6 +40,7 @@ gboolean     realm_adcli_enroll_join_finish   (GAsyncResult *result,
- void         realm_adcli_enroll_delete_async  (RealmDisco *disco,
-                                                RealmCredential *cred,
-                                                GVariant *options,
-+                                               gboolean use_ldaps,
-                                                GDBusMethodInvocation *invocation,
-                                                GAsyncReadyCallback callback,
-                                                gpointer user_data);
-diff --git a/service/realm-samba.c b/service/realm-samba.c
-index e7b80a0..7aa5416 100644
---- a/service/realm-samba.c
-+++ b/service/realm-samba.c
-@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,
- }
- 
- static gboolean
--validate_membership_options (GVariant *options,
-+validate_membership_options (EnrollClosure *enroll,
-+                             GVariant *options,
-                              GError **error)
- {
- 	const gchar *software;
-@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,
- 		}
- 	}
- 
-+	if (realm_option_use_ldaps (options)) {
-+		realm_diagnostics_info (enroll->invocation,
-+		                        "Membership software %s does "
-+		                        "not support ldaps, trying without.",
-+		                        software);
-+	}
- 	return TRUE;
- }
- 
-@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,
- 		g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,
- 		                         _("Already joined to a domain"));
- 
--	} else if (!validate_membership_options (options, &error)) {
-+	} else if (!validate_membership_options (enroll, options, &error)) {
- 		g_task_return_error (task, error);
- 
- 	} else {
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 6b2f9f8..00a9093 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -98,6 +98,7 @@ typedef struct {
- 	GVariant *options;
- 	RealmDisco *disco;
- 	gboolean use_adcli;
-+	gboolean use_ldaps;
- 	const gchar **packages;
- } JoinClosure;
- 
-@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,
- 			realm_adcli_enroll_join_async (join->disco,
- 			                               join->cred,
- 			                               join->options,
-+			                               join->use_ldaps,
- 			                               join->invocation,
- 			                               on_join_do_sssd,
- 			                               g_object_ref (task));
-@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,
- 			return FALSE;
- 		}
- 
-+	/*
-+	 * Check if ldaps should be used and if membership software supports
-+	 * it.
-+	 */
-+	join->use_ldaps = realm_option_use_ldaps (options);
-+	if (join->use_ldaps &&
-+	           g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
-+		realm_diagnostics_info (join->invocation,
-+		                        "Membership software %s does "
-+		                        "not support ldaps, trying "
-+		                        "without.", software);
-+	}
-+
- 	/*
- 	 * If we are enrolling with a user password, then we have to use samba,
- 	 * adcli only supports admin passwords.
-@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
- 	GTask *task;
- 	LeaveClosure *leave;
- 	gchar *tags;
-+	gboolean use_ldaps = FALSE;
- 
- 	task = g_task_new (self, NULL, callback, user_data);
- 
-@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
- 		leave->invocation = g_object_ref (invocation);
- 		leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
- 		g_task_set_task_data (task, leave, leave_closure_free);
-+
-+		use_ldaps = realm_option_use_ldaps (options);
- 		if (leave->use_adcli) {
--			realm_adcli_enroll_delete_async (disco, cred, options, invocation,
-+			realm_adcli_enroll_delete_async (disco, cred, options,
-+			                                 use_ldaps,  invocation,
- 			                                 on_leave_do_deconfigure, g_object_ref (task));
- 		} else {
-+			if (use_ldaps) {
-+				realm_diagnostics_info (leave->invocation,
-+				                        "Membership software does "
-+				                        "not support ldaps, trying "
-+				                        "without.");
-+			}
- 			realm_samba_enroll_leave_async (disco, cred, options, invocation,
- 			                                on_leave_do_deconfigure, g_object_ref (task));
- 		}
--- 
-2.26.2
-
diff --git a/SOURCES/0003-service-make-TLS-check-more-releaxed.patch b/SOURCES/0003-service-make-TLS-check-more-releaxed.patch
deleted file mode 100644
index 292d0db..0000000
--- a/SOURCES/0003-service-make-TLS-check-more-releaxed.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 2 Dec 2020 10:10:37 +0100
-Subject: [PATCH 3/3] service: make TLS check more releaxed
-
-Since realmd is most often the first application called to discover a
-domain we do not require a strict certificate check when using the ldaps
-port to connect to a domain controller.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- doc/manual/realm.xml |  8 +++++++-
- service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
- 2 files changed, 38 insertions(+), 2 deletions(-)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index 01af62e..d7d8e5e 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			which offers a comparable level of security than ldaps.
- 			This option is only needed if the standard LDAP port
- 			(389/tcp) is blocked by a firewall and only the LDAPS
--			port (636/tcp) is available.</para>
-+			port (636/tcp) is available. Given that and to lower
-+			the initial effort to discover a remote domain
-+			<command>realmd</command> does not require a strict
-+			certificate check. If the validation of the LDAP server
-+			certificate fails <command>realmd</command> will
-+			continue to setup the encrypted connection to the LDAP
-+			server.</para>
- 
- 			<para>If this option is set to
- 			<parameter>yes</parameter> <command>realmd</command>
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index e07a299..bdfb96c 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 	gint port;
- 	gchar *url;
- 	int rc;
-+	int opt_rc;
-+	int ldap_opt_val;
-+	const char *errmsg = NULL;
- 
- 	g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
- 
-@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 		}
- 
- 		if (use_ldaps) {
-+			/* Since we currently use the IP address in the URI
-+			 * the certificate check might fail because in most
-+			 * cases the IP address won't be listed in the SANs of
-+			 * the LDAP server certificate. We will try to
-+			 * continue in this case and not fail. */
-+			ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
-+			rc = ldap_set_option (ls->ldap,
-+			                       LDAP_OPT_X_TLS_REQUIRE_CERT,
-+			                       &ldap_opt_val);
-+			if (rc != LDAP_OPT_SUCCESS) {
-+				g_debug ("Failed to disable certificate checking, trying without");
-+			}
-+
-+			ldap_opt_val = 0;
-+			rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
-+			                       &ldap_opt_val);
-+			if (rc != LDAP_OPT_SUCCESS) {
-+				g_debug ("Failed to refresh LDAP context for TLS, trying without");
-+			}
-+
- 			rc = ldap_install_tls (ls->ldap);
- 			if (rc != LDAP_SUCCESS) {
--				g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
-+				opt_rc = ldap_get_option (ls->ldap,
-+				                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
-+				                          (void *) &errmsg);
-+				if (opt_rc != LDAP_SUCCESS) {
-+					errmsg = "- no details -";
-+				}
-+				g_warning ("ldap_start_tls_s() failed [%s]: %s",
-+				           ldap_err2string (rc), errmsg);
- 				return NULL;
- 			}
- 		}
--- 
-2.28.0
-
diff --git a/SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch b/SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
deleted file mode 100644
index 9834783..0000000
--- a/SOURCES/0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 7daf5993995baad0f5c7f7ae3822dae37eb9f46f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 30 Oct 2020 16:44:23 +0100
-Subject: [PATCH 4/6] service: do not copy option values to avoid memory leaks
-
----
- service/realm-adcli-enroll.c | 15 ++++++++-------
- service/realm-options.c      |  8 +++-----
- 2 files changed, 11 insertions(+), 12 deletions(-)
-
-diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
-index 2731283..e0d752b 100644
---- a/service/realm-adcli-enroll.c
-+++ b/service/realm-adcli-enroll.c
-@@ -80,7 +80,8 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
- 	GBytes *input = NULL;
- 	const gchar *upn;
- 	GPtrArray *args;
--	const gchar *os;
-+	const gchar *os_n = NULL;
-+	const gchar *os_v = NULL;
- 	gchar *ccache_arg = NULL;
- 	gchar *upn_arg = NULL;
- 	gchar *server_arg = NULL;
-@@ -144,16 +145,16 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
- 			g_ptr_array_add (args, (gpointer)computer_ou);
- 	}
- 
--	os = realm_options_ad_specific (options, "os-name");
--	if (os != NULL && !g_str_equal (os, "")) {
-+	os_n = realm_options_ad_specific (options, "os-name");
-+	if (os_n != NULL && !g_str_equal (os_n, "")) {
- 		g_ptr_array_add (args, "--os-name");
--		g_ptr_array_add (args, (gpointer)os);
-+		g_ptr_array_add (args, (gpointer)os_n);
- 	}
- 
--	os = realm_options_ad_specific (options, "os-version");
--	if (os != NULL && !g_str_equal (os, "")) {
-+	os_v = realm_options_ad_specific (options, "os-version");
-+	if (os_v != NULL && !g_str_equal (os_v, "")) {
- 		g_ptr_array_add (args, "--os-version");
--		g_ptr_array_add (args, (gpointer)os);
-+		g_ptr_array_add (args, (gpointer)os_v);
- 	}
- 
- 	switch (cred->type) {
-diff --git a/service/realm-options.c b/service/realm-options.c
-index d42eb7c..4ebd6c0 100644
---- a/service/realm-options.c
-+++ b/service/realm-options.c
-@@ -179,7 +179,7 @@ realm_options_computer_name (GVariant *options,
- 		g_free (section);
- 	}
- 
--	return g_strdup (computer_name);
-+	return computer_name;
- }
- 
- const gchar *
-@@ -197,22 +197,20 @@ realm_options_ad_specific (GVariant *options,
- 		value = realm_settings_value ("active-directory", option_name);
- 	}
- 
--	return g_strdup (value);
-+	return value;
- }
- 
- gboolean realm_option_use_ldaps (GVariant *options)
- {
--	gchar *use_ldaps_str;
-+	const gchar *use_ldaps_str;
- 
- 	use_ldaps_str = realm_options_ad_specific (options,
- 	                                          REALM_DBUS_OPTION_USE_LDAPS);
- 	if (use_ldaps_str != NULL
- 	            && ( g_ascii_strcasecmp (use_ldaps_str, "True") == 0
- 	                || g_ascii_strcasecmp (use_ldaps_str, "Yes") == 0)) {
--		g_free (use_ldaps_str);
- 		return TRUE;
- 	}
--	g_free (use_ldaps_str);
- 
- 	return FALSE;
- }
--- 
-2.26.2
-
diff --git a/SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch b/SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
deleted file mode 100644
index aaa8648..0000000
--- a/SOURCES/0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
+++ /dev/null
@@ -1,305 +0,0 @@
-From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 30 Oct 2020 17:22:13 +0100
-Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and
- leave
-
-Add --use-ldaps option to the realm command to be able to ask the realmd
-service to use ldaps where possible.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
----
- doc/manual/realm.xml       | 34 ++++++++++++++++++++++++++++++++++
- doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
- tools/realm-client.c       |  2 ++
- tools/realm-client.h       |  1 +
- tools/realm-discover.c     |  7 ++++++-
- tools/realm-join.c         |  6 +++++-
- tools/realm-leave.c        | 15 +++++++++++----
- 7 files changed, 80 insertions(+), 6 deletions(-)
-
-diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
-index e5d4608..01af62e 100644
---- a/doc/manual/realm.xml
-+++ b/doc/manual/realm.xml
-@@ -134,6 +134,11 @@ $ realm discover domain.example.com
- 			Possible values include <replaceable>samba</replaceable> or
- 			<replaceable>adcli</replaceable>. </para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--use-ldaps</option></term>
-+			<listitem><para>See option description in
-+			<xref linkend="man-join"/>.</para></listitem>
-+		</varlistentry>
- 	</variablelist>
- 
- </refsect1>
-@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
- 			principal besides the AD default user principal can be
- 			set.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--use-ldaps</option></term>
-+			<listitem><para>Use the ldaps port when connecting to AD
-+			where possible.  In general this option is not needed
-+			because <command>realmd</command> itself only read
-+			public information from the Active Directory domain
-+			controller which is available anonymously. The
-+			supported membership software products will use
-+			encrypted connections protected with GSS-SPNEGO/GSSAPI
-+			which offers a comparable level of security than ldaps.
-+			This option is only needed if the standard LDAP port
-+			(389/tcp) is blocked by a firewall and only the LDAPS
-+			port (636/tcp) is available.</para>
-+
-+			<para>If this option is set to
-+			<parameter>yes</parameter> <command>realmd</command>
-+			will use the ldaps port when reading the rootDSE and
-+			call the <command>adcli</command> membership software
-+			with the option <option>--use-ldaps</option>. The Samba
-+			base membership currently offers only deprecated ways
-+			to enable ldaps. Support will be added in
-+			<command>realmd</command> when a new way is available.
-+			</para></listitem>
-+		</varlistentry>
- 	</variablelist>
- 
- </refsect1>
-@@ -326,6 +355,11 @@ $ realm leave domain.example.com
- 			with when leaving the realm. You will be prompted for a
- 			password. Implies <option>--remove</option>.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--use-ldaps</option></term>
-+			<listitem><para>See option description in
-+			<xref linkend="man-join"/>.</para></listitem>
-+		</varlistentry>
- 	</variablelist>
- 
- </refsect1>
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index 97d2e8d..72b706c 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -141,6 +141,27 @@ domain.example.com
- 	</listitem>
- 	</varlistentry>
- 
-+	<varlistentry>
-+	<term><option>use-ldaps</option></term>
-+	<listitem><para>Use the ldaps port when connecting to AD where possible.
-+	In general this option is not needed because <command>realmd</command>
-+	itself only read public information from the Active Directory domain
-+	controller which is available anonymously. The supported membership
-+	software products will use encrypted connections protected with
-+	GSS-SPNEGO/GSSAPI which offers a comparable level of security than
-+	ldaps. This option is only needed if the standard LDAP port (389/tcp)
-+	is blocked by a firewall and only the LDAPS port (636/tcp) is
-+	available.</para>
-+
-+	<para>If this option is set to <parameter>yes</parameter>
-+	<command>realmd</command> will use the ldaps port when reading the
-+	rootDSE and call the <command>adcli</command> membership software with
-+	the option <option>--use-ldaps</option>. The Samba base membership
-+	currently offers only deprecated ways to enable ldaps. Support will be
-+	added in <command>realmd</command> when a new way is available.</para>
-+	</listitem>
-+	</varlistentry>
-+
- 	<varlistentry>
- 	<term><option>os-name</option></term>
- 	<listitem><para>(see below)</para></listitem>
-diff --git a/tools/realm-client.c b/tools/realm-client.c
-index 2f102db..c386e64 100644
---- a/tools/realm-client.c
-+++ b/tools/realm-client.c
-@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
- GList *
- realm_client_discover (RealmClient *self,
-                        const gchar *string,
-+                       gboolean use_ldaps,
-                        const gchar *client_software,
-                        const gchar *server_software,
-                        const gchar *membership_software,
-@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
- 	options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
- 	                               REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
- 	                               REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
-+	                               REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
- 	                               NULL);
- 
- 	/* Start actual operation */
-diff --git a/tools/realm-client.h b/tools/realm-client.h
-index 5ecf2de..e9e50cd 100644
---- a/tools/realm-client.h
-+++ b/tools/realm-client.h
-@@ -40,6 +40,7 @@ RealmDbusProvider *            realm_client_get_provider             (RealmClien
- 
- GList *                        realm_client_discover                 (RealmClient *self,
-                                                                       const gchar *string,
-+                                                                      gboolean use_ldaps,
-                                                                       const gchar *client_software,
-                                                                       const gchar *server_software,
-                                                                       const gchar *membership_software,
-diff --git a/tools/realm-discover.c b/tools/realm-discover.c
-index 8dde4ed..c0acd79 100644
---- a/tools/realm-discover.c
-+++ b/tools/realm-discover.c
-@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
-                   const gchar *string,
-                   gboolean all,
-                   gboolean name_only,
-+                  gboolean use_ldaps,
-                   const gchar *server_software,
-                   const gchar *client_software,
-                   const gchar *membership_software)
-@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
- 	GList *realms;
- 	GList *l;
- 
--	realms = realm_client_discover (client, string, client_software,
-+	realms = realm_client_discover (client, string, use_ldaps, client_software,
- 	                                server_software, membership_software,
- 	                                REALM_DBUS_REALM_INTERFACE, NULL, &error);
- 
-@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
- 	GError *error = NULL;
- 	gboolean arg_all = FALSE;
- 	gboolean arg_name_only = FALSE;
-+	gboolean arg_use_ldaps = FALSE;
- 	gint result = 0;
- 	gint ret;
- 	gint i;
-@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
- 		{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
- 		{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
- 		{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
-+		{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
- 		{ NULL, }
- 	};
- 
-@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
- 	} else if (argc == 1) {
- 		result = perform_discover (client, NULL, arg_all,
- 		                           arg_name_only,
-+		                           arg_use_ldaps,
- 		                           arg_server_software,
- 		                           arg_client_software,
- 		                           arg_membership_software);
-@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
- 		for (i = 1; i < argc; i++) {
- 			ret = perform_discover (client, argv[i], arg_all,
- 			                        arg_name_only,
-+			                        arg_use_ldaps,
- 			                        arg_server_software,
- 			                        arg_client_software,
- 			                        arg_membership_software);
-diff --git a/tools/realm-join.c b/tools/realm-join.c
-index 249f502..dbe6197 100644
---- a/tools/realm-join.c
-+++ b/tools/realm-join.c
-@@ -179,6 +179,7 @@ typedef struct {
- 	gchar *user_principal;
- 	gboolean automatic_id_mapping_set;
- 	gboolean automatic_id_mapping;
-+	gboolean use_ldaps;
- } RealmJoinArgs;
- 
- static void
-@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
- 	GList *realms;
- 	gint ret;
- 
--	realms = realm_client_discover (client, string, args->client_software,
-+	realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
- 	                                args->server_software, args->membership_software,
- 	                                REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
- 	                                &had_mismatched, &error);
-@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
- 	                               REALM_DBUS_OPTION_OS_VERSION, args->os_version,
- 	                               REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
- 	                               REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
-+	                               REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
- 	                               args->automatic_id_mapping_set ?
- 	                                   REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
- 	                                   args->automatic_id_mapping,
-@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
- 		  N_("User name to use for enrollment"), NULL },
- 		{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
- 		  N_("Set the user principal for the computer account"), NULL },
-+		{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
-+		  N_("Use ldaps to connect to LDAP"), NULL },
- 		{ NULL, }
- 	};
- 
-diff --git a/tools/realm-leave.c b/tools/realm-leave.c
-index 45a9c46..c88a110 100644
---- a/tools/realm-leave.c
-+++ b/tools/realm-leave.c
-@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
- 
- static int
- perform_user_leave (RealmClient *client,
-+                    gboolean use_ldaps,
-                     RealmDbusKerberosMembership *membership,
-                     const gchar *user_name)
- {
-@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
- 		return 1;
- 	}
- 
--	options = realm_build_options(NULL, NULL);
-+	options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
-+	                               NULL);
- 	ret = call_leave (membership, credentials, options, &error);
- 
- 	if (error != NULL)
-@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
- static int
- perform_leave (RealmClient *client,
-                const gchar *realm_name,
-+               gboolean use_ldaps,
-                gboolean remove,
-                const gchar *user_name,
-                const gchar *client_software,
-@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
- 	if (!remove)
- 		ret = perform_deconfigure (client, realm);
- 	else
--		ret = perform_user_leave (client, membership, user_name);
-+		ret = perform_user_leave (client, use_ldaps, membership,
-+		                          user_name);
- 
- 	g_object_unref (membership);
- 	g_object_unref (realm);
-@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
- 	gchar *arg_server_software = NULL;
- 	GError *error = NULL;
- 	const gchar *realm_name;
-+	gboolean arg_use_ldaps = FALSE;
- 	gint ret = 0;
- 
- 	GOptionEntry option_entries[] = {
-@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
- 		{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
- 		  N_("Use specific server software"), NULL },
- 		{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
-+		{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
- 		{ NULL, }
- 	};
- 
-@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
- 
- 	} else {
- 		realm_name = argc < 2 ? NULL : argv[1];
--		ret = perform_leave (client, realm_name, arg_remove, arg_user,
--		                     arg_client_software, arg_server_software);
-+		ret = perform_leave (client, realm_name, arg_use_ldaps,
-+		                     arg_remove, arg_user, arg_client_software,
-+		                     arg_server_software);
- 	}
- 
- 	g_free (arg_user);
--- 
-2.26.2
-
diff --git a/SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch b/SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
deleted file mode 100644
index f79c86e..0000000
--- a/SOURCES/0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 8cddf81199e96c7edc701bcb7ca782d7bcddbddd Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 30 Oct 2020 19:24:40 +0100
-Subject: [PATCH 6/6] ldap: generate proper ldap uri for IPv6 addresses
-
-When using IPv6 addresses the address must be put into brackets.
-
-Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
----
- service/realm-ldap.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 28c5c8a..2076d1e 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -190,6 +190,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 	LdapSource *ls;
- 	gchar *addrname;
- 	GInetSocketAddress *inet;
-+	GSocketFamily family;
- 	struct berval cred;
- 	Sockbuf *sb = NULL;
- 	gsize native_len;
-@@ -204,6 +205,7 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 	inet = G_INET_SOCKET_ADDRESS (address);
- 	addrname = g_inet_address_to_string (g_inet_socket_address_get_address (inet));
- 	port = g_inet_socket_address_get_port (inet);
-+	family = g_inet_address_get_family (g_inet_socket_address_get_address (inet));
- 	if (port == 0)
- 		port = 389;
- 
-@@ -239,9 +241,17 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
- 		if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
- 			g_warning ("couldn't set to blocking");
- 
--		url = g_strdup_printf ("%s://%s:%d",
--		                       use_ldaps ? "ldaps" : "ldap",
--		                       addrname, port);
-+		if (family == G_SOCKET_FAMILY_IPV4) {
-+			url = g_strdup_printf ("%s://%s:%d",
-+			                       use_ldaps ? "ldaps" : "ldap",
-+			                       addrname, port);
-+		} else if (family == G_SOCKET_FAMILY_IPV6) {
-+			url = g_strdup_printf ("%s://[%s]:%d",
-+			                       use_ldaps ? "ldaps" : "ldap",
-+			                       addrname, port);
-+		} else {
-+			url = NULL;
-+		}
- 		rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
- 		g_free (url);
- 
--- 
-2.26.2
-
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
index 25a4e2b..f0710ed 100644
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@@ -1,102 +1,38 @@
-Name:		realmd
-Version:	0.16.3
-Release:	25%{?dist}
-Summary:	Kerberos realm enrollment service
-License:	LGPLv2+
-URL:		http://cgit.freedesktop.org/realmd/realmd/
-Source0:	http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
-
-Patch1:		0001-LDAP-don-t-close-LDAP-socket-twice.patch
-Patch2:		0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
-Patch3:		0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
-Patch4:		0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
-Patch5:		0001-switch-to-authselect.patch
-Patch6:		0001-Fix-man-page-reference-in-systemd-service-file.patch
-Patch7:		0001-Use-current-idmap-options-for-smb.conf.patch
-Patch8:		0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
-Patch9:		0001-tests-run-tests-with-python3.patch
-Patch10:	ipa-packages.patch
-Patch11:	0001-Fix-issues-found-by-Coverity.patch
-
-Patch12:	0001-Change-qualified-names-default-for-IPA.patch
-
-Patch13:	0001-IPA-do-not-call-sssd-enable-logins.patch
-
-# rhbz#1747454 - rebuild fails if DISTRO variable is exported
-Patch14:	0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
-
-# rhbz#1747452 - realmd.conf user-principal RFE and clarification (plus dependencies)
-Patch15:	0001-doc-Add-short-arguments-like-U-arguments-to-realm-ma.patch
-Patch16:	0001-doc-make-sure-cross-reference-ids-are-predictable.patch
-Patch17:	0001-doc-extend-user-principal-section.patch
-
-# rhbz#1747457 - realmd.conf documentation incorrect
-Patch18:	0001-doc-fix-discover-name-only.patch
-Patch19:	0002-doc-add-see-also-to-man-pages.patch
-
-# rhbz#1747456 - Document realmd.conf and how realmd reads the configuration
-Patch20:	0001-doc-extend-description-of-config-handling.patch
-
-# rhbz#1801195
-Patch21:	0001-service-use-kerberos-method-secrets-and-keytab.patch
-
-# rhbz#1859503 - Realm join fails with error 'Failed to join domain: failed to
-#                lookup DC info ...'
-Patch22:	0001-service-use-net-ads-join-with-k-for-user-join-as-wel.patch
-
-# rhbz#1867912 - realm command to use option like dnshostname=fqdn
-Patch23:	0001-service-use-additional-dns-hostnames-with-net-ads-jo.patch
-
-# rhbz#1791016 - realmd should handle default_realm in krb5.conf
-Patch24:	0001-Kerberos-add-default_domain-and-udp_preference_limit.patch
-
-# rhbz#1826964 - [RFE] Enable LDAPS functionality in realmd join
-Patch25:	0001-tools-Update-the-usage-help-text-of-the-realm-comman.patch
-Patch26:	0001-Use-startTLS-with-FreeIPA.patch
-Patch27:	0001-service-add-REALM_DBUS_OPTION_USE_LDAPS-and-realm_ge.patch
-Patch28:	0002-service-allow-to-use-ldaps-for-rootDSE-lookup.patch
-Patch29:	0003-service-add-ldaps-support-when-using-adcli.patch
-Patch30:	0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
-Patch31:	0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
-Patch32:	0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
-Patch33:	0001-ldap-setup-TLS-when-using-ldaps.patch
-Patch34:	0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
-Patch35:	0002-service-avoid-crash-if-LDAP-connection-fails.patch
-Patch36:	0003-service-make-TLS-check-more-releaxed.patch
-
-Patch37:	0001-doc-add-computer-name-to-realm-man-page.patch
-Patch38:	0001-build-add-with-vendor-error-message-configure-option.patch
-
-# rhbz#2024248 - realmd logs are duplicated
-Patch39:	0001-syslog-avoid-duplicate-log-messages.patch
-
-# rhbz#2028528 - realm join needs to updated to use the command line options of
-#                Samba's net command
-Patch40:	0001-samba-use-new-Samba-4.15-command-line-options.patch
-
-# rhbz#2037864 - realmd operations hang if a DC is unreachable
-Patch41:	0001-ldap-add-socket-timeout.patch
-
-BuildRequires:	gcc
-BuildRequires:	automake
-BuildRequires:	autoconf
-BuildRequires:	intltool pkgconfig
-BuildRequires:	gettext-devel
-BuildRequires:	glib2-devel >= 2.32.0
-BuildRequires:	openldap-devel
-BuildRequires:	polkit-devel
-BuildRequires:	krb5-devel
-BuildRequires:	systemd-devel
-BuildRequires:	libxslt
-BuildRequires:	xmlto
-BuildRequires:	samba-common-tools
-BuildRequires:	%{_bindir}/python3
-
-Requires:	authselect
-Requires:	polkit
+Name:    realmd
+Version: 0.17.1
+Release: 1%{?dist}
+Summary: Kerberos realm enrollment service
+License: LGPLv2+
+URL:     https://gitlab.freedesktop.org/realmd/realmd
+Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
+
+### Downstream Patches ###
+# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
+# using freeipa-*, the following patch applies the needed changes.
+Patch0100: ipa-packages.patch
+
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: intltool pkgconfig
+BuildRequires: gettext-devel
+BuildRequires: glib2-devel >= 2.32.0
+BuildRequires: openldap-devel
+BuildRequires: polkit-devel
+BuildRequires: krb5-devel
+BuildRequires: systemd-devel
+BuildRequires: libxslt
+BuildRequires: xmlto
+BuildRequires: samba-common-tools
+BuildRequires: python3
+
+Requires: authselect
+Requires: polkit
+Conflicts: realmd-devel-docs < %{version}-%{release}
 # This build will use Samba's new command line options so it cannot be used
 # with older versions of Samba.
-Conflicts:	samba-common-tools < 4.15
+Conflicts:     samba-common-tools < 4.15
 
 %description
 realmd is a DBus system service which manages discovery and enrollment in realms
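Review bot: The rebase drops Patch1 through Patch41 in one step, including the LDAPS/TLS series (rhbz#1826964) and the LDAP socket timeout (rhbz#2037864), and nothing in the new header records that each of them is contained in 0.17.1. I would confirm that against the upstream release and state it above the downstream section, for example `# All earlier backports are part of upstream 0.17.1; only downstream-only patches remain.`. The new comment above Patch0100 also has a doubled phrase and a grammar slip; `# In RHEL the FreeIPA packages are called ipa-* while upstream uses freeipa-*,` reads cleaner. Source0 now points at an upload URL, so the checksum in `.realmd.metadata` is the only integrity pin for the tarball visible on this page.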
@@ -104,7 +40,8 @@ and domains like Active Directory or IPA. The control center uses realmd as the
 back end to 'join' a domain simply and automatically configure things correctly.
 
 %package devel-docs
-Summary:	Developer documentation files for %{name}
+Summary: Developer documentation files for %{name}
+Conflicts: realmd < %{version}-%{release}
 
 %description devel-docs
 The %{name}-devel package contains developer documentation for developing
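Review bot: The new `Conflicts: realmd < %{version}-%{release}` in the devel-docs subpackage hard-codes the package name while the Summary line right above it uses `%{name}`. Neither it nor its counterpart `Conflicts: realmd-devel-docs < %{version}-%{release}` in the main package says why the two must move in lock-step. I would write `Conflicts: %{name} < %{version}-%{release}` and add a one-line comment above each giving the reason (presumably content that moved between the packages in this release; confirm). The unchanged description below still says `%{name}-devel` for a package named devel-docs, which could be corrected in the same pass.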
@@ -124,7 +61,6 @@ autoreconf -fi
 %endif
     %{nil}
 
-
 make %{?_smp_mflags}
 
 %check
@@ -146,10 +82,10 @@ make install DESTDIR=%{buildroot}
 
 %files -f realmd.lang
 %doc AUTHORS COPYING NEWS README
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
 %{_sbindir}/realm
 %dir %{_prefix}/lib/realmd
-%{_prefix}/lib/realmd/realmd
+%{_libexecdir}/realmd
 %{_prefix}/lib/realmd/realmd-defaults.conf
 %{_prefix}/lib/realmd/realmd-distro.conf
 %{_unitdir}/realmd.service
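Review bot: Moving the daemon from `%{_prefix}/lib/realmd/realmd` to `%{_libexecdir}/realmd` changes the path that SELinux file-context rules, the systemd unit and the D-Bus service activation file have to match, and none of those is visible in this hunk. If the policy on the target release only labels the old path, the service would start without its intended domain, so it is worth checking the installed label (`ls -Z`) in a test build before shipping. Separately, `%config(noreplace)` on `org.freedesktop.realmd.conf` means a locally edited bus policy survives upgrades and a later tightened policy arrives only as `.rpmnew`. A comment such as `# admin edits are preserved; policy updates land as .rpmnew` would make that trade-off explicit.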
@@ -164,6 +100,10 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 
 %changelog
+* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
+- Update to upstream release 0.17.1
+  Resolves: rhbz#2133841
+
 * Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
 - add LDAP socket timeout
  Resolves: rhbz#2037864