diff --git a/SOURCES/0001-Change-qualified-names-default-for-IPA.patch b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
new file mode 100644
index 0000000..4977bc4
--- /dev/null
+++ b/SOURCES/0001-Change-qualified-names-default-for-IPA.patch
@@ -0,0 +1,113 @@
+From 34e6ec1d52db7f184be5ccc1fde993b07b32910c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 14 Aug 2018 16:44:39 +0200
+Subject: [PATCH] Change qualified names default for IPA
+
+In a FreeIPA domain it is typically expected that the IPA accounts use
+sort names while accounts from trusted domains have fully qualified
+names. This is automatically done by SSSD's IPA provider so there is no
+need to force fully qualified names in the SSSD configuration.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1575538
+---
+ service/realm-options.c | 9 +++++----
+ service/realm-options.h | 3 ++-
+ service/realm-samba-winbind.c | 2 +-
+ service/realm-sssd-ad.c | 2 +-
+ service/realm-sssd-ipa.c | 2 +-
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/service/realm-options.c b/service/realm-options.c
+index bd804ea..34a209f 100644
+--- a/service/realm-options.c
++++ b/service/realm-options.c
+@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
+
+ if (realm_name && !option) {
+ section = g_utf8_casefold (realm_name, -1);
+- mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
++ mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
+ g_free (section);
+ }
+
+@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
+ gboolean mapping;
+
+ section = g_utf8_casefold (realm_name, -1);
+- mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
++ mapping = realm_settings_boolean (section, "automatic-join", FALSE);
+ g_free (section);
+
+ return mapping;
+ }
+
+ gboolean
+-realm_options_qualify_names (const gchar *realm_name)
++realm_options_qualify_names (const gchar *realm_name,
++ gboolean def)
+ {
+ gchar *section;
+ gboolean qualify;
+
+ section = g_utf8_casefold (realm_name, -1);
+- qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
++ qualify = realm_settings_boolean (section, "fully-qualified-names", def);
+ g_free (section);
+
+ return qualify;
+diff --git a/service/realm-options.h b/service/realm-options.h
+index 7a1355e..b71d219 100644
+--- a/service/realm-options.h
++++ b/service/realm-options.h
+@@ -37,7 +37,8 @@ const gchar * realm_options_user_principal (GVariant *options,
+ gboolean realm_options_automatic_mapping (GVariant *options,
+ const gchar *realm_name);
+
+-gboolean realm_options_qualify_names (const gchar *realm_name);
++gboolean realm_options_qualify_names (const gchar *realm_name,
++ gboolean def);
+
+ gboolean realm_options_check_domain_name (const gchar *domain_name);
+
+diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
+index 9335e26..61988eb 100644
+--- a/service/realm-samba-winbind.c
++++ b/service/realm-samba-winbind.c
+@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
+ "winbind enum groups", "no",
+ "winbind offline logon", "yes",
+ "winbind refresh tickets", "yes",
+- "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
++ "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
+ "template shell", realm_settings_string ("users", "default-shell"),
+ NULL);
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 8543ca8..de7ce30 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
+ gchar *home;
+
+ home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
+- qualify = realm_options_qualify_names (disco->domain_name);
++ qualify = realm_options_qualify_names (disco->domain_name, TRUE);
+ shell = realm_settings_string ("users", "default-shell");
+ explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
+ realmd_tags = g_string_new ("");
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index ff1dc8a..5029f6b 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
+
+ realm_sssd_config_update_domain (config, domain, &error,
+ "cache_credentials", "True",
+- "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
++ "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
+ "krb5_store_password_if_offline", "True",
+ "default_shell", shell,
+ "fallback_homedir", home,
+--
+2.26.2
+
diff --git a/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch b/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
new file mode 100644
index 0000000..1c688d7
--- /dev/null
+++ b/SOURCES/0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
@@ -0,0 +1,32 @@
+From 506887297ea33339d8ad8b274be643d220bf22f8 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 28 Nov 2019 18:51:30 +0100
+Subject: [PATCH] configure: do not inherit DISTRO from the environment
+
+The argument of the --with-distro configure option is stored in the
+variable DISTRO. If DISTRO is already set in the build environment it
+should not be used hence DISTRO must be cleared by the configure script
+if not set by --with-distro.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1638396
+---
+ configure.ac | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index e335247..a424a49 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -31,7 +31,8 @@ AC_ARG_WITH([distro],
+ [AS_HELP_STRING([--with-distro],
+ [Configure for a specific distribution (eg: redhat)]
+ )],
+- [DISTRO=$withval])
++ [DISTRO=$withval],
++ [DISTRO=])
+
+ if test -z $DISTRO; then
+ AC_CHECK_FILE(/etc/redhat-release, [DISTRO="redhat"])
+--
+2.26.2
+
diff --git a/SOURCES/0001-doc-extend-description-of-config-handling.patch b/SOURCES/0001-doc-extend-description-of-config-handling.patch
new file mode 100644
index 0000000..3e13f29
--- /dev/null
+++ b/SOURCES/0001-doc-extend-description-of-config-handling.patch
@@ -0,0 +1,104 @@
+From 98a69ca00e3441128b181b59c06bb06e8c362360 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 29 Nov 2019 21:57:02 +0100
+Subject: [PATCH] doc: extend description of config handling
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625005
+---
+ doc/manual/Makefile.am | 8 ++++++++
+ doc/manual/realmd.conf.xml | 15 +++++++++++----
+ doc/privatedir.xml.in | 1 +
+ 4 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 doc/privatedir.xml.in
+
+diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
+index 8b33fdd..9812c45 100644
+--- a/doc/manual/Makefile.am
++++ b/doc/manual/Makefile.am
+@@ -1,14 +1,20 @@
++XSLTPROC_FLAGS = --path $(abs_builddir):$(abs_srcdir):$(abs_builddir)/doc
+
+ man8_MANS += \
+ doc/manual/realm.8
+ man5_MANS += \
+ doc/manual/realmd.conf.5
+
++$(man5_MANS): doc/privatedir.xml
++
+ MAN_IN_FILES = \
+ $(man8_MANS:.8=.xml) \
+ $(man5_MANS:.5=.xml) \
+ $(NULL)
+
++doc/privatedir.xml: doc/privatedir.xml.in
++ $(V_SED) $(MKDIR_P) $(dir $@) && $(SED_SUBST) $< > $@
++
+ MANUAL_DOCBOOK = doc/manual/realmd-docs.xml
+
+ MANUAL_INCLUDES = \
+@@ -41,6 +47,7 @@ MANUAL_XSLT = \
+ $(NULL)
+
+ EXTRA_DIST += \
++ doc/privatedir.xml.in \
+ $(MANUAL_DOCBOOK) \
+ $(MANUAL_INCLUDES) \
+ $(MAN_IN_FILES) \
+@@ -50,6 +57,7 @@ EXTRA_DIST += \
+
+ CLEANFILES += \
+ realmd-org.freedesktop.realmd.generated \
++ doc/privatedir.xml \
+ $(DBUS_DOC_GENERATED) \
+ $(DBUS_ESCAPED) \
+ $(man8_MANS) \
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index 1592291..9062252 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -1,6 +1,9 @@
+ <?xml version='1.0'?>
+ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
++ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
++[
++<!ENTITY privatedir SYSTEM "privatedir.xml">
++]>
+
+ <refentry id="realmd-conf">
+
+@@ -35,7 +38,9 @@
+ to act in specific ways. This is done by placing settings in a
+ <filename>/etc/realmd.conf</filename>. This file does not exist by
+ default. The syntax of this file is the same as an INI file or
+- Desktop Entry file.</para>
++ Desktop Entry file. If the file is changed and
++ <command>realmd</command> is running <command>realmd</command> must be
++ restarted to read the new values.</para>
+
+ <para>In general, settings in this file only apply at the point of
+ joining a domain or realm. Once the realm has been setup the settings
+@@ -46,8 +51,10 @@
+
+ <para>Only specify the settings you wish to override in the
+ <filename>/etc/realmd.conf</filename> file. Settings not specified will
+- be loaded from their packaged defaults. Only override the settings
+- below. You may find other settings if you look through the
++ be loaded from their packaged defaults which can be found in
++ <filename>&privatedir;/realmd-defaults.conf</filename> and
++ <filename>&privatedir;/realmd-distro.conf</filename>. Only override the
++ settings below. You may find other settings if you look through the
+ <command>realmd</command> source code. However these are not guaranteed
+ to remain stable.</para>
+
+diff --git a/doc/privatedir.xml.in b/doc/privatedir.xml.in
+new file mode 100644
+index 0000000..7f71afe
+--- /dev/null
++++ b/doc/privatedir.xml.in
+@@ -0,0 +1 @@
++@privatedir@
+\ No newline at end of file
+--
+2.26.2
+
diff --git a/SOURCES/0001-doc-fix-discover-name-only.patch b/SOURCES/0001-doc-fix-discover-name-only.patch
new file mode 100644
index 0000000..3719cd5
--- /dev/null
+++ b/SOURCES/0001-doc-fix-discover-name-only.patch
@@ -0,0 +1,26 @@
+From 878e40f5a3b50d37a0ed981a4f0872a9d5d99e6b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 29 Nov 2019 18:49:15 +0100
+Subject: [PATCH 1/2] doc: fix discover name-only
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
+---
+ doc/manual/realmd.conf.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index a26a60c..fc6a785 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -308,7 +308,7 @@ DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
+
+ <informalexample>
+ <screen>
+-$ <command>realm discover --name DOMAIN.example.com</command>
++$ <command>realm discover --name-only DOMAIN.example.com</command>
+ domain.example.com
+ ...
+ </screen>
+--
+2.26.2
+
diff --git a/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch b/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch
new file mode 100644
index 0000000..0bd4734
--- /dev/null
+++ b/SOURCES/0001-service-use-kerberos-method-secrets-and-keytab.patch
@@ -0,0 +1,30 @@
+From 517fa766782421302da827278ca17e6b2ad57da3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 21 Feb 2020 14:06:16 +0100
+Subject: [PATCH] service: use "kerberos method" "secrets and keytab"
+
+When using Samba with Winbind the host password stored in secrets.tdb is
+still important so the "secrets and keytab" should be the preferred
+"kerberos method".
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1801195
+---
+ service/realm-samba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/service/realm-samba.c b/service/realm-samba.c
+index e2a3608..4940b38 100644
+--- a/service/realm-samba.c
++++ b/service/realm-samba.c
+@@ -200,7 +200,7 @@ on_join_do_winbind (GObject *source,
+ "template shell", realm_settings_string ("users", "default-shell"),
+ "netbios name", computer_name,
+ "password server", enroll->disco->explicit_server,
+- "kerberos method", "system keytab",
++ "kerberos method", "secrets and keytab",
+ NULL);
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0002-doc-add-see-also-to-man-pages.patch b/SOURCES/0002-doc-add-see-also-to-man-pages.patch
new file mode 100644
index 0000000..05f3f1f
--- /dev/null
+++ b/SOURCES/0002-doc-add-see-also-to-man-pages.patch
@@ -0,0 +1,46 @@
+From 799821650c538754aae842d400df75d3bd8864bf Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 29 Nov 2019 18:49:51 +0100
+Subject: [PATCH 2/2] doc: add see also to man pages
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1625001
+---
+ doc/manual/realm.xml | 7 +++++++
+ doc/manual/realmd.conf.xml | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
+index 55a7640..e5d4608 100644
+--- a/doc/manual/realm.xml
++++ b/doc/manual/realm.xml
+@@ -440,4 +440,11 @@ $ realm deny --all
+
+ </refsect1>
+
++<refsect1 id='realm_see_also'>
++ <title>SEE ALSO</title>
++
++ <para><citerefentry><refentrytitle>realmd.conf</refentrytitle>
++ <manvolnum>5</manvolnum></citerefentry></para>
++</refsect1>
++
+ </refentry>
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index fc6a785..1592291 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -471,4 +471,11 @@ fully-qualified-names = no
+ </variablelist>
+ </refsect1>
+
++<refsect1 id='realmd_conf_see_also'>
++ <title>SEE ALSO</title>
++
++ <para><citerefentry><refentrytitle>realm</refentrytitle>
++ <manvolnum>8</manvolnum></citerefentry></para>
++</refsect1>
++
+ </refentry>
+--
+2.26.2
+
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
index 67f9d4e..5d3c2c7 100644
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@@ -1,6 +1,6 @@
Name: realmd
Version: 0.16.1
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/realmd/
@@ -28,6 +28,24 @@ Patch29: 0001-Use-current-idmap-options-for-smb.conf.patch
Patch30: 0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
Patch31: 0001-Fix-issues-found-by-Coverity.patch
+# rhbz#1625001 - realmd.conf documentation incorrect
+Patch32: 0001-doc-fix-discover-name-only.patch
+Patch33: 0002-doc-add-see-also-to-man-pages.patch
+
+# rhbz#1625005 - Document realmd.conf and how realmd reads the configuration
+Patch34: 0001-doc-extend-description-of-config-handling.patch
+
+# rhbz#1638396 - rebuild fails if DISTRO variable is exported
+Patch35: 0001-configure-do-not-inherit-DISTRO-from-the-environment.patch
+
+# rhbz#1714223 - realm join should not enable use_fully_qualified_names by default
+Patch36: 0001-Change-qualified-names-default-for-IPA.patch
+
+# rhbz#1832134 - realmdjoin to AD server with client-software winbind
+# membership-software samba does not set 'kerberos method =
+# secrets and keytab'
+Patch37: 0001-service-use-kerberos-method-secrets-and-keytab.patch
+
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: intltool pkgconfig
@@ -79,6 +97,12 @@ applications that use %{name}.
%patch29 -p1
%patch30 -p1
%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
%build
aclocal
@@ -124,6 +148,14 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
+* Fri May 08 2020 Sumit Bose <sbose@redhat.com> - 0.16.1-12
+Fixes for RHEL-7.9
+- Resolves: rhbz#1625001
+- Resolves: rhbz#1625005
+- Resolves: rhbz#1638396
+- Resolves: rhbz#1714223
+- Resolves: rhbz#1832134
+
* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.1-11
Improve fix for rhbz#1370457 and fix Coverity issues
- Resolves: rhbz#1370457