5 changed files with 4 additions and 274 deletions
--- a/SOURCES/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
+++ b/SOURCES/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
@ -1,74 +0,0 @@
 From 19923985b69ccd5f2a33a067bfc3ed020889377e Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Tue, 13 Jun 2023 18:02:52 +0200
 Subject: [PATCH 1/3] service: allow multiple names and _srv_ ad_server option
 realmd checks if the 'ad_server' option is set in sssd.conf before
 calling adcli to remove the host from the AD server. If set the value is
 used as value for dcli's '--domain-controller' option. But if multiple
 names are set in sssd.conf this currently fails because the whole string
 is used.
 With this patch the 'ad_server' option is properly evaluated and only
 the first domain controller name is used.
 ---
 service/realm-sssd-ad.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
 diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
 index 2817e73..096b6c5 100644
 --- a/service/realm-sssd-ad.c
 +++ b/service/realm-sssd-ad.c
@@ -649,6 +649,40 @@ realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
 	return g_task_propagate_boolean (G_TASK (result), error);
 }
 +static gchar *get_ad_server_from_config (RealmKerberos *realm)
 +{
 +	RealmSssd *sssd = REALM_SSSD (realm);
 +	RealmIniConfig *config;
 +	const gchar *section;
 +	gchar **servers;
 +	gchar *tmp;
 +	size_t c;
 +	gchar *value = NULL;
 +
 +	config = realm_sssd_get_config (sssd);
 +	section = realm_sssd_get_config_section (sssd);
 +
 +	if (section == NULL) {
 +		return NULL;
 +	}
 +
 +	servers = realm_ini_config_get_list (config, section, "ad_server", ",");
 +	/* Only use the first server defined given in 'ad_server' and ignore
 +	 * '_srv_'. */
 +	if (servers != NULL) {
 +		for (c = 0; servers[c] != NULL; c++) {
 +			tmp = g_strstrip (servers[c]);
 +			if (strcasecmp ("_srv_", tmp) != 0) {
 +				value = g_strdup (tmp);
 +				break;
 +			}
 +		}
 +		g_strfreev (servers);
 +	}
 +
 +	return value;
 +}
 +
 static void
 realm_sssd_ad_discover_myself (RealmKerberos *realm,
                                RealmDisco *disco)
@@ -665,7 +699,7 @@ realm_sssd_ad_discover_myself (RealmKerberos *realm,
 	if (section == NULL)
 		return;
 -	value = realm_ini_config_get (config, section, "ad_server");
 +	value = get_ad_server_from_config (realm);
 	g_free (disco->explicit_server);
 	disco->explicit_server = value;
 -- 
 2.43.0
--- a/SOURCES/0001-tools-fix-ccache-handling-for-leave-operation.patch
+++ b/SOURCES/0001-tools-fix-ccache-handling-for-leave-operation.patch
@ -1,69 +0,0 @@
 From f648ae06012d1de137f12095d1bd7aaacb382042 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Wed, 10 Jan 2024 09:18:20 +0100
 Subject: [PATCH] tools: fix ccache handling for leave operation
 krb5_cc_initialize() must be called before anything can be written into
 a ccache.
 While checking the available credential types the order/preference was
 not respected.
 Resolves: https://issues.redhat.com/browse/SSSD-6420
 ---
 tools/realm-client.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
 diff --git a/tools/realm-client.c b/tools/realm-client.c
 index c386e64..06420ea 100644
 --- a/tools/realm-client.c
 +++ b/tools/realm-client.c
@@ -498,13 +498,16 @@ are_credentials_supported (GVariant *supported,
 	GVariantIter iter;
 	const gchar *type;
 	const gchar *owner;
 -
 -	g_variant_iter_init (&iter, supported);
 -	while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
 -		if (g_strcmp0 (credential_type_1, type) == 0 ||
 -		    g_strcmp0 (credential_type_2, type) == 0) {
 -			*ret_owner = owner;
 -			return type;
 +	const gchar *list[] = {credential_type_1, credential_type_2, NULL};
 +	size_t c;
 +
 +	for (c = 0; list[c] != NULL; c++) {
 +		g_variant_iter_init (&iter, supported);
 +		while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
 +			if (g_strcmp0 (list[c], type) == 0) {
 +				*ret_owner = owner;
 +				return type;
 +			}
 		}
 	}
@@ -622,8 +625,6 @@ copy_to_ccache (krb5_context krb5,
 	memset (&mcred, 0, sizeof (mcred));
 	mcred.client = principal;
 	mcred.server = server;
 -	mcred.times.starttime = g_get_real_time () / G_TIME_SPAN_MILLISECOND;
 -	mcred.times.endtime = mcred.times.starttime;
 	code = krb5_cc_retrieve_cred (krb5, def_ccache, KRB5_TC_MATCH_TIMES,
 	                              &mcred, &creds);
@@ -639,6 +640,12 @@ copy_to_ccache (krb5_context krb5,
 		return FALSE;
 	}
 +	code = krb5_cc_initialize (krb5, ccache, creds.client);
 +	if (code != 0) {
 +		g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
 +		return FALSE;
 +	}
 +
 	code = krb5_cc_store_cred (krb5, ccache, &creds);
 	krb5_free_cred_contents (krb5, &creds);
 -- 
 2.43.0
--- a/SOURCES/0002-service-fix-error-message-when-removing-host-from-AD.patch
+++ b/SOURCES/0002-service-fix-error-message-when-removing-host-from-AD.patch
@ -1,88 +0,0 @@
 From d691c679c1531b3eb457c494141bafdc4e0bc692 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Fri, 1 Dec 2023 12:14:06 +0100
 Subject: [PATCH 2/3] service: fix error message when removing host from AD
 If there is an error while trying to remove the host from AD with the
 help of adcli the error message talks about "joining" which might be
 irritating when figuring out the reason for the failure. This patch
 adds a better message when leaving the domain.
 ---
 service/realm-adcli-enroll.c | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
 diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
 index e0d752b..c913987 100644
 --- a/service/realm-adcli-enroll.c
 +++ b/service/realm-adcli-enroll.c
@@ -25,9 +25,10 @@
 #include "realm-settings.h"
 static void
 -on_join_process (GObject *source,
 -                 GAsyncResult *result,
 -                 gpointer user_data)
 +on_join_leave_process (GObject *source,
 +                       GAsyncResult *result,
 +                       gpointer user_data,
 +                       gboolean is_join)
 {
 	GTask *task = G_TASK (user_data);
 	GError *error = NULL;
@@ -39,15 +40,18 @@ on_join_process (GObject *source,
 		switch (status) {
 		case 2: /* ADCLI_ERR_UNEXPECTED */
 			g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
 -			             "Internal unexpected error joining the domain");
 +			             is_join ? "Internal unexpected error joining the domain"
 +			                     : "Internal unexpected error removing host from the domain");
 			break;
 		case 6: /* ADCLI_ERR_CREDENTIALS */
 			g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
 -			             "Insufficient permissions to join the domain");
 +			             is_join ? "Insufficient permissions to join the domain"
 +			                     : "Insufficient permissions to remove the host from the domain");
 			break;
 		default:
 			g_set_error (&error, REALM_ERROR, REALM_ERROR_FAILED,
 -			             "Failed to join the domain");
 +			             is_join ? "Failed to join the domain"
 +			                     : "Failed to remove the host from the domain");
 			break;
 		}
 	}
@@ -64,6 +68,22 @@ on_join_process (GObject *source,
 	g_object_unref (task);
 }
 +static void
 +on_join_process (GObject *source,
 +                 GAsyncResult *result,
 +                 gpointer user_data)
 +{
 +	on_join_leave_process (source, result, user_data, TRUE);
 +}
 +
 +static void
 +on_leave_process (GObject *source,
 +                  GAsyncResult *result,
 +                  gpointer user_data)
 +{
 +	on_join_leave_process (source, result, user_data, FALSE);
 +}
 +
 void
 realm_adcli_enroll_join_async (RealmDisco *disco,
                                RealmCredential *cred,
@@ -290,7 +310,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
 	g_ptr_array_add (args, NULL);
 	realm_command_runv_async ((gchar **)args->pdata, environ, input,
 -	                          invocation, on_join_process,
 +	                          invocation, on_leave_process,
 	                          g_object_ref (task));
 	g_ptr_array_free (args, TRUE);
 -- 
 2.43.0
--- a/SOURCES/0003-doc-fix-reference-in-realmd.conf-man-page.patch
+++ b/SOURCES/0003-doc-fix-reference-in-realmd.conf-man-page.patch
@ -1,26 +0,0 @@
 From 56aedbceec3e6ff0d6142a16ca0c343c523b6d7a Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Fri, 1 Dec 2023 13:07:10 +0100
 Subject: [PATCH 3/3] doc: fix reference in realmd.conf man page
 ---
 doc/manual/realmd.conf.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
 index 72b706c..ad17639 100644
 --- a/doc/manual/realmd.conf.xml
 +++ b/doc/manual/realmd.conf.xml
@@ -110,7 +110,8 @@ default-client = sssd
 		</para>
 		<para>Some callers of <command>realmd</command> such as the
 -		<link linkend="realm"><command>realm</command></link>
 +		<citerefentry><refentrytitle>realm</refentrytitle>
 +		<manvolnum>8</manvolnum></citerefentry>
 		command line tool allow specifying which client software should
 		be used. Others, such as GNOME Control Center, simplify choose
 		the default.</para>
 -- 
 2.43.0
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@ -1,16 +1,11 @@
 Name:    realmd
 Version: 0.17.1
-Release: 2%{?dist}
+Release: 1%{?dist}
 Summary: Kerberos realm enrollment service
-License: LGPL-2.1-or-later
+License: LGPLv2+
 URL:     https://gitlab.freedesktop.org/realmd/realmd
 Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
 Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
 Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
 Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
 Patch0004: 0001-tools-fix-ccache-handling-for-leave-operation.patch
 ### Downstream Patches ###
 # In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
 # using freeipa-*, the following patch applies the needed changes.
@ -66,13 +61,13 @@ autoreconf -fi
 %endif
    %{nil}
-%make_build
+make %{?_smp_mflags}
 %check
 make check
 %install
-%make_install
+make install DESTDIR=%{buildroot}
 %find_lang realmd
@ -105,14 +100,6 @@ make check
 %doc ChangeLog
 %changelog
 * Tue Feb 20 2024 Sumit Bose <sbose@redhat.com>
 - Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 - migrated to SPDX license
 - allow multiple names and _srv_ ad_server option
  Resolves: jira#RHEL-12112
 - fix ccache handling for leave operation
  Resolves: jira#RHEL-5104
 * Fri Oct 14 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
 - Update to upstream release 0.17.1
  Resolves: rhbz#2129050, rhbz#2133839