
No commits in common. 'c9' and 'c9-beta' have entirely different histories.

@ -0,0 +1,74 @@
From 19923985b69ccd5f2a33a067bfc3ed020889377e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 13 Jun 2023 18:02:52 +0200
Subject: [PATCH 1/3] service: allow multiple names and _srv_ ad_server option
realmd checks if the 'ad_server' option is set in sssd.conf before
calling adcli to remove the host from the AD server. If set the value is
used as value for adcli's '--domain-controller' option. But if multiple
names are set in sssd.conf this currently fails because the whole string
is used.
With this patch the 'ad_server' option is properly evaluated and only
the first domain controller name is used.
---
service/realm-sssd-ad.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 2817e73..096b6c5 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -649,6 +649,40 @@ realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
return g_task_propagate_boolean (G_TASK (result), error);
}
+static gchar *get_ad_server_from_config (RealmKerberos *realm)
+{
+ RealmSssd *sssd = REALM_SSSD (realm);
+ RealmIniConfig *config;
+ const gchar *section;
+ gchar **servers;
+ gchar *tmp;
+ size_t c;
+ gchar *value = NULL;
+
+ config = realm_sssd_get_config (sssd);
+ section = realm_sssd_get_config_section (sssd);
+
+ if (section == NULL) {
+ return NULL;
+ }
+
+ servers = realm_ini_config_get_list (config, section, "ad_server", ",");
+ /* Only use the first server defined given in 'ad_server' and ignore
+ * '_srv_'. */
+ if (servers != NULL) {
+ for (c = 0; servers[c] != NULL; c++) {
+ tmp = g_strstrip (servers[c]);
+ if (strcasecmp ("_srv_", tmp) != 0) {
+ value = g_strdup (tmp);
+ break;
+ }
+ }
+ g_strfreev (servers);
+ }
+
+ return value;
+}
+
static void
realm_sssd_ad_discover_myself (RealmKerberos *realm,
RealmDisco *disco)
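Review bot: An empty list entry is accepted as a server name in the loop of get_ad_server_from_config. If realm_ini_config_get_list keeps empty fields (for example from `ad_server = , dc1`), the stripped entry is an empty string, it is not `_srv_`, and it ends up in disco->explicit_server. The commit message says this value is handed to adcli as '--domain-controller', so I would skip empty entries and use GLib's locale-independent comparison: `if (*tmp != '\0' && g_ascii_strcasecmp ("_srv_", tmp) != 0) {`. strcasecmp also needs <strings.h>, and no include is added in this patch; whether the file already has it is not visible here.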
@@ -665,7 +699,7 @@ realm_sssd_ad_discover_myself (RealmKerberos *realm,
if (section == NULL)
return;
- value = realm_ini_config_get (config, section, "ad_server");
+ value = get_ad_server_from_config (realm);
g_free (disco->explicit_server);
disco->explicit_server = value;
--
2.43.0

@ -0,0 +1,69 @@
From f648ae06012d1de137f12095d1bd7aaacb382042 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Jan 2024 09:18:20 +0100
Subject: [PATCH] tools: fix ccache handling for leave operation
krb5_cc_initialize() must be called before anything can be written into
a ccache.
While checking the available credential types the order/preference was
not respected.
Resolves: https://issues.redhat.com/browse/SSSD-6420
---
tools/realm-client.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/tools/realm-client.c b/tools/realm-client.c
index c386e64..06420ea 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -498,13 +498,16 @@ are_credentials_supported (GVariant *supported,
GVariantIter iter;
const gchar *type;
const gchar *owner;
-
- g_variant_iter_init (&iter, supported);
- while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
- if (g_strcmp0 (credential_type_1, type) == 0 ||
- g_strcmp0 (credential_type_2, type) == 0) {
- *ret_owner = owner;
- return type;
+ const gchar *list[] = {credential_type_1, credential_type_2, NULL};
+ size_t c;
+
+ for (c = 0; list[c] != NULL; c++) {
+ g_variant_iter_init (&iter, supported);
+ while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
+ if (g_strcmp0 (list[c], type) == 0) {
+ *ret_owner = owner;
+ return type;
+ }
}
}
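Review bot: A NULL first type ends the search before the second type is looked at, because `list[]` is NULL-terminated and the outer loop stops at the first NULL entry. The old code compared both types with g_strcmp0 and tolerated NULL in either slot. If any caller passes NULL for credential_type_1 (the callers are outside this hunk), iterating over the two fixed slots keeps that tolerance: `for (c = 0; c < 2; c++) { if (list[c] == NULL) continue;`. A one-line comment such as `/* outer loop order is the preference order */` would also record why the loops are nested this way.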
@@ -622,8 +625,6 @@ copy_to_ccache (krb5_context krb5,
memset (&mcred, 0, sizeof (mcred));
mcred.client = principal;
mcred.server = server;
- mcred.times.starttime = g_get_real_time () / G_TIME_SPAN_MILLISECOND;
- mcred.times.endtime = mcred.times.starttime;
code = krb5_cc_retrieve_cred (krb5, def_ccache, KRB5_TC_MATCH_TIMES,
&mcred, &creds);
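Review bot: KRB5_TC_MATCH_TIMES is still passed to krb5_cc_retrieve_cred although mcred.times is now all zero after the memset. As far as I can tell the flag then constrains nothing, so an already expired ticket can be selected and copied. If the intent is "still valid now", keep the flag and set `mcred.times.endtime = g_get_real_time () / G_TIME_SPAN_SECOND;` (the removed lines divided by G_TIME_SPAN_MILLISECOND, which does not yield seconds). Otherwise drop the flag so the call says what it does. copy_to_ccache starts and ends outside this hunk.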
@@ -639,6 +640,12 @@ copy_to_ccache (krb5_context krb5,
return FALSE;
}
+ code = krb5_cc_initialize (krb5, ccache, creds.client);
+ if (code != 0) {
+ g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
+ return FALSE;
+ }
+
code = krb5_cc_store_cred (krb5, ccache, &creds);
krb5_free_cred_contents (krb5, &creds);
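Review bot: The new failure branch returns without releasing `creds`, which was presumably filled by the krb5_cc_retrieve_cred call earlier in copy_to_ccache. The ticket and session key then stay allocated, whereas the success path releases them with krb5_free_cred_contents right after the store. Add `krb5_free_cred_contents (krb5, &creds);` before `return FALSE;`. The string returned by krb5_get_error_message is also never passed to krb5_free_error_message; keep it in a local, log it, then free it. The rest of the function is outside the hunk, so other cleanup on this path cannot be checked from here.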
--
2.43.0

@ -0,0 +1,88 @@
From d691c679c1531b3eb457c494141bafdc4e0bc692 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Dec 2023 12:14:06 +0100
Subject: [PATCH 2/3] service: fix error message when removing host from AD
If there is an error while trying to remove the host from AD with the
help of adcli the error message talks about "joining" which might be
irritating when figuring out the reason for the failure. This patch
adds a better message when leaving the domain.
---
service/realm-adcli-enroll.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index e0d752b..c913987 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -25,9 +25,10 @@
#include "realm-settings.h"
static void
-on_join_process (GObject *source,
- GAsyncResult *result,
- gpointer user_data)
+on_join_leave_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data,
+ gboolean is_join)
{
GTask *task = G_TASK (user_data);
GError *error = NULL;
@@ -39,15 +40,18 @@ on_join_process (GObject *source,
switch (status) {
case 2: /* ADCLI_ERR_UNEXPECTED */
g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
- "Internal unexpected error joining the domain");
+ is_join ? "Internal unexpected error joining the domain"
+ : "Internal unexpected error removing host from the domain");
break;
case 6: /* ADCLI_ERR_CREDENTIALS */
g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
- "Insufficient permissions to join the domain");
+ is_join ? "Insufficient permissions to join the domain"
+ : "Insufficient permissions to remove the host from the domain");
break;
default:
g_set_error (&error, REALM_ERROR, REALM_ERROR_FAILED,
- "Failed to join the domain");
+ is_join ? "Failed to join the domain"
+ : "Failed to remove the host from the domain");
break;
}
}
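Review bot: The messages are now selected with a conditional but are still passed as the format argument of g_set_error, although none of them takes arguments. Using `g_set_error_literal (&error, REALM_ERROR, REALM_ERROR_FAILED, is_join ? "Failed to join the domain" : "Failed to remove the host from the domain");` (and the same for the other two cases) keeps the text out of printf-style parsing if a message ever gains a '%'. The switch sits inside on_join_leave_process, whose signature is in the previous hunk and whose end is in the next one.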
@@ -64,6 +68,22 @@ on_join_process (GObject *source,
g_object_unref (task);
}
+static void
+on_join_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, TRUE);
+}
+
+static void
+on_leave_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, FALSE);
+}
+
void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
@@ -290,7 +310,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
g_ptr_array_add (args, NULL);
realm_command_runv_async ((gchar **)args->pdata, environ, input,
- invocation, on_join_process,
+ invocation, on_leave_process,
g_object_ref (task));
g_ptr_array_free (args, TRUE);
--
2.43.0

@ -0,0 +1,26 @@
From 56aedbceec3e6ff0d6142a16ca0c343c523b6d7a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Dec 2023 13:07:10 +0100
Subject: [PATCH 3/3] doc: fix reference in realmd.conf man page
---
doc/manual/realmd.conf.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 72b706c..ad17639 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -110,7 +110,8 @@ default-client = sssd
</para>
<para>Some callers of <command>realmd</command> such as the
- <link linkend="realm"><command>realm</command></link>
+ <citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>
command line tool allow specifying which client software should
be used. Others, such as GNOME Control Center, simplify choose
the default.</para>
--
2.43.0

@ -1,11 +1,16 @@
Name: realmd
Version: 0.17.1
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
License: LGPL-2.1-or-later
URL: https://gitlab.freedesktop.org/realmd/realmd
Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
Patch0004: 0001-tools-fix-ccache-handling-for-leave-operation.patch
### Downstream Patches ###
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
# using freeipa-*, the following patch applies the needed changes.
@ -61,13 +66,13 @@ autoreconf -fi
%endif
%{nil}
make %{?_smp_mflags}
%make_build
%check
make check
%install
make install DESTDIR=%{buildroot}
%make_install
%find_lang realmd
@ -100,6 +105,14 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com>
- Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- migrated to SPDX license
- allow multiple names and _srv_ ad_server option
Resolves: jira#RHEL-12112
- fix ccache handling for leave operation
Resolves: jira#RHEL-5104
* Fri Oct 14 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Update to upstream release 0.17.1
Resolves: rhbz#2129050, rhbz#2133839
