No commits in common. 'c9' and 'i8c-beta' have entirely different histories.
c9 ... i8c-beta

@ -0,0 +1,74 @@
From 19923985b69ccd5f2a33a067bfc3ed020889377e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 13 Jun 2023 18:02:52 +0200
Subject: [PATCH 1/3] service: allow multiple names and _srv_ ad_server option
realmd checks if the 'ad_server' option is set in sssd.conf before
calling adcli to remove the host from the AD server. If set the value is
used as value for adcli's '--domain-controller' option. But if multiple
names are set in sssd.conf this currently fails because the whole string
is used.
With this patch the 'ad_server' option is properly evaluated and only
the first domain controller name is used.
---
service/realm-sssd-ad.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 2817e73..096b6c5 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -649,6 +649,40 @@ realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
return g_task_propagate_boolean (G_TASK (result), error);
}
+static gchar *get_ad_server_from_config (RealmKerberos *realm)
+{
+ RealmSssd *sssd = REALM_SSSD (realm);
+ RealmIniConfig *config;
+ const gchar *section;
+ gchar **servers;
+ gchar *tmp;
+ size_t c;
+ gchar *value = NULL;
+
+ config = realm_sssd_get_config (sssd);
+ section = realm_sssd_get_config_section (sssd);
+
+ if (section == NULL) {
+ return NULL;
+ }
+
+ servers = realm_ini_config_get_list (config, section, "ad_server", ",");
+ /* Only use the first server defined given in 'ad_server' and ignore
+ * '_srv_'. */
+ if (servers != NULL) {
+ for (c = 0; servers[c] != NULL; c++) {
+ tmp = g_strstrip (servers[c]);
+ if (strcasecmp ("_srv_", tmp) != 0) {
+ value = g_strdup (tmp);
+ break;
+ }
+ }
+ g_strfreev (servers);
+ }
+
+ return value;
+}
+
static void
realm_sssd_ad_discover_myself (RealmKerberos *realm,
RealmDisco *disco)
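Review bot: An empty list entry can be returned as the server name from the loop in `get_ad_server_from_config`: after `g_strstrip`, a token left by a leading or doubled comma in `ad_server` is `""`, which is not `_srv_`, so it is `g_strdup`'d and ends up in `disco->explicit_server`. Whether `realm_ini_config_get_list` already drops empty entries is not visible in this hunk; if it does not, the test should read `if (tmp[0] != '\0' && g_ascii_strcasecmp ("_srv_", tmp) != 0)`. `g_ascii_strcasecmp` also keeps the comparison locale-independent and avoids relying on `<strings.h>`, whose include the hunk does not show. Because the commit message says this value is passed to adcli as `--domain-controller`, an empty or `_srv_`-only setting should consistently yield NULL.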
@@ -665,7 +699,7 @@ realm_sssd_ad_discover_myself (RealmKerberos *realm,
if (section == NULL)
return;
- value = realm_ini_config_get (config, section, "ad_server");
+ value = get_ad_server_from_config (realm);
g_free (disco->explicit_server);
disco->explicit_server = value;
--
2.43.0

@ -0,0 +1,69 @@
From f648ae06012d1de137f12095d1bd7aaacb382042 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Jan 2024 09:18:20 +0100
Subject: [PATCH] tools: fix ccache handling for leave operation
krb5_cc_initialize() must be called before anything can be written into
a ccache.
While checking the available credential types the order/preference was
not respected.
Resolves: https://issues.redhat.com/browse/SSSD-6420
---
tools/realm-client.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/tools/realm-client.c b/tools/realm-client.c
index c386e64..06420ea 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -498,13 +498,16 @@ are_credentials_supported (GVariant *supported,
GVariantIter iter;
const gchar *type;
const gchar *owner;
-
- g_variant_iter_init (&iter, supported);
- while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
- if (g_strcmp0 (credential_type_1, type) == 0 ||
- g_strcmp0 (credential_type_2, type) == 0) {
- *ret_owner = owner;
- return type;
+ const gchar *list[] = {credential_type_1, credential_type_2, NULL};
+ size_t c;
+
+ for (c = 0; list[c] != NULL; c++) {
+ g_variant_iter_init (&iter, supported);
+ while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
+ if (g_strcmp0 (list[c], type) == 0) {
+ *ret_owner = owner;
+ return type;
+ }
}
}
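Review bot: Making `list[]` a NULL-terminated array in `are_credentials_supported` means a NULL `credential_type_1` ends the outer loop before `credential_type_2` is ever compared, whereas the removed code relied on `g_strcmp0`, which tolerates NULL arguments. The callers are outside this hunk, so this may never occur, but if one can pass NULL for the first type, the second is silently ignored. Iterating by count keeps the preference order without that assumption: declare `const gchar *list[] = {credential_type_1, credential_type_2};` and loop with `for (c = 0; c < G_N_ELEMENTS (list); c++) {`. The function starts and ends outside the hunk.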
@@ -622,8 +625,6 @@ copy_to_ccache (krb5_context krb5,
memset (&mcred, 0, sizeof (mcred));
mcred.client = principal;
mcred.server = server;
- mcred.times.starttime = g_get_real_time () / G_TIME_SPAN_MILLISECOND;
- mcred.times.endtime = mcred.times.starttime;
code = krb5_cc_retrieve_cred (krb5, def_ccache, KRB5_TC_MATCH_TIMES,
&mcred, &creds);
@@ -639,6 +640,12 @@ copy_to_ccache (krb5_context krb5,
return FALSE;
}
+ code = krb5_cc_initialize (krb5, ccache, creds.client);
+ if (code != 0) {
+ g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
+ return FALSE;
+ }
+
code = krb5_cc_store_cred (krb5, ccache, &creds);
krb5_free_cred_contents (krb5, &creds);
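Review bot: The new failure path after `krb5_cc_initialize` returns without releasing `creds`, which by then presumably holds the credential fetched by `krb5_cc_retrieve_cred` (ticket and session key); the only `krb5_free_cred_contents` call visible comes after `krb5_cc_store_cred`. Add `krb5_free_cred_contents (krb5, &creds);` before that `return FALSE;`. The string returned by `krb5_get_error_message` is also never passed to `krb5_free_error_message`, so it should be kept in a local, logged, and then freed. `copy_to_ccache` begins and ends outside the hunk, so the surrounding cleanup may differ from what is shown.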
--
2.43.0

@ -0,0 +1,88 @@
From d691c679c1531b3eb457c494141bafdc4e0bc692 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Dec 2023 12:14:06 +0100
Subject: [PATCH 2/3] service: fix error message when removing host from AD
If there is an error while trying to remove the host from AD with the
help of adcli the error message talks about "joining" which might be
irritating when figuring out the reason for the failure. This patch
adds a better message when leaving the domain.
---
service/realm-adcli-enroll.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index e0d752b..c913987 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -25,9 +25,10 @@
#include "realm-settings.h"
static void
-on_join_process (GObject *source,
- GAsyncResult *result,
- gpointer user_data)
+on_join_leave_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data,
+ gboolean is_join)
{
GTask *task = G_TASK (user_data);
GError *error = NULL;
@@ -39,15 +40,18 @@ on_join_process (GObject *source,
switch (status) {
case 2: /* ADCLI_ERR_UNEXPECTED */
g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
- "Internal unexpected error joining the domain");
+ is_join ? "Internal unexpected error joining the domain"
+ : "Internal unexpected error removing host from the domain");
break;
case 6: /* ADCLI_ERR_CREDENTIALS */
g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
- "Insufficient permissions to join the domain");
+ is_join ? "Insufficient permissions to join the domain"
+ : "Insufficient permissions to remove the host from the domain");
break;
default:
g_set_error (&error, REALM_ERROR, REALM_ERROR_FAILED,
- "Failed to join the domain");
+ is_join ? "Failed to join the domain"
+ : "Failed to remove the host from the domain");
break;
}
}
@@ -64,6 +68,22 @@ on_join_process (GObject *source,
g_object_unref (task);
}
+static void
+on_join_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, TRUE);
+}
+
+static void
+on_leave_process (GObject *source,
+ GAsyncResult *result,
+ gpointer user_data)
+{
+ on_join_leave_process (source, result, user_data, FALSE);
+}
+
void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
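Review bot: `on_join_leave_process` can no longer be passed as a completion callback itself because of the extra `is_join` parameter, and nothing in the new code says so. A short comment above it would help, for example `/* Shared completion handler; is_join selects the wording of the error reported to the caller. */`, and one above the two wrappers such as `/* Three-argument callback adapters that bind is_join for realm_command_runv_async(). */`. The `case 2` and `case 6` labels in the previous hunk still depend on comments to name the adcli exit codes; named constants would keep them from drifting, though no definitions for them are visible here.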
@@ -290,7 +310,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
g_ptr_array_add (args, NULL);
realm_command_runv_async ((gchar **)args->pdata, environ, input,
- invocation, on_join_process,
+ invocation, on_leave_process,
g_object_ref (task));
g_ptr_array_free (args, TRUE);
--
2.43.0

@ -0,0 +1,26 @@
From 56aedbceec3e6ff0d6142a16ca0c343c523b6d7a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Dec 2023 13:07:10 +0100
Subject: [PATCH 3/3] doc: fix reference in realmd.conf man page
---
doc/manual/realmd.conf.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 72b706c..ad17639 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -110,7 +110,8 @@ default-client = sssd
</para>
<para>Some callers of <command>realmd</command> such as the
- <link linkend="realm"><command>realm</command></link>
+ <citerefentry><refentrytitle>realm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>
command line tool allow specifying which client software should
be used. Others, such as GNOME Control Center, simplify choose
the default.</para>
--
2.43.0

@ -1,11 +1,16 @@
Name: realmd
Version: 0.17.1
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
License: LGPL-2.1-or-later
URL: https://gitlab.freedesktop.org/realmd/realmd
Source0: https://gitlab.freedesktop.org/realmd/realmd/uploads/204d05bd487908ece2ce2705a01d2b26/realmd-%{version}.tar.gz
Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
Patch0004: 0001-tools-fix-ccache-handling-for-leave-operation.patch
### Downstream Patches ###
# In RHEL the RHEL the FreeIPA packages are call only ipa-* while upstream is
# using freeipa-*, the following patch applies the needed changes.
@ -61,13 +66,13 @@ autoreconf -fi
%endif
%{nil}
make %{?_smp_mflags}
%make_build
%check
make check
%install
make install DESTDIR=%{buildroot}
%make_install
%find_lang realmd
@ -100,106 +105,93 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Fri Oct 14 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
* Fri Mar 29 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.17.1-2
- Rebuilt for MSVSphere 8.10 beta
* Tue Feb 20 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-2
- Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- migrated to SPDX license
- allow multiple names and _srv_ ad_server option
Resolves: RHEL-12113
- fix ccache handling for leave operation
Resolves: RHEL-26166
* Fri Oct 21 2022 Sumit Bose <sbose@redhat.com> - 0.17.1-1
- Update to upstream release 0.17.1
Resolves: rhbz#2129050, rhbz#2133839
* Tue Jan 11 2022 Sumit Bose <sbose@redhat.com> - 0.17.0-9
- enforce new Samba command line options
Resolves: rhbz#2028530
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.17.0-8
- LDAP socket timeout, fix duplicated logs and new Samba command line options
Resolves: rhbz#2038260
Resolves: rhbz#2038268
Resolves: rhbz#2028530
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 01 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-6
- regression in realmd/Sanity/realmd-service-sanity
Resolves: rhbz#1978255
* Tue Jun 29 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-5
- Updates and fixes from upstream, Fedora and RHEL-8.5
Resolves: rhbz#1977163
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 03 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-3
- Use authselect instead of authconfig
Resolves: rhbz#1934124
* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-2
- Add Conflicts to avoid update/downgrade issues
* Fri Feb 19 2021 Sumit Bose <sbose@redhat.com> - 0.17.0-1
- Updated to upstream 0.17.0
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 04 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-27
- Sync with latest upstream patches
* Wed Aug 12 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- Sync with latest upstream patches
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-25
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Mar 18 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-23
- Sync with latest upstream patches and fix package URL
Resolves: rhbz#1800897
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 02 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-21
- Remove gtester support, use autosetup
Resolves: rhbz#1736578
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Feb 21 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- fix test depending on order
Resolves: rhbz#1675879
* Wed Feb 20 2019 Adam Williamson <awilliam@redhat.com> - 0.16.3-18
- Backport fix from upstream to always install latest packages via PK
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Resolves: rhbz#2133841
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.16.3-25
- add LDAP socket timeout
Resolves: rhbz#2037864
* Wed Dec 15 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-24
- Avoid duplicated log messages and use Samba's new CLI options
Resolves: rhbz#2024248
Resolves: rhbz#2028528
* Tue May 11 2021 Sumit Bose <sbose@redhat.com> - 0.16.3-23
- Add restart macro and vendor message to spec file
Resolves: rhbz#1926046
* Thu Dec 03 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-22
- Add fixes LDAPS functionality
Resolves: rhbz#1826964
* Thu Nov 26 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-21
- Add missing patch for LDAPS functionality
Resolves: rhbz#1826964
* Thu Nov 05 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-20
- realmd should handle default_realm in krb5.conf
Resolves: rhbz#1791016
- [RFE] Enable LDAPS functionality in realmd join
Resolves: rhbz#1826964
* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-19
- Realm join fails with error 'Failed to join domain: failed to lookup
DC info ...'
Resolves: rhbz#1859503
- realm command to use option like dnshostname=fqdn
Resolves: rhbz#1867912
* Fri Feb 21 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-18
- Fix kerberos method
Resolves: rhbz#1801195
* Sun Dec 01 2019 Sumit Bose <sbose@redhat.com> - 0.16.3-17
- rebuild fails if DISTRO variable is exported
Resolves: rhbz#1747454
- realmd.conf user-principal RFE and clarification
Resolves: rhbz#1747452
- realmd.conf documentation incorrect
Resolves: rhbz#1747457
- Document realmd.conf and how realmd reads the configuration
Resolves: rhbz#1747456
* Thu Sep 27 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-16
- Do not call authselect for IPA domains
Resolves: rhbz#1620097
Resolves: rhbz#1633572
* Tue Aug 21 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults and improve realm discovery
Resolves: rhbz#1575538
Resolves: rhbz#1145777
* Wed Aug 22 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-15
- Change IPA defaults
Resolves: rhbz#1619162
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.3-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Aug 14 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-14
- Fix python BuildRequires
Resolves: rhbz#1615564
- Add RHEL specific patch for IPA
Resolves: rhbz#1615320
- Fix issues found by Coverity
Resolves: rhbz#1602677
* Wed Jul 04 2018 Sumit Bose <sbose@redhat.com> - 0.16.3-13
- Drop python2 build dependency
- Add latests patches from RHEL7
- Add polkit runtime dependency
Resolves: rhbz#1577178
Resolves: rhbz#1577179
- Drop python2 build dependency
Resolves: rhbz#1595813
- Fix documentation reference in systemd unit file
Resolves: rhbz#1596323
- Use current Samba config options
Resolves: rhbz#1482926
Resolves: rhbz#1596325
* Sun Mar 18 2018 René Genz <liebundartig@freenet.de> - 0.16.3-12
- use correct authselect syntax for *-disable-logins to fix rhbz#1558245
- Iryna Shcherbina <ishcherb@redhat.com>
