Merge ~ahasenack/ubuntu/+source/realmd:jammy-realmd-merge into ubuntu/+source/realmd:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Andreas Hasenack
Merged at revision: 22c110ec75fa0f9069b1782a629c8755c50b53cd
Proposed branch: ~ahasenack/ubuntu/+source/realmd:jammy-realmd-merge
Merge into: ubuntu/+source/realmd:debian/sid
Diff against target: 353 lines (+301/-1)
6 files modified
debian/changelog (+139/-0)
debian/control (+2/-1)
debian/patches/03_ldap-discovery-socket-timeout.patch (+76/-0)
debian/patches/04_add-computer-name-to-manpage.patch (+32/-0)
debian/patches/05_dont-add-services-line.patch (+49/-0)
debian/patches/series (+3/-0)
Reviewer | Review Type | Date Requested | Status
Utkarsh Gupta (community) | | | Approve
Canonical Server Core Reviewers | | | Pending
Review via email: mp+413763@code.launchpad.net

This proposal supersedes a proposal from 2022-01-06.

Description of the change

Merge from debian, which updated to the latest upstream release. Upstream has all the patches but one that is ubuntu/debian specific. I'll try to send that to debian again after this.

I also grabbed two more simple fixes from upstream's git repo which I thought were useful. I'll also submit them to debian, but they will be in the next upstream release anyway, so this added delta is not indefinite anyway.

Testing. Well, that requires an AD server. I'm working on getting one up and running again in a VM, but that will take a bit of time. But will be useful for another realmd bug I plan to tackle next, #1905000.

Andreas Hasenack (ahasenack) wrote :

While testing, I found a cyrus-sasl2 bug (#1956833), for which I have an MP up as well.

Utkarsh Gupta (utkarsh) wrote :

Hello,

I'll take a stab at this.

Utkarsh Gupta (utkarsh) wrote :

Looks good, thank you, Andreas. Few pointers though:

-> You could use `quilt refresh` after applying the patch, that'll remove unnecessary details. Completely optional but we generally want to do that, I think.

-> I think we can really make this a sync at some point and that'd be great! The two newly added changes will already be merged in Debian so I don't think you need to send that but brownie points if you do. As for the Debian/Ubuntu specific one, I think we should so the next merge can be a sync. I know it's already on your radar to send this (as noted in the description) but I feel if you can do this before uploading, then you can also add those DEP3 headers (Forwarded one) and also add a link to the MR in the git commit but I know you have this thought out.

-> Since all of them are minor, I am approving this with two additional comments below. \o/

review: Approve
Andreas Hasenack (ahasenack) wrote :

I'm recently taking the approach of only submitting to debian after it passed our review, to avoid going back and forth with updates here in LP and also in salsa or the debian bug. And then when debian makes comments, I have to update the MP here in LP with them. Keeping both proposals up at the same time can be difficult because of that.

Andreas Hasenack (ahasenack) :
b85f911... by Andreas Hasenack

DEP3 update for dont-add-services-line.patch

Andreas Hasenack (ahasenack) :
5858754... by Andreas Hasenack

Drop "ubuntu specific" comment from d/p/series

7222508... by Andreas Hasenack

Rename the patch to follow the pattern

22c110e... by Andreas Hasenack

Changelog update about the patch rename

Andreas Hasenack (ahasenack) wrote :

The other two new added patches I submitted to debian via salsa PRs:

https://salsa.debian.org/utopia-team/realmd/-/merge_requests/2

Christian Ehrhardt (paelzer) wrote :

On Wed, Jan 12, 2022 at 1:27 PM Utkarsh Gupta
<email address hidden> wrote:
>
> -> You could use `quilt refresh` after applying the patch, that'll remove unnecessary details. Completely optional but we generally want to do that, I think.

Umm, IIRC in case a patch from a remote source applies as-is we
usually do not refresh it so everyone can easily spot it is "the same"
(other than adding headers).
If we touch it anyway, then yes refreshing to the common format is helpful.
But anyway - all of that is somewhat soft and not a hard rule either way.

Utkarsh Gupta (utkarsh) wrote :

Hello,

This looks good, thanks, Andreas.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded (after another quick test of this, to avoid a brown paper bag bug ;).

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index c8e4a0a..b775d0d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,73 @@
6+realmd (0.17.0-1ubuntu1) jammy; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #1946896). Remaining changes:
9+ - d/p/dont-add-services-line.patch: in Ubuntu and Debian, the sssd_*
10+ services are socket activated and don't need a "services" line in
11+ sssd.conf (LP #1880157)
12+ * Dropped (all applied upstream):
13+ - d/p/0001-LDAP-don-t-close-LDAP-socket-twice.patch: don't close LDAP
14+ socket twice.
15+ - d/p/0001-Fix-man-page-reference-in-systemd-service-file.patch: the
16+ manpage is realm(8), not realmd(8)
17+ - d/p/0001-Use-current-idmap-options-for-smb.conf.patch: use the
18+ idmap options in smb.conf for modern versions of samba (LP #1894153)
19+ - d/p/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch: find
20+ NetBIOS name in keytab while leaving the domain (LP #1894340)
21+ - d/p/0001-Fix-issues-found-by-Coverity.patch: fix issues found by
22+ Coverity
23+ - d/p/0002-Change-qualified-names-default-for-IPA.patch: change
24+ qualified names default for IPA
25+ - d/p/0003-discover-try-to-get-domain-name-from-hostname.patch: if
26+ there is no domain name returned by DHCP check if the hostname
27+ contains a domain part and use this to discover a realm.
28+ - d/p/0001-IPA-do-not-call-sssd-enable-logins.patch: IPA: do not call
29+ sssd-enable-logins
30+ - d/p/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch:
31+ install the latest version of a package when resolving packages with
32+ PackageKit
33+ - d/p/0001-doc-make-sure-cross-reference-ids-are-predictable.patch: make
34+ sure cross-reference ids are predictable
35+ - d/p/0002-tools-remove-duplicated-va_start.patch: remove duplicated
36+ va_start()
37+ - d/p/0003-service-remove-dead-code.patch: remove unused code
38+ - d/p/0004-service-check-return-value-of-fcntl.patch: check return
39+ value of fcntl()
40+ - d/p/0005-service-avoid-dereference-of-a-null-pointer.patch: avoid
41+ dereference of a null pointer
42+ - d/p/0006-service-avoid-dereferencing-a-NULL-pointer.patch: avoid
43+ dereferencing a NULL pointer
44+ - d/p/0001-Add-missing-xsl-file-to-Makefile.am.patch: add missing xsl
45+ file to Makefile.am
46+ - d/p/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch:
47+ do not inherit DISTRO from the environment
48+ - d/p/0003-doc-extend-user-principal-section.patch: doc: extend
49+ user-principal section
50+ - d/p/0004-doc-fix-discover-name-only.patch: doc: fix discover
51+ name-only parameter
52+ - d/p/0005-doc-add-see-also-to-man-pages.patch: doc: add see also to
53+ man pages
54+ - d/p/0006-doc-extend-description-of-config-handling.patch: doc: extend
55+ description of config handling
56+ - d/p/0007-service-use-kerberos-method-secrets-and-keytab.patch: when
57+ using Samba with Winbind, set "kerberos method" to "secrets and keytab"
58+ - d/p/install-libnss-winbind.patch: install libnss-winbind when needed
59+ (LP #1894150)
60+ - d/p/0002-Use-startTLS-with-FreeIPA.patch: attempt StartTLS first
61+ when talking to FreeIPA
62+ - d/p/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch:
63+ when using samba to join a domain, and the client is from a different
64+ domain, also set "additional dns hostnames"
65+ - d/p/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch:
66+ when joining using samba, try kerberos auth first and fallback to
67+ ntlm as before
68+ * Added changes:
69+ - d/p/03_ldap-discovery-socket-timeout.patch: use a shorter timeout
70+ for the unbind request sent when finishing up the discovery phase
71+ - d/p/04_add-computer-name-to-manpage.patch: document the existing
72+ --computer-name command line option
73+
74+ -- Andreas Hasenack <andreas@canonical.com> Thu, 06 Jan 2022 17:39:36 +0000
75+
76 realmd (0.17.0-1) unstable; urgency=medium
77
78 * debian/watch: Update the URL and point to the git releases
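Review bot: the patch name in the "Remaining changes" entry does not match the rest of this diff: the line `- d/p/dont-add-services-line.patch:` names the patch without its prefix, while debian/patches/series and the new file in this same proposal use `05_dont-add-services-line.patch`; update the changelog line to the 05_ name so the entry can be grepped against the series file. The bug references in the new entry are also inconsistent: `(LP: #1946896)` on the merge line against `(LP #1880157)`, `(LP #1894153)`, `(LP #1894340)` and `(LP #1894150)` further down; only the `LP: #` form is what Launchpad's changelog parsing recognises, so use it throughout.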
79@@ -8,6 +78,75 @@ realmd (0.17.0-1) unstable; urgency=medium
80
81 -- Laurent Bigonville <bigon@debian.org> Mon, 16 Aug 2021 15:35:48 +0200
82
83+realmd (0.16.3-3ubuntu2) impish; urgency=medium
84+
85+ * No-change rebuild due to OpenLDAP soname bump.
86+
87+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:08:26 -0400
88+
89+realmd (0.16.3-3ubuntu1) groovy; urgency=medium
90+
91+ * d/p/0001-LDAP-don-t-close-LDAP-socket-twice.patch: don't close LDAP
92+ socket twice.
93+ * d/p/0001-Fix-man-page-reference-in-systemd-service-file.patch: the
94+ manpage is realm(8), not realmd(8)
95+ * d/p/0001-Use-current-idmap-options-for-smb.conf.patch: use the
96+ idmap options in smb.conf for modern versions of samba (LP: #1894153)
97+ * d/p/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch: find
98+ NetBIOS name in keytab while leaving the domain (LP: #1894340)
99+ * d/p/0001-Fix-issues-found-by-Coverity.patch: fix issues found by
100+ Coverity
101+ * d/p/0002-Change-qualified-names-default-for-IPA.patch: change
102+ qualified names default for IPA
103+ * d/p/0003-discover-try-to-get-domain-name-from-hostname.patch: if
104+ there is no domain name returned by DHCP check if the hostname
105+ contains a domain part and use this to discover a realm.
106+ * d/p/0001-IPA-do-not-call-sssd-enable-logins.patch: IPA: do not call
107+ sssd-enable-logins
108+ * d/p/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch:
109+ install the latest version of a package when resolving packages with
110+ PackageKit
111+ * d/p/0001-doc-make-sure-cross-reference-ids-are-predictable.patch: make
112+ sure cross-reference ids are predictable
113+ * d/p/0002-tools-remove-duplicated-va_start.patch: remove duplicated
114+ va_start()
115+ * d/p/0003-service-remove-dead-code.patch: remove unused code
116+ * d/p/0004-service-check-return-value-of-fcntl.patch: check return
117+ value of fcntl()
118+ * d/p/0005-service-avoid-dereference-of-a-null-pointer.patch: avoid
119+ dereference of a null pointer
120+ * d/p/0006-service-avoid-dereferencing-a-NULL-pointer.patch: avoid
121+ dereferencing a NULL pointer
122+ * d/p/0001-Add-missing-xsl-file-to-Makefile.am.patch: add missing xsl
123+ file to Makefile.am
124+ * d/p/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch:
125+ do not inherit DISTRO from the environment
126+ * d/p/0003-doc-extend-user-principal-section.patch: doc: extend
127+ user-principal section
128+ * d/p/0004-doc-fix-discover-name-only.patch: doc: fix discover
129+ name-only parameter
130+ * d/p/0005-doc-add-see-also-to-man-pages.patch: doc: add see also to
131+ man pages
132+ * d/p/0006-doc-extend-description-of-config-handling.patch: doc: extend
133+ description of config handling
134+ * d/p/0007-service-use-kerberos-method-secrets-and-keytab.patch: when
135+ using Samba with Winbind, set "kerberos method" to "secrets and keytab"
136+ * d/p/install-libnss-winbind.patch: install libnss-winbind when needed
137+ (LP: #1894150)
138+ * d/p/05_dont-add-services-line.patch: in Ubuntu and Debian, the sssd_*
139+ services are socket activated and don't need a "services" line in
140+ sssd.conf (LP: #1880157)
141+ * d/p/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch:
142+ when using samba to join a domain, and the client is from a different
143+ domain, also set "additional dns hostnames"
144+ * d/p/0002-Use-startTLS-with-FreeIPA.patch: attempt StartTLS first
145+ when talking to FreeIPA
146+ * d/p/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch:
147+ when joining using samba, try kerberos auth first and fallback to
148+ ntlm as before
149+
150+ -- Andreas Hasenack <andreas@canonical.com> Tue, 08 Sep 2020 15:15:12 -0300
151+
152 realmd (0.16.3-3) unstable; urgency=medium
153
154 [ Andreas Henriksson ]
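Review bot: the 0.16.3-3ubuntu1 (groovy) entry reintroduced here lists `* d/p/05_dont-add-services-line.patch:`, a name the patch only receives in this merge (see the "Rename the patch to follow the pattern" commit in the revision history), so the historical entry no longer describes what was actually uploaded in September 2020. Past changelog entries are normally left as uploaded; keep the original name in this entry and record the rename in the new jammy entry, which at the moment still refers to `d/p/dont-add-services-line.patch`.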
155diff --git a/debian/control b/debian/control
156index a2446b1..6d16592 100644
157--- a/debian/control
158+++ b/debian/control
159@@ -1,7 +1,8 @@
160 Source: realmd
161 Section: admin
162 Priority: optional
163-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
164+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
165+XSBC-Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
166 Uploaders: Laurent Bigonville <bigon@debian.org>
167 Build-Depends: debhelper (>= 12),
168 intltool (>= 0.35.0),
169diff --git a/debian/patches/03_ldap-discovery-socket-timeout.patch b/debian/patches/03_ldap-discovery-socket-timeout.patch
170new file mode 100644
171index 0000000..aec5668
172--- /dev/null
173+++ b/debian/patches/03_ldap-discovery-socket-timeout.patch
174@@ -0,0 +1,76 @@
175+commit 370bf84857d5674a092f46fa5932a0c92ad5bbf5
176+Author: Sumit Bose <sbose@redhat.com>
177+Date: Wed Nov 24 17:25:18 2021 +0100
178+
179+ ldap: add socket timeout
180+
181+ During the discovery phase realmd tries to open LDAP connections to
182+ multiple DC addresses returned by DNS. When cleaning up we have to call
183+ ldap_destroy() to release the resources allocated for the LDAP context.
184+ ldap_destroy() tries to send a LDAP unbind request independent of the
185+ connection state. If the related address is block by a firewall or a not
186+ properly routed IPv6 address there might be no reply on the TCP level
187+ and the request might be stuck for quite some tome in the kernel.
188+
189+ To avoid the unexpected long delays will block realmd this patch lowers
190+ the timeout considerably to 5s. As multiple other timeouts this value is
191+ currently hardcoded.
192+
193+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
194+
195+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
196+Origin: upstream, https://gitlab.freedesktop.org/realmd/realmd/-/commit/370bf84857d5674a092f46fa5932a0c92ad5bbf5
197+Last-Update: 2022-01-06
198+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
199+index bdfb96c..f7b6d13 100644
200+--- a/service/realm-ldap.c
201++++ b/service/realm-ldap.c
202+@@ -22,6 +22,7 @@
203+ #include <sys/types.h>
204+ #include <sys/socket.h>
205+ #include <netinet/in.h>
206++#include <netinet/tcp.h>
207+
208+ #include <errno.h>
209+
210+@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
211+
212+ /* Not included in ldap.h but documented */
213+ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
214++#define LDAP_SOCKET_TIMEOUT 5
215+
216+ GSource *
217+ realm_ldap_connect_anonymous (GSocketAddress *address,
218+@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
219+ int opt_rc;
220+ int ldap_opt_val;
221+ const char *errmsg = NULL;
222++ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
223++ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
224+
225+ g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
226+
227+@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
228+ if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
229+ g_warning ("couldn't set to blocking");
230+
231++ /* Lower the kernel defaults which might be minutes to hours */
232++ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
233++ &tv, sizeof (tv));
234++ if (rc != 0) {
235++ g_warning ("couldn't set SO_RCVTIMEO");
236++ }
237++ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
238++ &tv, sizeof (tv));
239++ if (rc != 0) {
240++ g_warning ("couldn't set SO_SNDTIMEO");
241++ }
242++ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
243++ &milli, sizeof (milli));
244++ if (rc != 0) {
245++ g_warning ("couldn't set TCP_USER_TIMEOUT");
246++ }
247++
248+ if (family == G_SOCKET_FAMILY_IPV4) {
249+ url = g_strdup_printf ("%s://%s:%d",
250+ use_ldaps ? "ldaps" : "ldap",
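Review bot: the three setsockopt() calls apply SO_RCVTIMEO, SO_SNDTIMEO and TCP_USER_TIMEOUT to ls->sock right after it is switched back to blocking mode, so the 5 s LDAP_SOCKET_TIMEOUT bounds every LDAP operation on that discovery socket (including the anonymous bind and searches on a slow link), not only the unbind that ldap_destroy() sends and that the commit message is concerned with; a sentence in the patch header saying so would help the next person who sees discovery fail against a slow DC. TCP_USER_TIMEOUT from <netinet/tcp.h> is a Linux-only socket option, which is fine for the kernels this package ships on but worth knowing if the package is ever built on a non-Linux port. A failing setsockopt() only emits a g_warning() and the connection proceeds with the kernel defaults, which is the right fail-safe direction for a timeout tweak.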
251diff --git a/debian/patches/04_add-computer-name-to-manpage.patch b/debian/patches/04_add-computer-name-to-manpage.patch
252new file mode 100644
253index 0000000..539cb32
254--- /dev/null
255+++ b/debian/patches/04_add-computer-name-to-manpage.patch
256@@ -0,0 +1,32 @@
257+commit 05100771ea6bd775caae705bb53f76a0816f3b81
258+Author: Sumit Bose <sbose@redhat.com>
259+Date: Tue May 11 11:13:06 2021 +0200
260+
261+ doc: add computer-name to realm man page
262+
263+Origin: upstream, https://gitlab.freedesktop.org/realmd/realmd/-/commit/05100771ea6bd775caae705bb53f76a0816f3b81
264+Last-Update: 2022-01-06
265+diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
266+index 9160a8a..b4dc27c 100644
267+--- a/doc/manual/realm.xml
268++++ b/doc/manual/realm.xml
269+@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
270+ supported for all realms. By default the membership software
271+ is automatically selected.</para></listitem>
272+ </varlistentry>
273++ <varlistentry>
274++ <term><option>--computer-name=xxx</option></term>
275++ <listitem>
276++ <para>This option only applies to Active
277++ Directory realms. Specify this option to
278++ override the default name used when creating
279++ the computer account. The system's FQDN will
280++ still be saved in the dNSHostName attribute.</para>
281++ <para>Specify the name as a string of 15 or
282++ fewer characters that is a valid NetBIOS
283++ computer name.</para>
284++ </listitem>
285++ </varlistentry>
286+ <varlistentry>
287+ <term><option>--no-password</option></term>
288+ <listitem><para>Perform the join automatically without
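Review bot: the DEP-3 header carries `Origin:` and `Last-Update:` but no `Description:` or `Subject:` field, and the `commit ...`/`Author:`/`Date:` block above it is git show output rather than a git format-patch `Subject:` line, so DEP-3 aware tooling will not find the required short description; add `Description: doc: add computer-name to realm man page` above `Origin:`. The same applies to 03_ldap-discovery-socket-timeout.patch, which has the same header shape. The man page text itself needs no change.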
289diff --git a/debian/patches/05_dont-add-services-line.patch b/debian/patches/05_dont-add-services-line.patch
290new file mode 100644
291index 0000000..2cdc1a5
292--- /dev/null
293+++ b/debian/patches/05_dont-add-services-line.patch
294@@ -0,0 +1,49 @@
295+Description: Don't add the services line to sssd.conf
296+ In Ubuntu and Debian, the sssd services (like nss, pam, pac, etc) are socket
297+ activated and should not be listed in the services line, as they will be
298+ started on demand by systemd.
299+Author: Andreas Hasenack <andreas@canonical.com>
300+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1880157
301+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003620
302+Forwarded: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/JC3N3DBSMHZSA66IPLGAMBSXLCTYXWJR/
303+Last-Update: 2022-01-12
304+---
305+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
306+--- a/service/realm-sssd-config.c
307++++ b/service/realm-sssd-config.c
308+@@ -130,7 +130,6 @@
309+ gchar **already;
310+ gboolean ret;
311+ gchar *section;
312+- const gchar *services[] = { "nss", "pam", NULL };
313+ va_list va;
314+ gint i;
315+
316+@@ -155,7 +154,6 @@
317+ g_strfreev (already);
318+
319+ /* Setup a default sssd section */
320+- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
321+ if (!realm_ini_config_have (config, "sssd", "config_file_version"))
322+ realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
323+
324+--- a/tests/test-sssd-config.c
325++++ b/tests/test-sssd-config.c
326+@@ -90,7 +90,7 @@
327+ gconstpointer unused)
328+ {
329+ const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
330+- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
331++ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
332+ GError *error = NULL;
333+ gchar *output;
334+ gboolean ret;
335+@@ -140,7 +140,7 @@
336+ test_add_domain_only (Test *test,
337+ gconstpointer unused)
338+ {
339+- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
340++ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
341+ GError *error = NULL;
342+ gchar *output;
343+ gboolean ret;
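Review bot: dropping the `realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);` call means realmd no longer touches the `services` key at all, so an existing sssd.conf that already has `services = nss, pam` keeps it and a freshly written one never gets it; that is the intended behaviour, but it turns the socket activation described in the header into a hard assumption: on a host where the sssd responder socket units are disabled or masked, nothing in sssd.conf will start the nss and pam responders after a join, which is worth a line in the Description. Removing the now unused `services[]` array in the first hunk is correct (it would otherwise be an unused-variable warning), and both test expectations are updated consistently with the code change. `Forwarded:` points at an sssd-users mailing-list thread rather than an upstream realmd merge request, so readers checking whether this is upstream-tracked will want the Bug-Debian entry kept current.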
344diff --git a/debian/patches/series b/debian/patches/series
345index 00e862d..ee5278d 100644
346--- a/debian/patches/series
347+++ b/debian/patches/series
348@@ -1,2 +1,5 @@
349 01_freeipa_section.patch
350 02_cross.patch
351+03_ldap-discovery-socket-timeout.patch
352+04_add-computer-name-to-manpage.patch
353+05_dont-add-services-line.patch
