Merge ~ahasenack/ubuntu/+source/realmd:jammy-realmd-merge into ubuntu/+source/realmd:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Andreas Hasenack
Merged at revision: 22c110ec75fa0f9069b1782a629c8755c50b53cd
Proposed branch: ~ahasenack/ubuntu/+source/realmd:jammy-realmd-merge
Merge into: ubuntu/+source/realmd:debian/sid
Diff against target: 353 lines (+301/-1)
6 files modified
debian/changelog (+139/-0)
debian/control (+2/-1)
debian/patches/03_ldap-discovery-socket-timeout.patch (+76/-0)
debian/patches/04_add-computer-name-to-manpage.patch (+32/-0)
debian/patches/05_dont-add-services-line.patch (+49/-0)
debian/patches/series (+3/-0)
Reviewer Review Type Date Requested Status
Utkarsh Gupta (community) Approve
Canonical Server Core Reviewers Pending
Review via email: mp+413763@code.launchpad.net

This proposal supersedes a proposal from 2022-01-06.

Description of the change

Merge from debian, which updated to the latest upstream release. Upstream has all the patches but one that is ubuntu/debian specific. I'll try to send that to debian again after this.

I also grabbed two more simple fixes from upstream's git repo which I thought were useful. I'll also submit them to debian, but they will be in the next upstream release anyway, so this added delta is not indefinite anyway.

Testing. Well, that requires an AD server. I'm working on getting one up and running again in a VM, but that will take a bit of time. But will be useful for another realmd bug I plan to tackle next, #1905000.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

While testing, I found a cyrus-sasl2 bug (#1956833), for which I have an MP up as well.

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hello,

I'll take a stab at this.

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Looks good, thank you, Andreas. A few pointers though:

-> You could use `quilt refresh` after applying the patch, that'll remove unnecessary details. Completely optional but we generally want to do that, I think.

-> I think we can really make this a sync at some point and that'd be great! The two newly added changes will already be merged in Debian so I don't think you need to send that but brownie points if you do. As for the Debian/Ubuntu specific one, I think we should so the next merge can be a sync. I know it's already on your radar to send this (as noted in the description) but I feel if you can do this before uploading, then you can also add those DEP3 headers (Forwarded one) and also add a link to the MR in the git commit but I know you have this thought out.

-> Since all of them are minor, I am approving this with two additional comments below. \o/

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm recently taking the approach of only submitting to debian after it passed our review, to avoid going back and forth with updates here in LP and also in salsa or the debian bug. And then when debian makes comments, I have to update the MP here in LP with them. Keeping both proposals up at the same time can be difficult because of that.

Revision history for this message
Andreas Hasenack (ahasenack) :
b85f911... by Andreas Hasenack

DEP3 update for dont-add-services-line.patch

Revision history for this message
Andreas Hasenack (ahasenack) :
5858754... by Andreas Hasenack

Drop "ubuntu specific" comment from d/p/series

7222508... by Andreas Hasenack

Rename the patch to follow the pattern

22c110e... by Andreas Hasenack

Changelog update about the patch rename

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The other two newly added patches I submitted to debian via salsa PRs:

https://salsa.debian.org/utopia-team/realmd/-/merge_requests/2

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

On Wed, Jan 12, 2022 at 1:27 PM Utkarsh Gupta
<email address hidden> wrote:
>
> -> You could use `quilt refresh` after applying the patch, that'll remove unnecessary details. Completely optional but we generally want to do that, I think.

Umm, IIRC in case a patch from a remote source applies as-is we
usually do not refresh it so everyone can easily spot it is "the same"
(other than adding headers).
If we touch it anyway, then yes refreshing to the common format is helpful.
But anyway - all of that is somewhat soft and not a hard rule either way.

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hello,

This looks good, thanks, Andreas.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded (after another quick test of this, to avoid a brown paper bag bug ;).

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index c8e4a0a..b775d0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,73 @@
1realmd (0.17.0-1ubuntu1) jammy; urgency=medium
2
3 * Merge with Debian unstable (LP: #1946896). Remaining changes:
4 - d/p/dont-add-services-line.patch: in Ubuntu and Debian, the sssd_*
5 services are socket activated and don't need a "services" line in
6 sssd.conf (LP #1880157)
7 * Dropped (all applied upstream):
8 - d/p/0001-LDAP-don-t-close-LDAP-socket-twice.patch: don't close LDAP
9 socket twice.
10 - d/p/0001-Fix-man-page-reference-in-systemd-service-file.patch: the
11 manpage is realm(8), not realmd(8)
12 - d/p/0001-Use-current-idmap-options-for-smb.conf.patch: use the
13 idmap options in smb.conf for modern versions of samba (LP #1894153)
14 - d/p/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch: find
15 NetBIOS name in keytab while leaving the domain (LP #1894340)
16 - d/p/0001-Fix-issues-found-by-Coverity.patch: fix issues found by
17 Coverity
18 - d/p/0002-Change-qualified-names-default-for-IPA.patch: change
19 qualified names default for IPA
20 - d/p/0003-discover-try-to-get-domain-name-from-hostname.patch: if
21 there is no domain name returned by DHCP check if the hostname
22 contains a domain part and use this to discover a realm.
23 - d/p/0001-IPA-do-not-call-sssd-enable-logins.patch: IPA: do not call
24 sssd-enable-logins
25 - d/p/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch:
26 install the latest version of a package when resolving packages with
27 PackageKit
28 - d/p/0001-doc-make-sure-cross-reference-ids-are-predictable.patch: make
29 sure cross-reference ids are predictable
30 - d/p/0002-tools-remove-duplicated-va_start.patch: remove duplicated
31 va_start()
32 - d/p/0003-service-remove-dead-code.patch: remove unused code
33 - d/p/0004-service-check-return-value-of-fcntl.patch: check return
34 value of fcntl()
35 - d/p/0005-service-avoid-dereference-of-a-null-pointer.patch: avoid
36 dereference of a null pointer
37 - d/p/0006-service-avoid-dereferencing-a-NULL-pointer.patch: avoid
38 dereferencing a NULL pointer
39 - d/p/0001-Add-missing-xsl-file-to-Makefile.am.patch: add missing xsl
40 file to Makefile.am
41 - d/p/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch:
42 do not inherit DISTRO from the environment
43 - d/p/0003-doc-extend-user-principal-section.patch: doc: extend
44 user-principal section
45 - d/p/0004-doc-fix-discover-name-only.patch: doc: fix discover
46 name-only parameter
47 - d/p/0005-doc-add-see-also-to-man-pages.patch: doc: add see also to
48 man pages
49 - d/p/0006-doc-extend-description-of-config-handling.patch: doc: extend
50 description of config handling
51 - d/p/0007-service-use-kerberos-method-secrets-and-keytab.patch: when
52 using Samba with Winbind, set "kerberos method" to "secrets and keytab"
53 - d/p/install-libnss-winbind.patch: install libnss-winbind when needed
54 (LP #1894150)
55 - d/p/0002-Use-startTLS-with-FreeIPA.patch: attempt StartTLS first
56 when talking to FreeIPA
57 - d/p/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch:
58 when using samba to join a domain, and the client is from a different
59 domain, also set "additional dns hostnames"
60 - d/p/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch:
61 when joining using samba, try kerberos auth first and fallback to
62 ntlm as before
63 * Added changes:
64 - d/p/03_ldap-discovery-socket-timeout.patch: use a shorter timeout
65 for the unbind request sent when finishing up the discovery phase
66 - d/p/04_add-computer-name-to-manpage.patch: document the existing
67 --computer-name command line option
68
69 -- Andreas Hasenack <andreas@canonical.com> Thu, 06 Jan 2022 17:39:36 +0000
70
1realmd (0.17.0-1) unstable; urgency=medium71realmd (0.17.0-1) unstable; urgency=medium
272
3 * debian/watch: Update the URL and point to the git releases73 * debian/watch: Update the URL and point to the git releases
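Review bot: in the new 0.17.0-1ubuntu1 entry, the bug reference on the "Remaining changes" item is written "(LP #1880157)" without the colon, unlike "(LP: #1946896)" on the merge line; "LP: #NNNNNN" is the form Launchpad parses from the changelog, so use it consistently for a change that is still being carried. The same item names d/p/dont-add-services-line.patch, whereas debian/patches/series in this diff adds 05_dont-add-services-line.patch; the changelog should use the name the series file actually carries.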
@@ -8,6 +78,75 @@ realmd (0.17.0-1) unstable; urgency=medium
878
9 -- Laurent Bigonville <bigon@debian.org> Mon, 16 Aug 2021 15:35:48 +020079 -- Laurent Bigonville <bigon@debian.org> Mon, 16 Aug 2021 15:35:48 +0200
1080
81realmd (0.16.3-3ubuntu2) impish; urgency=medium
82
83 * No-change rebuild due to OpenLDAP soname bump.
84
85 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:08:26 -0400
86
87realmd (0.16.3-3ubuntu1) groovy; urgency=medium
88
89 * d/p/0001-LDAP-don-t-close-LDAP-socket-twice.patch: don't close LDAP
90 socket twice.
91 * d/p/0001-Fix-man-page-reference-in-systemd-service-file.patch: the
92 manpage is realm(8), not realmd(8)
93 * d/p/0001-Use-current-idmap-options-for-smb.conf.patch: use the
94 idmap options in smb.conf for modern versions of samba (LP: #1894153)
95 * d/p/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch: find
96 NetBIOS name in keytab while leaving the domain (LP: #1894340)
97 * d/p/0001-Fix-issues-found-by-Coverity.patch: fix issues found by
98 Coverity
99 * d/p/0002-Change-qualified-names-default-for-IPA.patch: change
100 qualified names default for IPA
101 * d/p/0003-discover-try-to-get-domain-name-from-hostname.patch: if
102 there is no domain name returned by DHCP check if the hostname
103 contains a domain part and use this to discover a realm.
104 * d/p/0001-IPA-do-not-call-sssd-enable-logins.patch: IPA: do not call
105 sssd-enable-logins
106 * d/p/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch:
107 install the latest version of a package when resolving packages with
108 PackageKit
109 * d/p/0001-doc-make-sure-cross-reference-ids-are-predictable.patch: make
110 sure cross-reference ids are predictable
111 * d/p/0002-tools-remove-duplicated-va_start.patch: remove duplicated
112 va_start()
113 * d/p/0003-service-remove-dead-code.patch: remove unused code
114 * d/p/0004-service-check-return-value-of-fcntl.patch: check return
115 value of fcntl()
116 * d/p/0005-service-avoid-dereference-of-a-null-pointer.patch: avoid
117 dereference of a null pointer
118 * d/p/0006-service-avoid-dereferencing-a-NULL-pointer.patch: avoid
119 dereferencing a NULL pointer
120 * d/p/0001-Add-missing-xsl-file-to-Makefile.am.patch: add missing xsl
121 file to Makefile.am
122 * d/p/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch:
123 do not inherit DISTRO from the environment
124 * d/p/0003-doc-extend-user-principal-section.patch: doc: extend
125 user-principal section
126 * d/p/0004-doc-fix-discover-name-only.patch: doc: fix discover
127 name-only parameter
128 * d/p/0005-doc-add-see-also-to-man-pages.patch: doc: add see also to
129 man pages
130 * d/p/0006-doc-extend-description-of-config-handling.patch: doc: extend
131 description of config handling
132 * d/p/0007-service-use-kerberos-method-secrets-and-keytab.patch: when
133 using Samba with Winbind, set "kerberos method" to "secrets and keytab"
134 * d/p/install-libnss-winbind.patch: install libnss-winbind when needed
135 (LP: #1894150)
136 * d/p/05_dont-add-services-line.patch: in Ubuntu and Debian, the sssd_*
137 services are socket activated and don't need a "services" line in
138 sssd.conf (LP: #1880157)
139 * d/p/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch:
140 when using samba to join a domain, and the client is from a different
141 domain, also set "additional dns hostnames"
142 * d/p/0002-Use-startTLS-with-FreeIPA.patch: attempt StartTLS first
143 when talking to FreeIPA
144 * d/p/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch:
145 when joining using samba, try kerberos auth first and fallback to
146 ntlm as before
147
148 -- Andreas Hasenack <andreas@canonical.com> Tue, 08 Sep 2020 15:15:12 -0300
149
11realmd (0.16.3-3) unstable; urgency=medium150realmd (0.16.3-3) unstable; urgency=medium
12151
13 [ Andreas Henriksson ]152 [ Andreas Henriksson ]
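Review bot: the re-inserted historical 0.16.3-3ubuntu1 entry now lists d/p/05_dont-add-services-line.patch, a name this merge introduces (commit 7222508, "Rename the patch to follow the pattern"), while the new 0.17.0-1ubuntu1 entry above still reads d/p/dont-add-services-line.patch; it looks like the changelog follow-up for the rename landed in the wrong entry. Carried-over entries are normally kept verbatim as they were published, so the 05_ name belongs in the current entry instead.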
diff --git a/debian/control b/debian/control
index a2446b1..6d16592 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: realmd1Source: realmd
2Section: admin2Section: admin
3Priority: optional3Priority: optional
4Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
5Uploaders: Laurent Bigonville <bigon@debian.org>6Uploaders: Laurent Bigonville <bigon@debian.org>
6Build-Depends: debhelper (>= 12),7Build-Depends: debhelper (>= 12),
7 intltool (>= 0.35.0),8 intltool (>= 0.35.0),
diff --git a/debian/patches/03_ldap-discovery-socket-timeout.patch b/debian/patches/03_ldap-discovery-socket-timeout.patch
8new file mode 1006449new file mode 100644
index 0000000..aec5668
--- /dev/null
+++ b/debian/patches/03_ldap-discovery-socket-timeout.patch
@@ -0,0 +1,76 @@
1commit 370bf84857d5674a092f46fa5932a0c92ad5bbf5
2Author: Sumit Bose <sbose@redhat.com>
3Date: Wed Nov 24 17:25:18 2021 +0100
4
5 ldap: add socket timeout
6
7 During the discovery phase realmd tries to open LDAP connections to
8 multiple DC addresses returned by DNS. When cleaning up we have to call
9 ldap_destroy() to release the resources allocated for the LDAP context.
10 ldap_destroy() tries to send a LDAP unbind request independent of the
11 connection state. If the related address is block by a firewall or a not
12 properly routed IPv6 address there might be no reply on the TCP level
13 and the request might be stuck for quite some tome in the kernel.
14
15 To avoid the unexpected long delays will block realmd this patch lowers
16 the timeout considerably to 5s. As multiple other timeouts this value is
17 currently hardcoded.
18
19 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
20
21Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
22Origin: upstream, https://gitlab.freedesktop.org/realmd/realmd/-/commit/370bf84857d5674a092f46fa5932a0c92ad5bbf5
23Last-Update: 2022-01-06
24diff --git a/service/realm-ldap.c b/service/realm-ldap.c
25index bdfb96c..f7b6d13 100644
26--- a/service/realm-ldap.c
27+++ b/service/realm-ldap.c
28@@ -22,6 +22,7 @@
29 #include <sys/types.h>
30 #include <sys/socket.h>
31 #include <netinet/in.h>
32+#include <netinet/tcp.h>
33
34 #include <errno.h>
35
36@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
37
38 /* Not included in ldap.h but documented */
39 int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
40+#define LDAP_SOCKET_TIMEOUT 5
41
42 GSource *
43 realm_ldap_connect_anonymous (GSocketAddress *address,
44@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
45 int opt_rc;
46 int ldap_opt_val;
47 const char *errmsg = NULL;
48+ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
49+ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
50
51 g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
52
53@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
54 if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
55 g_warning ("couldn't set to blocking");
56
57+ /* Lower the kernel defaults which might be minutes to hours */
58+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
59+ &tv, sizeof (tv));
60+ if (rc != 0) {
61+ g_warning ("couldn't set SO_RCVTIMEO");
62+ }
63+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
64+ &tv, sizeof (tv));
65+ if (rc != 0) {
66+ g_warning ("couldn't set SO_SNDTIMEO");
67+ }
68+ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
69+ &milli, sizeof (milli));
70+ if (rc != 0) {
71+ g_warning ("couldn't set TCP_USER_TIMEOUT");
72+ }
73+
74 if (family == G_SOCKET_FAMILY_IPV4) {
75 url = g_strdup_printf ("%s://%s:%d",
76 use_ldaps ? "ldaps" : "ldap",
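Review bot: in the third inner hunk the three setsockopt failure branches log only a fixed string ("couldn't set SO_RCVTIMEO" and friends); realm-ldap.c already includes <errno.h>, so appending g_strerror (errno) would tell an operator why the timeout could not be applied, which matters because a failed setsockopt silently leaves the kernel defaults that the commit message says can be "minutes to hours". Since this is a verbatim upstream cherry-pick (Origin: upstream, ...), that is better proposed upstream than changed in the Debian patch. Two things worth confirming from the full file, which the hunk does not show: that `rc` is declared in realm_ldap_connect_anonymous (only opt_rc and ldap_opt_val are visible in the context), and that TCP_USER_TIMEOUT from the newly included <netinet/tcp.h> is acceptable, as it is Linux-specific (fine for a Debian/Ubuntu package, but it is the reason the new include is needed).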
diff --git a/debian/patches/04_add-computer-name-to-manpage.patch b/debian/patches/04_add-computer-name-to-manpage.patch
0new file mode 10064477new file mode 100644
index 0000000..539cb32
--- /dev/null
+++ b/debian/patches/04_add-computer-name-to-manpage.patch
@@ -0,0 +1,32 @@
1commit 05100771ea6bd775caae705bb53f76a0816f3b81
2Author: Sumit Bose <sbose@redhat.com>
3Date: Tue May 11 11:13:06 2021 +0200
4
5 doc: add computer-name to realm man page
6
7Origin: upstream, https://gitlab.freedesktop.org/realmd/realmd/-/commit/05100771ea6bd775caae705bb53f76a0816f3b81
8Last-Update: 2022-01-06
9diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
10index 9160a8a..b4dc27c 100644
11--- a/doc/manual/realm.xml
12+++ b/doc/manual/realm.xml
13@@ -222,6 +222,19 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
14 supported for all realms. By default the membership software
15 is automatically selected.</para></listitem>
16 </varlistentry>
17+ <varlistentry>
18+ <term><option>--computer-name=xxx</option></term>
19+ <listitem>
20+ <para>This option only applies to Active
21+ Directory realms. Specify this option to
22+ override the default name used when creating
23+ the computer account. The system's FQDN will
24+ still be saved in the dNSHostName attribute.</para>
25+ <para>Specify the name as a string of 15 or
26+ fewer characters that is a valid NetBIOS
27+ computer name.</para>
28+ </listitem>
29+ </varlistentry>
30 <varlistentry>
31 <term><option>--no-password</option></term>
32 <listitem><para>Perform the join automatically without
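Review bot: the patch header is a raw `git show` header (commit/Author/Date lines) plus Origin and Last-Update, with no DEP-3 Description or Subject field; the upstream title "doc: add computer-name to realm man page" sits only as indented body text. DEP-3 requires Description or Subject, and lintian's patch-header checks complain when neither is present, so add "Description: doc: add computer-name to realm man page" (the same applies to 03_ldap-discovery-socket-timeout.patch). Content-wise the documented constraint (15 or fewer characters, a valid NetBIOS computer name) matches the option, nothing further.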
diff --git a/debian/patches/05_dont-add-services-line.patch b/debian/patches/05_dont-add-services-line.patch
0new file mode 10064433new file mode 100644
index 0000000..2cdc1a5
--- /dev/null
+++ b/debian/patches/05_dont-add-services-line.patch
@@ -0,0 +1,49 @@
1Description: Don't add the services line to sssd.conf
2 In Ubuntu and Debian, the sssd services (like nss, pam, pac, etc) are socket
3 activated and should not be listed in the services line, as they will be
4 started on demand by systemd.
5Author: Andreas Hasenack <andreas@canonical.com>
6Bug-Ubuntu: https://bugs.launchpad.net/bugs/1880157
7Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003620
8Forwarded: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/JC3N3DBSMHZSA66IPLGAMBSXLCTYXWJR/
9Last-Update: 2022-01-12
10---
11This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
12--- a/service/realm-sssd-config.c
13+++ b/service/realm-sssd-config.c
14@@ -130,7 +130,6 @@
15 gchar **already;
16 gboolean ret;
17 gchar *section;
18- const gchar *services[] = { "nss", "pam", NULL };
19 va_list va;
20 gint i;
21
22@@ -155,7 +154,6 @@
23 g_strfreev (already);
24
25 /* Setup a default sssd section */
26- realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
27 if (!realm_ini_config_have (config, "sssd", "config_file_version"))
28 realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
29
30--- a/tests/test-sssd-config.c
31+++ b/tests/test-sssd-config.c
32@@ -90,7 +90,7 @@
33 gconstpointer unused)
34 {
35 const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
36- const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
37+ const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
38 GError *error = NULL;
39 gchar *output;
40 gboolean ret;
41@@ -140,7 +140,7 @@
42 test_add_domain_only (Test *test,
43 gconstpointer unused)
44 {
45- const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
46+ const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
47 GError *error = NULL;
48 gchar *output;
49 gboolean ret;
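Review bot: the Forwarded field points at an sssd-users mailing-list thread, but this patch changes realmd (service/realm-sssd-config.c), whose upstream is the gitlab.freedesktop.org/realmd/realmd project named in the Origin lines of the other two patches; DEP-3 Forwarded is there so the next merger can check upstream's status, so a realmd merge request or issue URL would be the more useful reference, with the sssd thread kept as context in the Description. Minor: Bug-Debian can use the short form https://bugs.debian.org/1003620. The expectations in tests/test-sssd-config.c are updated alongside the code change, good.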
diff --git a/debian/patches/series b/debian/patches/series
index 00e862d..ee5278d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
101_freeipa_section.patch101_freeipa_section.patch
202_cross.patch202_cross.patch
303_ldap-discovery-socket-timeout.patch
404_add-computer-name-to-manpage.patch
505_dont-add-services-line.patch
