From f49ad6f2c2c5649949d7501c0a0654cc02533cf8 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Aug 12 2020 18:24:07 +0000 Subject: Sync with latest upstream patches --- diff --git a/0001-Fix-for-ini-config-test-issue.patch b/0001-Fix-for-ini-config-test-issue.patch new file mode 100644 index 0000000..39fb0cf --- /dev/null +++ b/0001-Fix-for-ini-config-test-issue.patch @@ -0,0 +1,32 @@ +From f2162c30155eb0d9f7475f583856a2675ad2c881 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 3 Jul 2020 17:18:13 +0200 +Subject: [PATCH 1/4] Fix for ini-config test issue + +Recently I came across some issues with the ini-config tests where the +test run into a deadlock and didn't finish. It looks it happens +somewhere in the glib inotify code and might be a timing issues because +I never saw the issue when running the tests with strace. + +To get around the issue I added REALM_INI_NO_WATCH to not use the +inotify code for testing. +--- + tests/test-ini-config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test-ini-config.c b/tests/test-ini-config.c +index 7799e13..854df88 100644 +--- a/tests/test-ini-config.c ++++ b/tests/test-ini-config.c +@@ -29,7 +29,7 @@ static void + setup (Test *test, + gconstpointer unused) + { +- test->config = realm_ini_config_new (REALM_INI_LINE_CONTINUATIONS); ++ test->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_LINE_CONTINUATIONS); + } + + static void +-- +2.26.2 + diff --git a/0002-Use-startTLS-with-FreeIPA.patch b/0002-Use-startTLS-with-FreeIPA.patch new file mode 100644 index 0000000..77253af --- /dev/null +++ b/0002-Use-startTLS-with-FreeIPA.patch 
@@ -0,0 +1,74 @@ +From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 3 Jul 2020 17:18:27 +0200 +Subject: [PATCH 2/4] Use startTLS with FreeIPA + +FreeIPA is planning to required a minimal security strength factor (ssf) +in an upcoming version. This basically means that communication should +be encrypted. The most straight forward way is use TLS by doing a +StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS +since the initial release we will call StartTLS unconditionally but try +without if it fails. + +Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23 +--- + service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++ + service/realm-ldap.c | 4 +++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c +index 3100650..7614071 100644 +--- a/service/realm-disco-rootdse.c ++++ b/service/realm-disco-rootdse.c +@@ -226,10 +226,33 @@ request_domain_info (GTask *task, + LDAP *ldap) + { + const char *attrs[] = { "info", "associatedDomain", NULL }; ++ int ret; ++ int ldap_opt_val; + + clo->request = NULL; + clo->result = result_domain_info; + ++ /* Trying to setup a TLS tunnel in the case the IPA server requires an ++ * encrypted connected. Trying without in case of an error. Since we ++ * most probably do not have the IPA CA certificate we will not check ++ * the server certificate. 
*/ ++ ldap_opt_val = LDAP_OPT_X_TLS_NEVER; ++ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val); ++ if (ret != LDAP_OPT_SUCCESS) { ++ g_debug ("Failed to disable certificate checking, trying without"); ++ } ++ ++ ldap_opt_val = 0; ++ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val); ++ if (ret != LDAP_OPT_SUCCESS) { ++ g_debug ("Failed to refresh LDAP context for TLS, trying without"); ++ } ++ ++ ret = ldap_start_tls_s (ldap, NULL, NULL); ++ if (ret != LDAP_SUCCESS) { ++ g_debug ("Failed to setup TLS tunnel, trying without"); ++ } ++ + return search_ldap (task, clo, ldap, clo->default_naming_context, + LDAP_SCOPE_BASE, NULL, attrs); + } +diff --git a/service/realm-ldap.c b/service/realm-ldap.c +index 59817fb..7831b5b 100644 +--- a/service/realm-ldap.c ++++ b/service/realm-ldap.c +@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address, + if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL)) + g_warning ("couldn't set to blocking"); + +- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap); ++ url = g_strdup_printf ("ldap://%s:%d", addrname, port); ++ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap); ++ g_free (url); + + g_free (native); + +-- +2.26.2 + diff --git a/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch b/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch new file mode 100644 index 0000000..4fb6789 --- /dev/null +++ b/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch 
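Review bot: The new request_domain_info() code disables certificate verification (LDAP_OPT_X_TLS_NEVER) and, when ldap_start_tls_s() fails, carries on over the unencrypted connection with only a g_debug() trace, so the follow-up search is protected against passive observation only and an active attacker can strip StartTLS without anything visible in the journal. Consider saying so in the comment, e.g. `/* NOTE: no certificate check and cleartext fallback: this defends against passive eavesdropping only, not an active attacker. */`, and logging the fallback at warning level as realm-ldap.c already does for other failures: `g_warning ("Failed to setup TLS tunnel, trying without");`. In the realm-ldap.c hunk, `g_strdup_printf ("ldap://%s:%d", addrname, port)` yields an invalid URL if addrname can be an IPv6 literal (where it comes from is outside the hunk); `"ldap://[%s]:%d"` would be needed in that case. Both enclosing functions start and end outside their hunks.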
@@ -0,0 +1,32 @@ +From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 11 Aug 2020 11:18:17 +0200 +Subject: [PATCH 3/4] service: use net ads join with -k for user join as well + +The NTLM authentication used by 'net ads join' does only support crypto +algorithms which e.g. are not allowed by FIPS. It would be better to +tell 'net ads join' to try Kerberos first before falling back to NTLM by +adding the '-k' option. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503 +--- + service/realm-samba-enroll.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index f5edca3..3f86c51 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -372,7 +372,8 @@ begin_join (GTask *task, + } else if (join->user_name) { + begin_net_process (join, join->password_input, + on_join_do_keytab, g_object_ref (task), +- "-U", join->user_name, "ads", "join", join->disco->domain_name, ++ "-U", join->user_name, ++ "-k", "ads", "join", join->disco->domain_name, + join->join_args[0], join->join_args[1], + join->join_args[2], join->join_args[3], + join->join_args[4], NULL); +-- +2.26.2 + diff --git a/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch b/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch new file mode 100644 index 0000000..d056662 --- /dev/null +++ b/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch 
@@ -0,0 +1,167 @@ +From a49994ab4ac36ff39a1e24a228e57a5269bf8fdf Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 12 Aug 2020 12:58:27 +0200 +Subject: [PATCH 4/4] service: use 'additional dns hostnames' with net ads join + +With newer versions of Samba the net ads join does not add services +principals with the configured host name anymore but added the new +option 'additional dns hostnames' for this. + +realmd will try to figure out a fully-qualified host name and use it +with the new option if it is from a different domain. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1867912 +--- + service/realm-disco.c | 1 + + service/realm-disco.h | 1 + + service/realm-samba-enroll.c | 57 +++++++++++++++++++++++++++++++++++- + service/realm-samba.c | 6 ++++ + 4 files changed, 64 insertions(+), 1 deletion(-) + +diff --git a/service/realm-disco.c b/service/realm-disco.c +index ab06939..a12be50 100644 +--- a/service/realm-disco.c ++++ b/service/realm-disco.c +@@ -62,6 +62,7 @@ realm_disco_unref (gpointer data) + g_free (disco->explicit_netbios); + g_free (disco->kerberos_realm); + g_free (disco->workgroup); ++ g_free (disco->dns_fqdn); + if (disco->server_address) + g_object_unref (disco->server_address); + g_free (disco); +diff --git a/service/realm-disco.h b/service/realm-disco.h +index 5f3e5e9..35532d2 100644 +--- a/service/realm-disco.h ++++ b/service/realm-disco.h +@@ -30,6 +30,7 @@ typedef struct { + gchar *explicit_server; + gchar *explicit_netbios; + GSocketAddress *server_address; ++ gchar *dns_fqdn; + } RealmDisco; + + #define REALM_TYPE_DISCO (realm_disco_get_type ()) +diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c +index 3f86c51..5624a08 100644 +--- a/service/realm-samba-enroll.c ++++ b/service/realm-samba-enroll.c +@@ -33,6 +33,9 @@ + #include + #include + #include ++#include ++#include ++#include + + typedef struct { + GDBusMethodInvocation *invocation; +@@ -81,6 +84,44 @@ fallback_workgroup (const gchar *realm) + return 
g_utf8_strup (realm, pos - realm); + } + ++static char * ++try_to_get_fqdn (void) ++{ ++ char hostname[HOST_NAME_MAX + 1]; ++ gchar *fqdn = NULL; ++ int ret; ++ struct addrinfo *res; ++ struct addrinfo hints; ++ ++ ret = gethostname (hostname, sizeof (hostname)); ++ if (ret < 0) { ++ return NULL; ++ } ++ ++ if (strchr (hostname, '.') == NULL) { ++ memset (&hints, 0, sizeof (struct addrinfo)); ++ hints.ai_socktype = SOCK_DGRAM; ++ hints.ai_flags = AI_CANONNAME; ++ ++ ret = getaddrinfo (hostname, NULL, &hints, &res); ++ if (ret != 0) { ++ return NULL; ++ } ++ ++ /* Only use a fully-qualified name */ ++ if (strchr (res->ai_canonname, '.') != NULL) { ++ fqdn = g_strdup (res->ai_canonname); ++ } ++ ++ freeaddrinfo (res); ++ ++ } else { ++ fqdn = g_strdup (hostname); ++ } ++ ++ return fqdn; ++} ++ + static JoinClosure * + join_closure_init (GTask *task, + RealmDisco *disco, +@@ -95,6 +136,8 @@ join_closure_init (GTask *task, + const gchar *explicit_computer_name = NULL; + const gchar *authid = NULL; + gchar *name_from_keytab = NULL; ++ gchar *fqdn = NULL; ++ gchar *fqdn_dom = NULL; + + join = g_new0 (JoinClosure, 1); + join->disco = realm_disco_ref (disco); +@@ -124,7 +167,7 @@ join_closure_init (GTask *task, + "netbios name", authid, + NULL); + +- /* ++ /* + * Samba complains if we don't set a 'workgroup' setting for the realm we're + * going to join. If we didn't yet manage to lookup the workgroup, then go ahead + * and assume that the first domain component is the workgroup name. +@@ -144,6 +187,18 @@ join_closure_init (GTask *task, + g_free (workgroup); + } + ++ /* Add the fully-qualified DNS hostname as additional name if it is from ++ * a different domain. 
*/ ++ fqdn = try_to_get_fqdn (); ++ if (fqdn != NULL && join->disco->domain_name != NULL ++ && (fqdn_dom = strchr (fqdn, '.')) != NULL ++ && g_ascii_strcasecmp (fqdn_dom + 1, join->disco->domain_name) != 0 ) { ++ disco->dns_fqdn = g_strdup (fqdn); ++ realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL, ++ "additional dns hostnames", disco->dns_fqdn, NULL); ++ } ++ g_free (fqdn); ++ + /* Write out the config file for use by various net commands */ + join->custom_smb_conf = g_build_filename (g_get_tmp_dir (), "realmd-smb-conf.XXXXXX", NULL); + temp_fd = g_mkstemp_full (join->custom_smb_conf, O_WRONLY, S_IRUSR | S_IWUSR); +diff --git a/service/realm-samba.c b/service/realm-samba.c +index 4940b38..fe33600 100644 +--- a/service/realm-samba.c ++++ b/service/realm-samba.c +@@ -204,6 +204,11 @@ on_join_do_winbind (GObject *source, + NULL); + } + ++ if (error == NULL && enroll->disco->dns_fqdn != NULL) { ++ realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error, ++ "additional dns hostnames", enroll->disco->dns_fqdn, ++ NULL); ++ } + + if (error == NULL) { + name = realm_kerberos_get_name (REALM_KERBEROS (self)); +@@ -364,6 +369,7 @@ leave_deconfigure_begin (RealmSamba *self, + if (!realm_ini_config_change (self->config, REALM_SAMBA_CONFIG_GLOBAL, &error, + "workgroup", NULL, + "realm", NULL, ++ "additional dns hostnames", NULL, + "security", "user", + NULL)) { + g_task_return_error (task, error); +-- +2.26.2 + diff --git a/realmd.spec b/realmd.spec index 1a70c3c..2e94203 100644 --- a/realmd.spec +++ b/realmd.spec @@ -1,6 +1,6 @@ Name: realmd Version: 0.16.3 -Release: 25%{?dist} +Release: 26%{?dist} Summary: Kerberos realm enrollment service License: LGPLv2+ URL: https://freedesktop.org/software/realmd/ 
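Review bot: In try_to_get_fqdn(), `strchr (res->ai_canonname, '.')` dereferences ai_canonname without a NULL check; guard it with `if (res->ai_canonname != NULL && strchr (res->ai_canonname, '.') != NULL)`, and add `hostname[sizeof (hostname) - 1] = '\0';` after gethostname() since POSIX leaves termination of a truncated name unspecified. The name comes from an unauthenticated DNS lookup and ends up in the generated smb.conf and, via realm_ini_config_change() in realm-samba.c, in the system configuration, so the chosen value deserves a log line in the new join_closure_init() block, e.g. `g_debug ("Using additional dns hostname: %s", disco->dns_fqdn);`, so an unexpected name is visible in the journal. `disco->dns_fqdn = g_strdup (fqdn);` also overwrites any earlier value without freeing it; if join_closure_init() can run more than once for the same RealmDisco (not visible here) that leaks. join_closure_init() starts and ends outside the hunk.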
@@ -46,6 +46,12 @@ Patch27: 0005-doc-add-see-also-to-man-pages.patch Patch28: 0006-doc-extend-description-of-config-handling.patch Patch29: 0007-service-use-kerberos-method-secrets-and-keytab.patch +# Sync with upstream +Patch30: 0001-Fix-for-ini-config-test-issue.patch +Patch31: 0002-Use-startTLS-with-FreeIPA.patch +Patch32: 0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch +Patch33: 0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch + BuildRequires: gcc BuildRequires: automake BuildRequires: autoconf @@ -113,6 +119,9 @@ make install DESTDIR=%{buildroot} %doc ChangeLog %changelog +* Wed Aug 12 2020 Sumit Bose - 0.16.3-25 +- Sync with latest upstream patches + * Sat Aug 01 2020 Fedora Release Engineering - 0.16.3-25 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
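Review bot: The new %changelog entry is tagged `0.16.3-25` while the Release field in the same commit is bumped to `26%{?dist}`, so the line should read `* Wed Aug 12 2020 Sumit Bose - 0.16.3-26`. As written it collides with the previous entry's version and rpmlint will report the mismatch as incoherent-version-in-changelog.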