diff --git a/.gitignore b/.gitignore
index ac6fbea..e6fcc1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,5 @@
 /adcli-0.8.2.tar.gz
 /adcli-0.9.0.tar.gz
 /adcli-0.9.1.tar.gz
+/adcli-0.9.2.tar.gz
+/adcli-0.9.3.1.tar.gz
diff --git a/0001-build-add-with-vendor-error-message-configure-option.patch b/0001-build-add-with-vendor-error-message-configure-option.patch
deleted file mode 100644
index 75235ee..0000000
--- a/0001-build-add-with-vendor-error-message-configure-option.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 0353d704879f20983184f8bded4f16538d72f7cc Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 10 Mar 2021 18:12:09 +0100
-Subject: [PATCH] build: add --with-vendor-error-message configure option
-
-With the new configure option --with-vendor-error-message a packager or
-a distribution can add a message if adcli returns with an error.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1889386
----
- configure.ac | 15 +++++++++++++++
- tools/tools.c | 6 ++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index baa0d3b..7dfba97 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -123,6 +123,21 @@ if test "$sasl_invalid" = "yes"; then
- AC_MSG_ERROR([Couldn't find Cyrus SASL headers])
- fi
-
-+# --------------------------------------------------------------------
-+# Vendor error message
-+
-+AC_ARG_WITH([vendor-error-message],
-+ [AS_HELP_STRING([--with-vendor-error-message=ARG],
-+ [Add a vendor specific error message shown if a adcli command fails]
-+ )],
-+ [AS_IF([test "x$withval" != "x"],
-+ [AC_DEFINE_UNQUOTED([VENDOR_MSG],
-+ ["$withval"],
-+ [Vendor specific error message])],
-+ [AC_MSG_ERROR([--with-vendor-error-message requires an argument])]
-+ )],
-+ [])
-+
- # --------------------------------------------------------------------
- # Documentation options
-
-diff --git a/tools/tools.c b/tools/tools.c
-index d0dcf98..84bbba9 100644
---- a/tools/tools.c
-+++ b/tools/tools.c
-@@ -538,6 +538,12 @@ main (int argc,
-
- if (conn)
- adcli_conn_unref (conn);
-+#ifdef VENDOR_MSG
-+ if (ret != 0) {
-+ fprintf (stderr, VENDOR_MSG"\n");
-+ }
-+#endif
-+
- return ret;
- }
-
---
-2.30.2
-
diff --git a/0001-configure-update-some-macros-for-autoconf-2.71.patch b/0001-configure-update-some-macros-for-autoconf-2.71.patch
deleted file mode 100644
index e9f0bc6..0000000
--- a/0001-configure-update-some-macros-for-autoconf-2.71.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a8492d71a6db8565544444eef11de8c733c95ef8 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 6 Apr 2021 19:32:07 +0200
-Subject: [PATCH] configure: update some macros for autoconf-2.71
-
----
- configure.ac | 10 +++++-----
- library/Makefile.am | 2 +-
- tools/Makefile.am | 2 +-
- 3 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 7dfba97..c6ff31d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1,4 +1,4 @@
--AC_PREREQ(2.61)
-+AC_PREREQ([2.61])
-
- AC_INIT([adcli],
- [0.9.1],
-@@ -33,7 +33,7 @@ LT_INIT([dlopen disable-static])
- AC_PROG_CC
- AC_PROG_CPP
- AM_PROG_CC_C_O
--AM_PROG_LIBTOOL
-+LT_INIT
-
- # -------------------------------------------------------------------
- # Kerberos
-@@ -143,7 +143,7 @@ AC_ARG_WITH([vendor-error-message],
-
- AC_MSG_CHECKING([whether to build documentation])
- AC_ARG_ENABLE(doc,
-- AC_HELP_STRING([--enable-doc],
-+ AS_HELP_STRING([--enable-doc],
- [Disable building documentation])
- )
-
-@@ -180,7 +180,7 @@ doc_status=$enable_doc
-
- AC_MSG_CHECKING([for debug mode])
- AC_ARG_ENABLE(debug,
-- AC_HELP_STRING([--enable-debug=no/default/yes],
-+ AS_HELP_STRING([--enable-debug=no/default/yes],
- [Turn on or off debugging]))
-
- if test "$enable_debug" != "no"; then
-@@ -308,7 +308,7 @@ fi
-
- AC_MSG_CHECKING([where is Samba's net utility])
- AC_ARG_WITH([samba_data_tool],
-- AC_HELP_STRING([--with-samba-data-tool=/path],
-+ AS_HELP_STRING([--with-samba-data-tool=/path],
- [Path to Samba's net utility]),
- [],
- [with_samba_data_tool=/usr/bin/net])
-diff --git a/library/Makefile.am b/library/Makefile.am
-index 4829555..e046606 100644
---- a/library/Makefile.am
-+++ b/library/Makefile.am
-@@ -1,6 +1,6 @@
- include $(top_srcdir)/Makefile.decl
-
--INCLUDES = \
-+AM_CPPFLAGS = \
- -I$(top_srcdir) \
- -DADCLI_UNSTABLE_API \
- -DHOST_TRIPLET=\"$(host_triplet)\" \
-diff --git a/tools/Makefile.am b/tools/Makefile.am
-index 1cdf451..71ec14d 100644
---- a/tools/Makefile.am
-+++ b/tools/Makefile.am
-@@ -1,6 +1,6 @@
- include $(top_srcdir)/Makefile.decl
-
--INCLUDES = \
-+AM_CPPFLAGS = \
- -I$(top_srcdir) \
- -I$(top_srcdir)/library \
- -DKRB5_CONFIG=\""$(sysconfdir)/krb5.conf"\" \
---
-2.30.2
-
diff --git a/0001-enroll-fix-issues-if-default-keytab-is-used.patch b/0001-enroll-fix-issues-if-default-keytab-is-used.patch
new file mode 100644
index 0000000..953b97a
--- /dev/null
+++ b/0001-enroll-fix-issues-if-default-keytab-is-used.patch
@@ -0,0 +1,117 @@
+From 9c31bb06590f2d96a2d6d8ce87dc3273c283a671 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 19 Dec 2025 14:48:13 +0100
+Subject: [PATCH] enroll: fix issues if default keytab is used
+
+librkb5 returns the default keytab with a 'FILE:' prefix which must be
+removed before calling libselinux functions to operate on the keytab
+file.
+
+Resolves: https://issues.redhat.com/browse/RHEL-78631
+---
+ library/adenroll.c | 32 ++++++++++++++++++++------------
+ library/adenroll.h | 3 +--
+ tools/computer.c | 6 +++---
+ 3 files changed, 24 insertions(+), 17 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 20ad198..9484cbf 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2116,30 +2116,38 @@ ensure_host_keytab (adcli_result res,
+ return ADCLI_SUCCESS;
+ }
+
+-adcli_result
+-ensure_host_keytab_selinux_context (adcli_result res,
+- adcli_enroll *enroll)
++void
++restore_host_keytab_selinux_context (adcli_enroll *enroll)
+ {
+ #ifdef BUILD_SELINUX_POLICY
+ int ret;
+-
+- if (res != ADCLI_SUCCESS)
+- return res;
++ krb5_context k5;
++ const char *name_start;
+
+ if (enroll->keytab_name == NULL) {
+ _adcli_info ("No keytab name available, skipping SELinux restorecon.");
+- return ADCLI_SUCCESS;
++ return;
++ }
++
++ name_start = enroll->keytab_name;
++ if (strncmp (name_start, "FILE:", 5) == 0) {
++ name_start = enroll->keytab_name + 5;
+ }
+
+- ret = selinux_restorecon (adcli_enroll_get_keytab_name (enroll), 0);
++ if (enroll->keytab != NULL) {
++ k5 = adcli_conn_get_krb5_context (enroll->conn);
++ krb5_kt_close (k5, enroll->keytab);
++ enroll->keytab = NULL;
++ }
++
++ ret = selinux_restorecon (name_start, 0);
+ if (ret != 0) {
+- _adcli_err ("Failed to set SELinux context for %s with error %d: %s",
+- enroll->keytab_name, ret, strerror (ret));
+- return ADCLI_ERR_FAIL;
++ _adcli_err ("Failed to set SELinux context for %s with error %d: %s, ignored",
++ name_start, ret, strerror (errno));
+ }
+ #endif
+
+- return ADCLI_SUCCESS;
++ return;
+ }
+
+
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 79eb7a8..5aba81b 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -192,6 +192,5 @@ void adcli_enroll_set_samba_data_tool (adcli_enroll *enroll,
+
+ const char * adcli_enroll_get_samba_data_tool (adcli_enroll *enroll);
+
+-adcli_result ensure_host_keytab_selinux_context (adcli_result res,
+- adcli_enroll *enroll);
++void restore_host_keytab_selinux_context (adcli_enroll *enroll);
+ #endif /* ADENROLL_H_ */
+diff --git a/tools/computer.c b/tools/computer.c
+index ee027dc..f056366 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -520,7 +520,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ else if (show_password)
+ dump_password (conn, enroll);
+
+- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
++ restore_host_keytab_selinux_context (enroll);
+
+ adcli_enroll_unref (enroll);
+
+@@ -655,7 +655,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ else if (show_password)
+ dump_password (conn, enroll);
+
+- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
++ restore_host_keytab_selinux_context (enroll);
+
+ adcli_enroll_unref (enroll);
+
+@@ -1275,7 +1275,7 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
+ else if (show_password)
+ dump_password (conn, enroll);
+
+- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
++ restore_host_keytab_selinux_context (enroll);
+
+ adcli_enroll_unref (enroll);
+
+--
+2.52.0
+
diff --git a/adcli.spec b/adcli.spec
index 34419c2..2d022ff 100644
--- a/adcli.spec
+++ b/adcli.spec
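Review bot: In restore_host_keytab_selinux_context() only a literal `FILE:` prefix is stripped before `selinux_restorecon (name_start, 0)`, so a keytab name carrying any other krb5 type prefix (for example `WRFILE:`, or a non-file type such as `MEMORY:`) is still handed to libselinux as if it were a path. Because the failure is now only logged and ignored, such a keytab, which holds the host's long-term keys, would presumably keep whatever label it was created with. Handling the second file-backed prefix is a one-line addition, `else if (strncmp (name_start, "WRFILE:", 7) == 0) name_start += 7;`, and names with a non-file prefix could skip the call with an `_adcli_info` message instead of reporting an error. The function also closes `enroll->keytab` and sets it to NULL, which neither its name nor the declaration in adenroll.h suggests; a comment such as `/* also closes enroll->keytab; callers must not use the handle afterwards */` above the definition would make that visible.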
@@ -1,13 +1,16 @@ +%global with_selinux 1 +%global selinuxtype targeted +%global modulename adcli + Name: adcli -Version: 0.9.1 +Version: 0.9.3.1 Release: 4%{?dist} Summary: Active Directory enrollment -License: LGPLv2+ +License: LGPL-2.1-or-later URL: https://gitlab.freedesktop.org/realmd/adcli -Source0: https://gitlab.freedesktop.org/sbose/adcli/uploads/30880d967e79cee789194435e70fbf30/adcli-%{version}.tar.gz +Source0: https://gitlab.freedesktop.org/-/project/1196/uploads/5a1c55410c0965835b81fbd28d820d46/adcli-%{version}.tar.gz -Patch1: 0001-build-add-with-vendor-error-message-configure-option.patch -Patch2: 0001-configure-update-some-macros-for-autoconf-2.71.patch +Patch1: 0001-enroll-fix-issues-if-default-keytab-is-used.patch BuildRequires: gcc BuildRequires: intltool pkgconfig @@ -18,6 +21,13 @@ BuildRequires: openldap-devel BuildRequires: libxslt BuildRequires: xmlto BuildRequires: make +BuildRequires: libnetapi-devel + +# Build dependencies for SELinux policy +%if %{with selinux} +BuildRequires: libselinux-devel +BuildRequires: selinux-policy-devel +%endif Requires: cyrus-sasl-gssapi Conflicts: adcli-doc < %{version}-%{release} 
@@ -26,10 +36,31 @@ Conflicts: adcli-doc < %{version}-%{release} # the adcli tool itself is to be used by callers Obsoletes: adcli-devel < 0.5 +%if %{with selinux} +# This ensures that the *-selinux package and all it’s dependencies are not +# pulled into containers and other systems that do not use SELinux. The +# policy defines types and file contexts for client and server. +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + %description adcli is a tool for joining an Active Directory domain using standard LDAP and Kerberos calls. +%if %{with selinux} +# SELinux subpackage +%package selinux +Summary: The adcli SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +%{?selinux_requires_min} + +%description selinux +Custom SELinux policy module for adcli to make sure generated Kerberos keytab +files have the right SELinux context. +%endif + %define _hardened_build 1 %prep 
@@ -42,24 +73,43 @@ autoreconf --force --install --verbose --with-vendor-error-message='Please check\n https://red.ht/support_rhel_ad \nto get help for common issues.' \ %endif %{nil} -make %{?_smp_mflags} +%make_build %check make check %install -make install DESTDIR=%{buildroot} +%make_install find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %ldconfig_scriptlets +%if %{with selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%endif + %files %{_sbindir}/adcli %doc AUTHORS COPYING ChangeLog NEWS README %doc %{_mandir}/*/* %package doc -Summary: adcli documentation +Summary: The adcli documentation package BuildArch: noarch Conflicts: adcli < %{version}-%{release} 
@@ -71,7 +121,79 @@ documentation. %files doc %doc %{_datadir}/doc/adcli/* +%if %{with selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%endif + %changelog +* Fri Jan 16 2026 Fedora Release Engineering - 0.9.3.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild + +* Fri Dec 19 2025 Sumit Bose - 0.9.3.1-3 +- Fix issue with restoring SELinux file label + +* Tue Dec 16 2025 Sumit Bose - 0.9.3.1-2 +- Use selinux_requires_min to avoid policycoreutils-python-utils dependency + Resolves: rhbz#2422451 + +* Tue Dec 09 2025 Sumit Bose - 0.9.3.1-1 +- Rebase to latest upstream version + +* Wed Jul 23 2025 Fedora Release Engineering - 0.9.2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Thu Jan 16 2025 Fedora Release Engineering - 0.9.2-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Wed Nov 20 2024 Sumit Bose - 0.9.2-8 +- support for Samba's offline join and static analyser fixes + +* Wed Jul 17 2024 Fedora Release Engineering - 0.9.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 0.9.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 0.9.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Oct 18 2023 Sumit Bose - 0.9.2-4 +- migrated to SPDX license + +* Wed Jul 19 2023 Fedora Release Engineering - 0.9.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Jan 18 2023 Fedora Release Engineering - 0.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Sep 29 2022 Sumit Bose - 0.9.2-1 +- Update to upstream release 0.9.2 + +* Wed Jul 20 2022 Fedora Release Engineering - 0.9.1-11 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Jan 19 2022 Fedora Release Engineering - 0.9.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jul 28 2021 Sumit Bose - 0.9.1-9 +- Add ns_get16() and ns_get32() to configure check + Resolves: rhbz#1984891 + +* Wed Jul 21 2021 Fedora Release Engineering - 0.9.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Mon Jun 28 2021 Sumit Bose - 0.9.1-7 +- Add user-passwd sub-command +- Add setattr/delattr option + +* Thu Jun 03 2021 Sumit Bose - 0.9.1-6 +- Add fix for dont-expire-password option + +* Wed Jun 02 2021 Sumit Bose - 0.9.1-5 +- Add dont-expire-password option and coverity fixes + * Wed Apr 07 2021 Sumit Bose - 0.9.1-4 - Add macro updates for autoconf-2.71 and downstream gating diff --git a/sources b/sources index d958e5d..aa241fa 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (adcli-0.9.1.tar.gz) = 60562720bf28f2dec06f272bdb875e3486f223e77f8a9e96b3468d17dbebdf9ddabd147d7e65c5de9ba7d4e8c033ad6d28a4012d03297c7de25b78ef4890746d +SHA512 (adcli-0.9.3.1.tar.gz) = 3f501173b5344b38f33a3f65faec9e894da81b44b37bb161da103d8a29459d8807dfe566a5dd0a8c7eec466567b6cca4331c81dd70158b5478a61b03be37355d