From 74f454663255957cb799310e178616205513315e Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Fri, 12 Apr 2013 19:00:14 +0200 Subject: [PATCH] Add 'manage-system' option which defaults to TRUE This is a per-realm setting, and Join() option which can be used to make realmd not configure central management aspects when joining a domain. https://bugs.freedesktop.org/show_bug.cgi?id=61858 --- dbus/org.freedesktop.realmd.xml | 3 +++ dbus/realm-dbus-constants.h | 1 + doc/manual/realmd-guide-configuring.xml | 19 +++++++++++++++++++ service/realm-options.c | 17 +++++++++++++++++ service/realm-options.h | 3 +++ service/realm-sssd-ipa.c | 7 ++++++- 6 files changed, 49 insertions(+), 1 deletion(-) diff --git a/dbus/org.freedesktop.realmd.xml b/dbus/org.freedesktop.realmd.xml index 2615007..bacf42f 100644 --- a/dbus/org.freedesktop.realmd.xml +++ b/dbus/org.freedesktop.realmd.xml @@ -619,6 +619,9 @@ membership-software: a string containing the membership software identifier that the returned realms should match. + manage-system: a boolean + which controls whether this machine should be managed by + the realm or domain or not. Defaults to true. This method requires authorization for the PolicyKit action diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h index ff1fa64..8a0220f 100644 --- a/dbus/realm-dbus-constants.h +++ b/dbus/realm-dbus-constants.h @@ -64,6 +64,7 @@ G_BEGIN_DECLS #define REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE "membership-software" #define REALM_DBUS_OPTION_ASSUME_PACKAGES "assume-packages" #define REALM_DBUS_OPTION_USER_PRINCIPAL "user-principal" +#define REALM_DBUS_OPTION_MANAGE_SYSTEM "manage-system" #define REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY "active-directory" #define REALM_DBUS_IDENTIFIER_WINBIND "winbind" diff --git a/doc/manual/realmd-guide-configuring.xml b/doc/manual/realmd-guide-configuring.xml index cf62c6f..32c39a4 100644 --- a/doc/manual/realmd-guide-configuring.xml +++ b/doc/manual/realmd-guide-configuring.xml 
@@ -257,5 +257,24 @@ automatic-id-mapping = no +
+ + manage-system + + This option is on by default. Normally joining a realm + affects many aspects of the configuration and management of the + system. Turning this off limits the interaction with the realm + or domain to authentication and identity. + + + +[domain.example.com] +manage-system = no +# manage-system = yes + + + +
+ diff --git a/service/realm-options.c b/service/realm-options.c index 15c1f3d..c576dae 100644 --- a/service/realm-options.c +++ b/service/realm-options.c @@ -29,6 +29,23 @@ realm_options_assume_packages (GVariant *options) return assume; } +gboolean +realm_options_manage_system (GVariant *options, + const gchar *realm_name) +{ + gboolean manage; + gchar *section; + + section = g_utf8_casefold (realm_name, -1); + if (realm_settings_value (section, REALM_DBUS_OPTION_MANAGE_SYSTEM)) + manage = realm_settings_boolean (section, REALM_DBUS_OPTION_MANAGE_SYSTEM, TRUE); + else if (!g_variant_lookup (options, REALM_DBUS_OPTION_MANAGE_SYSTEM, "b", &manage)) + manage = TRUE; + g_free (section); + + return manage; +} + const gchar * realm_options_user_principal (GVariant *options, const gchar *realm_name) diff --git a/service/realm-options.h b/service/realm-options.h index af4a124..090e477 100644 --- a/service/realm-options.h +++ b/service/realm-options.h @@ -21,6 +21,9 @@ G_BEGIN_DECLS +gboolean realm_options_manage_system (GVariant *options, + const gchar *realm_name); + gboolean realm_options_assume_packages (GVariant *options); const gchar * realm_options_computer_ou (GVariant *options, diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c index cd5fcea..c5cae5c 100644 --- a/service/realm-sssd-ipa.c +++ b/service/realm-sssd-ipa.c @@ -327,7 +327,6 @@ realm_sssd_ipa_join_async (RealmKerberosMembership *membership, push_arg (argv, "--realm"); push_arg (argv, realm_kerberos_get_realm_name (realm)); push_arg (argv, "--mkhomedir"); - push_arg (argv, "--no-ntp"); push_arg (argv, "--enable-dns-updates"); push_arg (argv, "--unattended"); @@ -356,6 +355,12 @@ realm_sssd_ipa_join_async (RealmKerberosMembership *membership, g_return_if_reached (); } + if (!realm_options_manage_system (options, domain_name)) { + push_arg (argv, "--no-ssh"); + push_arg (argv, "--no-sshd"); + push_arg (argv, "--no-ntp"); + } + g_ptr_array_add (argv, NULL); enroll->argv = argv; -- 1.8.1.4
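Review bot: In `realm_options_manage_system` a value in the per-realm settings section silently overrides the `manage-system` option the Join() caller passed, and an option that is present but not of type `b` makes `g_variant_lookup` return FALSE, so the result falls back to TRUE. Both outcomes decide whether a join touches system-wide configuration, so the precedence and the fallback should be written down above the function, for example `/* A per-realm setting wins over the caller's option; a missing or non-boolean option means TRUE (manage the system). */`. If a caller that asks for less management must never silently get more, consider warning when the key is present but the typed lookup fails. The prototype added in realm-options.h has no comment either, and the same sentence would fit there.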
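Review bot: With the default of TRUE, `--no-ntp` is no longer passed, because the first hunk in this file removes it from the unconditional arguments and this block adds it back only when `manage-system` is off, so a default IPA join now allows time synchronisation to be configured where it previously never was. `--no-ssh` and `--no-sshd` are new flags, so NTP is the only default behaviour that changes for existing setups, yet neither the commit message nor the manual text added here mentions it; it is worth stating in both. The lookup key is `domain_name`, while `--realm` is filled from `realm_kerberos_get_realm_name (realm)`; `domain_name` is defined outside this hunk, so confirm it is the name administrators would write as the section (`[domain.example.com]` in the manual example). A short comment above the block would help, such as `/* manage-system=no: leave ssh, sshd and ntp configuration untouched */`. `realm_sssd_ipa_join_async` starts and ends outside the hunk.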