From 74f454663255957cb799310e178616205513315e Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Fri, 12 Apr 2013 19:00:14 +0200
Subject: [PATCH] Add 'manage-system' option which defaults to TRUE

This is a per-realm setting, and Join() option which can be used
to make realmd not configure central management aspects when
joining a domain.

https://bugs.freedesktop.org/show_bug.cgi?id=61858
---
 dbus/org.freedesktop.realmd.xml         |  3 +++
 dbus/realm-dbus-constants.h             |  1 +
 doc/manual/realmd-guide-configuring.xml | 19 +++++++++++++++++++
 service/realm-options.c                 | 17 +++++++++++++++++
 service/realm-options.h                 |  3 +++
 service/realm-sssd-ipa.c                |  7 ++++++-
 6 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/dbus/org.freedesktop.realmd.xml b/dbus/org.freedesktop.realmd.xml
index 2615007..bacf42f 100644
--- a/dbus/org.freedesktop.realmd.xml
+++ b/dbus/org.freedesktop.realmd.xml
@@ -619,6 +619,9 @@
 		    <listitem><para><literal>membership-software</literal>: a string
 		      containing the membership software identifier that the returned
 		      realms should match.</para></listitem>
+		    <listitem><para><literal>manage-system</literal>: a boolean
+		      which controls whether this machine should be managed by
+		      the realm or domain or not. Defaults to true.</para></listitem>
 		  </itemizedlist>
 
 		  This method requires authorization for the PolicyKit action
diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
index ff1fa64..8a0220f 100644
--- a/dbus/realm-dbus-constants.h
+++ b/dbus/realm-dbus-constants.h
@@ -64,6 +64,7 @@ G_BEGIN_DECLS
 #define   REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE    "membership-software"
 #define   REALM_DBUS_OPTION_ASSUME_PACKAGES        "assume-packages"
 #define   REALM_DBUS_OPTION_USER_PRINCIPAL         "user-principal"
+#define   REALM_DBUS_OPTION_MANAGE_SYSTEM          "manage-system"
 
 #define   REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY   "active-directory"
 #define   REALM_DBUS_IDENTIFIER_WINBIND            "winbind"
diff --git a/doc/manual/realmd-guide-configuring.xml b/doc/manual/realmd-guide-configuring.xml
index cf62c6f..32c39a4 100644
--- a/doc/manual/realmd-guide-configuring.xml
+++ b/doc/manual/realmd-guide-configuring.xml
@@ -257,5 +257,24 @@ automatic-id-mapping = no
 
 	</section>
 
+	<section>
+
+		<title>manage-system</title>
+
+		<para>This option is on by default. Normally joining a realm
+		affects many aspects of the configuration and management of the
+		system. Turning this off limits the interaction with the realm
+		or domain to authentication and identity.</para>
+
+		<informalexample>
+<programlisting>
+[domain.example.com]
+manage-system = no
+# manage-system = yes
+</programlisting>
+	</informalexample>
+
+	</section>
+
 </section>
 </chapter>
diff --git a/service/realm-options.c b/service/realm-options.c
index 15c1f3d..c576dae 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -29,6 +29,23 @@ realm_options_assume_packages (GVariant *options)
 	return assume;
 }
 
+gboolean
+realm_options_manage_system (GVariant *options,
+                             const gchar *realm_name)
+{
+	gboolean manage;
+	gchar *section;
+
+	section = g_utf8_casefold (realm_name, -1);
+	if (realm_settings_value (section, REALM_DBUS_OPTION_MANAGE_SYSTEM))
+		manage = realm_settings_boolean (section, REALM_DBUS_OPTION_MANAGE_SYSTEM, TRUE);
+	else if (!g_variant_lookup (options, REALM_DBUS_OPTION_MANAGE_SYSTEM, "b", &manage))
+		manage = TRUE;
+	g_free (section);
+
+	return manage;
+}
+
 const gchar *
 realm_options_user_principal (GVariant *options,
                               const gchar *realm_name)
diff --git a/service/realm-options.h b/service/realm-options.h
index af4a124..090e477 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -21,6 +21,9 @@
 
 G_BEGIN_DECLS
 
+gboolean       realm_options_manage_system            (GVariant *options,
+                                                       const gchar *realm_name);
+
 gboolean       realm_options_assume_packages          (GVariant *options);
 
 const gchar *  realm_options_computer_ou              (GVariant *options,
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index cd5fcea..c5cae5c 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -327,7 +327,6 @@ realm_sssd_ipa_join_async (RealmKerberosMembership *membership,
 		push_arg (argv, "--realm");
 		push_arg (argv, realm_kerberos_get_realm_name (realm));
 		push_arg (argv, "--mkhomedir");
-		push_arg (argv, "--no-ntp");
 		push_arg (argv, "--enable-dns-updates");
 		push_arg (argv, "--unattended");
 
@@ -356,6 +355,12 @@ realm_sssd_ipa_join_async (RealmKerberosMembership *membership,
 			g_return_if_reached ();
 		}
 
+		if (!realm_options_manage_system (options, domain_name)) {
+			push_arg (argv, "--no-ssh");
+			push_arg (argv, "--no-sshd");
+			push_arg (argv, "--no-ntp");
+		}
+
 		g_ptr_array_add (argv, NULL);
 		enroll->argv = argv;
 
-- 
1.8.1.4