Bug 967033

Summary: Only allow joining one 'manage-system' realm
Product: Red Hat Enterprise Linux 7
Component: realmd
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Patrik Kis <pkis>
Assignee: Stef Walter <stefw>
QA Contact: David Spurek <dspurek>
CC: dspurek, ebenes
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: realmd-0.14.2-1
Doc Type: Bug Fix
Type: Bug
Clone Of: 966650
Bug Depends On: 966650
Last Closed: 2014-06-13 12:23:22 UTC

Description Patrik Kis 2013-05-24 14:39:49 UTC
+++ This bug was initially created as a clone of Bug #966650 +++

When a realm is joined using the default 'manage-system=true' Join() option, realmd configures the machine to receive and enforce domain policy.

realmd should only allow joining one domain with 'manage-system=true' Join() option.

An example of a Join() where 'manage-system=false' is from gnome-control-center.

--- Additional comment from Stef Walter on 2013-05-23 11:39:23 EDT ---

Patrik from QE has highlighted this as something we should implement now, rather than later, so that there's not a regression for users who come to depend on the current (broken) behavior.

--- Additional comment from Stef Walter on 2013-05-23 11:40:46 EDT ---

Related: https://bugs.freedesktop.org/show_bug.cgi?id=61858

--- Additional comment from Stef Walter on 2013-05-24 04:57:28 EDT ---

Patch pushed to git master upstream.

Comment 1 David Spurek 2013-08-30 07:14:36 UTC
realmd-0.13.3-2.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test repeated join with with default manage-system = yes
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'realmd_command --passwd=Pass2012! realm -v join --user=Amy-admin security.baseos.qe' (Expected 0, got 0)
:: [   PASS   ] :: Clear sssd cache (Expected 0-255, got 2)
:: [   PASS   ] :: Running 'realm list &>/tmp/tmp.s5hnpvk3Nj/out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.s5hnpvk3Nj/out' should contain 'domain-name: security.baseos.qe' 
:: [   PASS   ] :: File '/tmp/tmp.s5hnpvk3Nj/out' should contain 'configured: kerberos-member' 
:: [   FAIL   ] :: Running 'getent passwd Amy.qe' (Expected 0, got 2)
:: [   FAIL   ] :: Running 'getent passwd Amy@SECURITY' (Expected 0, got 2)
:: [   PASS   ] :: Running 'getent passwd SECURITY\\Amy' (Expected 0, got 0)
:: [   FAIL   ] :: Running 'getent passwd SECURITY.BASEOS.QE\\Amy' (Expected 0, got 2)
:: [   PASS   ] :: Running 'klist -k &>/tmp/tmp.s5hnpvk3Nj/out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.s5hnpvk3Nj/out' should contain 'CLIENT$@SECURITY.BASEOS.QE' 
:: [   PASS   ] :: Check keytab usage (Expected 0, got 0)
:: [   PASS   ] :: Running 'klist' (Expected 0, got 0)
:: [   FAIL   ] :: Check realm join (Expected 0, got 240)
:: [   FAIL   ] :: Running 'realmd_command --passwd=Pass2012! realm -v join --user=Amy-admin ad.baseos.qe' (Expected 1, got 0)
:: [   PASS   ] :: Running 'realm -v leave' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 11 good, 5 bad
:: [   FAIL   ] :: RESULT: Test repeated join with with default manage-system = yes


realmd-0.14.5-1.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test repeated join with with default manage-system = yes
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'realmd_command --passwd=Pass2012! realm -v join --user=Amy-admin security.baseos.qe' (Expected 0, got 0)
:: [   PASS   ] :: Clear sssd cache (Expected 0-255, got 0)
:: [   PASS   ] :: Running 'realm list &>/tmp/tmp.P9Xv2axD9F/out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.P9Xv2axD9F/out' should contain 'domain-name: security.baseos.qe' 
:: [   PASS   ] :: File '/tmp/tmp.P9Xv2axD9F/out' should contain 'configured: kerberos-member' 
:: [   PASS   ] :: Running 'getent passwd Amy.qe' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent passwd Amy@SECURITY' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent passwd SECURITY\\Amy' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent passwd SECURITY.BASEOS.QE\\Amy' (Expected 0, got 0)
:: [   PASS   ] :: Running 'klist -k &>/tmp/tmp.P9Xv2axD9F/out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.P9Xv2axD9F/out' should contain 'CLIENT$@SECURITY.BASEOS.QE' 
:: [   PASS   ] :: Check keytab usage (Expected 0, got 0)
:: [   PASS   ] :: Running 'klist' (Expected 0, got 0)
:: [   PASS   ] :: Check realm join (Expected 0, got 0)
:: [   PASS   ] :: Running 'realmd_command --passwd=Pass2012! realm -v join --user=Amy-admin ad.baseos.qe' (Expected 1, got 1)
:: [   PASS   ] :: Running 'realm -v leave' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 16 good, 0 bad
:: [   PASS   ] :: RESULT: Test repeated join with with default manage-system = yes
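
The following audit check is an added example, not part of the bug report or of realmd: it parses `realm list`-style output and fails when more than one realm is joined, which is the state the unfixed build allowed. It assumes the block layout shown in the constructed samples, and since the page does not show a `realm list` field that records the manage-system option, it counts every joined realm.

```bash
#!/usr/bin/env bash
# Added example: flag a host whose `realm list` output shows more than one
# joined realm. 'domain-name:' and 'configured: kerberos-member' are the
# fields the test log checks; the sample text below is constructed.

# Print the domain-name of each realm block whose 'configured:' is not 'no'.
joined_realms() {
    awk '
        function emit() { if (domain != "" && joined) print domain; domain = ""; joined = 0 }
        /^[^ \t]/            { emit() }   # unindented line starts a new realm block
        $1 == "domain-name:" { domain = $2 }
        $1 == "configured:"  { joined = ($2 != "no") }
        END                  { emit() }
    '
}

# Return 0 when at most one realm is joined, 1 otherwise.
check_single_realm() {
    local realms count
    realms=$(joined_realms)
    count=$(printf '%s\n' "$realms" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        printf 'FAIL: %s realms joined: %s\n' "$count" "$(printf '%s' "$realms" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK: %s realm(s) joined\n' "$count"
}

# Constructed sample: state after the fix (second join was refused).
sample_fixed() { cat <<'EOF'
security.baseos.qe
  type: kerberos
  domain-name: security.baseos.qe
  configured: kerberos-member
EOF
}

# Constructed sample: state the unfixed build allowed (both joins succeeded).
sample_regressed() { sample_fixed; cat <<'EOF'
ad.baseos.qe
  type: kerberos
  domain-name: ad.baseos.qe
  configured: kerberos-member
EOF
}

sample_fixed | check_single_realm
sample_regressed | check_single_realm || true
# On a live host: realm list | check_single_realm
```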

Comment 2 Ludek Smid 2014-06-13 12:23:22 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.