1839 lines
72 KiB
From 54b207649979475ea7f1fa5eaaea94be31d20935 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Fri, 13 Dec 2019 15:16:06 -0500
Subject: [PATCH] daemon: if no local users, check if machine is enrolled in
 network

GDM will show gnome initial-setup if a machine has no local users.
But it's totally possible that a machine has only remote users,
and shouldn't have a local user.

This commit detects that case, and avoids setting the HasNoUsers
property.
---
 data/org.freedesktop.realmd.xml | 730 ++++++++++++++++++++++++++++++++
 src/daemon.c                    |  63 ++-
 src/meson.build                 |   1 +
 src/org.freedesktop.realmd.xml  | 730 ++++++++++++++++++++++++++++++++
 4 files changed, 1520 insertions(+), 4 deletions(-)
 create mode 100644 data/org.freedesktop.realmd.xml
 create mode 100644 src/org.freedesktop.realmd.xml

diff --git a/data/org.freedesktop.realmd.xml b/data/org.freedesktop.realmd.xml |
|
new file mode 100644 |
|
index 0000000..c34a47a |
|
--- /dev/null |
|
+++ b/data/org.freedesktop.realmd.xml |
|
@@ -0,0 +1,730 @@ |
|
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" |
|
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd"> |
|
+<node name="/"> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Provider: |
|
+ @short_description: a realm provider |
|
+ |
|
+ Various realm providers represent different software implementations |
|
+ that provide access to realms or domains. |
|
+ |
|
+ This interface is implemented by individual providers, but is |
|
+ aggregated globally at the system bus name |
|
+ <literal>org.freedesktop.realmd</literal> |
|
+ with the object path <literal>/org/freedesktop/realmd</literal> |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Provider"> |
|
+ |
|
+ <!-- |
|
+ Name: the name of the provider |
|
+ |
|
+ The name of the provider. This is not normally displayed |
|
+ to the user, but may be useful for diagnostics or debugging. |
|
+ --> |
|
+ <property name="Name" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Version: the version of the provider |
|
+ |
|
+ The version of the provider. This is not normally used in |
|
+ logic, but may be useful for diagnostics or debugging. |
|
+ --> |
|
+ <property name="Version" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Realms: a list of realms |
|
+ |
|
+ A list of known, enrolled or discovered realms. All realms |
|
+ that this provider knows about are listed here. As realms |
|
+ are discovered they are added to this list. |
|
+ |
|
+ Each realm is represented by the DBus object path of the |
|
+ realm object. |
|
+ --> |
|
+ <property name="Realms" type="ao" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Discover: |
|
+ @string: an input string to discover realms for |
|
+ @options: options for the discovery operation |
|
+ @relevance: the relevance of the returned results |
|
+ @realm: a list of realms discovered |
|
+ |
|
+ Discover realms for the given string. The input @string is |
|
+ usually a domain or realm name, perhaps typed by a user. If |
|
+ an empty string is provided, the realm provider should try to |
|
+ discover a default realm, if possible (e.g. from DHCP). |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ <listitem><para><literal>client-software</literal>: a string |
|
+ containing the client software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ <listitem><para><literal>server-software</literal>: a string |
|
+ containing the client software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ <listitem><para><literal>membership-software</literal>: a string |
|
+ containing the membership software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ The @relevance returned can be used to rank results from |
|
+ different discover calls to different providers. Implementors |
|
+ should return a positive number if the provider highly |
|
+ recommends that the realms be handled by this provider, |
|
+ or a zero if it can possibly handle the realms. Negative numbers |
|
+ should be returned if no realms are found. |
|
+ |
|
+ This method does not return an error when no realms are |
|
+ discovered. It simply returns an empty @realm list. |
|
+ |
|
+ To see diagnostic information about the discovery process, |
|
+ connect to the org.freedesktop.realmd.Service::Diagnostics |
|
+ signal. |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.discover-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may |
|
+ return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the discovery could not be run for some reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to perform a discovery |
|
+ operation.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Discover"> |
|
+ <arg name="string" type="s" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ <arg name="relevance" type="i" direction="out"/> |
|
+ <arg name="realm" type="ao" direction="out"/> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Service: |
|
+ @short_description: the realmd service |
|
+ |
|
+ Global calls for managing the realmd service. Usually you'll want |
|
+ to use #org.freedesktop.realmd.Provider instead. |
|
+ |
|
+ This interface is implemented by the realmd service, and is always |
|
+ available at the object path <literal>/org/freedesktop/realmd</literal> |
|
+ |
|
+ The service also implements the |
|
+ <literal>org.freedesktop.DBus.ObjectManager</literal> interface which |
|
+ makes it easy to retrieve all realmd objects and properties in one go. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Service"> |
|
+ |
|
+ <!-- |
|
+ Cancel: |
|
+ @operation: the operation to cancel |
|
+ |
|
+ Cancel a realmd operation. To be able to cancel an operation, |
|
+ pass a uniquely chosen <literal>operation</literal> string |
|
+ identifier as an option in the method's <literal>options</literal> |
|
+ argument. |
|
+ |
|
+ These operation string identifiers should be unique per client |
|
+ calling the realmd service. |
|
+ |
|
+ It is not guaranteed that the service can or will cancel the |
|
+ operation. For example, the operation may have already completed |
|
+ by the time this method is handled. The caller of the operation |
|
+ method will receive a |
|
+ <literal>org.freedesktop.realmd.Error.Cancelled</literal> |
|
+ if the operation was cancelled. |
|
+ --> |
|
+ <method name="Cancel"> |
|
+ <arg name="operation" type="s" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ SetLocale: |
|
+ @locale: the locale for the client |
|
+ |
|
+ Set the language @locale for the client. This locale is used |
|
+ for error messages. The locale is used until the next time |
|
+ this method is called, the client disconnects, or the client |
|
+ calls #org.freedesktop.realmd.Service.Release(). |
|
+ --> |
|
+ <method name="SetLocale"> |
|
+ <arg name="locale" type="s" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ Diagnostics: |
|
+ @data: diagnostic data |
|
+ @operation: the operation this data resulted from |
|
+ |
|
+ This signal is fired when diagnostics result from an operation |
|
+ in the provider or one of its realms. |
|
+ |
|
+ It is not guaranteed that this signal is emitted once per line. |
|
+ More than one line may be contained in @data, or a partial |
|
+ line. New line characters are embedded in @data. |
|
+ |
|
+ This signal is sent explicitly to the client which invoked an |
|
+ operation method. In order to tell which operation this |
|
+ diagnostic data results from, pass a unique |
|
+ <literal>operation</literal> string identifier in the |
|
+ <literal>options</literal> argument of the operation method. |
|
+ That same identifier will be passed back via the @operation |
|
+ argument of this signal. |
|
+ --> |
|
+ <signal name="Diagnostics"> |
|
+ <arg name="data" type="s"/> |
|
+ <arg name="operation" type="s"/> |
|
+ </signal> |
|
+ |
|
+ <!-- |
|
+ Release: |
|
+ |
|
+ Normally, realmd waits until all clients have disconnected |
|
+ before exiting itself sometime later. Long lived clients |
|
+ can call this method to allow the realmd service to quit. |
|
+ This is an optimization. The daemon will not exit immediately. |
|
+ It is safe to call this multiple times. |
|
+ --> |
|
+ <method name="Release"> |
|
+ <!-- no arguments --> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Realm: |
|
+ @short_description: a realm |
|
+ |
|
+ Represents one realm. |
|
+ |
|
+ Contains generic information about a realm, and useful properties for |
|
+ introspecting what kind of realm this is and how to work with |
|
+ the realm. |
|
+ |
|
+ Use #org.freedesktop.realmd.Provider:Realms or |
|
+ #org.freedesktop.realmd.Provider.Discover() to get access to some |
|
+ kerberos realm objects. |
|
+ |
|
+ Realms will always implement additional interfaces, such as |
|
+ #org.freedesktop.realmd.Kerberos. Do not assume that all realms |
|
+ implement that kerberos interface. Use the |
|
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property to see |
|
+ which interfaces are supported. |
|
+ |
|
+ Different realms support various ways to configure them on the |
|
+ system. Use the #org.freedesktop.realmd.Realm:Configured property |
|
+ to determine if a realm is configured. If it is configured, the |
|
+ property will be set to the interface of the mechanism that was |
|
+ used to configure it. |
|
+ |
|
+ To configure a realm, look in the |
|
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property for a |
|
+ recognized purpose-specific interface that can be used for |
|
+ configuration, such as the |
|
+ #org.freedesktop.realmd.KerberosMembership interface and its |
|
+ #org.freedesktop.realmd.KerberosMembership.Join() method. |
|
+ |
|
+ To deconfigure a realm from the current system, you can use the |
|
+ #org.freedesktop.realmd.Realm.Deconfigure() method. In addition, some |
|
+ of the configuration specific interfaces provide methods to |
|
+ deconfigure a realm in a specific way, such as the |
|
+ #org.freedesktop.realmd.KerberosMembership.Leave() method. |
|
+ |
|
+ The various properties are guaranteed to have been updated before |
|
+ the operation methods return, if they change state. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Realm"> |
|
+ |
|
+ <!-- |
|
+ Name: the realm name |
|
+ |
|
+ This is the name of the realm, appropriate for display to |
|
+ end users where necessary. |
|
+ --> |
|
+ <property name="Name" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Configured: whether this domain is configured and how |
|
+ |
|
+ If this property is an empty string, then the realm is not |
|
+ configured. Otherwise the realm is configured, and contains |
|
+ a string which is the interface that represents how it was |
|
+ configured, for example #org.freedesktop.realmd.KerberosMembership. |
|
+ --> |
|
+ <property name="Configured" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Deconfigure: deconfigure this realm |
|
+ |
|
+ Deconfigure this realm from the local machine with standard |
|
+ default behavior. |
|
+ |
|
+ The behavior of this method depends on the which configuration |
|
+ interface is present in the |
|
+ #org.freedesktop.realmd.Realm.Configured property. It does not |
|
+ always delete membership accounts in the realm, but just |
|
+ reconfigures the local machine so it no longer is configured |
|
+ for the given realm. In some cases the implementation may try |
|
+ to update membership accounts, but this is not guaranteed. |
|
+ |
|
+ Various configuration interfaces may support more specific ways |
|
+ to deconfigure a realm in a specific way, such as the |
|
+ #org.freedesktop.realmd.KerberosMembership.Leave() method. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the deconfigure failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to deconfigure a |
|
+ realm.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>: |
|
+ returned if this realm is not configured on the machine.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Deconfigure"> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ SupportedInterfaces: |
|
+ |
|
+ Additional supported interfaces of this realm. This includes |
|
+ interfaces that contain more information about the realm, |
|
+ such as #org.freedesktop.realmd.Kerberos and interfaces |
|
+ which contain methods for configuring a realm, such as |
|
+ #org.freedesktop.realmd.KerberosMembership. |
|
+ --> |
|
+ <property name="SupportedInterfaces" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Details: informational details about the realm |
|
+ |
|
+ Informational details about the realm. The following values |
|
+ should be present: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>server-software</literal>: |
|
+ identifier of the software running on the server (e.g. |
|
+ <literal>active-directory</literal>).</para></listitem> |
|
+ <listitem><para><literal>client-software</literal>: |
|
+ identifier of the software running on the client (e.g. |
|
+ <literal>sssd</literal>).</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <property name="Details" type="a(ss)" access="read"/> |
|
+ |
|
+ <!-- |
|
+ RequiredPackages: prerequisite software |
|
+ |
|
+ Software packages that are required in order for a join to |
|
+ succeed. These are either simple strings like <literal>sssd</literal>, |
|
+ or strings with an operator and version number like |
|
+ <literal>sssd >= 1.9.0</literal> |
|
+ |
|
+ These values are specific to the packaging system that is |
|
+ being run. |
|
+ --> |
|
+ <property name="RequiredPackages" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ LoginFormats: supported formats for login names |
|
+ |
|
+ Supported formats for login to this realm. This is only |
|
+ relevant once the realm has been enrolled. The formats |
|
+ will contain a <literal>%U</literal> in the string, which |
|
+ indicate where the user name should be placed. The formats |
|
+ may contain a <literal>%D</literal> in the string which |
|
+ indicate where a domain name should be placed. |
|
+ |
|
+ The first format in the list is the preferred format for |
|
+ login names. |
|
+ --> |
|
+ <property name="LoginFormats" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ LoginPolicy: the policy for logins using this realm |
|
+ |
|
+ The policy for logging into this computer using this realm. |
|
+ |
|
+ The policy can be changed using the |
|
+ #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method. |
|
+ |
|
+ The following policies are predefined. Not all providers |
|
+ support all these policies and there may be provider specific |
|
+ policies or multiple policies represented in the string: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>allow-any-login</literal>: allow |
|
+ login by any authenticated user present in this |
|
+ realm.</para></listitem> |
|
+ <listitem><para><literal>allow-realm-logins</literal>: allow |
|
+ logins according to the realm or domain policy for logins |
|
+ on this machine. This usually defaults to allowing any realm |
|
+ user to log in.</para></listitem> |
|
+ <listitem><para><literal>allow-permitted-logins</literal>: |
|
+ only allow the logins permitted in the |
|
+ #org.freedesktop.realmd.Realm:PermittedLogins |
|
+ property.</para></listitem> |
|
+ <listitem><para><literal>deny-any-login</literal>: |
|
+ don't allow any logins via authenticated users of this |
|
+ realm.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <property name="LoginPolicy" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ PermittedLogins: the permitted login names |
|
+ |
|
+ The list of permitted authenticated users allowed to login |
|
+ into this computer. This is only relevant if the |
|
+ #org.freedesktop.realmd.Realm:LoginPolicy property |
|
+ contains the <literal>allow-permitted-logins</literal> |
|
+ string. |
|
+ --> |
|
+ <property name="PermittedLogins" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ PermittedGroups: the permitted group names |
|
+ |
|
+ The list of groups which users need to be in to be allowed |
|
+ to log into this computer. This is only relevant if the |
|
+ #org.freedesktop.realmd.Realm:LoginPolicy property |
|
+ contains the <literal>allow-permitted-logins</literal> |
|
+ string. |
|
+ --> |
|
+ <property name="PermittedGroups" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ ChangeLoginPolicy: |
|
+ @login_policy: the new login policy, or an empty string |
|
+ @permitted_add: a list of logins to permit |
|
+ @permitted_remove: a list of logins to not permit |
|
+ @options: options for this operation |
|
+ |
|
+ Change the login policy and/or permitted logins for this realm. |
|
+ |
|
+ Not all realms support all the various login policies. An |
|
+ error will be returned if the new login policy is not supported. |
|
+ You may specify an empty string for the @login_policy argument |
|
+ which will cause no change in the policy itself. If the policy |
|
+ is changed, it will be reflected in the |
|
+ #org.freedesktop.realmd.Realm:LoginPolicy property. |
|
+ |
|
+ The @permitted_add and @permitted_remove arguments represent |
|
+ lists of login names that should be added and removed from |
|
+ the #org.freedesktop.realmd.Kerberos:PermittedLogins property. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ <listitem><para><literal>groups</literal>: boolean which if |
|
+ set to <literal>TRUE</literal> means that the names in |
|
+ @permitted_add and @permitted_remove are group names instead |
|
+ of login names.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.login-policy</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the policy change failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to change login policy |
|
+ operation.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>: |
|
+ returned if the realm is not configured.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="ChangeLoginPolicy"> |
|
+ <arg name="login_policy" type="s" direction="in"/> |
|
+ <arg name="permitted_add" type="as" direction="in"/> |
|
+ <arg name="permitted_remove" type="as" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Kerberos: |
|
+ @short_description: a kerberos realm |
|
+ |
|
+ An interface that describes a kerberos realm in more detail. This |
|
+ is always implemented on an DBus object path that also implements |
|
+ the #org.freedesktop.realmd.Realm interface. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Kerberos"> |
|
+ |
|
+ <!-- |
|
+ RealmName: the kerberos realm name |
|
+ |
|
+ The kerberos name for this realm. This is usually in upper |
|
+ case. |
|
+ --> |
|
+ <property name="RealmName" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ DomainName: the DNS domain name |
|
+ |
|
+ The DNS domain name for this realm. |
|
+ --> |
|
+ <property name="DomainName" type="s" access="read"/> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.KerberosMembership: |
|
+ |
|
+ An interface used to configure this machine by joining a realm. |
|
+ |
|
+ It sets up a computer/host account in the realm for this machine |
|
+ and a keytab to track the credentials for that account. |
|
+ |
|
+ The various properties are guaranteed to have been updated before |
|
+ the operation methods return, if they change state. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.KerberosMembership"> |
|
+ |
|
+ <!-- |
|
+ SuggestedAdministrator: common administrator name |
|
+ |
|
+ The common administrator name for this type of realm. This |
|
+ can be used by clients as a hint when prompting the user for |
|
+ administrative authentication. |
|
+ --> |
|
+ <property name="SuggestedAdministrator" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ SupportedJoinCredentials: credentials supported for joining |
|
+ |
|
+ Various kinds of credentials that are supported when calling the |
|
+ #org.freedesktop.realmd.Kerberos.Join() method. |
|
+ |
|
+ Each credential is represented by a type and an owner. The type |
|
+ denotes which kind of credential is passed to the method. The |
|
+ owner indicates to the client how to prompt the user or obtain |
|
+ the credential, and to the service how to use the credential. |
|
+ |
|
+ The various types are: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>ccache</literal>: |
|
+ the credentials should contain an array of bytes as a |
|
+ <literal>ay</literal> containing the data from a kerberos |
|
+ credential cache file.</para></listitem> |
|
+ <listitem><para><literal>password</literal>: |
|
+ the credentials should contain a pair of strings as a |
|
+ <literal>(ss)</literal> representing a name and |
|
+ password. The name may contain a realm in the standard |
|
+ kerberos format. If a realm is missing, it will default |
|
+ to this realm. </para></listitem> |
|
+ <listitem><para><literal>secret</literal>: |
|
+ the credentials should contain a string secret as an |
|
+ <literal>ay</literal> array of bytes. This is usually used |
|
+ for one time passwords. To pass a string here, encode it |
|
+ in UTF-8, and place the resulting bytes in the |
|
+ value.</para></listitem> |
|
+ <listitem><para><literal>automatic</literal>: |
|
+ the credentials should contain an empty string as a |
|
+ <literal>s</literal>. Using <literal>automatic</literal> |
|
+ indicates that default or system credentials are to be |
|
+ used.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ The various owners are: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>administrator</literal>: |
|
+ the credentials belong to a kerberos administrator principal. |
|
+ The caller may use this as a hint to prompt the user |
|
+ for administrative credentials.</para></listitem> |
|
+ <listitem><para><literal>user</literal>: |
|
+ the credentials belong to a kerberos user principal. |
|
+ The caller may use this as a hint to prompt the user |
|
+ for his (possibly non-administrative) |
|
+ credentials.</para></listitem> |
|
+ <listitem><para><literal>computer</literal>: |
|
+ the credentials belong to a computer account.</para></listitem> |
|
+ <listitem><para><literal>none</literal>: |
|
+ the credentials have an unspecified owner, such as a one |
|
+ time password.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <property name="SupportedJoinCredentials" type="a(ss)" access="read"/> |
|
+ |
|
+ <!-- |
|
+ SupportedLeaveCredentials: credentials supported for leaving |
|
+ |
|
+ Various kinds of credentials that are supported when calling the |
|
+ #org.freedesktop.realmd.Kerberos.Leave() method. |
|
+ |
|
+ See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for |
|
+ a discussion of what the values represent. |
|
+ --> |
|
+ <property name="SupportedLeaveCredentials" type="a(ss)" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Join: |
|
+ |
|
+ Join this machine to the realm and enroll the machine. |
|
+ |
|
+ If this method returns successfully, then the machine will be |
|
+ joined to the realm. It is not necessary to restart services or the |
|
+ machine afterward. Relevant properties on the realm will be updated |
|
+ before the method returns. |
|
+ |
|
+ The @credentials should be set according to one of the |
|
+ supported credentials returned by |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials. |
|
+ The first string in the tuple is the type, the second string |
|
+ is the owner, and the variant contains the credential contents |
|
+ See the discussion at |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials |
|
+ for more information. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>automatic-id-mapping</literal>: a boolean |
|
+ value whether to turn on automatic UID/GID mapping. If not |
|
+ specified the default will come from realmd.conf |
|
+ configuration.</para></listitem> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ <listitem><para><literal>computer-ou</literal>: a string |
|
+ containing an LDAP DN for an organizational unit where the |
|
+ computer account should be created</para></listitem> |
|
+ <listitem><para><literal>user-principal</literal>: a string |
|
+ containing an kerberos user principal name to be set on the |
|
+ computer account</para></listitem> |
|
+ <listitem><para><literal>membership-software</literal>: a string |
|
+ containing the membership software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ <listitem><para><literal>manage-system</literal>: a boolean |
|
+ which controls whether this machine should be managed by |
|
+ the realm or domain or not. Defaults to true.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.configure-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the join failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to perform a join |
|
+ operation.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>: |
|
+ returned if the credentials passed did not authenticate against the realm |
|
+ correctly. It is appropriate to prompt the user again.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>: |
|
+ returned if already enrolled in this realm, or if already enrolled in another realm |
|
+ (if enrolling in multiple realms is not supported).</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.BadHostname</literal>: |
|
+ returned if the machine has a hostname that is not usable for a join |
|
+ or is in conflict with those in the domain.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Join"> |
|
+ <arg name="credentials" type="(ssv)" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ Leave: |
|
+ |
|
+ Leave the realm and unenroll the machine. |
|
+ |
|
+ If this method returns successfully, then the machine will have |
|
+ left the domain and been unenrolled. It is not necessary to restart |
|
+ services or the machine afterward. Relevant properties on the realm |
|
+ will be updated before the method returns. |
|
+ |
|
+ The @credentials should be set according to one of the |
|
+ supported credentials returned by |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials. |
|
+ The first string in the tuple is the type, the second string |
|
+ is the owner, and the variant contains the credential contents |
|
+ See the discussion at |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials |
|
+ for more information. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the unenroll failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to perform an unenroll |
|
+ operation.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>: |
|
+ returned if the credentials passed did not authenticate against the realm |
|
+ correctly. It is appropriate to prompt the user again.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>: |
|
+ returned if not enrolled in this realm.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Leave"> |
|
+ <arg name="credentials" type="(ssv)" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+</node> |
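Review bot: this hunk vendors the complete realmd introspection document, including the Service, Realm, Kerberos and KerberosMembership interfaces with their Join/Leave/Deconfigure/ChangeLoginPolicy methods, while daemon.c only ever reads the Provider interface's Realms property; gdbus-codegen will emit proxy and skeleton code for every interface in the file. Consider trimming the copy to the org.freedesktop.realmd.Provider interface, or at least adding a header comment recording which realmd release it was taken from so it can be refreshed later. Unrelated to this change but visible in the copy: the Leave description points at #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials, while that property is declared on the KerberosMembership interface; better reported upstream than patched locally.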
|
diff --git a/src/daemon.c b/src/daemon.c |
|
index c52bda3..5ce0216 100644 |
|
--- a/src/daemon.c |
|
+++ b/src/daemon.c |
|
@@ -20,60 +20,61 @@ |
|
* Written by: Matthias Clasen <mclasen@redhat.com> |
|
*/ |
|
|
|
#include "config.h" |
|
|
|
#include <stdlib.h> |
|
#include <stdio.h> |
|
#include <sys/types.h> |
|
#include <sys/stat.h> |
|
#include <fcntl.h> |
|
#include <sys/wait.h> |
|
#include <pwd.h> |
|
#ifdef HAVE_SHADOW_H |
|
#include <shadow.h> |
|
#endif |
|
#include <unistd.h> |
|
#include <errno.h> |
|
#include <sys/types.h> |
|
|
|
#include <glib.h> |
|
#include <glib/gi18n.h> |
|
#include <glib-object.h> |
|
#include <glib/gstdio.h> |
|
#include <gio/gio.h> |
|
#include <polkit/polkit.h> |
|
|
|
#include "user-classify.h" |
|
#include "wtmp-helper.h" |
|
#include "daemon.h" |
|
#include "util.h" |
|
+#include "realmd-generated.h" |
|
|
|
#define PATH_PASSWD "/etc/passwd" |
|
#define PATH_SHADOW "/etc/shadow" |
|
#define PATH_GROUP "/etc/group" |
|
|
|
enum { |
|
PROP_0, |
|
PROP_DAEMON_VERSION |
|
}; |
|
|
|
typedef struct { |
|
GDBusConnection *bus_connection; |
|
|
|
GHashTable *users; |
|
gsize number_of_normal_users; |
|
GList *explicitly_requested_users; |
|
|
|
User *autologin; |
|
|
|
GFileMonitor *passwd_monitor; |
|
GFileMonitor *shadow_monitor; |
|
GFileMonitor *group_monitor; |
|
GFileMonitor *gdm_monitor; |
|
GFileMonitor *wtmp_monitor; |
|
|
|
GQueue *pending_list_cached_users; |
|
|
|
guint reload_id; |
|
guint autologin_id; |
|
|
|
@@ -425,110 +426,167 @@ load_entries (Daemon *daemon, |
|
} else { |
|
g_object_ref (user); |
|
} |
|
|
|
/* freeze & update users not already in the new list */ |
|
g_object_freeze_notify (G_OBJECT (user)); |
|
user_update_from_pwent (user, pwent, spent); |
|
|
|
g_hash_table_insert (users, g_strdup (user_get_user_name (user)), user); |
|
g_debug ("loaded user: %s", user_get_user_name (user)); |
|
} |
|
|
|
if (!explicitly_requested) { |
|
user_set_cached (user, TRUE); |
|
} |
|
} |
|
|
|
/* Generator should have cleaned up */ |
|
g_assert (generator_state == NULL); |
|
} |
|
|
|
static GHashTable * |
|
create_users_hash_table (void) |
|
{ |
|
return g_hash_table_new_full (g_str_hash, |
|
g_str_equal, |
|
g_free, |
|
g_object_unref); |
|
} |
|
|
|
+static gboolean |
|
+ensure_bus_connection (Daemon *daemon) |
|
+{ |
|
+ DaemonPrivate *priv = daemon_get_instance_private (daemon); |
|
+ g_autoptr (GError) error = NULL; |
|
+ |
|
+ if (priv->bus_connection != NULL) |
|
+ return TRUE; |
|
+ |
|
+ priv->bus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error); |
|
+ if (priv->bus_connection == NULL) { |
|
+ if (error != NULL) |
|
+ g_critical ("error getting system bus: %s", error->message); |
|
+ return FALSE; |
|
+ } |
|
+ |
|
+ return TRUE; |
|
+} |
|
+ |
|
+static gboolean |
|
+has_network_realms (Daemon *daemon) |
|
+{ |
|
+ DaemonPrivate *priv = daemon_get_instance_private (daemon); |
|
+ g_autoptr (AccountsRealmdProvider) realmd_provider = NULL; |
|
+ g_autoptr (GError) error = NULL; |
|
+ const char *const *realms = NULL; |
|
+ |
|
+ if (!ensure_bus_connection (daemon)) { |
|
+ return FALSE; |
|
+ } |
|
+ |
|
+ realmd_provider = accounts_realmd_provider_proxy_new_sync (priv->bus_connection, |
|
+ G_DBUS_PROXY_FLAGS_NONE, |
|
+ "org.freedesktop.realmd", |
|
+ "/org/freedesktop/realmd", |
|
+ NULL, |
|
+ &error); |
|
+ if (realmd_provider == NULL) { |
|
+ g_debug ("failed to contact realmd: %s", error->message); |
|
+ return FALSE; |
|
+ } |
|
+ |
|
+ realms = accounts_realmd_provider_get_realms (realmd_provider); |
|
+ |
|
+ if (!realms) { |
|
+ g_debug("realmd provider 'Realms' property is unset"); |
|
+ return FALSE; |
|
+ } |
|
+ |
|
+ return realms[0] != NULL; |
|
+} |
|
+ |
|
static void |
|
reload_users (Daemon *daemon) |
|
{ |
|
DaemonPrivate *priv = daemon_get_instance_private (daemon); |
|
AccountsAccounts *accounts = ACCOUNTS_ACCOUNTS (daemon); |
|
gboolean had_no_users, has_no_users, had_multiple_users, has_multiple_users; |
|
GHashTable *users; |
|
GHashTable *old_users; |
|
GHashTable *local; |
|
GHashTableIter iter; |
|
gsize number_of_normal_users = 0; |
|
gpointer name, value; |
|
|
|
/* Track the users that we saw during our (re)load */ |
|
users = create_users_hash_table (); |
|
|
|
/* |
|
* NOTE: As we load data from all the sources, notifies are |
|
* frozen in load_entries() and then thawed as we process |
|
* them below. |
|
*/ |
|
|
|
/* Load the local users into our hash table */ |
|
load_entries (daemon, users, FALSE, entry_generator_fgetpwent); |
|
local = g_hash_table_new (g_str_hash, g_str_equal); |
|
g_hash_table_iter_init (&iter, users); |
|
while (g_hash_table_iter_next (&iter, &name, NULL)) |
|
g_hash_table_add (local, name); |
|
|
|
/* and add users to hash table that were explicitly requested */ |
|
load_entries (daemon, users, TRUE, entry_generator_requested_users); |
|
|
|
/* Now add/update users from other sources, possibly non-local */ |
|
load_entries (daemon, users, FALSE, entry_generator_cachedir); |
|
|
|
wtmp_helper_update_login_frequencies (users); |
|
|
|
/* Count the non-system users. Mark which users are local, which are not. */ |
|
g_hash_table_iter_init (&iter, users); |
|
while (g_hash_table_iter_next (&iter, &name, &value)) { |
|
User *user = value; |
|
if (!user_get_system_account (user)) |
|
number_of_normal_users++; |
|
user_update_local_account_property (user, g_hash_table_lookup (local, name) != NULL); |
|
} |
|
g_hash_table_destroy (local); |
|
|
|
had_no_users = accounts_accounts_get_has_no_users (accounts); |
|
has_no_users = number_of_normal_users == 0; |
|
|
|
+ if (has_no_users && has_network_realms (daemon)) { |
|
+ g_debug ("No local users, but network realms detected, presuming there are remote users"); |
|
+ has_no_users = FALSE; |
|
+ } |
|
+ |
|
if (had_no_users != has_no_users) |
|
accounts_accounts_set_has_no_users (accounts, has_no_users); |
|
|
|
had_multiple_users = accounts_accounts_get_has_multiple_users (accounts); |
|
has_multiple_users = number_of_normal_users > 1; |
|
|
|
if (had_multiple_users != has_multiple_users) |
|
accounts_accounts_set_has_multiple_users (accounts, has_multiple_users); |
|
|
|
/* Swap out the users */ |
|
old_users = priv->users; |
|
priv->users = users; |
|
|
|
/* Remove all the old users */ |
|
g_hash_table_iter_init (&iter, old_users); |
|
while (g_hash_table_iter_next (&iter, &name, &value)) { |
|
User *user = value; |
|
User *refreshed_user; |
|
|
|
refreshed_user = g_hash_table_lookup (users, name); |
|
|
|
if (!refreshed_user || (user_get_cached (user) && !user_get_cached (refreshed_user))) { |
|
accounts_accounts_emit_user_deleted (ACCOUNTS_ACCOUNTS (daemon), |
|
user_get_object_path (user)); |
|
user_unregister (user); |
|
} |
|
} |
|
|
|
/* Register all the new users */ |
|
g_hash_table_iter_init (&iter, users); |
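Review bot: has_network_realms treats any entry in the Provider's Realms property as proof that the machine is enrolled, but the interface description says that list holds "known, enrolled or discovered realms", so a machine that merely sits on a network where a domain was discovered (e.g. from DHCP) and was never joined would also clear HasNoUsers, and gnome-initial-setup would be skipped on a box with no account that can actually log in. Each realm object exposes a Configured property that is the empty string when the realm is not configured; iterate the returned object paths and return TRUE only if at least one realm's Configured is non-empty, which matches what the commit message promises ("check if machine is enrolled"). Separately, accounts_realmd_provider_proxy_new_sync with G_DBUS_PROXY_FLAGS_NONE runs synchronously inside reload_users, which is triggered by the passwd/shadow/group/gdm/wtmp monitors, and the Service description says realmd exits once its clients disconnect, so dropping the g_autoptr proxy on every return means each reload can block the accounts daemon while realmd is started again and its properties are fetched; caching the result or performing the check asynchronously would avoid that.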
|
@@ -766,64 +824,61 @@ daemon_finalize (GObject *object) |
|
priv = daemon_get_instance_private (daemon); |
|
|
|
if (priv->bus_connection != NULL) |
|
g_object_unref (priv->bus_connection); |
|
|
|
g_queue_free_full (priv->pending_list_cached_users, |
|
(GDestroyNotify) list_user_data_free); |
|
|
|
g_list_free_full (priv->explicitly_requested_users, g_free); |
|
|
|
g_hash_table_destroy (priv->users); |
|
|
|
g_hash_table_unref (priv->extension_ifaces); |
|
|
|
G_OBJECT_CLASS (daemon_parent_class)->finalize (object); |
|
} |
|
|
|
static gboolean |
|
register_accounts_daemon (Daemon *daemon) |
|
{ |
|
DaemonPrivate *priv = daemon_get_instance_private (daemon); |
|
g_autoptr(GError) error = NULL; |
|
|
|
priv->authority = polkit_authority_get_sync (NULL, &error); |
|
if (priv->authority == NULL) { |
|
if (error != NULL) |
|
g_critical ("error getting polkit authority: %s", error->message); |
|
return FALSE; |
|
} |
|
|
|
- priv->bus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error); |
|
- if (priv->bus_connection == NULL) { |
|
- if (error != NULL) |
|
- g_critical ("error getting system bus: %s", error->message); |
|
+ if (!ensure_bus_connection (daemon)) { |
|
return FALSE; |
|
} |
|
|
|
if (!g_dbus_interface_skeleton_export (G_DBUS_INTERFACE_SKELETON (daemon), |
|
priv->bus_connection, |
|
"/org/freedesktop/Accounts", |
|
&error)) { |
|
if (error != NULL) |
|
g_critical ("error exporting interface: %s", error->message); |
|
return FALSE; |
|
} |
|
|
|
return TRUE; |
|
} |
|
|
|
Daemon * |
|
daemon_new (void) |
|
{ |
|
g_autoptr(Daemon) daemon = NULL; |
|
|
|
daemon = DAEMON (g_object_new (TYPE_DAEMON, NULL)); |
|
|
|
if (!register_accounts_daemon (DAEMON (daemon))) { |
|
return NULL; |
|
} |
|
|
|
return g_steal_pointer (&daemon); |
|
} |
|
|
|
static void |
|
diff --git a/src/meson.build b/src/meson.build |
|
index 20d5276..3970749 100644 |
|
--- a/src/meson.build |
|
+++ b/src/meson.build |
|
@@ -1,37 +1,38 @@ |
|
sources = [] |
|
|
|
gdbus_headers = [] |
|
|
|
ifaces = [ |
|
['accounts-generated', 'org.freedesktop.', 'Accounts'], |
|
['accounts-user-generated', act_namespace + '.', 'User'], |
|
+ ['realmd-generated', 'org.freedesktop.', 'realmd'], |
|
] |
|
|
|
foreach iface: ifaces |
|
gdbus_sources = gnome.gdbus_codegen( |
|
iface[0], |
|
join_paths(data_dir, iface[1] + iface[2] + '.xml'), |
|
interface_prefix: iface[1], |
|
namespace: 'Accounts', |
|
) |
|
sources += gdbus_sources |
|
gdbus_headers += gdbus_sources[1] |
|
endforeach |
|
|
|
deps = [ |
|
gio_dep, |
|
gio_unix_dep, |
|
] |
|
|
|
cflags = [ |
|
'-DLOCALSTATEDIR="@0@"'.format(act_localstatedir), |
|
'-DDATADIR="@0@"'.format(act_datadir), |
|
'-DICONDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'icons')), |
|
'-DUSERDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'users')), |
|
] |
|
|
|
libaccounts_generated = static_library( |
|
'accounts-generated', |
|
sources: sources, |
|
include_directories: top_inc, |
|
dependencies: deps, |
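Review bot: the new ifaces entry resolves the XML through join_paths(data_dir, ...), i.e. data/org.freedesktop.realmd.xml, so the second copy added under src/org.freedesktop.realmd.xml is never consumed by this build; drop one of the two so they cannot drift apart. A short comment on the entry would also help, since with interface_prefix 'org.freedesktop.' and namespace 'Accounts' the generated types come out as AccountsRealmdProvider / accounts_realmd_provider_proxy_new_sync, which is not obvious when reading daemon.c.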
|
diff --git a/src/org.freedesktop.realmd.xml b/src/org.freedesktop.realmd.xml |
|
new file mode 100644 |
|
index 0000000..c34a47a |
|
--- /dev/null |
|
+++ b/src/org.freedesktop.realmd.xml |
|
@@ -0,0 +1,730 @@ |
|
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" |
|
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd"> |
|
+<node name="/"> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Provider: |
|
+ @short_description: a realm provider |
|
+ |
|
+ Various realm providers represent different software implementations |
|
+ that provide access to realms or domains. |
|
+ |
|
+ This interface is implemented by individual providers, but is |
|
+ aggregated globally at the system bus name |
|
+ <literal>org.freedesktop.realmd</literal> |
|
+ with the object path <literal>/org/freedesktop/realmd</literal> |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Provider"> |
|
+ |
|
+ <!-- |
|
+ Name: the name of the provider |
|
+ |
|
+ The name of the provider. This is not normally displayed |
|
+ to the user, but may be useful for diagnostics or debugging. |
|
+ --> |
|
+ <property name="Name" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Version: the version of the provider |
|
+ |
|
+ The version of the provider. This is not normally used in |
|
+ logic, but may be useful for diagnostics or debugging. |
|
+ --> |
|
+ <property name="Version" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Realms: a list of realms |
|
+ |
|
+ A list of known, enrolled or discovered realms. All realms |
|
+ that this provider knows about are listed here. As realms |
|
+ are discovered they are added to this list. |
|
+ |
|
+ Each realm is represented by the DBus object path of the |
|
+ realm object. |
|
+ --> |
|
+ <property name="Realms" type="ao" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Discover: |
|
+ @string: an input string to discover realms for |
|
+ @options: options for the discovery operation |
|
+ @relevance: the relevance of the returned results |
|
+ @realm: a list of realms discovered |
|
+ |
|
+ Discover realms for the given string. The input @string is |
|
+ usually a domain or realm name, perhaps typed by a user. If |
|
+ an empty string is provided, the realm provider should try to |
|
+ discover a default realm, if possible (e.g. from DHCP). |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ <listitem><para><literal>client-software</literal>: a string |
|
+ containing the client software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ <listitem><para><literal>server-software</literal>: a string |
|
+ containing the client software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ <listitem><para><literal>membership-software</literal>: a string |
|
+ containing the membership software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ The @relevance returned can be used to rank results from |
|
+ different discover calls to different providers. Implementors |
|
+ should return a positive number if the provider highly |
|
+ recommends that the realms be handled by this provider, |
|
+ or a zero if it can possibly handle the realms. Negative numbers |
|
+ should be returned if no realms are found. |
|
+ |
|
+ This method does not return an error when no realms are |
|
+ discovered. It simply returns an empty @realm list. |
|
+ |
|
+ To see diagnostic information about the discovery process, |
|
+ connect to the org.freedesktop.realmd.Service::Diagnostics |
|
+ signal. |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.discover-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may |
|
+ return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the discovery could not be run for some reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to perform a discovery |
|
+ operation.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Discover"> |
|
+ <arg name="string" type="s" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ <arg name="relevance" type="i" direction="out"/> |
|
+ <arg name="realm" type="ao" direction="out"/> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Service: |
|
+ @short_description: the realmd service |
|
+ |
|
+ Global calls for managing the realmd service. Usually you'll want |
|
+ to use #org.freedesktop.realmd.Provider instead. |
|
+ |
|
+ This interface is implemented by the realmd service, and is always |
|
+ available at the object path <literal>/org/freedesktop/realmd</literal> |
|
+ |
|
+ The service also implements the |
|
+ <literal>org.freedesktop.DBus.ObjectManager</literal> interface which |
|
+ makes it easy to retrieve all realmd objects and properties in one go. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Service"> |
|
+ |
|
+ <!-- |
|
+ Cancel: |
|
+ @operation: the operation to cancel |
|
+ |
|
+ Cancel a realmd operation. To be able to cancel an operation, |
|
+ pass a uniquely chosen <literal>operation</literal> string |
|
+ identifier as an option in the method's <literal>options</literal> |
|
+ argument. |
|
+ |
|
+ These operation string identifiers should be unique per client |
|
+ calling the realmd service. |
|
+ |
|
+ It is not guaranteed that the service can or will cancel the |
|
+ operation. For example, the operation may have already completed |
|
+ by the time this method is handled. The caller of the operation |
|
+ method will receive a |
|
+ <literal>org.freedesktop.realmd.Error.Cancelled</literal> |
|
+ if the operation was cancelled. |
|
+ --> |
|
+ <method name="Cancel"> |
|
+ <arg name="operation" type="s" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ SetLocale: |
|
+ @locale: the locale for the client |
|
+ |
|
+ Set the language @locale for the client. This locale is used |
|
+ for error messages. The locale is used until the next time |
|
+ this method is called, the client disconnects, or the client |
|
+ calls #org.freedesktop.realmd.Service.Release(). |
|
+ --> |
|
+ <method name="SetLocale"> |
|
+ <arg name="locale" type="s" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ Diagnostics: |
|
+ @data: diagnostic data |
|
+ @operation: the operation this data resulted from |
|
+ |
|
+ This signal is fired when diagnostics result from an operation |
|
+ in the provider or one of its realms. |
|
+ |
|
+ It is not guaranteed that this signal is emitted once per line. |
|
+ More than one line may be contained in @data, or a partial |
|
+ line. New line characters are embedded in @data. |
|
+ |
|
+ This signal is sent explicitly to the client which invoked an |
|
+ operation method. In order to tell which operation this |
|
+ diagnostic data results from, pass a unique |
|
+ <literal>operation</literal> string identifier in the |
|
+ <literal>options</literal> argument of the operation method. |
|
+ That same identifier will be passed back via the @operation |
|
+ argument of this signal. |
|
+ --> |
|
+ <signal name="Diagnostics"> |
|
+ <arg name="data" type="s"/> |
|
+ <arg name="operation" type="s"/> |
|
+ </signal> |
|
+ |
|
+ <!-- |
|
+ Release: |
|
+ |
|
+ Normally, realmd waits until all clients have disconnected |
|
+ before exiting itself sometime later. Long lived clients |
|
+ can call this method to allow the realmd service to quit. |
|
+ This is an optimization. The daemon will not exit immediately. |
|
+ It is safe to call this multiple times. |
|
+ --> |
|
+ <method name="Release"> |
|
+ <!-- no arguments --> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Realm: |
|
+ @short_description: a realm |
|
+ |
|
+ Represents one realm. |
|
+ |
|
+ Contains generic information about a realm, and useful properties for |
|
+ introspecting what kind of realm this is and how to work with |
|
+ the realm. |
|
+ |
|
+ Use #org.freedesktop.realmd.Provider:Realms or |
|
+ #org.freedesktop.realmd.Provider.Discover() to get access to some |
|
+ kerberos realm objects. |
|
+ |
|
+ Realms will always implement additional interfaces, such as |
|
+ #org.freedesktop.realmd.Kerberos. Do not assume that all realms |
|
+ implement that kerberos interface. Use the |
|
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property to see |
|
+ which interfaces are supported. |
|
+ |
|
+ Different realms support various ways to configure them on the |
|
+ system. Use the #org.freedesktop.realmd.Realm:Configured property |
|
+ to determine if a realm is configured. If it is configured, the |
|
+ property will be set to the interface of the mechanism that was |
|
+ used to configure it. |
|
+ |
|
+ To configure a realm, look in the |
|
+ #org.freedesktop.realmd.Realm:SupportedInterfaces property for a |
|
+ recognized purpose-specific interface that can be used for |
|
+ configuration, such as the |
|
+ #org.freedesktop.realmd.KerberosMembership interface and its |
|
+ #org.freedesktop.realmd.KerberosMembership.Join() method. |
|
+ |
|
+ To deconfigure a realm from the current system, you can use the |
|
+ #org.freedesktop.realmd.Realm.Deconfigure() method. In addition, some |
|
+ of the configuration specific interfaces provide methods to |
|
+ deconfigure a realm in a specific way, such as the |
|
+ #org.freedesktop.realmd.KerberosMembership.Leave() method. |
|
+ |
|
+ The various properties are guaranteed to have been updated before |
|
+ the operation methods return, if they change state. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Realm"> |
|
+ |
|
+ <!-- |
|
+ Name: the realm name |
|
+ |
|
+ This is the name of the realm, appropriate for display to |
|
+ end users where necessary. |
|
+ --> |
|
+ <property name="Name" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Configured: whether this domain is configured and how |
|
+ |
|
+ If this property is an empty string, then the realm is not |
|
+ configured. Otherwise the realm is configured, and contains |
|
+ a string which is the interface that represents how it was |
|
+ configured, for example #org.freedesktop.realmd.KerberosMembership. |
|
+ --> |
|
+ <property name="Configured" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Deconfigure: deconfigure this realm |
|
+ |
|
+ Deconfigure this realm from the local machine with standard |
|
+ default behavior. |
|
+ |
|
+ The behavior of this method depends on the which configuration |
|
+ interface is present in the |
|
+ #org.freedesktop.realmd.Realm.Configured property. It does not |
|
+ always delete membership accounts in the realm, but just |
|
+ reconfigures the local machine so it no longer is configured |
|
+ for the given realm. In some cases the implementation may try |
|
+ to update membership accounts, but this is not guaranteed. |
|
+ |
|
+ Various configuration interfaces may support more specific ways |
|
+ to deconfigure a realm in a specific way, such as the |
|
+ #org.freedesktop.realmd.KerberosMembership.Leave() method. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the deconfigure failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to deconfigure a |
|
+ realm.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>: |
|
+ returned if this realm is not configured on the machine.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Deconfigure"> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ SupportedInterfaces: |
|
+ |
|
+ Additional supported interfaces of this realm. This includes |
|
+ interfaces that contain more information about the realm, |
|
+ such as #org.freedesktop.realmd.Kerberos and interfaces |
|
+ which contain methods for configuring a realm, such as |
|
+ #org.freedesktop.realmd.KerberosMembership. |
|
+ --> |
|
+ <property name="SupportedInterfaces" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Details: informational details about the realm |
|
+ |
|
+ Informational details about the realm. The following values |
|
+ should be present: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>server-software</literal>: |
|
+ identifier of the software running on the server (e.g. |
|
+ <literal>active-directory</literal>).</para></listitem> |
|
+ <listitem><para><literal>client-software</literal>: |
|
+ identifier of the software running on the client (e.g. |
|
+ <literal>sssd</literal>).</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <property name="Details" type="a(ss)" access="read"/> |
|
+ |
|
+ <!-- |
|
+ RequiredPackages: prerequisite software |
|
+ |
|
+ Software packages that are required in order for a join to |
|
+ succeed. These are either simple strings like <literal>sssd</literal>, |
|
+ or strings with an operator and version number like |
|
+ <literal>sssd >= 1.9.0</literal> |
|
+ |
|
+ These values are specific to the packaging system that is |
|
+ being run. |
|
+ --> |
|
+ <property name="RequiredPackages" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ LoginFormats: supported formats for login names |
|
+ |
|
+ Supported formats for login to this realm. This is only |
|
+ relevant once the realm has been enrolled. The formats |
|
+ will contain a <literal>%U</literal> in the string, which |
|
+ indicate where the user name should be placed. The formats |
|
+ may contain a <literal>%D</literal> in the string which |
|
+ indicate where a domain name should be placed. |
|
+ |
|
+ The first format in the list is the preferred format for |
|
+ login names. |
|
+ --> |
|
+ <property name="LoginFormats" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ LoginPolicy: the policy for logins using this realm |
|
+ |
|
+ The policy for logging into this computer using this realm. |
|
+ |
|
+ The policy can be changed using the |
|
+ #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method. |
|
+ |
|
+ The following policies are predefined. Not all providers |
|
+ support all these policies and there may be provider specific |
|
+ policies or multiple policies represented in the string: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>allow-any-login</literal>: allow |
|
+ login by any authenticated user present in this |
|
+ realm.</para></listitem> |
|
+ <listitem><para><literal>allow-realm-logins</literal>: allow |
|
+ logins according to the realm or domain policy for logins |
|
+ on this machine. This usually defaults to allowing any realm |
|
+ user to log in.</para></listitem> |
|
+ <listitem><para><literal>allow-permitted-logins</literal>: |
|
+ only allow the logins permitted in the |
|
+ #org.freedesktop.realmd.Realm:PermittedLogins |
|
+ property.</para></listitem> |
|
+ <listitem><para><literal>deny-any-login</literal>: |
|
+ don't allow any logins via authenticated users of this |
|
+ realm.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <property name="LoginPolicy" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ PermittedLogins: the permitted login names |
|
+ |
|
+ The list of permitted authenticated users allowed to login |
|
+ into this computer. This is only relevant if the |
|
+ #org.freedesktop.realmd.Realm:LoginPolicy property |
|
+ contains the <literal>allow-permitted-logins</literal> |
|
+ string. |
|
+ --> |
|
+ <property name="PermittedLogins" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ PermittedGroups: the permitted group names |
|
+ |
|
+ The list of groups which users need to be in to be allowed |
|
+ to log into this computer. This is only relevant if the |
|
+ #org.freedesktop.realmd.Realm:LoginPolicy property |
|
+ contains the <literal>allow-permitted-logins</literal> |
|
+ string. |
|
+ --> |
|
+ <property name="PermittedGroups" type="as" access="read"/> |
|
+ |
|
+ <!-- |
|
+ ChangeLoginPolicy: |
|
+ @login_policy: the new login policy, or an empty string |
|
+ @permitted_add: a list of logins to permit |
|
+ @permitted_remove: a list of logins to not permit |
|
+ @options: options for this operation |
|
+ |
|
+ Change the login policy and/or permitted logins for this realm. |
|
+ |
|
+ Not all realms support all the various login policies. An |
|
+ error will be returned if the new login policy is not supported. |
|
+ You may specify an empty string for the @login_policy argument |
|
+ which will cause no change in the policy itself. If the policy |
|
+ is changed, it will be reflected in the |
|
+ #org.freedesktop.realmd.Realm:LoginPolicy property. |
|
+ |
|
+ The @permitted_add and @permitted_remove arguments represent |
|
+ lists of login names that should be added and removed from |
|
+ the #org.freedesktop.realmd.Kerberos:PermittedLogins property. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ <listitem><para><literal>groups</literal>: boolean which if |
|
+ set to <literal>TRUE</literal> means that the names in |
|
+ @permitted_add and @permitted_remove are group names instead |
|
+ of login names.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.login-policy</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the policy change failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to change login policy |
|
+ operation.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>: |
|
+ returned if the realm is not configured.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="ChangeLoginPolicy"> |
|
+ <arg name="login_policy" type="s" direction="in"/> |
|
+ <arg name="permitted_add" type="as" direction="in"/> |
|
+ <arg name="permitted_remove" type="as" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.Kerberos: |
|
+ @short_description: a kerberos realm |
|
+ |
|
+ An interface that describes a kerberos realm in more detail. This |
|
+ is always implemented on an DBus object path that also implements |
|
+ the #org.freedesktop.realmd.Realm interface. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.Kerberos"> |
|
+ |
|
+ <!-- |
|
+ RealmName: the kerberos realm name |
|
+ |
|
+ The kerberos name for this realm. This is usually in upper |
|
+ case. |
|
+ --> |
|
+ <property name="RealmName" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ DomainName: the DNS domain name |
|
+ |
|
+ The DNS domain name for this realm. |
|
+ --> |
|
+ <property name="DomainName" type="s" access="read"/> |
|
+ |
|
+ </interface> |
|
+ |
|
+ <!-- |
|
+ org.freedesktop.realmd.KerberosMembership: |
|
+ |
|
+ An interface used to configure this machine by joining a realm. |
|
+ |
|
+ It sets up a computer/host account in the realm for this machine |
|
+ and a keytab to track the credentials for that account. |
|
+ |
|
+ The various properties are guaranteed to have been updated before |
|
+ the operation methods return, if they change state. |
|
+ --> |
|
+ <interface name="org.freedesktop.realmd.KerberosMembership"> |
|
+ |
|
+ <!-- |
|
+ SuggestedAdministrator: common administrator name |
|
+ |
|
+ The common administrator name for this type of realm. This |
|
+ can be used by clients as a hint when prompting the user for |
|
+ administrative authentication. |
|
+ --> |
|
+ <property name="SuggestedAdministrator" type="s" access="read"/> |
|
+ |
|
+ <!-- |
|
+ SupportedJoinCredentials: credentials supported for joining |
|
+ |
|
+ Various kinds of credentials that are supported when calling the |
|
+ #org.freedesktop.realmd.Kerberos.Join() method. |
|
+ |
|
+ Each credential is represented by a type and an owner. The type |
|
+ denotes which kind of credential is passed to the method. The |
|
+ owner indicates to the client how to prompt the user or obtain |
|
+ the credential, and to the service how to use the credential. |
|
+ |
|
+ The various types are: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>ccache</literal>: |
|
+ the credentials should contain an array of bytes as a |
|
+ <literal>ay</literal> containing the data from a kerberos |
|
+ credential cache file.</para></listitem> |
|
+ <listitem><para><literal>password</literal>: |
|
+ the credentials should contain a pair of strings as a |
|
+ <literal>(ss)</literal> representing a name and |
|
+ password. The name may contain a realm in the standard |
|
+ kerberos format. If a realm is missing, it will default |
|
+ to this realm. </para></listitem> |
|
+ <listitem><para><literal>secret</literal>: |
|
+ the credentials should contain a string secret as an |
|
+ <literal>ay</literal> array of bytes. This is usually used |
|
+ for one time passwords. To pass a string here, encode it |
|
+ in UTF-8, and place the resulting bytes in the |
|
+ value.</para></listitem> |
|
+ <listitem><para><literal>automatic</literal>: |
|
+ the credentials should contain an empty string as a |
|
+ <literal>s</literal>. Using <literal>automatic</literal> |
|
+ indicates that default or system credentials are to be |
|
+ used.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ The various owners are: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>administrator</literal>: |
|
+ the credentials belong to a kerberos administrator principal. |
|
+ The caller may use this as a hint to prompt the user |
|
+ for administrative credentials.</para></listitem> |
|
+ <listitem><para><literal>user</literal>: |
|
+ the credentials belong to a kerberos user principal. |
|
+ The caller may use this as a hint to prompt the user |
|
+ for his (possibly non-administrative) |
|
+ credentials.</para></listitem> |
|
+ <listitem><para><literal>computer</literal>: |
|
+ the credentials belong to a computer account.</para></listitem> |
|
+ <listitem><para><literal>none</literal>: |
|
+ the credentials have an unspecified owner, such as a one |
|
+ time password.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <property name="SupportedJoinCredentials" type="a(ss)" access="read"/> |
|
+ |
|
+ <!-- |
|
+ SupportedLeaveCredentials: credentials supported for leaving |
|
+ |
|
+ Various kinds of credentials that are supported when calling the |
|
+ #org.freedesktop.realmd.Kerberos.Leave() method. |
|
+ |
|
+ See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for |
|
+ a discussion of what the values represent. |
|
+ --> |
|
+ <property name="SupportedLeaveCredentials" type="a(ss)" access="read"/> |
|
+ |
|
+ <!-- |
|
+ Join: |
|
+ |
|
+ Join this machine to the realm and enroll the machine. |
|
+ |
|
+ If this method returns successfully, then the machine will be |
|
+ joined to the realm. It is not necessary to restart services or the |
|
+ machine afterward. Relevant properties on the realm will be updated |
|
+ before the method returns. |
|
+ |
|
+ The @credentials should be set according to one of the |
|
+ supported credentials returned by |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials. |
|
+ The first string in the tuple is the type, the second string |
|
+ is the owner, and the variant contains the credential contents |
|
+ See the discussion at |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials |
|
+ for more information. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>automatic-id-mapping</literal>: a boolean |
|
+ value whether to turn on automatic UID/GID mapping. If not |
|
+ specified the default will come from realmd.conf |
|
+ configuration.</para></listitem> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ <listitem><para><literal>computer-ou</literal>: a string |
|
+ containing an LDAP DN for an organizational unit where the |
|
+ computer account should be created</para></listitem> |
|
+ <listitem><para><literal>user-principal</literal>: a string |
|
+ containing an kerberos user principal name to be set on the |
|
+ computer account</para></listitem> |
|
+ <listitem><para><literal>membership-software</literal>: a string |
|
+ containing the membership software identifier that the returned |
|
+ realms should match.</para></listitem> |
|
+ <listitem><para><literal>manage-system</literal>: a boolean |
|
+ which controls whether this machine should be managed by |
|
+ the realm or domain or not. Defaults to true.</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.configure-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the join failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to perform a join |
|
+ operation.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>: |
|
+ returned if the credentials passed did not authenticate against the realm |
|
+ correctly. It is appropriate to prompt the user again.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>: |
|
+ returned if already enrolled in this realm, or if already enrolled in another realm |
|
+ (if enrolling in multiple realms is not supported).</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.BadHostname</literal>: |
|
+ returned if the machine has a hostname that is not usable for a join |
|
+ or is in conflict with those in the domain.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Join"> |
|
+ <arg name="credentials" type="(ssv)" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ <!-- |
|
+ Leave: |
|
+ |
|
+ Leave the realm and unenroll the machine. |
|
+ |
|
+ If this method returns successfully, then the machine will have |
|
+ left the domain and been unenrolled. It is not necessary to restart |
|
+ services or the machine afterward. Relevant properties on the realm |
|
+ will be updated before the method returns. |
|
+ |
|
+ The @credentials should be set according to one of the |
|
+ supported credentials returned by |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials. |
|
+ The first string in the tuple is the type, the second string |
|
+ is the owner, and the variant contains the credential contents |
|
+ See the discussion at |
|
+ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials |
|
+ for more information. |
|
+ |
|
+ @options can contain, but is not limited to, the following values: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>operation</literal>: a string |
|
+ identifier chosen by the client, which can then later be |
|
+ passed to org.freedesktop.realmd.Service.Cancel() in order |
|
+ to cancel the operation</para></listitem> |
|
+ </itemizedlist> |
|
+ |
|
+ This method requires authorization for the PolicyKit action |
|
+ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>. |
|
+ |
|
+ In addition to common DBus error results, this method may return: |
|
+ <itemizedlist> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>: |
|
+ may be returned if the unenroll failed for a generic reason.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>: |
|
+ returned if the operation was cancelled.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>: |
|
+ returned if the calling client is not permitted to perform an unenroll |
|
+ operation.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>: |
|
+ returned if the credentials passed did not authenticate against the realm |
|
+ correctly. It is appropriate to prompt the user again.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>: |
|
+ returned if not enrolled in this realm.</para></listitem> |
|
+ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>: |
|
+ returned if the service is currently performing another operation like |
|
+ join or leave.</para></listitem> |
|
+ </itemizedlist> |
|
+ --> |
|
+ <method name="Leave"> |
|
+ <arg name="credentials" type="(ssv)" direction="in"/> |
|
+ <arg name="options" type="a{sv}" direction="in"/> |
|
+ </method> |
|
+ |
|
+ </interface> |
|
+ |
|
+</node> |
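Review bot: the Leave documentation in this hunk (the paragraph starting "The @credentials should be set according to one of the supported credentials returned by") sends callers to #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials, but the property defined for this method is SupportedLeaveCredentials, declared just above; the same block, along with the SupportedJoinCredentials and SupportedLeaveCredentials descriptions, also refers to #org.freedesktop.realmd.Kerberos.Join(), #org.freedesktop.realmd.Kerberos.Leave() and #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials, while Join, Leave and both Supported*Credentials properties are declared in the org.freedesktop.realmd.KerberosMembership interface, not in org.freedesktop.realmd.Kerberos. Smaller doc nits in the same region: "credential contents See the discussion" is missing a full stop, "an kerberos user principal name" should read "a kerberos user principal name", and the NotAuthorized text for ChangeLoginPolicy ("not permitted to change login policy operation") reads awkwardly. Since this file is a copy of realmd's own introspection XML, either fix these upstream and refresh the copy, or record in the commit message which realmd version the file was taken from so it can be re-synced verbatim later; local edits to a vendored file tend to be lost on the next refresh. It is also worth a sentence in the commit message on why the full interface, including the PolicyKit-gated Join, Leave and ChangeLoginPolicy methods, is needed when the daemon only has to read whether the machine is enrolled.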
|
-- |
|
2.27.0 |
|
|
|
|