summaryrefslogtreecommitdiff
path: root/0001-daemon-if-no-local-users-check-if-machine-is-enrolle.patch
diff options
context:
space:
mode:
Diffstat (limited to '0001-daemon-if-no-local-users-check-if-machine-is-enrolle.patch')
-rw-r--r--0001-daemon-if-no-local-users-check-if-machine-is-enrolle.patch1839
1 files changed, 1839 insertions, 0 deletions
diff --git a/0001-daemon-if-no-local-users-check-if-machine-is-enrolle.patch b/0001-daemon-if-no-local-users-check-if-machine-is-enrolle.patch
new file mode 100644
index 0000000..5185345
--- /dev/null
+++ b/0001-daemon-if-no-local-users-check-if-machine-is-enrolle.patch
@@ -0,0 +1,1839 @@
+From 54b207649979475ea7f1fa5eaaea94be31d20935 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Fri, 13 Dec 2019 15:16:06 -0500
+Subject: [PATCH] daemon: if no local users, check if machine is enrolled in
+ network
+
+GDM will show gnome initial-setup if a machine has no local users.
+But it's totally possible that a machine has only remote users,
+and shouldn't have a local user.
+
+This commit detects that case, and avoids setting the HasNoUsers
+property.
+---
+ data/org.freedesktop.realmd.xml | 730 ++++++++++++++++++++++++++++++++
+ src/daemon.c | 63 ++-
+ src/meson.build | 1 +
+ src/org.freedesktop.realmd.xml | 730 ++++++++++++++++++++++++++++++++
+ 4 files changed, 1520 insertions(+), 4 deletions(-)
+ create mode 100644 data/org.freedesktop.realmd.xml
+ create mode 100644 src/org.freedesktop.realmd.xml
+
+diff --git a/data/org.freedesktop.realmd.xml b/data/org.freedesktop.realmd.xml
+new file mode 100644
+index 0000000..c34a47a
+--- /dev/null
++++ b/data/org.freedesktop.realmd.xml
+@@ -0,0 +1,730 @@
++<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
++ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
++<node name="/">
++
++ <!--
++ org.freedesktop.realmd.Provider:
++ @short_description: a realm provider
++
++ Various realm providers represent different software implementations
++ that provide access to realms or domains.
++
++ This interface is implemented by individual providers, but is
++ aggregated globally at the system bus name
++ <literal>org.freedesktop.realmd</literal>
++ with the object path <literal>/org/freedesktop/realmd</literal>
++ -->
++ <interface name="org.freedesktop.realmd.Provider">
++
++ <!--
++ Name: the name of the provider
++
++ The name of the provider. This is not normally displayed
++ to the user, but may be useful for diagnostics or debugging.
++ -->
++ <property name="Name" type="s" access="read"/>
++
++ <!--
++ Version: the version of the provider
++
++ The version of the provider. This is not normally used in
++ logic, but may be useful for diagnostics or debugging.
++ -->
++ <property name="Version" type="s" access="read"/>
++
++ <!--
++ Realms: a list of realms
++
++ A list of known, enrolled or discovered realms. All realms
++ that this provider knows about are listed here. As realms
++ are discovered they are added to this list.
++
++ Each realm is represented by the DBus object path of the
++ realm object.
++ -->
++ <property name="Realms" type="ao" access="read"/>
++
++ <!--
++ Discover:
++ @string: an input string to discover realms for
++ @options: options for the discovery operation
++ @relevance: the relevance of the returned results
++ @realm: a list of realms discovered
++
++ Discover realms for the given string. The input @string is
++ usually a domain or realm name, perhaps typed by a user. If
++ an empty string is provided, the realm provider should try to
++ discover a default realm, if possible (e.g. from DHCP).
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ <listitem><para><literal>client-software</literal>: a string
++ containing the client software identifier that the returned
++ realms should match.</para></listitem>
++ <listitem><para><literal>server-software</literal>: a string
++ containing the client software identifier that the returned
++ realms should match.</para></listitem>
++ <listitem><para><literal>membership-software</literal>: a string
++ containing the membership software identifier that the returned
++ realms should match.</para></listitem>
++ </itemizedlist>
++
++ The @relevance returned can be used to rank results from
++ different discover calls to different providers. Implementors
++ should return a positive number if the provider highly
++ recommends that the realms be handled by this provider,
++ or a zero if it can possibly handle the realms. Negative numbers
++ should be returned if no realms are found.
++
++ This method does not return an error when no realms are
++ discovered. It simply returns an empty @realm list.
++
++ To see diagnostic information about the discovery process,
++ connect to the org.freedesktop.realmd.Service::Diagnostics
++ signal.
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.discover-realm</literal>.
++
++ In addition to common DBus error results, this method may
++ return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the discovery could not be run for some reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to perform a discovery
++ operation.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Discover">
++ <arg name="string" type="s" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ <arg name="relevance" type="i" direction="out"/>
++ <arg name="realm" type="ao" direction="out"/>
++ </method>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.Service:
++ @short_description: the realmd service
++
++ Global calls for managing the realmd service. Usually you'll want
++ to use #org.freedesktop.realmd.Provider instead.
++
++ This interface is implemented by the realmd service, and is always
++ available at the object path <literal>/org/freedesktop/realmd</literal>
++
++ The service also implements the
++ <literal>org.freedesktop.DBus.ObjectManager</literal> interface which
++ makes it easy to retrieve all realmd objects and properties in one go.
++ -->
++ <interface name="org.freedesktop.realmd.Service">
++
++ <!--
++ Cancel:
++ @operation: the operation to cancel
++
++ Cancel a realmd operation. To be able to cancel an operation,
++ pass a uniquely chosen <literal>operation</literal> string
++ identifier as an option in the method's <literal>options</literal>
++ argument.
++
++ These operation string identifiers should be unique per client
++ calling the realmd service.
++
++ It is not guaranteed that the service can or will cancel the
++ operation. For example, the operation may have already completed
++ by the time this method is handled. The caller of the operation
++ method will receive a
++ <literal>org.freedesktop.realmd.Error.Cancelled</literal>
++ if the operation was cancelled.
++ -->
++ <method name="Cancel">
++ <arg name="operation" type="s" direction="in"/>
++ </method>
++
++ <!--
++ SetLocale:
++ @locale: the locale for the client
++
++ Set the language @locale for the client. This locale is used
++ for error messages. The locale is used until the next time
++ this method is called, the client disconnects, or the client
++ calls #org.freedesktop.realmd.Service.Release().
++ -->
++ <method name="SetLocale">
++ <arg name="locale" type="s" direction="in"/>
++ </method>
++
++ <!--
++ Diagnostics:
++ @data: diagnostic data
++ @operation: the operation this data resulted from
++
++ This signal is fired when diagnostics result from an operation
++ in the provider or one of its realms.
++
++ It is not guaranteed that this signal is emitted once per line.
++ More than one line may be contained in @data, or a partial
++ line. New line characters are embedded in @data.
++
++ This signal is sent explicitly to the client which invoked an
++ operation method. In order to tell which operation this
++ diagnostic data results from, pass a unique
++ <literal>operation</literal> string identifier in the
++ <literal>options</literal> argument of the operation method.
++ That same identifier will be passed back via the @operation
++ argument of this signal.
++ -->
++ <signal name="Diagnostics">
++ <arg name="data" type="s"/>
++ <arg name="operation" type="s"/>
++ </signal>
++
++ <!--
++ Release:
++
++ Normally, realmd waits until all clients have disconnected
++ before exiting itself sometime later. Long lived clients
++ can call this method to allow the realmd service to quit.
++ This is an optimization. The daemon will not exit immediately.
++ It is safe to call this multiple times.
++ -->
++ <method name="Release">
++ <!-- no arguments -->
++ </method>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.Realm:
++ @short_description: a realm
++
++ Represents one realm.
++
++ Contains generic information about a realm, and useful properties for
++ introspecting what kind of realm this is and how to work with
++ the realm.
++
++ Use #org.freedesktop.realmd.Provider:Realms or
++ #org.freedesktop.realmd.Provider.Discover() to get access to some
++ kerberos realm objects.
++
++ Realms will always implement additional interfaces, such as
++ #org.freedesktop.realmd.Kerberos. Do not assume that all realms
++ implement that kerberos interface. Use the
++ #org.freedesktop.realmd.Realm:SupportedInterfaces property to see
++ which interfaces are supported.
++
++ Different realms support various ways to configure them on the
++ system. Use the #org.freedesktop.realmd.Realm:Configured property
++ to determine if a realm is configured. If it is configured, the
++ property will be set to the interface of the mechanism that was
++ used to configure it.
++
++ To configure a realm, look in the
++ #org.freedesktop.realmd.Realm:SupportedInterfaces property for a
++ recognized purpose-specific interface that can be used for
++ configuration, such as the
++ #org.freedesktop.realmd.KerberosMembership interface and its
++ #org.freedesktop.realmd.KerberosMembership.Join() method.
++
++ To deconfigure a realm from the current system, you can use the
++ #org.freedesktop.realmd.Realm.Deconfigure() method. In addition, some
++ of the configuration specific interfaces provide methods to
++ deconfigure a realm in a specific way, such as the
++ #org.freedesktop.realmd.KerberosMembership.Leave() method.
++
++ The various properties are guaranteed to have been updated before
++ the operation methods return, if they change state.
++ -->
++ <interface name="org.freedesktop.realmd.Realm">
++
++ <!--
++ Name: the realm name
++
++ This is the name of the realm, appropriate for display to
++ end users where necessary.
++ -->
++ <property name="Name" type="s" access="read"/>
++
++ <!--
++ Configured: whether this domain is configured and how
++
++ If this property is an empty string, then the realm is not
++ configured. Otherwise the realm is configured, and contains
++ a string which is the interface that represents how it was
++ configured, for example #org.freedesktop.realmd.KerberosMembership.
++ -->
++ <property name="Configured" type="s" access="read"/>
++
++ <!--
++ Deconfigure: deconfigure this realm
++
++ Deconfigure this realm from the local machine with standard
++ default behavior.
++
++ The behavior of this method depends on the which configuration
++ interface is present in the
++ #org.freedesktop.realmd.Realm.Configured property. It does not
++ always delete membership accounts in the realm, but just
++ reconfigures the local machine so it no longer is configured
++ for the given realm. In some cases the implementation may try
++ to update membership accounts, but this is not guaranteed.
++
++ Various configuration interfaces may support more specific ways
++ to deconfigure a realm in a specific way, such as the
++ #org.freedesktop.realmd.KerberosMembership.Leave() method.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the deconfigure failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to deconfigure a
++ realm.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
++ returned if this realm is not configured on the machine.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Deconfigure">
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ <!--
++ SupportedInterfaces:
++
++ Additional supported interfaces of this realm. This includes
++ interfaces that contain more information about the realm,
++ such as #org.freedesktop.realmd.Kerberos and interfaces
++ which contain methods for configuring a realm, such as
++ #org.freedesktop.realmd.KerberosMembership.
++ -->
++ <property name="SupportedInterfaces" type="as" access="read"/>
++
++ <!--
++ Details: informational details about the realm
++
++ Informational details about the realm. The following values
++ should be present:
++ <itemizedlist>
++ <listitem><para><literal>server-software</literal>:
++ identifier of the software running on the server (e.g.
++ <literal>active-directory</literal>).</para></listitem>
++ <listitem><para><literal>client-software</literal>:
++ identifier of the software running on the client (e.g.
++ <literal>sssd</literal>).</para></listitem>
++ </itemizedlist>
++ -->
++ <property name="Details" type="a(ss)" access="read"/>
++
++ <!--
++ RequiredPackages: prerequisite software
++
++ Software packages that are required in order for a join to
++ succeed. These are either simple strings like <literal>sssd</literal>,
++ or strings with an operator and version number like
++ <literal>sssd >= 1.9.0</literal>
++
++ These values are specific to the packaging system that is
++ being run.
++ -->
++ <property name="RequiredPackages" type="as" access="read"/>
++
++ <!--
++ LoginFormats: supported formats for login names
++
++ Supported formats for login to this realm. This is only
++ relevant once the realm has been enrolled. The formats
++ will contain a <literal>%U</literal> in the string, which
++ indicate where the user name should be placed. The formats
++ may contain a <literal>%D</literal> in the string which
++ indicate where a domain name should be placed.
++
++ The first format in the list is the preferred format for
++ login names.
++ -->
++ <property name="LoginFormats" type="as" access="read"/>
++
++ <!--
++ LoginPolicy: the policy for logins using this realm
++
++ The policy for logging into this computer using this realm.
++
++ The policy can be changed using the
++ #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method.
++
++ The following policies are predefined. Not all providers
++ support all these policies and there may be provider specific
++ policies or multiple policies represented in the string:
++ <itemizedlist>
++ <listitem><para><literal>allow-any-login</literal>: allow
++ login by any authenticated user present in this
++ realm.</para></listitem>
++ <listitem><para><literal>allow-realm-logins</literal>: allow
++ logins according to the realm or domain policy for logins
++ on this machine. This usually defaults to allowing any realm
++ user to log in.</para></listitem>
++ <listitem><para><literal>allow-permitted-logins</literal>:
++ only allow the logins permitted in the
++ #org.freedesktop.realmd.Realm:PermittedLogins
++ property.</para></listitem>
++ <listitem><para><literal>deny-any-login</literal>:
++ don't allow any logins via authenticated users of this
++ realm.</para></listitem>
++ </itemizedlist>
++ -->
++ <property name="LoginPolicy" type="s" access="read"/>
++
++ <!--
++ PermittedLogins: the permitted login names
++
++ The list of permitted authenticated users allowed to login
++ into this computer. This is only relevant if the
++ #org.freedesktop.realmd.Realm:LoginPolicy property
++ contains the <literal>allow-permitted-logins</literal>
++ string.
++ -->
++ <property name="PermittedLogins" type="as" access="read"/>
++
++ <!--
++ PermittedGroups: the permitted group names
++
++ The list of groups which users need to be in to be allowed
++ to log into this computer. This is only relevant if the
++ #org.freedesktop.realmd.Realm:LoginPolicy property
++ contains the <literal>allow-permitted-logins</literal>
++ string.
++ -->
++ <property name="PermittedGroups" type="as" access="read"/>
++
++ <!--
++ ChangeLoginPolicy:
++ @login_policy: the new login policy, or an empty string
++ @permitted_add: a list of logins to permit
++ @permitted_remove: a list of logins to not permit
++ @options: options for this operation
++
++ Change the login policy and/or permitted logins for this realm.
++
++ Not all realms support all the various login policies. An
++ error will be returned if the new login policy is not supported.
++ You may specify an empty string for the @login_policy argument
++ which will cause no change in the policy itself. If the policy
++ is changed, it will be reflected in the
++ #org.freedesktop.realmd.Realm:LoginPolicy property.
++
++ The @permitted_add and @permitted_remove arguments represent
++ lists of login names that should be added and removed from
++ the #org.freedesktop.realmd.Kerberos:PermittedLogins property.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ <listitem><para><literal>groups</literal>: boolean which if
++ set to <literal>TRUE</literal> means that the names in
++ @permitted_add and @permitted_remove are group names instead
++ of login names.</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.login-policy</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the policy change failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to change login policy
++ operation.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
++ returned if the realm is not configured.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="ChangeLoginPolicy">
++ <arg name="login_policy" type="s" direction="in"/>
++ <arg name="permitted_add" type="as" direction="in"/>
++ <arg name="permitted_remove" type="as" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.Kerberos:
++ @short_description: a kerberos realm
++
++ An interface that describes a kerberos realm in more detail. This
++ is always implemented on an DBus object path that also implements
++ the #org.freedesktop.realmd.Realm interface.
++ -->
++ <interface name="org.freedesktop.realmd.Kerberos">
++
++ <!--
++ RealmName: the kerberos realm name
++
++ The kerberos name for this realm. This is usually in upper
++ case.
++ -->
++ <property name="RealmName" type="s" access="read"/>
++
++ <!--
++ DomainName: the DNS domain name
++
++ The DNS domain name for this realm.
++ -->
++ <property name="DomainName" type="s" access="read"/>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.KerberosMembership:
++
++ An interface used to configure this machine by joining a realm.
++
++ It sets up a computer/host account in the realm for this machine
++ and a keytab to track the credentials for that account.
++
++ The various properties are guaranteed to have been updated before
++ the operation methods return, if they change state.
++ -->
++ <interface name="org.freedesktop.realmd.KerberosMembership">
++
++ <!--
++ SuggestedAdministrator: common administrator name
++
++ The common administrator name for this type of realm. This
++ can be used by clients as a hint when prompting the user for
++ administrative authentication.
++ -->
++ <property name="SuggestedAdministrator" type="s" access="read"/>
++
++ <!--
++ SupportedJoinCredentials: credentials supported for joining
++
++ Various kinds of credentials that are supported when calling the
++ #org.freedesktop.realmd.Kerberos.Join() method.
++
++ Each credential is represented by a type and an owner. The type
++ denotes which kind of credential is passed to the method. The
++ owner indicates to the client how to prompt the user or obtain
++ the credential, and to the service how to use the credential.
++
++ The various types are:
++ <itemizedlist>
++ <listitem><para><literal>ccache</literal>:
++ the credentials should contain an array of bytes as a
++ <literal>ay</literal> containing the data from a kerberos
++ credential cache file.</para></listitem>
++ <listitem><para><literal>password</literal>:
++ the credentials should contain a pair of strings as a
++ <literal>(ss)</literal> representing a name and
++ password. The name may contain a realm in the standard
++ kerberos format. If a realm is missing, it will default
++ to this realm. </para></listitem>
++ <listitem><para><literal>secret</literal>:
++ the credentials should contain a string secret as an
++ <literal>ay</literal> array of bytes. This is usually used
++ for one time passwords. To pass a string here, encode it
++ in UTF-8, and place the resulting bytes in the
++ value.</para></listitem>
++ <listitem><para><literal>automatic</literal>:
++ the credentials should contain an empty string as a
++ <literal>s</literal>. Using <literal>automatic</literal>
++ indicates that default or system credentials are to be
++ used.</para></listitem>
++ </itemizedlist>
++
++ The various owners are:
++ <itemizedlist>
++ <listitem><para><literal>administrator</literal>:
++ the credentials belong to a kerberos administrator principal.
++ The caller may use this as a hint to prompt the user
++ for administrative credentials.</para></listitem>
++ <listitem><para><literal>user</literal>:
++ the credentials belong to a kerberos user principal.
++ The caller may use this as a hint to prompt the user
++ for his (possibly non-administrative)
++ credentials.</para></listitem>
++ <listitem><para><literal>computer</literal>:
++ the credentials belong to a computer account.</para></listitem>
++ <listitem><para><literal>none</literal>:
++ the credentials have an unspecified owner, such as a one
++ time password.</para></listitem>
++ </itemizedlist>
++ -->
++ <property name="SupportedJoinCredentials" type="a(ss)" access="read"/>
++
++ <!--
++ SupportedLeaveCredentials: credentials supported for leaving
++
++ Various kinds of credentials that are supported when calling the
++ #org.freedesktop.realmd.Kerberos.Leave() method.
++
++ See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for
++ a discussion of what the values represent.
++ -->
++ <property name="SupportedLeaveCredentials" type="a(ss)" access="read"/>
++
++ <!--
++ Join:
++
++ Join this machine to the realm and enroll the machine.
++
++ If this method returns successfully, then the machine will be
++ joined to the realm. It is not necessary to restart services or the
++ machine afterward. Relevant properties on the realm will be updated
++ before the method returns.
++
++ The @credentials should be set according to one of the
++ supported credentials returned by
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
++ The first string in the tuple is the type, the second string
++ is the owner, and the variant contains the credential contents
++ See the discussion at
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
++ for more information.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>automatic-id-mapping</literal>: a boolean
++ value whether to turn on automatic UID/GID mapping. If not
++ specified the default will come from realmd.conf
++ configuration.</para></listitem>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ <listitem><para><literal>computer-ou</literal>: a string
++ containing an LDAP DN for an organizational unit where the
++ computer account should be created</para></listitem>
++ <listitem><para><literal>user-principal</literal>: a string
++ containing an kerberos user principal name to be set on the
++ computer account</para></listitem>
++ <listitem><para><literal>membership-software</literal>: a string
++ containing the membership software identifier that the returned
++ realms should match.</para></listitem>
++ <listitem><para><literal>manage-system</literal>: a boolean
++ which controls whether this machine should be managed by
++ the realm or domain or not. Defaults to true.</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.configure-realm</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the join failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to perform a join
++ operation.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
++ returned if the credentials passed did not authenticate against the realm
++ correctly. It is appropriate to prompt the user again.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>:
++ returned if already enrolled in this realm, or if already enrolled in another realm
++ (if enrolling in multiple realms is not supported).</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.BadHostname</literal>:
++ returned if the machine has a hostname that is not usable for a join
++ or is in conflict with those in the domain.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Join">
++ <arg name="credentials" type="(ssv)" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ <!--
++ Leave:
++
++ Leave the realm and unenroll the machine.
++
++ If this method returns successfully, then the machine will have
++ left the domain and been unenrolled. It is not necessary to restart
++ services or the machine afterward. Relevant properties on the realm
++ will be updated before the method returns.
++
++ The @credentials should be set according to one of the
++ supported credentials returned by
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
++ The first string in the tuple is the type, the second string
++ is the owner, and the variant contains the credential contents
++ See the discussion at
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
++ for more information.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the unenroll failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to perform an unenroll
++ operation.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
++ returned if the credentials passed did not authenticate against the realm
++ correctly. It is appropriate to prompt the user again.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>:
++ returned if not enrolled in this realm.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Leave">
++ <arg name="credentials" type="(ssv)" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ </interface>
++
++</node>
+diff --git a/src/daemon.c b/src/daemon.c
+index c52bda3..5ce0216 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -20,60 +20,61 @@
+ * Written by: Matthias Clasen <mclasen@redhat.com>
+ */
+
+ #include "config.h"
+
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <sys/wait.h>
+ #include <pwd.h>
+ #ifdef HAVE_SHADOW_H
+ #include <shadow.h>
+ #endif
+ #include <unistd.h>
+ #include <errno.h>
+ #include <sys/types.h>
+
+ #include <glib.h>
+ #include <glib/gi18n.h>
+ #include <glib-object.h>
+ #include <glib/gstdio.h>
+ #include <gio/gio.h>
+ #include <polkit/polkit.h>
+
+ #include "user-classify.h"
+ #include "wtmp-helper.h"
+ #include "daemon.h"
+ #include "util.h"
++#include "realmd-generated.h"
+
+ #define PATH_PASSWD "/etc/passwd"
+ #define PATH_SHADOW "/etc/shadow"
+ #define PATH_GROUP "/etc/group"
+
+ enum {
+ PROP_0,
+ PROP_DAEMON_VERSION
+ };
+
+ typedef struct {
+ GDBusConnection *bus_connection;
+
+ GHashTable *users;
+ gsize number_of_normal_users;
+ GList *explicitly_requested_users;
+
+ User *autologin;
+
+ GFileMonitor *passwd_monitor;
+ GFileMonitor *shadow_monitor;
+ GFileMonitor *group_monitor;
+ GFileMonitor *gdm_monitor;
+ GFileMonitor *wtmp_monitor;
+
+ GQueue *pending_list_cached_users;
+
+ guint reload_id;
+ guint autologin_id;
+
+@@ -425,110 +426,167 @@ load_entries (Daemon *daemon,
+ } else {
+ g_object_ref (user);
+ }
+
+ /* freeze & update users not already in the new list */
+ g_object_freeze_notify (G_OBJECT (user));
+ user_update_from_pwent (user, pwent, spent);
+
+ g_hash_table_insert (users, g_strdup (user_get_user_name (user)), user);
+ g_debug ("loaded user: %s", user_get_user_name (user));
+ }
+
+ if (!explicitly_requested) {
+ user_set_cached (user, TRUE);
+ }
+ }
+
+ /* Generator should have cleaned up */
+ g_assert (generator_state == NULL);
+ }
+
+ static GHashTable *
+ create_users_hash_table (void)
+ {
+ return g_hash_table_new_full (g_str_hash,
+ g_str_equal,
+ g_free,
+ g_object_unref);
+ }
+
++static gboolean
++ensure_bus_connection (Daemon *daemon)
++{
++ DaemonPrivate *priv = daemon_get_instance_private (daemon);
++ g_autoptr (GError) error = NULL;
++
++ if (priv->bus_connection != NULL)
++ return TRUE;
++
++ priv->bus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
++ if (priv->bus_connection == NULL) {
++ if (error != NULL)
++ g_critical ("error getting system bus: %s", error->message);
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
++static gboolean
++has_network_realms (Daemon *daemon)
++{
++ DaemonPrivate *priv = daemon_get_instance_private (daemon);
++ g_autoptr (AccountsRealmdProvider) realmd_provider = NULL;
++ g_autoptr (GError) error = NULL;
++ const char *const *realms = NULL;
++
++ if (!ensure_bus_connection (daemon)) {
++ return FALSE;
++ }
++
++ realmd_provider = accounts_realmd_provider_proxy_new_sync (priv->bus_connection,
++ G_DBUS_PROXY_FLAGS_NONE,
++ "org.freedesktop.realmd",
++ "/org/freedesktop/realmd",
++ NULL,
++ &error);
++ if (realmd_provider == NULL) {
++ g_debug ("failed to contact realmd: %s", error->message);
++ return FALSE;
++ }
++
++ realms = accounts_realmd_provider_get_realms (realmd_provider);
++
++ if (!realms) {
++ g_debug("realmd provider 'Realms' property is unset");
++ return FALSE;
++ }
++
++ return realms[0] != NULL;
++}
++
+ static void
+ reload_users (Daemon *daemon)
+ {
+ DaemonPrivate *priv = daemon_get_instance_private (daemon);
+ AccountsAccounts *accounts = ACCOUNTS_ACCOUNTS (daemon);
+ gboolean had_no_users, has_no_users, had_multiple_users, has_multiple_users;
+ GHashTable *users;
+ GHashTable *old_users;
+ GHashTable *local;
+ GHashTableIter iter;
+ gsize number_of_normal_users = 0;
+ gpointer name, value;
+
+ /* Track the users that we saw during our (re)load */
+ users = create_users_hash_table ();
+
+ /*
+ * NOTE: As we load data from all the sources, notifies are
+ * frozen in load_entries() and then thawed as we process
+ * them below.
+ */
+
+ /* Load the local users into our hash table */
+ load_entries (daemon, users, FALSE, entry_generator_fgetpwent);
+ local = g_hash_table_new (g_str_hash, g_str_equal);
+ g_hash_table_iter_init (&iter, users);
+ while (g_hash_table_iter_next (&iter, &name, NULL))
+ g_hash_table_add (local, name);
+
+ /* and add users to hash table that were explicitly requested */
+ load_entries (daemon, users, TRUE, entry_generator_requested_users);
+
+ /* Now add/update users from other sources, possibly non-local */
+ load_entries (daemon, users, FALSE, entry_generator_cachedir);
+
+ wtmp_helper_update_login_frequencies (users);
+
+ /* Count the non-system users. Mark which users are local, which are not. */
+ g_hash_table_iter_init (&iter, users);
+ while (g_hash_table_iter_next (&iter, &name, &value)) {
+ User *user = value;
+ if (!user_get_system_account (user))
+ number_of_normal_users++;
+ user_update_local_account_property (user, g_hash_table_lookup (local, name) != NULL);
+ }
+ g_hash_table_destroy (local);
+
+ had_no_users = accounts_accounts_get_has_no_users (accounts);
+ has_no_users = number_of_normal_users == 0;
+
++ if (has_no_users && has_network_realms (daemon)) {
++ g_debug ("No local users, but network realms detected, presuming there are remote users");
++ has_no_users = FALSE;
++ }
++
+ if (had_no_users != has_no_users)
+ accounts_accounts_set_has_no_users (accounts, has_no_users);
+
+ had_multiple_users = accounts_accounts_get_has_multiple_users (accounts);
+ has_multiple_users = number_of_normal_users > 1;
+
+ if (had_multiple_users != has_multiple_users)
+ accounts_accounts_set_has_multiple_users (accounts, has_multiple_users);
+
+ /* Swap out the users */
+ old_users = priv->users;
+ priv->users = users;
+
+ /* Remove all the old users */
+ g_hash_table_iter_init (&iter, old_users);
+ while (g_hash_table_iter_next (&iter, &name, &value)) {
+ User *user = value;
+ User *refreshed_user;
+
+ refreshed_user = g_hash_table_lookup (users, name);
+
+ if (!refreshed_user || (user_get_cached (user) && !user_get_cached (refreshed_user))) {
+ accounts_accounts_emit_user_deleted (ACCOUNTS_ACCOUNTS (daemon),
+ user_get_object_path (user));
+ user_unregister (user);
+ }
+ }
+
+ /* Register all the new users */
+ g_hash_table_iter_init (&iter, users);
+@@ -766,64 +824,61 @@ daemon_finalize (GObject *object)
+ priv = daemon_get_instance_private (daemon);
+
+ if (priv->bus_connection != NULL)
+ g_object_unref (priv->bus_connection);
+
+ g_queue_free_full (priv->pending_list_cached_users,
+ (GDestroyNotify) list_user_data_free);
+
+ g_list_free_full (priv->explicitly_requested_users, g_free);
+
+ g_hash_table_destroy (priv->users);
+
+ g_hash_table_unref (priv->extension_ifaces);
+
+ G_OBJECT_CLASS (daemon_parent_class)->finalize (object);
+ }
+
+ static gboolean
+ register_accounts_daemon (Daemon *daemon)
+ {
+ DaemonPrivate *priv = daemon_get_instance_private (daemon);
+ g_autoptr(GError) error = NULL;
+
+ priv->authority = polkit_authority_get_sync (NULL, &error);
+ if (priv->authority == NULL) {
+ if (error != NULL)
+ g_critical ("error getting polkit authority: %s", error->message);
+ return FALSE;
+ }
+
+- priv->bus_connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
+- if (priv->bus_connection == NULL) {
+- if (error != NULL)
+- g_critical ("error getting system bus: %s", error->message);
++ if (!ensure_bus_connection (daemon)) {
+ return FALSE;
+ }
+
+ if (!g_dbus_interface_skeleton_export (G_DBUS_INTERFACE_SKELETON (daemon),
+ priv->bus_connection,
+ "/org/freedesktop/Accounts",
+ &error)) {
+ if (error != NULL)
+ g_critical ("error exporting interface: %s", error->message);
+ return FALSE;
+ }
+
+ return TRUE;
+ }
+
+ Daemon *
+ daemon_new (void)
+ {
+ g_autoptr(Daemon) daemon = NULL;
+
+ daemon = DAEMON (g_object_new (TYPE_DAEMON, NULL));
+
+ if (!register_accounts_daemon (DAEMON (daemon))) {
+ return NULL;
+ }
+
+ return g_steal_pointer (&daemon);
+ }
+
+ static void
+diff --git a/src/meson.build b/src/meson.build
+index 20d5276..3970749 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -1,37 +1,38 @@
+ sources = []
+
+ gdbus_headers = []
+
+ ifaces = [
+ ['accounts-generated', 'org.freedesktop.', 'Accounts'],
+ ['accounts-user-generated', act_namespace + '.', 'User'],
++ ['realmd-generated', 'org.freedesktop.', 'realmd'],
+ ]
+
+ foreach iface: ifaces
+ gdbus_sources = gnome.gdbus_codegen(
+ iface[0],
+ join_paths(data_dir, iface[1] + iface[2] + '.xml'),
+ interface_prefix: iface[1],
+ namespace: 'Accounts',
+ )
+ sources += gdbus_sources
+ gdbus_headers += gdbus_sources[1]
+ endforeach
+
+ deps = [
+ gio_dep,
+ gio_unix_dep,
+ ]
+
+ cflags = [
+ '-DLOCALSTATEDIR="@0@"'.format(act_localstatedir),
+ '-DDATADIR="@0@"'.format(act_datadir),
+ '-DICONDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'icons')),
+ '-DUSERDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'users')),
+ ]
+
+ libaccounts_generated = static_library(
+ 'accounts-generated',
+ sources: sources,
+ include_directories: top_inc,
+ dependencies: deps,
+diff --git a/src/org.freedesktop.realmd.xml b/src/org.freedesktop.realmd.xml
+new file mode 100644
+index 0000000..c34a47a
+--- /dev/null
++++ b/src/org.freedesktop.realmd.xml
+@@ -0,0 +1,730 @@
++<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
++ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
++<node name="/">
++
++ <!--
++ org.freedesktop.realmd.Provider:
++ @short_description: a realm provider
++
++ Various realm providers represent different software implementations
++ that provide access to realms or domains.
++
++ This interface is implemented by individual providers, but is
++ aggregated globally at the system bus name
++ <literal>org.freedesktop.realmd</literal>
++ with the object path <literal>/org/freedesktop/realmd</literal>
++ -->
++ <interface name="org.freedesktop.realmd.Provider">
++
++ <!--
++ Name: the name of the provider
++
++ The name of the provider. This is not normally displayed
++ to the user, but may be useful for diagnostics or debugging.
++ -->
++ <property name="Name" type="s" access="read"/>
++
++ <!--
++ Version: the version of the provider
++
++ The version of the provider. This is not normally used in
++ logic, but may be useful for diagnostics or debugging.
++ -->
++ <property name="Version" type="s" access="read"/>
++
++ <!--
++ Realms: a list of realms
++
++ A list of known, enrolled or discovered realms. All realms
++ that this provider knows about are listed here. As realms
++ are discovered they are added to this list.
++
++ Each realm is represented by the DBus object path of the
++ realm object.
++ -->
++ <property name="Realms" type="ao" access="read"/>
++
++ <!--
++ Discover:
++ @string: an input string to discover realms for
++ @options: options for the discovery operation
++ @relevance: the relevance of the returned results
++ @realm: a list of realms discovered
++
++ Discover realms for the given string. The input @string is
++ usually a domain or realm name, perhaps typed by a user. If
++ an empty string is provided, the realm provider should try to
++ discover a default realm, if possible (e.g. from DHCP).
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ <listitem><para><literal>client-software</literal>: a string
++ containing the client software identifier that the returned
++ realms should match.</para></listitem>
++ <listitem><para><literal>server-software</literal>: a string
++ containing the client software identifier that the returned
++ realms should match.</para></listitem>
++ <listitem><para><literal>membership-software</literal>: a string
++ containing the membership software identifier that the returned
++ realms should match.</para></listitem>
++ </itemizedlist>
++
++ The @relevance returned can be used to rank results from
++ different discover calls to different providers. Implementors
++ should return a positive number if the provider highly
++ recommends that the realms be handled by this provider,
++ or a zero if it can possibly handle the realms. Negative numbers
++ should be returned if no realms are found.
++
++ This method does not return an error when no realms are
++ discovered. It simply returns an empty @realm list.
++
++ To see diagnostic information about the discovery process,
++ connect to the org.freedesktop.realmd.Service::Diagnostics
++ signal.
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.discover-realm</literal>.
++
++ In addition to common DBus error results, this method may
++ return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the discovery could not be run for some reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to perform a discovery
++ operation.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Discover">
++ <arg name="string" type="s" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ <arg name="relevance" type="i" direction="out"/>
++ <arg name="realm" type="ao" direction="out"/>
++ </method>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.Service:
++ @short_description: the realmd service
++
++ Global calls for managing the realmd service. Usually you'll want
++ to use #org.freedesktop.realmd.Provider instead.
++
++ This interface is implemented by the realmd service, and is always
++ available at the object path <literal>/org/freedesktop/realmd</literal>
++
++ The service also implements the
++ <literal>org.freedesktop.DBus.ObjectManager</literal> interface which
++ makes it easy to retrieve all realmd objects and properties in one go.
++ -->
++ <interface name="org.freedesktop.realmd.Service">
++
++ <!--
++ Cancel:
++ @operation: the operation to cancel
++
++ Cancel a realmd operation. To be able to cancel an operation,
++ pass a uniquely chosen <literal>operation</literal> string
++ identifier as an option in the method's <literal>options</literal>
++ argument.
++
++ These operation string identifiers should be unique per client
++ calling the realmd service.
++
++ It is not guaranteed that the service can or will cancel the
++ operation. For example, the operation may have already completed
++ by the time this method is handled. The caller of the operation
++ method will receive a
++ <literal>org.freedesktop.realmd.Error.Cancelled</literal>
++ if the operation was cancelled.
++ -->
++ <method name="Cancel">
++ <arg name="operation" type="s" direction="in"/>
++ </method>
++
++ <!--
++ SetLocale:
++ @locale: the locale for the client
++
++ Set the language @locale for the client. This locale is used
++ for error messages. The locale is used until the next time
++ this method is called, the client disconnects, or the client
++ calls #org.freedesktop.realmd.Service.Release().
++ -->
++ <method name="SetLocale">
++ <arg name="locale" type="s" direction="in"/>
++ </method>
++
++ <!--
++ Diagnostics:
++ @data: diagnostic data
++ @operation: the operation this data resulted from
++
++ This signal is fired when diagnostics result from an operation
++ in the provider or one of its realms.
++
++ It is not guaranteed that this signal is emitted once per line.
++ More than one line may be contained in @data, or a partial
++ line. New line characters are embedded in @data.
++
++ This signal is sent explicitly to the client which invoked an
++ operation method. In order to tell which operation this
++ diagnostic data results from, pass a unique
++ <literal>operation</literal> string identifier in the
++ <literal>options</literal> argument of the operation method.
++ That same identifier will be passed back via the @operation
++ argument of this signal.
++ -->
++ <signal name="Diagnostics">
++ <arg name="data" type="s"/>
++ <arg name="operation" type="s"/>
++ </signal>
++
++ <!--
++ Release:
++
++ Normally, realmd waits until all clients have disconnected
++ before exiting itself sometime later. Long lived clients
++ can call this method to allow the realmd service to quit.
++ This is an optimization. The daemon will not exit immediately.
++ It is safe to call this multiple times.
++ -->
++ <method name="Release">
++ <!-- no arguments -->
++ </method>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.Realm:
++ @short_description: a realm
++
++ Represents one realm.
++
++ Contains generic information about a realm, and useful properties for
++ introspecting what kind of realm this is and how to work with
++ the realm.
++
++ Use #org.freedesktop.realmd.Provider:Realms or
++ #org.freedesktop.realmd.Provider.Discover() to get access to some
++ kerberos realm objects.
++
++ Realms will always implement additional interfaces, such as
++ #org.freedesktop.realmd.Kerberos. Do not assume that all realms
++ implement that kerberos interface. Use the
++ #org.freedesktop.realmd.Realm:SupportedInterfaces property to see
++ which interfaces are supported.
++
++ Different realms support various ways to configure them on the
++ system. Use the #org.freedesktop.realmd.Realm:Configured property
++ to determine if a realm is configured. If it is configured, the
++ property will be set to the interface of the mechanism that was
++ used to configure it.
++
++ To configure a realm, look in the
++ #org.freedesktop.realmd.Realm:SupportedInterfaces property for a
++ recognized purpose-specific interface that can be used for
++ configuration, such as the
++ #org.freedesktop.realmd.KerberosMembership interface and its
++ #org.freedesktop.realmd.KerberosMembership.Join() method.
++
++ To deconfigure a realm from the current system, you can use the
++ #org.freedesktop.realmd.Realm.Deconfigure() method. In addition, some
++ of the configuration specific interfaces provide methods to
++ deconfigure a realm in a specific way, such as the
++ #org.freedesktop.realmd.KerberosMembership.Leave() method.
++
++ The various properties are guaranteed to have been updated before
++ the operation methods return, if they change state.
++ -->
++ <interface name="org.freedesktop.realmd.Realm">
++
++ <!--
++ Name: the realm name
++
++ This is the name of the realm, appropriate for display to
++ end users where necessary.
++ -->
++ <property name="Name" type="s" access="read"/>
++
++ <!--
++ Configured: whether this domain is configured and how
++
++ If this property is an empty string, then the realm is not
++ configured. Otherwise the realm is configured, and contains
++ a string which is the interface that represents how it was
++ configured, for example #org.freedesktop.realmd.KerberosMembership.
++ -->
++ <property name="Configured" type="s" access="read"/>
++
++ <!--
++ Deconfigure: deconfigure this realm
++
++ Deconfigure this realm from the local machine with standard
++ default behavior.
++
++ The behavior of this method depends on the which configuration
++ interface is present in the
++ #org.freedesktop.realmd.Realm.Configured property. It does not
++ always delete membership accounts in the realm, but just
++ reconfigures the local machine so it no longer is configured
++ for the given realm. In some cases the implementation may try
++ to update membership accounts, but this is not guaranteed.
++
++ Various configuration interfaces may support more specific ways
++ to deconfigure a realm in a specific way, such as the
++ #org.freedesktop.realmd.KerberosMembership.Leave() method.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the deconfigure failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to deconfigure a
++ realm.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
++ returned if this realm is not configured on the machine.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Deconfigure">
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ <!--
++ SupportedInterfaces:
++
++ Additional supported interfaces of this realm. This includes
++ interfaces that contain more information about the realm,
++ such as #org.freedesktop.realmd.Kerberos and interfaces
++ which contain methods for configuring a realm, such as
++ #org.freedesktop.realmd.KerberosMembership.
++ -->
++ <property name="SupportedInterfaces" type="as" access="read"/>
++
++ <!--
++ Details: informational details about the realm
++
++ Informational details about the realm. The following values
++ should be present:
++ <itemizedlist>
++ <listitem><para><literal>server-software</literal>:
++ identifier of the software running on the server (e.g.
++ <literal>active-directory</literal>).</para></listitem>
++ <listitem><para><literal>client-software</literal>:
++ identifier of the software running on the client (e.g.
++ <literal>sssd</literal>).</para></listitem>
++ </itemizedlist>
++ -->
++ <property name="Details" type="a(ss)" access="read"/>
++
++ <!--
++ RequiredPackages: prerequisite software
++
++ Software packages that are required in order for a join to
++ succeed. These are either simple strings like <literal>sssd</literal>,
++ or strings with an operator and version number like
++ <literal>sssd >= 1.9.0</literal>
++
++ These values are specific to the packaging system that is
++ being run.
++ -->
++ <property name="RequiredPackages" type="as" access="read"/>
++
++ <!--
++ LoginFormats: supported formats for login names
++
++ Supported formats for login to this realm. This is only
++ relevant once the realm has been enrolled. The formats
++ will contain a <literal>%U</literal> in the string, which
++ indicate where the user name should be placed. The formats
++ may contain a <literal>%D</literal> in the string which
++ indicate where a domain name should be placed.
++
++ The first format in the list is the preferred format for
++ login names.
++ -->
++ <property name="LoginFormats" type="as" access="read"/>
++
++ <!--
++ LoginPolicy: the policy for logins using this realm
++
++ The policy for logging into this computer using this realm.
++
++ The policy can be changed using the
++ #org.freedesktop.realmd.Realm.ChangeLoginPolicy() method.
++
++ The following policies are predefined. Not all providers
++ support all these policies and there may be provider specific
++ policies or multiple policies represented in the string:
++ <itemizedlist>
++ <listitem><para><literal>allow-any-login</literal>: allow
++ login by any authenticated user present in this
++ realm.</para></listitem>
++ <listitem><para><literal>allow-realm-logins</literal>: allow
++ logins according to the realm or domain policy for logins
++ on this machine. This usually defaults to allowing any realm
++ user to log in.</para></listitem>
++ <listitem><para><literal>allow-permitted-logins</literal>:
++ only allow the logins permitted in the
++ #org.freedesktop.realmd.Realm:PermittedLogins
++ property.</para></listitem>
++ <listitem><para><literal>deny-any-login</literal>:
++ don't allow any logins via authenticated users of this
++ realm.</para></listitem>
++ </itemizedlist>
++ -->
++ <property name="LoginPolicy" type="s" access="read"/>
++
++ <!--
++ PermittedLogins: the permitted login names
++
++ The list of permitted authenticated users allowed to login
++ into this computer. This is only relevant if the
++ #org.freedesktop.realmd.Realm:LoginPolicy property
++ contains the <literal>allow-permitted-logins</literal>
++ string.
++ -->
++ <property name="PermittedLogins" type="as" access="read"/>
++
++ <!--
++ PermittedGroups: the permitted group names
++
++ The list of groups which users need to be in to be allowed
++ to log into this computer. This is only relevant if the
++ #org.freedesktop.realmd.Realm:LoginPolicy property
++ contains the <literal>allow-permitted-logins</literal>
++ string.
++ -->
++ <property name="PermittedGroups" type="as" access="read"/>
++
++ <!--
++ ChangeLoginPolicy:
++ @login_policy: the new login policy, or an empty string
++ @permitted_add: a list of logins to permit
++ @permitted_remove: a list of logins to not permit
++ @options: options for this operation
++
++ Change the login policy and/or permitted logins for this realm.
++
++ Not all realms support all the various login policies. An
++ error will be returned if the new login policy is not supported.
++ You may specify an empty string for the @login_policy argument
++ which will cause no change in the policy itself. If the policy
++ is changed, it will be reflected in the
++ #org.freedesktop.realmd.Realm:LoginPolicy property.
++
++ The @permitted_add and @permitted_remove arguments represent
++ lists of login names that should be added and removed from
++ the #org.freedesktop.realmd.Kerberos:PermittedLogins property.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ <listitem><para><literal>groups</literal>: boolean which if
++ set to <literal>TRUE</literal> means that the names in
++ @permitted_add and @permitted_remove are group names instead
++ of login names.</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.login-policy</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the policy change failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to change login policy
++ operation.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotConfigured</literal>:
++ returned if the realm is not configured.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="ChangeLoginPolicy">
++ <arg name="login_policy" type="s" direction="in"/>
++ <arg name="permitted_add" type="as" direction="in"/>
++ <arg name="permitted_remove" type="as" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.Kerberos:
++ @short_description: a kerberos realm
++
++ An interface that describes a kerberos realm in more detail. This
++ is always implemented on an DBus object path that also implements
++ the #org.freedesktop.realmd.Realm interface.
++ -->
++ <interface name="org.freedesktop.realmd.Kerberos">
++
++ <!--
++ RealmName: the kerberos realm name
++
++ The kerberos name for this realm. This is usually in upper
++ case.
++ -->
++ <property name="RealmName" type="s" access="read"/>
++
++ <!--
++ DomainName: the DNS domain name
++
++ The DNS domain name for this realm.
++ -->
++ <property name="DomainName" type="s" access="read"/>
++
++ </interface>
++
++ <!--
++ org.freedesktop.realmd.KerberosMembership:
++
++ An interface used to configure this machine by joining a realm.
++
++ It sets up a computer/host account in the realm for this machine
++ and a keytab to track the credentials for that account.
++
++ The various properties are guaranteed to have been updated before
++ the operation methods return, if they change state.
++ -->
++ <interface name="org.freedesktop.realmd.KerberosMembership">
++
++ <!--
++ SuggestedAdministrator: common administrator name
++
++ The common administrator name for this type of realm. This
++ can be used by clients as a hint when prompting the user for
++ administrative authentication.
++ -->
++ <property name="SuggestedAdministrator" type="s" access="read"/>
++
++ <!--
++ SupportedJoinCredentials: credentials supported for joining
++
++ Various kinds of credentials that are supported when calling the
++ #org.freedesktop.realmd.Kerberos.Join() method.
++
++ Each credential is represented by a type and an owner. The type
++ denotes which kind of credential is passed to the method. The
++ owner indicates to the client how to prompt the user or obtain
++ the credential, and to the service how to use the credential.
++
++ The various types are:
++ <itemizedlist>
++ <listitem><para><literal>ccache</literal>:
++ the credentials should contain an array of bytes as a
++ <literal>ay</literal> containing the data from a kerberos
++ credential cache file.</para></listitem>
++ <listitem><para><literal>password</literal>:
++ the credentials should contain a pair of strings as a
++ <literal>(ss)</literal> representing a name and
++ password. The name may contain a realm in the standard
++ kerberos format. If a realm is missing, it will default
++ to this realm. </para></listitem>
++ <listitem><para><literal>secret</literal>:
++ the credentials should contain a string secret as an
++ <literal>ay</literal> array of bytes. This is usually used
++ for one time passwords. To pass a string here, encode it
++ in UTF-8, and place the resulting bytes in the
++ value.</para></listitem>
++ <listitem><para><literal>automatic</literal>:
++ the credentials should contain an empty string as a
++ <literal>s</literal>. Using <literal>automatic</literal>
++ indicates that default or system credentials are to be
++ used.</para></listitem>
++ </itemizedlist>
++
++ The various owners are:
++ <itemizedlist>
++ <listitem><para><literal>administrator</literal>:
++ the credentials belong to a kerberos administrator principal.
++ The caller may use this as a hint to prompt the user
++ for administrative credentials.</para></listitem>
++ <listitem><para><literal>user</literal>:
++ the credentials belong to a kerberos user principal.
++ The caller may use this as a hint to prompt the user
++ for his (possibly non-administrative)
++ credentials.</para></listitem>
++ <listitem><para><literal>computer</literal>:
++ the credentials belong to a computer account.</para></listitem>
++ <listitem><para><literal>none</literal>:
++ the credentials have an unspecified owner, such as a one
++ time password.</para></listitem>
++ </itemizedlist>
++ -->
++ <property name="SupportedJoinCredentials" type="a(ss)" access="read"/>
++
++ <!--
++ SupportedLeaveCredentials: credentials supported for leaving
++
++ Various kinds of credentials that are supported when calling the
++ #org.freedesktop.realmd.Kerberos.Leave() method.
++
++ See #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials for
++ a discussion of what the values represent.
++ -->
++ <property name="SupportedLeaveCredentials" type="a(ss)" access="read"/>
++
++ <!--
++ Join:
++
++ Join this machine to the realm and enroll the machine.
++
++ If this method returns successfully, then the machine will be
++ joined to the realm. It is not necessary to restart services or the
++ machine afterward. Relevant properties on the realm will be updated
++ before the method returns.
++
++ The @credentials should be set according to one of the
++ supported credentials returned by
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
++ The first string in the tuple is the type, the second string
++ is the owner, and the variant contains the credential contents
++ See the discussion at
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
++ for more information.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>automatic-id-mapping</literal>: a boolean
++ value whether to turn on automatic UID/GID mapping. If not
++ specified the default will come from realmd.conf
++ configuration.</para></listitem>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ <listitem><para><literal>computer-ou</literal>: a string
++ containing an LDAP DN for an organizational unit where the
++ computer account should be created</para></listitem>
++ <listitem><para><literal>user-principal</literal>: a string
++ containing an kerberos user principal name to be set on the
++ computer account</para></listitem>
++ <listitem><para><literal>membership-software</literal>: a string
++ containing the membership software identifier that the returned
++ realms should match.</para></listitem>
++ <listitem><para><literal>manage-system</literal>: a boolean
++ which controls whether this machine should be managed by
++ the realm or domain or not. Defaults to true.</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.configure-realm</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the join failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to perform a join
++ operation.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
++ returned if the credentials passed did not authenticate against the realm
++ correctly. It is appropriate to prompt the user again.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.AlreadyEnrolled</literal>:
++ returned if already enrolled in this realm, or if already enrolled in another realm
++ (if enrolling in multiple realms is not supported).</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.BadHostname</literal>:
++ returned if the machine has a hostname that is not usable for a join
++ or is in conflict with those in the domain.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Join">
++ <arg name="credentials" type="(ssv)" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ <!--
++ Leave:
++
++ Leave the realm and unenroll the machine.
++
++ If this method returns successfully, then the machine will have
++ left the domain and been unenrolled. It is not necessary to restart
++ services or the machine afterward. Relevant properties on the realm
++ will be updated before the method returns.
++
++ The @credentials should be set according to one of the
++ supported credentials returned by
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials.
++ The first string in the tuple is the type, the second string
++ is the owner, and the variant contains the credential contents
++ See the discussion at
++ #org.freedesktop.realmd.Kerberos:SupportedJoinCredentials
++ for more information.
++
++ @options can contain, but is not limited to, the following values:
++ <itemizedlist>
++ <listitem><para><literal>operation</literal>: a string
++ identifier chosen by the client, which can then later be
++ passed to org.freedesktop.realmd.Service.Cancel() in order
++ to cancel the operation</para></listitem>
++ </itemizedlist>
++
++ This method requires authorization for the PolicyKit action
++ called <literal>org.freedesktop.realmd.deconfigure-realm</literal>.
++
++ In addition to common DBus error results, this method may return:
++ <itemizedlist>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Failed</literal>:
++ may be returned if the unenroll failed for a generic reason.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Cancelled</literal>:
++ returned if the operation was cancelled.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotAuthorized</literal>:
++ returned if the calling client is not permitted to perform an unenroll
++ operation.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.AuthenticationFailed</literal>:
++ returned if the credentials passed did not authenticate against the realm
++ correctly. It is appropriate to prompt the user again.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.NotEnrolled</literal>:
++ returned if not enrolled in this realm.</para></listitem>
++ <listitem><para><literal>org.freedesktop.realmd.Error.Busy</literal>:
++ returned if the service is currently performing another operation like
++ join or leave.</para></listitem>
++ </itemizedlist>
++ -->
++ <method name="Leave">
++ <arg name="credentials" type="(ssv)" direction="in"/>
++ <arg name="options" type="a{sv}" direction="in"/>
++ </method>
++
++ </interface>
++
++</node>
+--
+2.27.0
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 13:29:48 +0000