File 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch of Package sssd.22979
From 74a32b1add9d8fd5591e319bc26667b6abb4e5c8 Mon Sep 17 00:00:00 2001
From: Andrew Gunnerson <andrewgunnerson@gmail.com>
Date: Sat, 30 Nov 2019 20:49:10 -0500
Subject: [PATCH] ad: Add support for passing --add-samba-data to adcli
This adds a new option named `ad_update_samba_machine_account_password`,
which when enabled, will pass `--add-samba-data` to the adcli command
for updating the machine account password in Samba's secrets.tdb
database.
This option is necessary when Samba is configured to use AD for
authentication. For Kerberos auth, Samba can use the system keytab, but
for NTLM, Samba uses its own copy of the machine account password in its
secrets.tdb database.
See: https://pagure.io/SSSD/sssd/issue/3920
Signed-off-by: Andrew Gunnerson <andrewgunnerson@gmail.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 1cdd43140e6069a10d59af0ba80d1c4e9427a0b4)
---
 src/config/SSSDConfig/__init__.py.in     |  1 +
 src/config/cfg_rules.ini                 |  1 +
 src/config/etc/sssd.api.d/sssd-ad.conf   |  1 +
 src/man/sssd-ad.5.xml                    | 16 ++++++++++++++++
 src/providers/ad/ad_common.h             |  1 +
 src/providers/ad/ad_machine_pw_renewal.c | 11 +++++++++--
 src/providers/ad/ad_opts.c               |  1 +
 7 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 857d56cb5..6e6073f1c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -246,6 +246,7 @@ option_strings = {
     'ad_site' : _('a particular site to be used by the client'),
     'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
     'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+    'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'),
 
     # [provider/krb5]
     'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 1f1113a1b..22c8781ef 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -450,6 +450,7 @@ option = ad_machine_account_password_renewal_opts
 option = ad_maximum_machine_account_password_age
 option = ad_server
 option = ad_site
+option = ad_update_samba_machine_account_password
 
 # IPA provider specific options
 option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 8d97a416c..9c6c6daad 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
 ad_site = str, None, false
 ad_maximum_machine_account_password_age = int, None, false
 ad_machine_account_password_renewal_opts = str, None, false
+ad_update_samba_machine_account_password = bool, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index ebcc00639..4618a35bd 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -870,6 +870,22 @@ ad_gpo_map_deny = +my_pam_service
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ad_update_samba_machine_account_password (boolean)</term>
+                    <listitem>
+                        <para>
+                            If enabled, when SSSD renews the machine account
+                            password, it will also be updated in Samba's
+                            database. This prevents Samba's copy of the machine
+                            account password from getting out of date when it is
+                            set up to use AD for authentication.
+                        </para>
+                        <para>
+                            Default: false
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>dyndns_update (boolean)</term>
                     <listitem>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 8f6bc3597..cba693d65 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -66,6 +66,7 @@ enum ad_basic_opt {
     AD_KRB5_CONFD_PATH,
     AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
     AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+    AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD,
 
     AD_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
index 5b6ba26b7..7b5b5302e 100644
--- a/src/providers/ad/ad_machine_pw_renewal.c
+++ b/src/providers/ad/ad_machine_pw_renewal.c
@@ -40,6 +40,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
                                     const char *ad_hostname,
                                     const char *ad_keytab,
                                     size_t pw_lifetime_in_days,
+                                    bool add_samba_data,
                                     size_t period,
                                     size_t initial_delay,
                                     struct renewal_data *renewal_data)
@@ -58,7 +59,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
         return ENOMEM;
     }
 
-    args = talloc_array(renewal_data, const char *, 8);
+    args = talloc_array(renewal_data, const char *, 9);
     if (args == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
         return ENOMEM;
@@ -70,6 +71,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
     args[c++] = NULL;
     args[c++] = talloc_asprintf(args, "--computer-password-lifetime=%zu",
                                 pw_lifetime_in_days);
+    if (add_samba_data) {
+        args[c++] = talloc_strdup(args, "--add-samba-data");
+    }
     args[c++] = talloc_asprintf(args, "--host-fqdn=%s", ad_hostname);
     if (ad_keytab != NULL) {
         args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
@@ -375,7 +379,10 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
                    dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
                    dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
                                       SDAP_KRB5_KEYTAB),
-                   lifetime, period, initial_delay, renewal_data);
+                   lifetime,
+                   dp_opt_get_bool(ad_opts->basic,
+                                   AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
+                   period, initial_delay, renewal_data);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "get_adcli_extra_args failed.\n");
         goto done;
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 9e09991fd..d4fc811d9 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -52,6 +52,7 @@ struct dp_option ad_basic_opts[] = {
     { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
     { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
     { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+    { "ad_update_samba_machine_account_password", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     DP_OPTION_TERMINATOR
 };
 
-- 
2.25.1