URL: https://github.com/SSSD/sssd/pull/950 Author: chenxiaolong Title: #950: ad: Add support for passing --add-samba-data to adcli Action: opened
PR body: """ This adds a new option named `ad_update_samba_machine_account_password`, which when enabled, will pass `--add-samba-data` to the adcli command for updating the machine account password in Samba's secrets.tdb database. This option is necessary when Samba is configured to use AD for authentication. For Kerberos auth, Samba can use the system keytab, but for NTLM, Samba uses its own copy of the machine account password in its secrets.tdb database. See: https://pagure.io/SSSD/sssd/issue/3920 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/950/head:pr950 git checkout pr950
From aa83f882778feaf9cfd00d6b757d18f322b1bdfc Mon Sep 17 00:00:00 2001
From: Andrew Gunnerson <andrewgunner...@gmail.com>
Date: Sat, 30 Nov 2019 20:49:10 -0500
Subject: [PATCH] ad: Add support for passing --add-samba-data to adcli
This adds a new option named `ad_update_samba_machine_account_password`, which when enabled, will pass `--add-samba-data` to the adcli command for updating the machine account password in Samba's secrets.tdb database. This option is necessary when Samba is configured to use AD for authentication. For Kerberos auth, Samba can use the system keytab, but for NTLM, Samba uses its own copy of the machine account password in its secrets.tdb database.
See: https://pagure.io/SSSD/sssd/issue/3920
Signed-off-by: Andrew Gunnerson <andrewgunner...@gmail.com>
---
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/cfg_rules.ini | 1 +
 src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
 src/man/sssd-ad.5.xml | 16 ++++++++++++++++
 src/providers/ad/ad_common.h | 1 +
 src/providers/ad/ad_machine_pw_renewal.c | 11 +++++++++--
 src/providers/ad/ad_opts.c | 1 +
 7 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index eba89b4614..92e6141170 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -252,6 +252,7 @@ option_strings = {
 'ad_site' : _('a particular site to be used by the client'),
 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+ 'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'),
 
 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 8c73c89ac2..fbace7adfe 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts
 option = ad_maximum_machine_account_password_age
 option = ad_server
 option = ad_site
+option = ad_update_samba_machine_account_password
 
 # IPA provider specific options
 option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 80e329b3b6..19c2b7ef5d 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
 ad_site = str, None, false
 ad_maximum_machine_account_password_age = int, None, false
 ad_machine_account_password_renewal_opts = str, None, false
+ad_update_samba_machine_account_password = bool, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index fdcb4e4b90..30c7d07cfa 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -1015,6 +1015,22 @@ ad_gpo_map_deny = +my_pam_service
 </listitem>
 </varlistentry>
 
+ <varlistentry>
+ <term>ad_update_samba_machine_account_password (boolean)</term>
+ <listitem>
+ <para>
+ If enabled, when SSSD renews the machine account
+ password, it will also be updated in Samba's
+ database. This prevents Samba's copy of the machine
+ account password from getting out of date when it is
+ set up to use AD for authentication.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term>dyndns_update (boolean)</term>
 <listitem>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 75f11de2e4..36366e3292 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -67,6 +67,7 @@ enum ad_basic_opt {
 AD_KRB5_CONFD_PATH,
 AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
 AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+ AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD,
 
 AD_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
index 9dc36247a0..e0db5fad53 100644
--- a/src/providers/ad/ad_machine_pw_renewal.c
+++ b/src/providers/ad/ad_machine_pw_renewal.c
@@ -40,6 +40,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
 const char *ad_hostname,
 const char *ad_keytab,
 size_t pw_lifetime_in_days,
+ bool add_samba_data,
 size_t period,
 size_t initial_delay,
 struct renewal_data *renewal_data)
@@ -58,7 +59,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
 return ENOMEM;
 }
 
- args = talloc_array(renewal_data, const char *, 8);
+ args = talloc_array(renewal_data, const char *, 9);
 if (args == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
 return ENOMEM;
@@ -70,6 +71,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
 args[c++] = NULL;
 args[c++] = talloc_asprintf(args, "--computer-password-lifetime=%zu",
 pw_lifetime_in_days);
+ if (add_samba_data) {
+ args[c++] = talloc_strdup(args, "--add-samba-data");
+ }
 args[c++] = talloc_asprintf(args, "--host-fqdn=%s", ad_hostname);
 if (ad_keytab != NULL) {
 args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
@@ -375,7 +379,10 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
 dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
 dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
 SDAP_KRB5_KEYTAB),
- lifetime, period, initial_delay, renewal_data);
+ lifetime,
+ dp_opt_get_bool(ad_opts->basic,
+ AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
+ period, initial_delay, renewal_data);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "get_adcli_extra_args failed.\n");
 goto done;
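Review bot: In the second ad_machine_pw_renewal.c hunk the argv capacity is raised from 8 to 9 as a bare literal, and the new optional `--add-samba-data` store in the third hunk is the only thing that justifies it; nothing ties the two together, so the next optional argument will silently need another bump and an overrun if someone forgets. Either derive the size from a named count or annotate the allocation, e.g. `/* fixed args + optional --add-samba-data + optional --host-keytab; keep in step with the args[c++] stores below */`. The `talloc_strdup` result in the new branch is assigned without a NULL check at that point, as are the neighbouring `talloc_asprintf` stores; if the function does not validate every element before handing the array to adcli, an allocation failure would yield a shorter command line rather than an error, which is worth confirming since get_adcli_extra_args continues outside the hunk.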
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index cd568e4663..9707314e4f 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
 { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
 { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
 { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+ { "ad_update_samba_machine_account_password", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 
 DP_OPTION_TERMINATOR
 };