Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
sssd
0031-ad-Add-support-for-passing-add-samba-data-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch of Package sssd
From 74a32b1add9d8fd5591e319bc26667b6abb4e5c8 Mon Sep 17 00:00:00 2001 From: Andrew Gunnerson <andrewgunnerson@gmail.com> Date: Sat, 30 Nov 2019 20:49:10 -0500 Subject: [PATCH] ad: Add support for passing --add-samba-data to adcli This adds a new option named `ad_update_samba_machine_account_password`, which when enabled, will pass `--add-samba-data` to the adcli command for updating the machine account password in Samba's secrets.tdb database. This option is necessary when Samba is configured to use AD for authentication. For Kerberos auth, Samba can use the system keytab, but for NTLM, Samba uses its own copy of the machine account password in its secrets.tdb database. See: https://pagure.io/SSSD/sssd/issue/3920 Signed-off-by: Andrew Gunnerson <andrewgunnerson@gmail.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 1cdd43140e6069a10d59af0ba80d1c4e9427a0b4) --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/man/sssd-ad.5.xml | 16 ++++++++++++++++ src/providers/ad/ad_common.h | 1 + src/providers/ad/ad_machine_pw_renewal.c | 11 +++++++++-- src/providers/ad/ad_opts.c | 1 + 7 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 857d56cb5..6e6073f1c 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -246,6 +246,7 @@ option_strings = { 'ad_site' : _('a particular site to be used by the client'), 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), + 'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'), # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 1f1113a1b..22c8781ef 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -450,6 +450,7 @@ option = ad_machine_account_password_renewal_opts option = ad_maximum_machine_account_password_age option = ad_server option = ad_site +option = ad_update_samba_machine_account_password # IPA provider specific options option = ipa_anchor_uuid diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 8d97a416c..9c6c6daad 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false ad_site = str, None, false ad_maximum_machine_account_password_age = int, None, false ad_machine_account_password_renewal_opts = str, None, false +ad_update_samba_machine_account_password = bool, None, false ldap_uri = str, None, false ldap_backup_uri = str, None, false ldap_search_base = str, None, false diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index ebcc00639..4618a35bd 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -870,6 +870,22 @@ ad_gpo_map_deny = +my_pam_service </listitem> </varlistentry> + <varlistentry> + <term>ad_update_samba_machine_account_password (boolean)</term> + <listitem> + <para> + If enabled, when SSSD renews the machine account + password, it will also be updated in Samba's + database. This prevents Samba's copy of the machine + account password from getting out of date when it is + set up to use AD for authentication. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + <varlistentry> <term>dyndns_update (boolean)</term> <listitem> diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 8f6bc3597..cba693d65 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -66,6 +66,7 @@ enum ad_basic_opt { AD_KRB5_CONFD_PATH, AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD, AD_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c index 5b6ba26b7..7b5b5302e 100644 --- a/src/providers/ad/ad_machine_pw_renewal.c +++ b/src/providers/ad/ad_machine_pw_renewal.c @@ -40,6 +40,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, const char *ad_hostname, const char *ad_keytab, size_t pw_lifetime_in_days, + bool add_samba_data, size_t period, size_t initial_delay, struct renewal_data *renewal_data) @@ -58,7 +59,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, return ENOMEM; } - args = talloc_array(renewal_data, const char *, 8); + args = talloc_array(renewal_data, const char *, 9); if (args == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); return ENOMEM; @@ -70,6 +71,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain, args[c++] = NULL; args[c++] = talloc_asprintf(args, "--computer-password-lifetime=%zu", pw_lifetime_in_days); + if (add_samba_data) { + args[c++] = talloc_strdup(args, "--add-samba-data"); + } args[c++] = talloc_asprintf(args, "--host-fqdn=%s", ad_hostname); if (ad_keytab != NULL) { args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab); @@ -375,7 +379,10 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME), dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic, SDAP_KRB5_KEYTAB), - lifetime, period, initial_delay, renewal_data); + lifetime, + dp_opt_get_bool(ad_opts->basic, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD), + period, initial_delay, renewal_data); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "get_adcli_extra_args failed.\n"); goto done; diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 9e09991fd..d4fc811d9 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -52,6 +52,7 @@ struct dp_option ad_basic_opts[] = { { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, + { "ad_update_samba_machine_account_password", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, DP_OPTION_TERMINATOR }; -- 2.25.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor