Hello community, here is the log from the commit of package sssd for openSUSE:Leap:15.2 checked in at 2020-03-13 10:55:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/sssd (Old) and /work/SRC/openSUSE:Leap:15.2/.sssd.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sssd" Fri Mar 13 10:55:47 2020 rev:47 rq:783337 version:1.16.1 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/sssd/sssd.changes 2020-02-10 16:41:49.787719248 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.sssd.new.3160/sssd.changes 2020-03-13 10:55:50.128368811 +0100 @@ -1,0 +2,6 @@ +Mon Mar 9 16:04:05 UTC 2020 - Samuel Cabrero <[email protected]> + +- Update samba secrets after changing machine password; (jsc#SLE-11503); + Add 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch + +------------------------------------------------------------------- New: ---- 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sssd.spec ++++++ --- /var/tmp/diff_new_pack.uDAIbD/_old 2020-03-13 10:55:50.776369273 +0100 +++ /var/tmp/diff_new_pack.uDAIbD/_new 2020-03-13 10:55:50.776369273 +0100 @@ -61,6 +61,7 @@ Patch28: 0028-ad-replace-ARRAY_SIZE-with-N_ELEMENTS.patch Patch29: sssd-gpo_host_security_filter-1.16.1.patch Patch30: 0001-Resolve-computer-lookup-failure-when-sam-cn.patch +Patch31: 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -425,6 +426,7 @@ %patch28 -p1 %patch29 -p1 %patch30 -p1 +%patch31 -p1 %build %if 0%{?suse_version} < 1210 ++++++ 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch ++++++ >From 74a32b1add9d8fd5591e319bc26667b6abb4e5c8 Mon Sep 17 00:00:00 2001 
From: Andrew Gunnerson <[email protected]> Date: Sat, 30 Nov 2019 20:49:10 -0500 Subject: [PATCH] ad: Add support for passing --add-samba-data to adcli This adds a new option named `ad_update_samba_machine_account_password`, which when enabled, will pass `--add-samba-data` to the adcli command for updating the machine account password in Samba's secrets.tdb database. This option is necessary when Samba is configured to use AD for authentication. For Kerberos auth, Samba can use the system keytab, but for NTLM, Samba uses its own copy of the machine account password in its secrets.tdb database. See: https://pagure.io/SSSD/sssd/issue/3920 Signed-off-by: Andrew Gunnerson <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 1cdd43140e6069a10d59af0ba80d1c4e9427a0b4) --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/man/sssd-ad.5.xml | 16 ++++++++++++++++ src/providers/ad/ad_common.h | 1 + src/providers/ad/ad_machine_pw_renewal.c | 11 +++++++++-- src/providers/ad/ad_opts.c | 1 + 7 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 857d56cb5..6e6073f1c 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -246,6 +246,7 @@ option_strings = { 'ad_site' : _('a particular site to be used by the client'), 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), + 'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'), # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 1f1113a1b..22c8781ef 100644 
--- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -450,6 +450,7 @@ option = ad_machine_account_password_renewal_opts option = ad_maximum_machine_account_password_age option = ad_server option = ad_site +option = ad_update_samba_machine_account_password # IPA provider specific options option = ipa_anchor_uuid diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 8d97a416c..9c6c6daad 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false ad_site = str, None, false ad_maximum_machine_account_password_age = int, None, false ad_machine_account_password_renewal_opts = str, None, false +ad_update_samba_machine_account_password = bool, None, false ldap_uri = str, None, false ldap_backup_uri = str, None, false ldap_search_base = str, None, false diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index ebcc00639..4618a35bd 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -870,6 +870,22 @@ ad_gpo_map_deny = +my_pam_service </listitem> </varlistentry> + <varlistentry> + <term>ad_update_samba_machine_account_password (boolean)</term> + <listitem> + <para> + If enabled, when SSSD renews the machine account + password, it will also be updated in Samba's + database. This prevents Samba's copy of the machine + account password from getting out of date when it is + set up to use AD for authentication. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + <varlistentry> <term>dyndns_update (boolean)</term> <listitem> diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 8f6bc3597..cba693d65 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h 
@@ -66,6 +66,7 @@ enum ad_basic_opt { AD_KRB5_CONFD_PATH, AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD, AD_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c index 5b6ba26b7..7b5b5302e 100644 --- a/src/providers/ad/ad_machine_pw_renewal.c +++ b/src/providers/ad/ad_machine_pw_renewal.c @@ -40,6 +40,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, const char *ad_hostname, const char *ad_keytab, size_t pw_lifetime_in_days, + bool add_samba_data, size_t period, size_t initial_delay, struct renewal_data *renewal_data) @@ -58,7 +59,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, return ENOMEM; } - args = talloc_array(renewal_data, const char *, 8); + args = talloc_array(renewal_data, const char *, 9); if (args == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); return ENOMEM; @@ -70,6 +71,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain, args[c++] = NULL; args[c++] = talloc_asprintf(args, "--computer-password-lifetime=%zu", pw_lifetime_in_days); + if (add_samba_data) { + args[c++] = talloc_strdup(args, "--add-samba-data"); + } args[c++] = talloc_asprintf(args, "--host-fqdn=%s", ad_hostname); if (ad_keytab != NULL) { args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab); @@ -375,7 +379,10 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME), dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic, SDAP_KRB5_KEYTAB), - lifetime, period, initial_delay, renewal_data); + lifetime, + dp_opt_get_bool(ad_opts->basic, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD), + period, initial_delay, renewal_data); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "get_adcli_extra_args failed.\n"); goto done; 
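Review bot: The array bound in `args = talloc_array(renewal_data, const char *, 9);` is a bare literal bumped from 8 to 9 by hand to make room for the conditional `--add-samba-data` entry, with nothing at the allocation tying it to the number of `args[c++]` stores that follow, so the next option added to this function can overrun the array without any diagnostic. I would at least annotate the allocation, e.g. `/* upper bound: one slot per args[c++] store below, optional entries included */`, or size it from a named constant kept next to the stores. The new `args[c++] = talloc_strdup(args, "--add-samba-data");` is stored unchecked like the neighbouring `talloc_asprintf` results; whether a later pass rejects a NULL element is not visible here, so the behaviour on allocation failure should be confirmed to match the existing entries. get_adcli_extra_args starts before this hunk and continues past it.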
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 9e09991fd..d4fc811d9 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -52,6 +52,7 @@ struct dp_option ad_basic_opts[] = { { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, + { "ad_update_samba_machine_account_password", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, DP_OPTION_TERMINATOR }; -- 2.25.1
