Bug 1793727

Summary: [RFE] Add support for passing --add-samba-data to adcli

Product: Red Hat Enterprise Linux 8
Reporter: Chetan Patil <cpatil>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Docs Contact: David Voženílek <dvozenil>
Priority: unspecified
Version: 8.4
CC: atikhono, bthekkep, bvchiare, dvozenil, fhanzelk, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, pcech, sbose, sgoveas, thalman, tscherf
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.3.0-1.el8
Doc Type: Enhancement
Doc Text:
.SSSD now updates Samba's `secrets.tdb` file when rotating a password

A new `ad_update_samba_machine_account_password` option in the `sssd.conf` file is now available in RHEL. You can use it to set SSSD to automatically update the Samba `secrets.tdb` file when rotating a machine's domain password while using Samba. However, if SELinux is in enforcing mode, SSSD fails to update the `secrets.tdb` file. Consequently, Samba does not have access to the new password. To work around this problem, set SELinux to permissive mode.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 02:04:37 UTC
Type: Enhancement
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1855215
Bug Blocks:

Description Chetan Patil 2020-01-21 23:41:08 UTC
Description of problem:
   When sssd does a roll of the machine's domain password it updates the local
keytab (krb5.keytab) but does not update the local smb secrets
(secrets.tdb).

Version-Release number of selected component (if applicable):
7.7

How reproducible:
This can be rectified after the fact by running adcli with the
add-samba-data option:

adcli update --computer-password-lifetime=0 --add-samba-data


Steps to Reproduce:
1.

Actual results:
Does not update local smb secrets (secrets.tdb)

Expected results:
Should update local smb secrets (secrets.tdb)

Additional info:
This adds a new option named ad_update_samba_machine_account_password,
which when enabled, will pass --add-samba-data to the adcli command
for updating the machine account password in Samba's secrets.tdb
database.

This option is necessary when Samba is configured to use AD for
authentication. For Kerberos auth, Samba can use the system keytab, but
for NTLM, Samba uses its own copy of the machine account password in its
secrets.tdb database.

Comment 1 Sumit Bose 2020-01-22 07:49:27 UTC
Upstream:
 - 1cdd43140e6069a10d59af0ba80d1c4e9427a0b4

Comment 2 Sumit Bose 2020-06-10 06:23:56 UTC
Upstream ticket:
https://github.com/SSSD/sssd/issues/4905

Comment 21 Niranjan Mallapadi Raghavender 2020-07-27 05:00:32 UTC
This looks good to me.

Comment 29 errata-xmlrpc 2020-11-04 02:04:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569