sssd/backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch

From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001
From: santeri3700 <santeri.pikarinen@gmail.com>
Date: Tue, 15 Oct 2024 20:13:20 +0300
Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal

The value of ad_use_ldaps was not passed as `--use-ldaps`
argument to the adcli update command which handles
the automatic renewal of AD machine account password.

Resolves: https://github.com/SSSD/sssd/issues/7642

Signed-off-by: santeri3700 <santeri.pikarinen@gmail.com>

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
index 56b64a2a9..2e54e9bff 100644
--- a/src/providers/ad/ad_machine_pw_renewal.c
+++ b/src/providers/ad/ad_machine_pw_renewal.c
@@ -39,6 +39,7 @@ struct renewal_data {
 static errno_t get_adcli_extra_args(const char *ad_domain,
                                     const char *ad_hostname,
                                     const char *ad_keytab,
+				    bool ad_use_ldaps,
                                     size_t pw_lifetime_in_days,
                                     bool add_samba_data,
                                     size_t period,
@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
         return ENOMEM;
     }
 
-    args = talloc_array(renewal_data, const char *, 9);
+    args = talloc_array(renewal_data, const char *, 10);
     if (args == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
         return ENOMEM;
@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
         args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
     }
     args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain);
+    if (ad_use_ldaps) {
+        args[c++] = talloc_strdup(args, "--use-ldaps");
+    }
     if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
         args[c++] = talloc_strdup(args, "--verbose");
     }
@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
                    dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
                    dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
                                       SDAP_KRB5_KEYTAB),
+		   dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS),
                    lifetime,
                    dp_opt_get_bool(ad_opts->basic,
                                    AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
-- 
2.33.0
backport patches from upstream community 2024-12-03 11:04:12 +08:00			`From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001`
			`From: santeri3700 <santeri.pikarinen@gmail.com>`
			`Date: Tue, 15 Oct 2024 20:13:20 +0300`
			`Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal`

			The value of ad_use_ldaps was not passed as `--use-ldaps`
			`argument to the adcli update command which handles`
			`the automatic renewal of AD machine account password.`

			`Resolves: https://github.com/SSSD/sssd/issues/7642`

			`Signed-off-by: santeri3700 <santeri.pikarinen@gmail.com>`

			`Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>`
			`Reviewed-by: Sumit Bose <sbose@redhat.com>`
			`---`
			`src/providers/ad/ad_machine_pw_renewal.c \| 7 ++++++-`
			`1 file changed, 6 insertions(+), 1 deletion(-)`

			`diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c`
			`index 56b64a2a9..2e54e9bff 100644`
			`--- a/src/providers/ad/ad_machine_pw_renewal.c`
			`+++ b/src/providers/ad/ad_machine_pw_renewal.c`
			`@@ -39,6 +39,7 @@ struct renewal_data {`
			`static errno_t get_adcli_extra_args(const char *ad_domain,`
			`const char *ad_hostname,`
			`const char *ad_keytab,`
			`+ bool ad_use_ldaps,`
			`size_t pw_lifetime_in_days,`
			`bool add_samba_data,`
			`size_t period,`
			`@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,`
			`return ENOMEM;`
			`}`

			`- args = talloc_array(renewal_data, const char *, 9);`
			`+ args = talloc_array(renewal_data, const char *, 10);`
			`if (args == NULL) {`
			`DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");`
			`return ENOMEM;`
			`@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,`
			`args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);`
			`}`
			`args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain);`
			`+ if (ad_use_ldaps) {`
			`+ args[c++] = talloc_strdup(args, "--use-ldaps");`
			`+ }`
			`if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {`
			`args[c++] = talloc_strdup(args, "--verbose");`
			`}`
			`@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,`
			`dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),`
			`dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,`
			`SDAP_KRB5_KEYTAB),`
			`+ dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS),`
			`lifetime,`
			`dp_opt_get_bool(ad_opts->basic,`
			`AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),`
			`--`
			`2.33.0`