AD: add task to renew the machine account password if needed

AD expects its clients to renew the machine account password on a
regular basis, be default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.

With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as external program which is able to renew the password since
version 0.8.0.

Resolves https://fedorahosted.org/sssd/ticket/1041

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2 files changed, 2 insertions, 0 deletions

diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index e7f30ab3c..59ae63ab8 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -83,6 +83,7 @@ struct err_string error_to_str[] = {
     { "Message sender is the bus" }, /* ERR_SBUS_SENDER_BUS */
     { "Subdomain is inactive" }, /* ERR_SUBDOM_INACTIVE */
     { "Account is locked" }, /* ERR_ACCOUNT_LOCKED */
+    { "AD renewal child failed" }, /* ERR_RENEWAL_CHILD */
     { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index a1c822c4b..05791f2f0 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -105,6 +105,7 @@ enum sssd_errors {
     ERR_SBUS_SENDER_BUS,
     ERR_SUBDOM_INACTIVE,
     ERR_ACCOUNT_LOCKED,
+    ERR_RENEWAL_CHILD,
     ERR_LAST            /* ALWAYS LAST */
 };