AD: add task to renew the machine account password if needed

AD expects its clients to renew the machine account password on a
regular basis, be default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.

With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as external program which is able to renew the password since
version 0.8.0.

Resolves https://fedorahosted.org/sssd/ticket/1041

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1 files changed, 2 insertions, 0 deletions

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index fe2971d99..647d08125 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -200,6 +200,8 @@ option_strings = {
     'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
     'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
     'ad_site' : _('a particular site to be used by the client'),
+    'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
+    'ad_machine_account_password_renewal_opts' : _('Option for tuing the machine account renewal task'),
 
     # [provider/krb5]
     'krb5_kdcip' : _('Kerberos server address'),