Rename dp_ptask to be_ptask Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Do not leak fds in case of failures setting up a child process Resolves: https://fedorahosted.org/sssd/ticket/3006 The handling of open pipes in failure cases was suboptimal. Moreover, the faulty logic was copied all over the place. This patch introduces helper macros to: - initialize the pipe endpoints to -1 - close an open pipe fd and set it to -1 afterwards - close both ends unless already closed These macros are used in the child handling code. The patch also uses child_io_destructor in the p11_child code for safer fd handling. Reviewed-by: Petr Cech <pcech@redhat.com>

AD: Do not leak file descriptors during machine password renewal Resolves: https://fedorahosted.org/sssd/ticket/3017 The AD renewal task was opening a pipe to write to the child process but never closed it, leaking the fd. This patch uses a desctructor we already use for pipes towards other child processes. Reviewed-by: Petr Cech <pcech@redhat.com>

AD: Do not schedule the machine renewal task if adcli is not executable Before scheduling the adcli renewal task, check if the renewal program (typically adcli) is accessible. If not, do dot schedule the renewal task at all. Resolves: https://fedorahosted.org/sssd/ticket/3016 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

UTIL: exit() the forked process if exec()-ing a child process fails When exec() fails, we should not attempt to continue, but just kill the forked process. The patch adds this logic to the exec_child() and exec_child_ex() functions to avoid code duplication Resolves: https://fedorahosted.org/sssd/ticket/3016 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: try to use current server in the renewal task Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: add task to renew the machine account password if needed AD expects its clients to renew the machine account password on a regular basis, be default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>