From 087965dc255e08482f034d72b652f1529068f6df Mon Sep 17 00:00:00 2001
From: Thomas Schneider <thomas@fsmpi.rwth-aachen.de>
Date: Thu, 6 May 2021 13:46:24 +0200
Subject: [PATCH] ad-auth: Allow overriding DC and syncing w/ Samba in
 renew_krb5

---
 ad-auth/defaults/main.yml       |  4 ++++
 ad-auth/templates/renew_krb5.j2 | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ad-auth/defaults/main.yml b/ad-auth/defaults/main.yml
index c866183..d404727 100644
--- a/ad-auth/defaults/main.yml
+++ b/ad-auth/defaults/main.yml
@@ -3,3 +3,7 @@
 ad_admin_group: admin
 ad_admin_password: samba-admin
 ad_admin_password_content: "{{ lookup('passwordstore', ad_admin_password) }}"
+# Set this to force a specific DC for the renew_krb5 cron job
+# ad_auth_renew_force_dc: dc.example.org
+# Sync client credentials with Samba (i.e., winbindd)
+ad_auth_sync_samba: false
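Review bot: The comment on `ad_auth_renew_force_dc` should state the operational consequence of pinning a DC: the template passes it straight to `adcli -S`, so the usual DC discovery and failover no longer apply and the renewal cron job fails for as long as that one host is unreachable, e.g. `# Set this to force a specific DC for the renew_krb5 cron job; no fallback if that host is down`. The `ad_auth_sync_samba` comment is also thinner than the effect warrants: as far as I recall, `--add-samba-data` writes the machine-account password and domain SID into Samba's own secrets database, which is a credential copy operators should know about before enabling it — worth confirming against the adcli man page and saying so, e.g. `# Also write the machine account password/SID into Samba's secrets db (needs winbindd); off unless you run Samba here`. Both values are otherwise fine as plain YAML (`false` is a real boolean, the example hostname is commented out).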
diff --git a/ad-auth/templates/renew_krb5.j2 b/ad-auth/templates/renew_krb5.j2
index 903f8b0..c1cd985 100644
--- a/ad-auth/templates/renew_krb5.j2
+++ b/ad-auth/templates/renew_krb5.j2
@@ -1,3 +1,9 @@
 #!/bin/bash
-/usr/sbin/adcli update -D {{ domain }}
-
+/usr/sbin/adcli update \
+{% if ad_auth_renew_force_dc is defined %}
+	-S {{ ad_auth_renew_force_dc }} \
+{% endif %}
+{% if ad_auth_sync_samba %}
+	--add-samba-data \
+{% endif %}
+	-D {{ domain }}
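Review bot: The new `-S {{ ad_auth_renew_force_dc }}` line splices an inventory value into a shell command line unquoted, and the `is defined` test lets an empty or null value through, which would render as `-S ` or `-S None` and make adcli fail at the next cron run; the same unquoted expansion applies to `-D {{ domain }}`. Quote the expansions and test for a non-empty value: change the guard to `{% if ad_auth_renew_force_dc | default('', true) %}`, the option line to `	-S "{{ ad_auth_renew_force_dc }}" \`, and the last line to `	-D "{{ domain }}"`. Note also that the backslash continuations only survive because Ansible renders with `trim_blocks` on — if this template is ever rendered elsewhere, the `{% if %}` lines leave blank lines behind a trailing `\` and the command breaks mid-way; a one-line comment in the script header mentioning that dependency would save the next maintainer some debugging.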
-- 
GitLab