From bec68d1d8c983c5531ba34d6bfd9e4aef2f8e495 Mon Sep 17 00:00:00 2001
From: Evgeny Sinelnikov
Date: Sun, 27 Jul 2025 18:15:58 +0400
Subject: [PATCH] kerberos_keytab: Fix keytab sync regression for domain controllers
The keytab sync was broken for domain controllers (both AD and IPA) by the introduction of the 'sync machine password to keytab' option. We now extend it to work on Active Directory and IPA domain controllers (ROLE_ACTIVE_DIRECTORY_DC and ROLE_IPA_DC), while maintaining the existing behavior for other roles. While here, improve debug messages and use clearer switch statement.
Signed-off-by: Evgeny Sinelnikov
---
source3/libads/kerberos_keytab.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 49a892e5a55..86218f646cf 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -1043,13 +1043,20 @@ NTSTATUS sync_pw2keytabs(void)
 int i;
 size_t num_keytabs;
- DBG_DEBUG("Syncing machine password from secrets to keytabs.\n");
-
- if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
- TALLOC_FREE(frame);
- return NT_STATUS_OK; /* nothing todo */
+ switch (lp_server_role()) {
+ case ROLE_DOMAIN_MEMBER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
+ break;
+ default:
+ DBG_DEBUG("Skip syncing machine password from secrets to " "keytabs. Nothing to do on if server role is not " "domain member or domain controller.\n");
+ goto out;
 }
+ DBG_DEBUG("Syncing machine password from secrets to keytabs.\n");
+
 state = talloc_zero(frame, struct pw2kt_global_state);
 if (state == NULL) {
 TALLOC_FREE(frame);
@@ -1149,6 +1156,7 @@ params_ready:
 }
 }
+out:
 TALLOC_FREE(frame);
 return NT_STATUS_OK;
 }
--
2.42.4
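Review bot: The new DBG_DEBUG text in the `default:` branch of the first hunk reads "Nothing to do on if server role is not ...", and the stray "on" makes the log line confusing for whoever is diagnosing why a keytab was not refreshed; change the middle string piece to `"keytabs. Nothing to do if server role is not "`. The switch is clearer than the old single-role test, but nothing in the code says why the two DC roles now join ROLE_DOMAIN_MEMBER, so a one-line comment above `switch (lp_server_role()) {` such as `/* Domain members and AD/IPA DCs keep their keytabs in sync with the machine password; every other role skips. */` would spare the next reader a trip to the commit message. The second hunk only introduces the `out:` label that the new `goto out` targets, which matches the freed-frame/NT_STATUS_OK path the removed early return used. sync_pw2keytabs begins before the first hunk and its body continues past it, so the code between the new `goto` and the label is not visible here.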