=== VERIFICATION ===

- Using the packages in xenial-proposed:

ubuntu@sssd-xenial:~$ dpkg -l | grep sssd
ii  sssd              1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- metapackage
ii  sssd-ad           1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common    1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- PAC responder
ii  sssd-common       1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- common files
ii  sssd-ipa          1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- IPA back end
ii  sssd-krb5         1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common  1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap         1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- LDAP back end
ii  sssd-proxy        1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- proxy back end

ubuntu@sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

- With the same configuration as in the description (ad_machine_account_password_renewal_opts = 5:5), start SSSD.

- Monitor the fds and confirm there's no leak:

root@sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28

- AD machine password renewal still works:

(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: UBUNTU.LOCAL
 * Found service principal in keytab: host/sssd-xenial.ubuntu.local
 * Found host qualified name in keytab: host/sssd-xenial.ubuntu.local
 * Found service principal in keytab: host/sssd-xenial
 * Found computer name in keytab: SSSD-XENIAL
 * Using fully qualified name: sssd-xenial
 * Using domain name: ubuntu.local
 * Calculated computer account name from fqdn: SSSD-XENIAL
 * Using domain realm: ubuntu.local
 * Sending netlogon pings to domain controller: cldap://10.5.0.12
 * Received NetLogon info from: DC.ubuntu.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-nQYPKJ/krb5.d/adcli-krb5-conf-go6Txj
 * Authenticated as default/reset computer account: SSSD-XENIAL
 * Looked up short domain name: UBUNTU
 * Using fully qualified name: sssd-xenial
 * Using domain name: ubuntu.local
 * Using computer account name: SSSD-XENIAL
 * Using domain realm: ubuntu.local
 * Using fully qualified name: sssd-xenial.ubuntu.local
 * Enrolling computer name: SSSD-XENIAL
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for SSSD-XENIAL$ at: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
 * Retrieved kvno '2' for computer account in directory: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
 * Password not too old, no change needed
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local: Insufficient access
 * Updated existing computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
---adcli output end---
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503784]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5532].
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5532] finished successfully.
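
A scripted form of the fd-count check in the comment above, added here as an example and not part of the original comment or of SSSD. It counts the entries of /proc/<pid>/fd directly, classifies the sampled series, and aborts if the daemon restarts mid-run; the function names fd_count, fd_trend and watch_fds are hypothetical.

```shell
#!/bin/sh
# Added example: fd-leak check for a long-running daemon such as sssd_be.
# Function names are hypothetical, not part of SSSD or any packaged tool.

# Number of open descriptors of PID (entries in /proc/<pid>/fd).
fd_count() {
    ls -1 "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Classify fd-count samples given as arguments, oldest first.
# Prints stable | growing | fluctuating; returns 1 only for "growing".
fd_trend() {
    if [ "$#" -lt 2 ]; then
        echo "fd_trend: need at least two samples" >&2
        return 2
    fi
    prev=$1; rose=0; fell=0
    shift
    for n in "$@"; do
        if [ "$n" -gt "$prev" ]; then rose=1; fi
        if [ "$n" -lt "$prev" ]; then fell=1; fi
        prev=$n
    done
    if [ "$rose" -eq 1 ] && [ "$fell" -eq 0 ]; then
        echo growing; return 1
    elif [ "$rose" -eq 0 ] && [ "$fell" -eq 0 ]; then
        echo stable
    else
        echo fluctuating
    fi
}

# Sample process NAME every INTERVAL seconds, COUNT times, then classify.
# A restart changes the PID and resets the count, so it aborts the run.
watch_fds() {
    name=$1; interval=${2:-60}; count=${3:-6}
    pid0=$(pidof -s "$name") || { echo "$name is not running" >&2; return 2; }
    samples=""; i=0
    while [ "$i" -lt "$count" ]; do
        pid=$(pidof -s "$name") || pid=""
        if [ "$pid" != "$pid0" ]; then
            echo "$name restarted (pid $pid0 -> ${pid:-none})" >&2
            return 2
        fi
        samples="$samples $(fd_count "$pid")"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
    echo "samples:$samples"
    fd_trend $samples
}
```

Run as root after sourcing the file, for example `watch_fds sssd_be 60 6`; with a 5-second renewal interval a leak shows up as "growing" within a few samples.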