From b2dcfa00dcb7b315a739d35ff6722a25b0ab5556 Mon Sep 17 00:00:00 2001

From: Lukas Slebodnik <lslebodn@redhat.com>

Date: Tue, 14 Mar 2017 10:34:00 +0100

Subject: [PATCH 102/102] UTIL: Use max 15 characters for AD host UPN

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

We do not want to use host principal with AD

"host/name.domain.tld@DOMAIN.TLD" because it does not work.

We need to use correct user principal for AD hosts. And we cannot

rely all fallback "*$" because of other principals in keytab.

The NetBIOS naming convention allows for 16 characters in a NetBIOS

name. Microsoft, however, limits NetBIOS names to 15 characters and

uses the 16th character as a NetBIOS suffix.

https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name

Resolves:

https://pagure.io/SSSD/sssd/issue/3329

Reviewed-by: Michal Židek <mzidek@redhat.com>

(cherry picked from commit c6f1bc32774a7cf2f8678499dfbced420be3a3a1)

---

 src/util/sss_krb5.c | 8 +++++++-

 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c

index d461cf881566af37f31524c16f6a5f1511a5dc89..a3f066e8add5b7d7575c1e0f537c5729e4a0dad0 100644

--- a/src/util/sss_krb5.c

+++ b/src/util/sss_krb5.c

@@ -51,7 +51,13 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx,

             *c = toupper(*c);

         }

-        primary = talloc_asprintf(mem_ctx, "%s$", shortname);

+        /* The samAccountName is recommended to be less than 20 characters.

+         * This is only for users and groups. For machine accounts,

+         * the real limit is caused by NetBIOS protocol.

+         * NetBIOS names are limited to 16 (15 + $)

+         * https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name

+         */

+        primary = talloc_asprintf(mem_ctx, "%.15s$", shortname);

         talloc_free(shortname);

         return primary;

     }

-- 

2.9.3