From b2dcfa00dcb7b315a739d35ff6722a25b0ab5556 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Tue, 14 Mar 2017 10:34:00 +0100 Subject: [PATCH 102/102] UTIL: Use max 15 characters for AD host UPN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We do not want to use host principal with AD "host/name.domain.tld@DOMAIN.TLD" because it does not work. We need to use correct user principal for AD hosts. And we cannot rely all fallback "*$" because of other principals in keytab. The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits NetBIOS names to 15 characters and uses the 16th character as a NetBIOS suffix. https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name Resolves: https://pagure.io/SSSD/sssd/issue/3329 Reviewed-by: Michal Židek (cherry picked from commit c6f1bc32774a7cf2f8678499dfbced420be3a3a1) --- src/util/sss_krb5.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index d461cf881566af37f31524c16f6a5f1511a5dc89..a3f066e8add5b7d7575c1e0f537c5729e4a0dad0 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -51,7 +51,13 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx, *c = toupper(*c); } - primary = talloc_asprintf(mem_ctx, "%s$", shortname); + /* The samAccountName is recommended to be less than 20 characters. + * This is only for users and groups. For machine accounts, + * the real limit is caused by NetBIOS protocol. + * NetBIOS names are limited to 16 (15 + $) + * https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name + */ + primary = talloc_asprintf(mem_ctx, "%.15s$", shortname); talloc_free(shortname); return primary; } -- 2.9.3