On 09/25/2014 04:56 AM, Jakub Hrozek wrote:
> On Wed, Sep 24, 2014 at 11:10:00AM -0400, Stephen Gallagher wrote:
> We were assuming that the ad_hostname value would match the
> sAMAccountName attribute, but in practice this was almost never
> the case on a properly-configured system.
>
> Microsoft's convention is that the sAMAccountName is always the
> portion of the FQDN before the first dot, so this patch makes that
> same assumption.
>
>> From c179806c27ce6d25137306ba7bb37ecfae573c3b Mon Sep 17 00:00:00 >> 2001 From: Stephen Gallagher <sgall...@redhat.com> Date: Tue, 23 >> Sep 2014 17:44:41 -0400 Subject: [PATCH] AD GPO: Fix incorrect >> sAMAccountName selection >> >> --- src/providers/ad/ad_gpo.c | 20 +++++++++++++++++++- 1 file >> changed, 19 insertions(+), 1 deletion(-) >> >> diff --git a/src/providers/ad/ad_gpo.c >> b/src/providers/ad/ad_gpo.c index >> de4d44166b85ccd85ed36bcb11f0596e0020af11..745af8b2786a5d6c71a2a3eb6c1448a61c151019 >> 100644 --- a/src/providers/ad/ad_gpo.c +++ >> b/src/providers/ad/ad_gpo.c @@ -1479,6 +1479,8 @@ >> ad_gpo_connect_done(struct tevent_req *subreq) struct tevent_req >> *req; struct ad_gpo_access_state *state; char *filter; + char >> *hostname; + char *shortname; char *sam_account_name; char >> *domain_dn; int dp_error;
@@ -1519,7 +1521,21 @@ >> ad_gpo_connect_done(struct tevent_req *subreq) } } >> >> - sam_account_name = talloc_asprintf(state, "%s$", >> state->ad_hostname); + hostname = talloc_strdup(state, >> state->ad_hostname); + if (hostname == NULL) { + ret = >> ENOMEM; + goto done; + } + shortname = >> strtok(hostname, "."); + if (shortname == NULL) { + /* >> This should never fail; if there's no dot, + * it should >> return the full string. + */ + ret = EIO; + >> goto done; + } + sam_account_name = talloc_asprintf(state, >> "%s$", hostname); + talloc_zfree(hostname); if >> (sam_account_name == NULL) { ret = ENOMEM; goto done; > >
> The fix works, but we already have code that does pretty much the
> same for principal selection -- check out get_primary() in
> sss_krb5.c. Would it be better to split out lines 38 to 53 from
> get_primary() into a separate function and use it in ad_gpo.c, too,
> to save code duplication?
>
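Review bot: in the second hunk the account name is built from `hostname`, not `shortname` (`sam_account_name = talloc_asprintf(state, "%s$", hostname);`), so it only comes out as the short name because strtok() has written a NUL over the first '.' in place; passing `shortname` there makes the intent explicit and drops the dependency on that side effect. strtok() also keeps static state between calls, so strtok_r() or a plain strchr() for the first dot would be the safer choice in a daemon. The `shortname == NULL` branch is reachable only when ad_hostname is empty or consists solely of dots, as the comment itself notes, so EIO for that case deserves either a clearer comment or a proper input check on ad_hostname earlier.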
I didn't know about get_primary(). It's actually a perfect solution for this (and accomplishes everything I set out to do here, including appending the $ to the shortname). See two new patches. The first renames get_primary() to sss_krb5_get_primary() and makes it public, the second consumes it to generate an appropriate sAMAccountName value.

I tested this with my AD setup and it works correctly.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
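As an added example (not code from the patch or from sssd's sss_krb5_get_primary(), whose signature the thread does not show), the convention Stephen describes, the label before the first dot plus a trailing '$', written as a reentrant helper with a hypothetical name; it avoids the in-place truncation the strtok() version relies on and rejects the inputs that version handles silently.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not sssd code): derive the AD
 * computer account's sAMAccountName from the host's FQDN using the
 * convention from the thread: the label before the first '.', plus '$'.
 * Unlike strtok(), it neither modifies its input nor keeps static
 * state.  Returns 0 on success, EINVAL for an empty name or an empty
 * first label, ENAMETOOLONG when the result does not fit in buf. */
int ad_machine_sam_account_name(const char *fqdn, char *buf, size_t buflen)
{
    const char *dot;
    size_t label_len;
    if (fqdn == NULL || *fqdn == '\0') {
        return EINVAL;
    }
    /* No dot means the host name is already the short name. */
    dot = strchr(fqdn, '.');
    label_len = (dot != NULL) ? (size_t)(dot - fqdn) : strlen(fqdn);

    /* A leading dot would give an empty account name; strtok() would
     * silently skip it, this helper rejects it instead. */
    if (label_len == 0) {
        return EINVAL;
    }
    /* label + '$' + terminating NUL must fit. */
    if (label_len + 2 > buflen) {
        return ENAMETOOLONG;
    }

    memcpy(buf, fqdn, label_len);
    buf[label_len] = '$';
    buf[label_len + 1] = '\0';
    return 0;
}

/* Stand-alone demo over constructed host names. */
int main(void)
{
    const char *hosts[] = { "client.example.com", "client", ".example.com" };
    char name[64];

    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        int ret = ad_machine_sam_account_name(hosts[i], name, sizeof(name));
        printf("%-20s -> %s\n", hosts[i], ret == 0 ? name : strerror(ret));
    }
    return 0;
}
```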