[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Feb 21 12:38:14 MST 2011

On Wed, Feb 16, 2011 at 05:07:40PM +0100, Angelos Oikonomopoulos wrote:
> After Andrew kindly confirmed it was not a problem with my
> configuration and hinted that the correct approach would most likely
> be to modify s3 to not use the kerberos user principal name, I tried
> the attached trivial patch to the test s3 fileserver. With this
> patch, accounts with long usernames can access the share without any
> issues.
> Now I'm not absolutely sure this will not create subtle bugs, so I'm
> posting it here for review. I'd gladly create and/or test a more
> robust patch (for instance the second hunk assumes that if we have
> the logon_info data, then the account name will be valid, which I'm
> not sure is always the case. Other code in the same function e.g.
> checks that logon_info->info3.base.domain.string is not NULL).

Hmmm. Sorry, but I missed some parts of your discussion. Are
you saying that when we get a Krb5 ticket, we can not rely
on the client principal sent there but must fall back to PAC

This sounds wrong to me, but on the other hand I'm far away
from being a Kerberos expert.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

More information about the samba-technical mailing list