[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Feb 21 12:38:14 MST 2011


On Wed, Feb 16, 2011 at 05:07:40PM +0100, Angelos Oikonomopoulos wrote:
> After Andrew kindly confirmed it was not a problem with my
> configuration and hinted that the correct approach would most likely
> be to modify s3 to not use the Kerberos user principal name, I tried
> the attached trivial patch to the test s3 fileserver. With this
> patch, accounts with long usernames can access the share without any
> issues.
> 
> Now I'm not absolutely sure this will not create subtle bugs, so I'm
> posting it here for review. I'd gladly create and/or test a more
> robust patch (for instance the second hunk assumes that if we have
> the logon_info data, then the account name will be valid, which I'm
> not sure is always the case. Other code in the same function e.g.
> checks that logon_info->info3.base.domain.string is not NULL).

Hmmm. Sorry, but I missed some parts of your discussion. Are
you saying that when we get a Krb5 ticket, we cannot rely
on the client principal sent there but must fall back to PAC
data?

This sounds wrong to me, but on the other hand I'm far away
from being a Kerberos expert.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

