[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName

simo idra at samba.org
Mon Feb 21 12:42:26 MST 2011


On Mon, 2011-02-21 at 20:38 +0100, Volker Lendecke wrote:
> On Wed, Feb 16, 2011 at 05:07:40PM +0100, Angelos Oikonomopoulos wrote:
> > After Andrew kindly confirmed it was not a problem with my
> > configuration and hinted that the correct approach would most likely
> > be to modify s3 to not use the kerberos user principal name, I tried
> > the attached trivial patch to the test s3 fileserver. With this
> > patch, accounts with long usernames can access the share without any
> > issues.
> > 
> > Now I'm not absolutely sure this will not create subtle bugs, so I'm
> > posting it here for review. I'd gladly create and/or test a more
> > robust patch (for instance the second hunk assumes that if we have
> > the logon_info data, then the account name will be valid, which I'm
> > not sure is always the case. Other code in the same function e.g.
> > checks that logon_info->info3.base.domain.string is not NULL).
> 
> Hmmm. Sorry, but I missed some parts of your discussion. Are
> you saying that when we get a Krb5 ticket, we can not rely
> on the client principal sent there but must fall back to PAC
> data?
> 
> This sounds wrong to me, but on the other hand I'm far away
> from being a Kerberos expert.

Volker,
technically SamAccountName can be completely different from the UPN
which is what is used as a principal name. So it is safe to check if the
samaccountname in the PAC differs from the principal, and use that as
the username in case they differ.

We may also want to cache the principal -> samaccountname mapping if
that is useful elsewhere.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
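The selection rule discussed in this thread (prefer the PAC's sAMAccountName over the Kerberos principal when they differ, fall back to the principal otherwise), as an added illustration that is not Samba code: `struct pac_base` is a hypothetical stand-in for the relevant strings of `logon_info->info3.base`, and `choose_username` is an assumed helper.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for the PAC's logon_info->info3.base: only the two
 * strings this decision needs. Either may be NULL, as the thread notes. */
struct pac_base {
    const char *account_name; /* sAMAccountName carried in the PAC */
    const char *domain;       /* NetBIOS domain carried in the PAC */
};

/*
 * Choose the account name used to map the session to a local user.
 * Prefer the PAC sAMAccountName when it is present and differs from the
 * principal's local part (the UPN may be unrelated to the sAMAccountName);
 * otherwise fall back to the principal's local part, so a missing or empty
 * PAC name never yields an empty username. Returns 0 on success, -1 if
 * the result does not fit in out.
 */
int choose_username(char *out, size_t outlen, const char *principal,
                    const struct pac_base *pac)
{
    const char *at = strchr(principal, '@');
    size_t len = at ? (size_t)(at - principal) : strlen(principal);
    const char *chosen = principal;
    size_t chosen_len = len;

    if (pac != NULL && pac->account_name != NULL && pac->account_name[0] != '\0') {
        size_t alen = strlen(pac->account_name);
        /* AD account names compare case-insensitively */
        if (alen != len || strncasecmp(pac->account_name, principal, len) != 0) {
            chosen = pac->account_name;
            chosen_len = alen;
        }
    }
    if (chosen_len + 1 > outlen) {
        return -1;
    }
    memcpy(out, chosen, chosen_len);
    out[chosen_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: UPN local part differs from the PAC account name. */
    struct pac_base pac = { "longuser", "EXAMPLE" };
    char name[64];
    if (choose_username(name, sizeof name, "long.user.name@EXAMPLE.COM", &pac) == 0) {
        printf("mapped to %s\n", name);
    }
    return 0;
}
```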


