[PATCH 06/10] s4-backupkey: Comply with [MS-BKRP] 2.2.1

Arvid Requate requate at univention.de
Mon Jul 7 11:14:59 MDT 2014

[MS-BKRP] 2.2.1 specifies "The Common Name field of the Subject name
field SHOULD contain the name of the DNS domain assigned to the server."

In fact Windows 7 clients don't seem to care. Also in certificates
generated by native AD the domain name (after CN=) is encoded as
UTF-16LE. Since hx509_parse_name only supports UTF-8 strings currently
we just leave the encoding as it is for now. Windows 7 clients don't seem to 
care anyway.

Signed-off-by: Arvid Requate <requate at univention.de>
 source4/rpc_server/backupkey/dcesrv_backupkey.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c 
index 046efb9..737d609 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1185,8 +1185,7 @@ static WERROR bkrp_do_retreive_client_wrap_key(struct 
dcesrv_call_state *dce_cal
                if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) 
                        /* Ok we can be in this case if there was no certs */
                        struct loadparm_context *lp_ctx = dce_call->conn-
-                       char *dn = talloc_asprintf(mem_ctx, "CN=%s.%s",
+                       char *dn = talloc_asprintf(mem_ctx, "CN=%s",
                        WERROR werr =  generate_bkrp_cert(mem_ctx, dce_call, 
ldb_ctx, dn);
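Review bot: In the lines shown, the `dn` returned by talloc_asprintf is passed straight to generate_bkrp_cert(mem_ctx, dce_call, ldb_ctx, dn) with no NULL check, so an allocation failure would hand a NULL subject name to the certificate generator. Add a check right after the assignment and return an out-of-memory WERROR; W_ERROR_HAVE_NO_MEMORY(dn) would fit, assuming nothing needs cleanup at that point. The format string now takes a single %s, but the argument line is not visible in this hunk, so please confirm that the one remaining argument is the DNS domain name and not the host name, as the commit message intends. A short comment at this line citing [MS-BKRP] 2.2.1 and noting that the CN is written as UTF-8 while native AD encodes it as UTF-16LE would keep that known deviation visible in the code and not only in the commit log.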
