From 3cd871321667045635d8236d91386070e84770a4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 12 Mar 2015 12:50:23 +1300
Subject: [PATCH] dsdb: Allow spaces in userPrincipalName values
This is needed to enable a kinit with a UPN that has a space in it
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
Reviewed-by: Guenther Deschner
---
 source4/dsdb/samdb/cracknames.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 0d1a80050a3..a03b03d1034 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -680,8 +680,18 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 domain_filter = NULL;
- /* By getting the unparsed name here, we ensure the escaping is correct (and trust the client less) */
- ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
+ /*
+ * By getting the unparsed name here, we ensure the
+ * escaping is removed correctly (and trust the client
+ * less). The important thing here is that a
+ * userPrincipalName may have a space in it, and this
+ * must not be kerberos escaped to match this filter,
+ * so we specify KRB5_PRINCIPAL_UNPARSE_DISPLAY
+ */
+ ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context,
+ principal,
+ KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+ &unparsed_name);
 if (ret) {
 krb5_free_principal(smb_krb5_context->krb5_context, principal);
 return WERR_NOMEM;
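Review bot: With `KRB5_PRINCIPAL_UNPARSE_DISPLAY` the string returned in `unparsed_name` no longer carries Kerberos quoting, so the "trust the client less" claim in the new comment now depends entirely on how the search filter is built later in DsCrackNameOneName, which is outside this hunk. Filter metacharacters such as `(`, `)`, `*` and `\` in a client-supplied principal would reach that code unchanged. The comment should state that requirement, for example by adding `* The result is raw display text and must be LDAP-filter encoded before use.` If the filter construction does not already pass the value through `ldb_binary_encode_string()`, that should be confirmed before this is merged.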