| field | value | date |
|---|---|---|
| author | Sumit Bose <sbose@redhat.com> | 2015-09-01 13:30:19 +0200 |
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-09-14 15:52:40 +0200 |
| commit | 560b624b34895df55bf489a1d53380c6c8c82e03 | |
| tree | 641d55723ae81424713d2075706fda8fc3e10d4a (/src/providers/ad) | |
| parent | 447d32b6f572e8ba3100668cb8677c19c0085be6 | |
| download | sssd-560b624b34895df55bf489a1d53380c6c8c82e03.tar.gz, sssd-560b624b34895df55bf489a1d53380c6c8c82e03.tar.xz, sssd-560b624b34895df55bf489a1d53380c6c8c82e03.zip | |
GPO: use SDAP_SASL_AUTHID as samAccountName
The samAccountName for AD hosts is the host's NetBIOS name with a
trailing $. Since there is a size limit on NetBIOS names, long DNS names
must be truncated to find a matching entry in the AD LDAP tree.
The NetBIOS name is already needed during kinit/SASL bind where the
SDAP_SASL_AUTHID config option is used. Since the GPO lookup code is
only reached after the SASL bind was successful we can safely assume
that the name is correct and use it for the GPO lookup.
Resolves https://fedorahosted.org/sssd/ticket/2692
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ad')
src/providers/ad/ad_gpo.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 12632e56e..f1e928b71 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -1651,7 +1651,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) struct tevent_req *req; struct ad_gpo_access_state *state; char *filter; - char *sam_account_name; + const char *sam_account_name; char *domain_dn; int dp_error; errno_t ret; @@ -1721,7 +1721,9 @@ ad_gpo_connect_done(struct tevent_req *subreq) DEBUG(SSSDBG_TRACE_ALL, "server_hostname from uri: %s\n", state->server_hostname); - sam_account_name = sss_krb5_get_primary(state, "%S$", state->ad_hostname); + /* SDAP_SASL_AUTHID contains the name used for kinit and SASL bind which + * in the AD case is the NetBIOS name. */ + sam_account_name = dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID); if (sam_account_name == NULL) { ret = ENOMEM; goto done; @@ -1744,7 +1746,6 @@ ad_gpo_connect_done(struct tevent_req *subreq) state->opts->user_map[SDAP_OC_USER].name, state->opts->user_map[SDAP_AT_USER_NAME].name, sam_account_name); - talloc_zfree(sam_account_name); if (filter == NULL) { ret = ENOMEM; goto done; |
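Review bot: in the second hunk the retained `if (sam_account_name == NULL) { ret = ENOMEM; ... }` now reports the wrong error. `dp_opt_get_string()` does not allocate, so a NULL result means SDAP_SASL_AUTHID is unset, not that memory ran out; use EINVAL (or EIO) and add a DEBUG line such as `DEBUG(SSSDBG_OP_FAILURE, "SDAP_SASL_AUTHID is not set\n");` so the failure is diagnosable in the logs. The same hunk also drops the `"%S$"` format that used to append the trailing `$`, so the GPO filter now depends on the stored SASL authid already ending in `$`; that is the case when the AD provider derives it from the hostname, but the option behind SDAP_SASL_AUTHID (ldap_sasl_authid) can be overridden in sssd.conf, and a value that is not `NETBIOSNAME$` will make the samAccountName filter match nothing. Logging the value actually used for the lookup would make that misconfiguration visible.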
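Review bot: the removal of `talloc_zfree(sam_account_name);` in the third hunk is required rather than cosmetic, and the commit message should say so: after the second hunk the pointer is borrowed from `state->opts->basic` instead of being allocated by `sss_krb5_get_primary()`, so freeing it would corrupt the option table for every later lookup. With the free gone, the `filter == NULL` path that follows correctly returns ENOMEM without leaking anything, and the `const` qualifier added in the first hunk prevents the borrowed string from being modified by accident.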