authorLukas Slebodnik <lslebodn@redhat.com>2017-03-14 10:34:00 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2017-04-12 23:15:06 +0200
commitc6f1bc32774a7cf2f8678499dfbced420be3a3a1 (patch)
treeb5eb93554612755fa57bdf26381b588ac91bf271
parent35186217d44d0138a1aedf7a4db72249b2c40e66 (diff)
UTIL: Use max 15 characters for AD host UPN
We do not want to use host principal with AD "host/name.domain.tld@DOMAIN.TLD" because it does not work. We need to use correct user principal for AD hosts. And we cannot rely on the fallback "*$" because of other principals in the keytab. The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits NetBIOS names to 15 characters and uses the 16th character as a NetBIOS suffix. https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name Resolves: https://pagure.io/SSSD/sssd/issue/3329 Reviewed-by: Michal Židek <mzidek@redhat.com>
-rw-r--r--src/util/sss_krb5.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index d461cf881..a3f066e8a 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -51,7 +51,13 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx,
*c = toupper(*c);
}
- primary = talloc_asprintf(mem_ctx, "%s$", shortname);
+ /* The samAccountName is recommended to be less than 20 characters.
+ * This is only for users and groups. For machine accounts,
+ * the real limit is caused by NetBIOS protocol.
+ * NetBIOS names are limited to 16 (15 + $)
+ * https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
+ */
+ primary = talloc_asprintf(mem_ctx, "%.15s$", shortname);
talloc_free(shortname);
return primary;
}
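Review bot: The comment above the new `talloc_asprintf` call says NetBIOS names are limited to "16 (15 + $)", which conflates two things: the 16th NetBIOS byte is the service suffix, while `$` is the machine-account suffix of the sAMAccountName. Suggested wording: `/* AD machine sAMAccountName = NetBIOS name (at most 15 bytes) + '$'; longer short names are truncated. */`. Because `%.15s` truncates silently and counts bytes rather than characters, two hosts whose short names share the first 15 bytes produce the same primary, so a debug message when truncation happens would help when diagnosing a keytab mismatch. Whether that collision matters depends on how callers match the result against the keytab, which is not visible here. sss_krb5_get_primary begins outside this hunk.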