authorBill MacAllister <whm@dropbox.com>2016-06-01 17:53:22 +0000
committerRuss Allbery <eagle@eyrie.org>2018-05-27 17:33:31 -0700
commit635bd213d11085e128abccb1c7d8cbac49b6705e (patch)
tree9a9d1e221da8f8ef098ac6e7570fad6b349fe05c /perl/lib/Wallet/Kadmin/AD.pm
parent0d931418e7a73118263f86b7894d28204d4abcc7 (diff)
Create unique account id for host keytabs
It turns out that the length limitations apply to all keytabs, not just service keytabs. This change creates unique ids for hostnames that exceed the AD length limit.
Diffstat (limited to 'perl/lib/Wallet/Kadmin/AD.pm')
-rw-r--r--perl/lib/Wallet/Kadmin/AD.pm10
1 files changed, 5 insertions, 5 deletions
diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm
index 791c6f2..9749a2a 100644
--- a/perl/lib/Wallet/Kadmin/AD.pm
+++ b/perl/lib/Wallet/Kadmin/AD.pm
@@ -260,7 +260,7 @@ sub msktutil {
# The unique identifier that Active Directory used to store keytabs
# has a maximum length of 20 characters. This routine takes a
# principal name an generates a unique ID based on the principal name.
-sub get_service_id {
+sub get_account_id {
my ($self, $this_princ) = @_;
my $this_id;
@@ -272,7 +272,7 @@ sub get_service_id {
$this_id =~ s/.*?=//xms;
} else {
my ($this_type, $this_cn) = split '/', $this_princ, 2;
- if ($Wallet::Config::AD_SERVICE_PREFIX) {
+ if ($Wallet::Config::AD_SERVICE_PREFIX && $this_type = 'service') {
$this_cn = $Wallet::Config::AD_SERVICE_PREFIX . $this_cn;
}
my $loop_limit = $Wallet::Config::AD_SERVICE_LIMIT;
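Review bot: The new condition `if ($Wallet::Config::AD_SERVICE_PREFIX && $this_type = 'service')` uses assignment where a string comparison is meant; `$this_type = 'service'` always evaluates to the true value 'service', so whenever a prefix is configured it is prepended for every principal type, including the host principals this commit now routes through get_account_id, and `$this_type` is clobbered for the rest of the routine. The line should read `if ($Wallet::Config::AD_SERVICE_PREFIX && $this_type eq 'service') {`. Under `use warnings` a constant assignment inside a conditional should also produce a "Found = in conditional" diagnostic, which is worth checking for in the test run. The body of get_account_id continues outside the hunk.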
@@ -319,19 +319,19 @@ sub ad_create_update {
if ($principal =~ m,^(.*?)/(\S+),xms) {
$this_type = $1;
$this_id = $2;
+ my $account_id = $self->get_account_id($principal);
if ($this_type eq 'host') {
my $host = $this_id;
$host =~ s/[.].*//xms;
push @cmd, '--base', $Wallet::Config::AD_COMPUTER_RDN;
push @cmd, '--dont-expire-password';
- push @cmd, '--computer-name', $host;
+ push @cmd, '--computer-name', $account_id;
push @cmd, '--hostname', $this_id;
} else {
- my $service_id = $self->get_service_id($principal);
push @cmd, '--base', $Wallet::Config::AD_USER_RDN;
push @cmd, '--use-service-account';
push @cmd, '--service', $principal;
- push @cmd, '--account-name', $service_id;
+ push @cmd, '--account-name', $account_id;
push @cmd, '--no-pac';
}
my $out = $self->msktutil(\@cmd);
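Review bot: In the host branch, `my $host = $this_id;` and `$host =~ s/[.].*//xms;` are now dead code on the new side, since `--computer-name` takes `$account_id` and `$host` is never read afterwards; either drop both lines or, if the short hostname was meant to feed the account id, pass it to get_account_id instead of the full principal. Moving `my $account_id = $self->get_account_id($principal);` ahead of the type branch is fine, but it means the computer name for hosts is now entirely determined by get_account_id, so that routine's handling of the host type is what the test for this change should pin. The enclosing ad_create_update starts and ends outside the hunk.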