From 635bd213d11085e128abccb1c7d8cbac49b6705e Mon Sep 17 00:00:00 2001
From: Bill MacAllister
Date: Wed, 1 Jun 2016 17:53:22 +0000
Subject: Create unique account id for host keytabs

It turns out that the length limitations apply to all keytabs, not just service keytabs. This change creates unique ids for hostnames that exceed the AD length limit.
---
 perl/lib/Wallet/Kadmin/AD.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm
index 791c6f2..9749a2a 100644
--- a/perl/lib/Wallet/Kadmin/AD.pm
+++ b/perl/lib/Wallet/Kadmin/AD.pm
@@ -260,7 +260,7 @@ sub msktutil {
 # The unique identifier that Active Directory used to store keytabs
 # has a maximum length of 20 characters. This routine takes a
 # principal name an generates a unique ID based on the principal name.
-sub get_service_id {
+sub get_account_id {
 my ($self, $this_princ) = @_;
 my $this_id;
@@ -272,7 +272,7 @@ sub get_service_id {
 $this_id =~ s/.*?=//xms;
 } else {
 my ($this_type, $this_cn) = split '/', $this_princ, 2;
- if ($Wallet::Config::AD_SERVICE_PREFIX) {
+ if ($Wallet::Config::AD_SERVICE_PREFIX && $this_type = 'service') {
 $this_cn = $Wallet::Config::AD_SERVICE_PREFIX . $this_cn;
 }
 my $loop_limit = $Wallet::Config::AD_SERVICE_LIMIT;
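Review bot: The new condition in get_account_id uses `=` where a string comparison is needed: `$this_type = 'service'` is an assignment, and because `&&` binds tighter than `=` Perl will most likely reject the expression at compile time, which would make the whole AD backend unloadable. Even with parentheses it would overwrite `$this_type` and always be true, so host principals would receive AD_SERVICE_PREFIX as well. The line should read `if ($Wallet::Config::AD_SERVICE_PREFIX && $this_type eq 'service') {`. The sub's body continues outside the hunk, so any later use of `$this_type` should be checked against the corrected condition.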
@@ -319,19 +319,19 @@ sub ad_create_update {
 if ($principal =~ m,^(.*?)/(\S+),xms) {
 $this_type = $1;
 $this_id = $2;
+ my $account_id = $self->get_account_id($principal);
 if ($this_type eq 'host') {
 my $host = $this_id;
 $host =~ s/[.].*//xms;
 push @cmd, '--base', $Wallet::Config::AD_COMPUTER_RDN;
 push @cmd, '--dont-expire-password';
- push @cmd, '--computer-name', $host;
+ push @cmd, '--computer-name', $account_id;
 push @cmd, '--hostname', $this_id;
 } else {
- my $service_id = $self->get_service_id($principal);
 push @cmd, '--base', $Wallet::Config::AD_USER_RDN;
 push @cmd, '--use-service-account';
 push @cmd, '--service', $principal;
- push @cmd, '--account-name', $service_id;
+ push @cmd, '--account-name', $account_id;
 push @cmd, '--no-pac';
 }
 my $out = $self->msktutil(\@cmd);
--
cgit v1.2.3
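Review bot: `my $host = $this_id;` and `$host =~ s/[.].*//xms;` in the host branch are left unused in the visible lines once `--computer-name` takes `$account_id`; drop both unless code after the hunk still reads `$host`. The computer name also stops being the short hostname and becomes whatever get_account_id returns, and that sub is only partly visible here. It is worth confirming that a host under the length limit still maps to the account name its existing keytab was created with, since a changed name could make a rekey create a second computer object rather than update the old one. A comment at the call such as `# AD account name; shortened to a unique id when the principal exceeds the AD length limit` would record why hosts now go through the same routine. ad_create_update starts and ends outside the hunk.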