s4-dsdb Allow a servicePrincipalName of machine$

This is pointless, but MacOS X (version 10.6.8 was tested) apparently
sets machine$ into this field.

Andrew Bartlett

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index b6eb56376ced0358f405e060ba25123c1680dc02..98bf43d21ea90c29fffc42e464b34cdbee1e9456 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -457,6 +457,12 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
        bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
                (userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
 
+       if (strcasecmp_m(spn_value, samAccountName) == 0) {
+               /* MacOS X sets this value, and setting an SPN of your
+                * own samAccountName is both pointless and safe */
+               return LDB_SUCCESS;
+       }
+
        kerr = smb_krb5_init_context_basic(mem_ctx,
                                           lp_ctx,
                                           &krb_ctx);