dsdb: Allow spaces in userPrincipalName values
authorAndrew Bartlett <abartlet@samba.org>
Wed, 11 Mar 2015 23:50:23 +0000 (12:50 +1300)
committerGünther Deschner <gd@samba.org>
Thu, 12 Mar 2015 16:13:42 +0000 (17:13 +0100)
This is needed to enable a kinit with a UPN that has a space in it

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source4/dsdb/samdb/cracknames.c

index 0d1a80050a336a7e6121922c925b3f7553d1b469..a03b03d103419ea8983d50156c67cf48158c5d98 100644 (file)
@@ -680,8 +680,18 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 
                domain_filter = NULL;
 
-               /* By getting the unparsed name here, we ensure the escaping is correct (and trust the client less) */
-               ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
+               /*
+                * By getting the unparsed name here, we ensure the
+                * escaping is removed correctly (and trust the client
+                * less).  The important thing here is that a
+                * userPrincipalName may have a space in it, and this
+                * must not be kerberos escaped to match this filter,
+                * so we specify KRB5_PRINCIPAL_UNPARSE_DISPLAY
+                */
+               ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context,
+                                             principal,
+                                             KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+                                             &unparsed_name);
                if (ret) {
                        krb5_free_principal(smb_krb5_context->krb5_context, principal);
                        return WERR_NOMEM;
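Review bot: The new comment above `krb5_unparse_name_flags()` explains why Kerberos escaping is dropped, but not what now makes `unparsed_name` safe to place in the filter it mentions; with `KRB5_PRINCIPAL_UNPARSE_DISPLAY` the string is raw, client-influenced text. The filter construction is outside this hunk, so I cannot confirm it, but the value should reach the filter only through `ldb_binary_encode_string()`. I would add to the comment: `The result is unescaped, so it must be LDAP-filter encoded before it is used in the search filter.` The display form is also ambiguous when a principal component itself contains `@` or `/`, which seems worth one more sentence in the comment and a test that pins the intended match behaviour. The enclosing branch of DsCrackNameOneName starts and ends outside the hunk.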