Bug 475051

Summary: ipa-pwd-extop truncates NT passwords to 14 characters
Product: [Retired] freeIPA
Component: ipa-server
Version: 1.2
Status: CLOSED ERRATA
Severity: medium
Priority: low
Hardware: All
OS: All
Reporter: Loris Santamaria <loris>
Assignee: Simo Sorce <ssorce>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, jgalipea, rcritten, ssorce
Target Milestone: v2 release
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:41:42 UTC
Bug Blocks: 431020

Description Loris Santamaria 2008-12-07 02:49:18 UTC
Description of problem:

Setting a password using samba with "ldap passwd sync = yes" or using kpasswd silently generates NT password hashes limited to 14 characters.

Probably this is because of an old limitation of Windows NT (and samba), a limitation which is no longer true.

I think that if for some reason the 14 character limit still has to be enforced then the pwd-extop plugin should reject longer passwords instead of truncating _only_ the windows password, because that really confuses the user.

How reproducible: Always

Comment 1 Rob Crittenden 2008-12-08 00:53:12 UTC
There are comments in the plugin code that reflect this as well.

Comment 2 David O'Brien 2009-07-16 03:43:23 UTC
Rob, what's the intent here? Should we be putting a comment in the doc that samba passwords are truncated at 14 chars, or are we going to patch the plug-in to allow longer passwords? Which plug-in code are you referring to?

ta
/dob not the python speaker

Comment 3 Rob Crittenden 2009-07-16 12:54:15 UTC
The plugin is the IPA password plugin for DS.

The comment I mentioned is:

/* we are interested only in the first 14 ASCII chars for lanman */

I know next to nothing about NT passwords but considering that Simo is a Samba developer I'm guessing he did the right thing here.

Comment 5 Simo Sorce 2010-03-17 21:46:15 UTC
The 14 character limit is a limitation of the Lanman hash; I guess that today we can simply stop generating it and only generate the NT hash.
The limit of 14 for the NT hash is probably a bug though.

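Added example illustrating the distinction made in comment 5 between the two hashes. This is constructed code, not code from ipa-pwd-extop, Samba or any participant in this thread. It carries its own pure-Python MD4 (RFC 1320) so it runs without OpenSSL's legacy provider; `nt_hash_truncated` is a reconstruction of the behaviour the report describes (hash only the first 14 characters), not the plugin's actual code; `lm_password_block` shows only the pre-DES step of the LanMan hash, which is where the genuine 14-byte limit lives; the sample password is made up.

```python
"""NT hash (MD4 over UTF-16LE) has no length limit; LanMan does.
Constructed example for this bug report; not ipa-pwd-extop or Samba code."""
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_round(state, X, f, order, shifts, const):
    # One 16-step round.  Rotating the (a, b, c, d) tuple lets one expression
    # update each word in turn in the order RFC 1320 lists (ABCD, DABC, ...).
    a, b, c, d = state
    for i, k in enumerate(order):
        t = (a + f(b, c, d) + X[k] + const) & MASK32
        a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids depending on hashlib's optional md4."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)                # 64-bit LE bit length
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = state
        s = _md4_round(s, X, F, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(s, X, G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                       (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(s, X, H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                       (3, 9, 11, 15), 0x6ED9EBA1)
        state = tuple((x + y) & MASK32 for x, y in zip(state, s))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the whole password.
    Every character contributes; there is no 14-character limit."""
    return md4(password.encode("utf-16-le")).hex()


def nt_hash_truncated(password: str) -> str:
    """Reconstruction of the reported behaviour (assumption, not plugin code):
    only the first 14 characters are hashed, so the stored NT hash silently
    corresponds to a shorter password than the one the user typed."""
    return nt_hash(password[:14])


def lm_password_block(password: str) -> bytes:
    """Pre-DES step of the LanMan hash: upper-case, at most 14 OEM bytes,
    NUL padded, later split into two 7-byte DES keys (DES step omitted).
    This is the only place a 14-character limit is inherent."""
    return password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")


def nt_verify(stored_hash: str, attempt: str) -> bool:
    """What an NTLM-style consumer (e.g. Samba) does with the stored hash."""
    return stored_hash == nt_hash(attempt)


if __name__ == "__main__":
    # Constructed sample password, longer than 14 characters.
    pw = "correct horse battery staple"
    stored = nt_hash_truncated(pw)
    print("full password accepted:", nt_verify(stored, pw))        # False
    print("first 14 chars accepted:", nt_verify(stored, pw[:14]))  # True
    print("LM block:", lm_password_block(pw))
```

Run stand-alone, the script shows the user-facing symptom from the report: a hash stored with the truncation rejects the full password and accepts just its first 14 characters, while the real NT hash of the full password differs from both. The LM block demonstrates that the 14-byte cap is structural only for the LanMan hash.
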
Comment 6 David O'Brien 2010-09-14 05:56:25 UTC
Can I get an update on this BZ for IPA v2.0? I'm in the middle of updating the draft TOCs for the IPA 2.0 doc and would like to get as much info as possible about how this behaviour is going to affect users, sysadmins, etc., or if there has been some patch implemented that "makes it all go away".

Comment 8 Rob Crittenden 2010-09-14 16:44:48 UTC
https://fedorahosted.org/freeipa/ticket/223