Bug 475051 - ipa-pwd-extop truncates NT passwords to 14 characters
Product: freeIPA
Classification: Community
Component: ipa-server
All All
low Severity medium
: v2 release
Assigned To: Simo Sorce
Chandrasekar Kannan
Blocks: 431020
Reported: 2008-12-06 21:49 EST by Loris Santamaria
Modified: 2015-01-04 18:35 EST
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-28 05:41:42 EDT
Description Loris Santamaria 2008-12-06 21:49:18 EST
Description of problem:

Setting a password using samba with "ldap passwd sync = yes" or using kpasswd silently generates NT password hashes limited to 14 characters.

Probably this is because of an old limitation of Windows NT (and samba), a limitation which is no longer true.

I think that if for some reason the 14 character limit has still to be enforced then the pwd-extop plugin should reject longer passwords instead of truncating _only_ the windows password, because that really confuses the user.

How reproducible: Always
Comment 1 Rob Crittenden 2008-12-07 19:53:12 EST
There are comments in the plugin code that reflect this as well.
Comment 2 David O'Brien 2009-07-15 23:43:23 EDT
Rob, what's the intent here? Should we be putting a comment in the doc that samba passwords are truncated at 14 chars, or are we going to patch the plug-in to allow longer passwords? Which plug-in code are you referring to?

/dob not the python speaker
Comment 3 Rob Crittenden 2009-07-16 08:54:15 EDT
The plugin is the IPA password plugin for DS.

The comment I mentioned is:

/* we are interested only in the first 14 ASCII chars for lanman */

I know next to nothing about NT passwords but considering that Simo is a Samba developer I'm guessing he did the right thing here.
Comment 5 Simo Sorce 2010-03-17 17:46:15 EDT
The 14 characters limit is a limitation of the Lanman hash, I guess that today we can simply stop generating it and only generate the NT hash.
The limit of 14 for the NT hash is probably a bug though.
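
Added illustration, not part of any comment in this bug and not code from the ipa-pwd-extop plug-in: the NT hash is MD4 over the UTF-16LE password and has no 14-character limit of its own, so cutting the input at 14 characters makes every password that shares its first 14 characters produce the same NT hash. The function names, the `max_chars` parameter and the sample passwords are constructed for this sketch, which handles ASCII input only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

/* MD4 compression of one 64-byte block (RFC 1320). */
static void md4_block(uint32_t h[4], const uint8_t *p) {
    static const int S[3][4] = {{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}};
    static const int K[3][16] = {{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
        {0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15},
        {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}};
    uint32_t x[16], a = h[0], b = h[1], c = h[2], d = h[3];
    for (int i = 0; i < 16; i++)  /* load little-endian message words */
        x[i] = p[4*i] | p[4*i+1] << 8 | p[4*i+2] << 16 | (uint32_t)p[4*i+3] << 24;
    for (int i = 0; i < 48; i++) {  /* three rounds of 16 steps */
        int r = i / 16, j = i % 16;
        uint32_t f = r == 0 ? (b & c) | (~b & d)
                   : r == 1 ? (b & c) | (b & d) | (c & d) : b ^ c ^ d;
        uint32_t t = a + f + x[K[r][j]] + (r == 1 ? 0x5a827999u : r == 2 ? 0x6ed9eba1u : 0u);
        a = d; d = c; c = b; b = ROL(t, S[r][j % 4]);
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d;
}

/* NT hash = MD4(UTF-16LE(password)) as 32 hex chars. max_chars > 0 emulates the
 * truncation in this bug; 0 hashes it all. Inputs over 90 chars are rejected (-1). */
static int nt_hash_hex(const char *pw, size_t max_chars, char hex[33]) {
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    uint8_t buf[192] = {0};
    size_t n = strlen(pw);
    if (n > 90) return -1;                       /* reject, never silently cut */
    if (max_chars && n > max_chars) n = max_chars;
    for (size_t i = 0; i < n; i++) buf[2 * i] = (uint8_t)pw[i];  /* ASCII -> UTF-16LE */
    size_t len = 2 * n, total = ((len + 8) / 64 + 1) * 64;
    buf[len] = 0x80;                             /* MD4 padding marker */
    for (int i = 0; i < 8; i++) buf[total - 8 + i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < total; off += 64) md4_block(h, buf + off);
    for (int i = 0; i < 16; i++) sprintf(hex + 2 * i, "%02x", (h[i / 4] >> (8 * (i % 4))) & 0xffu);
    return 0;
}

int main(void) {
    const char *a = "CorrectHorse14-battery", *b = "CorrectHorse14-staple";  /* constructed */
    char fa[33], fb[33], ca[33], cb[33];
    nt_hash_hex(a, 0, fa); nt_hash_hex(b, 0, fb);    /* whole password */
    nt_hash_hex(a, 14, ca); nt_hash_hex(b, 14, cb);  /* cut at 14 characters */
    printf("full:      %s %s\ntruncated: %s %s\n", fa, fb, ca, cb);
    return 0;
}
```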
Comment 6 David O'Brien 2010-09-14 01:56:25 EDT
Can I get an update on this BZ for IPA v2.0? I'm in the middle of updating the draft TOCs for the IPA 2.0 doc and would like to get as much info as possible about how this behaviour is going to affect users, sysadmins, etc., or if there has been some patch implemented that "makes it all go away".
Comment 8 Rob Crittenden 2010-09-14 12:44:48 EDT