Red Hat Bugzilla – Bug 475051
ipa-pwd-extop truncates NT passwords to 14 characters
Last modified: 2015-01-04 18:35:15 EST
Description of problem:
Setting a password using Samba with "ldap passwd sync = yes" or using kpasswd silently generates NT password hashes limited to 14 characters.
Probably this is because of an old limitation of Windows NT (and Samba), a limitation which is no longer true.
I think that if for some reason the 14-character limit still has to be enforced, then the pwd-extop plugin should reject longer passwords instead of truncating _only_ the Windows password, because that really confuses the user.
How reproducible: Always
There are comments in the plugin code that reflect this as well.
Rob, what's the intent here? Should we be putting a comment in the doc that samba passwords are truncated at 14 chars, or are we going to patch the plug-in to allow longer passwords? Which plug-in code are you referring to?
/dob not the python speaker
The plugin is the IPA password plugin for DS.
The comment I mentioned is:
/* we are interested only in the first 14 ASCII chars for lanman */
I know next to nothing about NT passwords but considering that Simo is a Samba developer I'm guessing he did the right thing here.
The 14-character limit is a limitation of the Lanman hash. I guess that today we can simply stop generating it and only generate the NT hash.
The limit of 14 for the NT hash is probably a bug though.
Can I get an update on this BZ for IPA v2.0? I'm in the middle of updating the draft TOCs for the IPA 2.0 doc and would like to get as much info as possible about how this behaviour is going to affect users, sysadmins, etc., or if there has been some patch implemented that "makes it all go away".