git.ipfire.org Git - thirdparty/samba.git/commitdiff
s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account
author Joseph Sutton <josephsutton@catalyst.net.nz>
Tue, 23 Feb 2021 12:13:41 +0000 (01:13 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Wed, 7 Apr 2021 09:18:30 +0000 (09:18 +0000)
Since the length of the krbtgt password after conversion to UTF-8 form is
typically greater than the maximum accepted by crypt(), the call usually
fails. This commit disables generation of crypt() passwords for this specific
account, as it's not necessary.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/bug-14621 [deleted file]
source4/dsdb/samdb/ldb_modules/password_hash.c

diff --git a/selftest/knownfail.d/bug-14621 b/selftest/knownfail.d/bug-14621
deleted file mode 100644 (file)
index 65acac7..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.samba_tool.provision_userPassword_crypt
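Review bot: dropping the knownfail entry `^samba.tests.samba_tool.provision_userPassword_crypt` is the only test change in this patch, so nothing here asserts the new behaviour directly. A test that checks the krbtgt account ends up without a 'Primary:userPassword' element when userPassword schemes are configured would pin the intent and catch a later regression of the `is_krbtgt` guard.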
index 5bdd23c13e9e65585568a9f49c27091c603c1fbf..e173875f8d9167e233f19c34c26aa7c5a8bbffdf 100644 (file)
@@ -2031,7 +2031,12 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
                num_packages++;
        }
 
-       if (io->ac->userPassword_schemes) {
+       /*
+        * Don't generate crypt() or similar password for the krbtgt account.
+        * It's unnecessary, and the length of the cleartext in UTF-8 form
+        * exceeds the maximum (CRYPT_MAX_PASSPHRASE_SIZE) allowed by crypt().
+        */
+       if (io->ac->userPassword_schemes && !io->u.is_krbtgt) {
                /*
                 * setup 'Primary:userPassword' element
                 */
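Review bot: the new condition `if (io->ac->userPassword_schemes && !io->u.is_krbtgt)` exempts only the krbtgt account, so any other account whose cleartext in UTF-8 form is longer than CRYPT_MAX_PASSPHRASE_SIZE is not covered by this guard. Consider a length check at the point where the crypt() hash is generated, or say in the comment why only krbtgt is expected to hit the limit. The added comment also states that the length "exceeds the maximum", while the commit message says it is "typically greater" and that the call "usually fails"; wording it as "typically exceeds" would keep the comment from reading as an invariant.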