From: Joseph Sutton Date: Tue, 23 Feb 2021 12:13:41 +0000 (+1300) Subject: s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account X-Git-Tag: tevent-0.11.0~1305 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=88b3d3443b3a581ec301430346b3e9bf05d81b5e;p=thirdparty%2Fsamba.git s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account Since the length of the krbtgt password after conversion to UTF-8 form is typically greater than the maximum accepted by crypt(), the call usually fails. This commit disables generation of crypt() passwords for this specific account, as it's not necessary. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621 Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail.d/bug-14621 b/selftest/knownfail.d/bug-14621 deleted file mode 100644 index 65acac7f07b..00000000000 --- a/selftest/knownfail.d/bug-14621 +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.samba_tool.provision_userPassword_crypt diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 5bdd23c13e9..e173875f8d9 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -2031,7 +2031,12 @@ static int setup_supplemental_field(struct setup_password_fields_io *io) num_packages++; } - if (io->ac->userPassword_schemes) { + /* + * Don't generate crypt() or similar password for the krbtgt account. + * It's unnecessary, and the length of the cleartext in UTF-8 form + * exceeds the maximum (CRYPT_MAX_PASSPHRASE_SIZE) allowed by crypt(). + */ + if (io->ac->userPassword_schemes && !io->u.is_krbtgt) { /* * setup 'Primary:userPassword' element */
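Review bot: In setup_supplemental_field(), the new guard `!io->u.is_krbtgt` keys on the account rather than on the condition the comment itself names (cleartext in UTF-8 form longer than CRYPT_MAX_PASSPHRASE_SIZE), so any other account whose password exceeds that limit while `io->ac->userPassword_schemes` is set still reaches the 'Primary:userPassword' setup and can fail in the same way. Consider also checking the converted cleartext length against CRYPT_MAX_PASSPHRASE_SIZE before that block, or state in the comment that only krbtgt is covered and why other accounts are not expected to hit the limit. The wording "crypt() or similar password" is also loose: the condition skips the entire 'Primary:userPassword' element for krbtgt, so the comment should say that every configured userPassword scheme is skipped for this account.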