Need to always allow password for krbtgt #11

Closed
allquixotic opened this issue Jan 15, 2019 · 4 comments
Comments

@allquixotic
Contributor

Per https://support.microsoft.com/en-us/help/2549833/changing-the-krbtgt-password-may-fail-when-a-custom-password-filter-is it is critical that the krbtgt user account never have a password change attempt denied. We'll have to use a string comparison function in PasswordFilter() and if the input account name is krbtgt, just return TRUE.

I'm cooking up a patch now.
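As an added illustration of the exemption proposed above (not code from this repository), here is the comparison written against a portable stand-in for the Windows UNICODE_STRING that PasswordFilter() receives; the stand-in type, `is_krbtgt_account`, `PasswordFilterLike` and `ustr_from_ascii` are my own names, and the length rule in the wrapper is a placeholder for the filter's real policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Portable stand-in for the Windows UNICODE_STRING that PasswordFilter()
 * receives (assumption: mirrors its layout). Length is in BYTES, not
 * characters, and Buffer is NOT NUL-terminated. */
typedef struct {
    uint16_t Length;         /* bytes in use */
    uint16_t MaximumLength;  /* bytes allocated */
    uint16_t *Buffer;        /* UTF-16 code units, no terminator */
} UNICODE_STRING_LIKE;

/* ASCII-only case fold, enough for the literal name "krbtgt". */
static uint16_t fold_ascii(uint16_t c) {
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + ('a' - 'A')) : c;
}

/* True only when the account name is exactly "krbtgt", ignoring case.
 * Walks Length/2 code units instead of searching for a NUL, so a name such
 * as "krbtgt2" does not match and bytes past the logical end are ignored. */
bool is_krbtgt_account(const UNICODE_STRING_LIKE *name) {
    static const char target[] = "krbtgt";
    size_t chars = name->Length / sizeof(uint16_t);
    if (chars != sizeof(target) - 1) return false;
    for (size_t i = 0; i < chars; i++)
        if (fold_ascii(name->Buffer[i]) != (uint16_t)target[i]) return false;
    return true;
}

/* Shape of the filter entry point (hypothetical name): the krbtgt exemption
 * runs before any other check so a reset of that account is never denied.
 * The length rule below stands in for the filter's real policy. */
bool PasswordFilterLike(const UNICODE_STRING_LIKE *account,
                        const UNICODE_STRING_LIKE *password) {
    if (is_krbtgt_account(account)) return true;
    return password->Length >= 12 * sizeof(uint16_t);
}

/* Builds a counted UTF-16 string from ASCII text (constructed test input). */
UNICODE_STRING_LIKE ustr_from_ascii(uint16_t *buf, size_t cap, const char *s) {
    size_t n = strlen(s);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)s[i];
    UNICODE_STRING_LIKE u = { (uint16_t)(n * 2), (uint16_t)(cap * 2), buf };
    return u;
}
```

Because the check is driven by Length rather than a terminator, it also behaves correctly if the buffer handed to the filter contains embedded NULs or trailing allocation slack.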

@ryanries
Owner

ryanries commented Feb 3, 2019

I got it.

@solardiz

Did one of you happen to capture what kind of passwords are actually passed into the filter for the krbtgt account? What length, character set? Do they literally mean "random bits", so including non-printable characters and maybe even NULs? I wasn't able to find reliable info on this yet.

It might be possible and preferable to address the issue by allowing any sufficiently random-looking strings rather than allowing any password for krbtgt.

CC: @rgarrigues from #18

@ryanries
Owner

@solardiz I don't recall off the top of my head without looking it up, exactly how the krbtgt password is comprised, but the two reasons why we should never interfere with the krbtgt password reset process are 1) the krbtgt password is sufficiently long and complex (probably around 120 random characters) to be reasonably strong for any of us, and 2) there are other internal processes within Active Directory that assume the krbtgt password change will never fail, so failing a krbtgt password is not a good idea and could lead to unforeseen consequences.

@solardiz

@ryanries Thanks. FWIW, a comment here also says 120: https://www.reddit.com/r/sysadmin/comments/ubt8m7/krbtgt_password_reset_question/
"As soon as you set the password the KRBTGT account will generate its own 120 character unique password."
