Need to always allow password for krbtgt #11
Comments
I got it.
Did one of you happen to capture what kind of passwords are actually passed into the filter for the It might be possible and preferable to address the issue by allowing any sufficiently random-looking strings rather than allowing any password for CC: @rgarrigues from #18
@solardiz I don't recall off the top of my head without looking it up, exactly how the krbtgt password is comprised, but the two reasons why we should never interfere with the krbtgt password reset process are 1) the krbtgt password is sufficiently long and complex (probably around 120 random characters) to be reasonably strong for any of us, and 2) there are other internal processes within Active Directory that assume the krbtgt password change will never fail, so failing a krbtgt password is not a good idea and could lead to unforeseen consequences.
@ryanries Thanks. FWIW, a comment here also says 120: https://www.reddit.com/r/sysadmin/comments/ubt8m7/krbtgt_password_reset_question/
Per https://support.microsoft.com/en-us/help/2549833/changing-the-krbtgt-password-may-fail-when-a-custom-password-filter-is it is critical that the `krbtgt` user account never have a password change attempt denied. We'll have to use a string comparison function in `PasswordFilter()` and if the input account name is `krbtgt`, just return TRUE. I'm cooking up a patch now.
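The account-name check proposed in the issue, sketched as an added example (not the project's patch or code): the filter receives the account name as a counted UTF-16 string that need not be NUL-terminated, so the comparison is bounded by the length field and must match the whole name. `ustr_t`, `is_krbtgt_account` and `filter_decision` are hypothetical names; `ustr_t` stands in for `UNICODE_STRING` so the code builds outside Windows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Windows' UNICODE_STRING so this builds anywhere (assumption):
   Length counts BYTES, Buffer is UTF-16 and need not be NUL-terminated. */
typedef struct {
    uint16_t Length;          /* bytes in use */
    uint16_t MaximumLength;   /* bytes allocated */
    const uint16_t *Buffer;   /* UTF-16 code units */
} ustr_t;

/* Hypothetical helper: true only if the whole name is "krbtgt", compared
   case-insensitively and bounded by Length rather than by a terminator. */
bool is_krbtgt_account(const ustr_t *name)
{
    static const char target[] = "krbtgt";
    const size_t n = sizeof(target) - 1;
    if (name == NULL || name->Buffer == NULL)
        return false;
    if (name->Length != n * sizeof(uint16_t))
        return false;                       /* rejects "krbtgt2", "krbtg", "" */
    for (size_t i = 0; i < n; i++) {
        uint16_t c = name->Buffer[i];
        if (c >= 'A' && c <= 'Z')
            c = (uint16_t)(c + ('a' - 'A')); /* ASCII fold is enough here */
        if (c != (uint16_t)target[i])
            return false;
    }
    return true;
}

/* Hypothetical filter decision: policy_ok is what the normal checks returned. */
bool filter_decision(const ustr_t *account, bool policy_ok)
{
    return is_krbtgt_account(account) ? true : policy_ok;
}
/* Constructed sample names; the first has a stray unit past Length, no NUL. */
static const uint16_t buf_krbtgt[] = {'K','r','b','T','G','T','!'};
static const uint16_t buf_longer[] = {'k','r','b','t','g','t','2'};
const ustr_t name_krbtgt = {12, 14, buf_krbtgt};
const ustr_t name_longer = {14, 14, buf_longer};
int main(void)
{
    printf("krbtgt, weak password: %d\n", filter_decision(&name_krbtgt, false));
    printf("krbtgt2, weak password: %d\n", filter_decision(&name_longer, false));
    return 0;
}
```

An exact-length match keeps the bypass from widening to other accounts whose names merely begin with `krbtgt`.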