Random password problem with FDS

Andrew Bartlett abartlet at samba.org
Tue Mar 9 20:00:48 MST 2010


On Tue, 2010-03-09 at 21:33 -0500, Endi Sukma Dewata wrote:
> Hi Andrew,
> 
> Currently the provisioning tool generates a random password from
> the following list of characters (see generate_random_password()):
> 
> ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
> +_-#.,@$%&!?:;<=>(){}[]~
> 
> Sometimes it generates a password with a "{...}" prefix which
> would be incorrectly interpreted as an encryption scheme by FDS
> tools so the provisioning will fail.
> 
> There are several options:
> 
> 1. Modify generate_random_password() to pick the first character
>    from a list of alphanumeric characters only. For the remainders
>    it could use the current list.
> 
> 2. Modify check_password_quality() to require alphanumeric prefix.
>    If the randomly generated password doesn't meet this requirement
>    it will try to generate a new one.
> 
> 3. Exclude the {} characters from the list.

We have other problems with {} as well.  If we get the sequence ${...}
(yes, I've had that happen), then the provision code thinks that a
variable has not been correctly substituted. 

Therefore, I think that 3 is the best option. 

Do note however that Windows clients like sending very random password
choices, and while I'm guessing your current problems come from LDAP
passwords we currently set into userPassword for the cn=samba user, if
in the future you wish to also tunnel passwords for machine accounts
down into userPassword, this will come up again. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
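
Added example, not part of the original message and not Samba's own code: a sketch of option 3 (the quoted character list with the braces removed) together with a checker for the two misreadings described in the thread. The function names, the regular expressions and the sample strings are assumptions made for illustration; the exact rule FDS uses to recognise a scheme prefix is not given in the thread.

```python
import re
import secrets
import string

# Character list quoted in the thread (current behaviour).
ORIGINAL_CHARS = (string.ascii_uppercase + string.ascii_lowercase +
                  string.digits + "+_-#.,@$%&!?:;<=>(){}[]~")
# Option 3: the same list with the braces removed.
SAFE_CHARS = ORIGINAL_CHARS.replace("{", "").replace("}", "")

# Assumed patterns: a leading "{...}" is read as an encryption scheme,
# and "${...}" anywhere looks like an unsubstituted provision variable.
SCHEME_PREFIX = re.compile(r"^\{[^}]*\}")
TEMPLATE_VAR = re.compile(r"\$\{[^}]*\}")


def ambiguity(password):
    """Return the reasons a password would be misread (empty list if none)."""
    reasons = []
    if SCHEME_PREFIX.match(password):
        reasons.append("scheme-prefix")
    if TEMPLATE_VAR.search(password):
        reasons.append("template-variable")
    return reasons


def random_password(length, chars=SAFE_CHARS):
    """Draw each character independently from `chars` using the OS CSPRNG."""
    return "".join(secrets.choice(chars) for _ in range(length))


def count_ambiguous(chars, length=8, trials=200000):
    """Count how many of `trials` generated passwords would be misread."""
    return sum(1 for _ in range(trials)
               if ambiguity(random_password(length, chars)))


if __name__ == "__main__":
    # Constructed sample strings, not real passwords.
    for sample in ("{SSHA}x9Qf", "ab${VAR}cd", "a{b}c", "Zk3+_-#"):
        print(repr(sample), ambiguity(sample))
    # The original list occasionally produces a misread password;
    # the brace-free list cannot.
    print("original list:", count_ambiguous(ORIGINAL_CHARS))
    print("brace-free list:", count_ambiguous(SAFE_CHARS))
```

Dropping two of the 86 characters costs well under 0.1 bit of entropy per character, so the password length does not need to change to compensate.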
