
KB-1650: Why does adjoin truncate Pre-win2k / samAccountName to 15 characters?

Authentication Service, Mac & PC Management Service

12 April,16 at 11:02 AM

Applies to: Centrify DirectControl 4.3.x and above on all platforms
The UNIX server hostname is longer than 15 characters.
After joining the machine to the domain, the samAccountName / pre-Win2k name is truncated to 15 characters:
[root@RedHat01234567890 ~]# adinfo
Local host name:   redhat01234567890
Joined to domain:  testdomain
Joined as:         redhat01234567890.testdomain
Pre-win2K name:    redhat012345678
The pre-Win2k name / samAccountName defaults to 15 characters because that is the maximum hostname length accepted by the NetLogon service, which adclient prefers to use for NTLM pass-through authentication. NetLogon is fast and automatically returns a user's group membership.
This value can be raised to at most 19 characters, but adclient will then fall back to the slower NTLM authentication methods and issue additional LDAP searches to fetch the user's group membership.
There are two ways to raise the limit to 19 characters (the maximum allowed):
Option 1) Run adjoin with the -N option to specify the pre-Win2k name explicitly: adjoin -N <pre-Win2kname> <domain>
adjoin -N redhat01234567890 testdomain
[root@RedHat01234567890 ~]# adinfo
Local host name:   redhat01234567890
Joined to domain:  testdomain
Joined as:         redhat01234567890.testdomain
Pre-win2K name:    redhat01234567890
Option 2) Open /etc/centrifydc/centrifydc.conf and configure the following parameter:
  adjoin.samaccountname.length: 19
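As an added check (example code, not Centrify's), the script below predicts the pre-Win2k name a host will receive under a given adjoin.samaccountname.length and flags hostnames that will be truncated. The sample configuration file and hostnames are constructed, and the lowercasing and the default of 15 are assumptions drawn from the adinfo output above.

```shell
#!/bin/sh
# Added example, not Centrify's code: predict the pre-Win2k name adclient will
# register for a host under a given adjoin.samaccountname.length and flag
# hostnames that will be truncated. Assumptions (not stated by the article):
# the name is the short hostname, lowercased as in the adinfo output above,
# and a missing or malformed parameter means the default of 15.

# Read adjoin.samaccountname.length from a centrifydc.conf file.
samaccountname_length() {
    len=$(sed -n 's/^[[:space:]]*adjoin\.samaccountname\.length:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    case "$len" in
        ''|*[!0-9]*) len=15 ;;   # absent or not a number: default of 15
    esac
    echo "$len"
}

# Pre-Win2k / samAccountName that will result: short hostname cut to the limit.
prewin2k_name() {
    short=${1%%.*}
    printf '%s\n' "$short" | tr 'A-Z' 'a-z' | cut -c1-"$2"
}

# Status 0 when the short hostname fits within the limit, 1 when it will be cut.
fits_limit() {
    short=${1%%.*}
    [ "${#short}" -le "$2" ]
}

# Constructed sample configuration (the article's value of 19) and hostnames.
conf=$(mktemp)
printf 'adjoin.samaccountname.length: 19\n' > "$conf"
limit=$(samaccountname_length "$conf")
[ "$limit" -le 19 ] || echo "warning: $limit exceeds the maximum of 19 stated in the KB"
for host in RedHat01234567890 web01.testdomain RedHat012345678901234; do
    name=$(prewin2k_name "$host" "$limit")
    if fits_limit "$host" "$limit"; then
        echo "$host -> $name (fits within $limit characters)"
    else
        echo "$host -> $name (TRUNCATED; use adjoin -N or raise adjoin.samaccountname.length)"
    fi
done
rm -f "$conf"
```

Run it on the real /etc/centrifydc/centrifydc.conf and hostname before joining to see whether the 15-character default will bite.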
Additional notes:
The NTLM secure channel will not work, which means that if adclient is told to use NTLM authentication for whatever reason, it has to fall back to NTLM pass-through mode, which is much slower. There is no real security exposure, though, as the NTLMv2 challenge/response is still performed normally, with adclient acting as the pass-through.
The impact is not severe because adclient normally uses Kerberos for user authentication, which is not affected by this restriction.
Along the same lines, Samba will not be able to do NTLM authentication (it requires the NTLM secure channel). This means that if there is a Samba server on the machine, accessing its shares via IP address will not work; they must be accessed by hostname with Kerberos credentials.