#4757 Warning that if kerberos keys are in place for renamed users
Closed: fixed 5 years ago Opened 9 years ago by vjanelle.

I renamed my user, and apparently the default salt string includes the realm and principal name.

The end effect was that, at a later date, I could no longer kinit (but things using FreeIPA as an LDAP server could still retrieve information about me to authenticate).

There should be a warning if kerberos keys are in place for a renamed user, that the passwords should be changed.


The --rename operation with Kerberos principals is tough: not only are the Kerberos keys wrong, the principal also remains the same:

# echo a | ipa user-add --first=Foo --last=Bar fbar --password
# ipa user-mod fbar --rename barbar

# ipa user-show barbar --all --raw
  dn: uid=barbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: barbar
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  initials: FB
  homedirectory: /home/fbar
  gecos: Foo Bar
  loginshell: /bin/sh
  mail: fbar@idm.lab.bos.redhat.com
  uidnumber: 782000001
  gidnumber: 782000001
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: TRUE
  displayName: Foo Bar
  ipaUniqueID: d00f7126-73d4-11e4-8a5d-001a4a104ec6
  krbExtraData: AAJxI3NUcm9vdC9hZG1pbkBJRE0uTEFCLkJPUy5SRURIQVQuQ09NAA==
  krbLastPwdChange: 20141124122417Z
  krbPasswordExpiration: 20141124122417Z
  krbPrincipalName: barbar@IDM.LAB.BOS.REDHAT.COM
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  mepManagedEntry: cn=barbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry

krbPrincipalName would also need to be updated. The question is whether user-mod should even be that smart about renaming; maybe it should only issue the warning as proposed.
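An added illustration of the salt behaviour behind the original report and the reproducer above (this is example code written for this page, not FreeIPA or MIT krb5 code). It models only the salt-dependent PBKDF2 stage of RFC 3962 string2key (the AES-based DK step that follows depends on nothing but that stage's output, so it is omitted), assumes the default "normal" salt type where the stored key carries no explicit salt string and both KDC and client recompute the salt from the current principal name, and uses the realm from the reproducer with the password "a". The sha256 userPassword hash is a stand-in for whatever the directory actually stores; the class and function names are mine.

```python
"""Toy model of `ipa user-mod --rename` versus Kerberos default salts.

RFC 3962 string2key for the AES enctypes is
    tkey = random-to-key(PBKDF2-HMAC-SHA1(passphrase, salt, iterations, keylen))
    key  = DK(tkey, "kerberos")
DK depends only on tkey, so the PBKDF2 stage is enough to show the effect.
The default salt is the realm followed by the principal's name components
with the separators removed, so it changes whenever the principal is renamed.
"""
import hashlib
import hmac
import os

REALM = "IDM.LAB.BOS.REDHAT.COM"   # realm from the reproducer above
ITERATIONS = 4096                  # RFC 3962 default iteration count
KEYLEN = 32                        # aes256-cts-hmac-sha1-96 key length


def default_salt(principal: str) -> str:
    """Default ("normal") salt: REALM + name components, no separators."""
    name, _, realm = principal.partition("@")
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password: str, salt: str) -> bytes:
    """Salt-dependent stage of RFC 3962 string2key (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS, KEYLEN)


def _pw_hash(password: str, pw_salt: bytes) -> bytes:
    """Stand-in for the directory's userPassword hash (constructed, not 389-ds's)."""
    return hashlib.sha256(pw_salt + password.encode("utf-8")).digest()


class ToyDirectory:
    """One entry per user: a Kerberos key stored without an explicit salt
    string (salt type "normal") and a salted password hash for LDAP bind."""

    def __init__(self) -> None:
        self.entries = {}

    def user_add(self, uid: str, password: str) -> None:
        principal = f"{uid}@{REALM}"
        pw_salt = os.urandom(16)
        self.entries[uid] = {
            "krbPrincipalName": principal,
            "krbKey": pbkdf2_stage(password, default_salt(principal)),
            "userPassword": (pw_salt, _pw_hash(password, pw_salt)),
        }

    def user_mod_rename(self, old_uid: str, new_uid: str) -> None:
        """The ticket's scenario: uid and principal change, key bytes do not."""
        entry = self.entries.pop(old_uid)
        entry["krbPrincipalName"] = f"{new_uid}@{REALM}"
        self.entries[new_uid] = entry

    def passwd(self, uid: str, password: str) -> None:
        """Password change after the rename re-derives the key with the new salt."""
        entry = self.entries[uid]
        entry["krbKey"] = pbkdf2_stage(password, default_salt(entry["krbPrincipalName"]))
        pw_salt = os.urandom(16)
        entry["userPassword"] = (pw_salt, _pw_hash(password, pw_salt))

    def kinit(self, uid: str, password: str) -> bool:
        """Client derives its key from the *current* principal name; the KDC's
        encrypted-timestamp preauth only succeeds if it matches the stored key."""
        entry = self.entries[uid]
        client_key = pbkdf2_stage(password, default_salt(entry["krbPrincipalName"]))
        return hmac.compare_digest(client_key, entry["krbKey"])

    def ldap_simple_bind(self, uid: str, password: str) -> bool:
        """Password check that never looks at the principal name."""
        pw_salt, stored = self.entries[uid]["userPassword"]
        return hmac.compare_digest(_pw_hash(password, pw_salt), stored)


def demo(password: str = "a") -> dict:
    """Replays the reproducer: add fbar, rename to barbar, try kinit and LDAP
    bind, then change the password and try kinit again."""
    d = ToyDirectory()
    d.user_add("fbar", password)
    result = {"kinit_before_rename": d.kinit("fbar", password)}
    d.user_mod_rename("fbar", "barbar")
    result["kinit_after_rename"] = d.kinit("barbar", password)
    result["ldap_bind_after_rename"] = d.ldap_simple_bind("barbar", password)
    d.passwd("barbar", password)
    result["kinit_after_passwd"] = d.kinit("barbar", password)
    return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The model shows the warning proposed in the ticket is the right minimum: after the rename, `kinit_after_rename` is false while `ldap_bind_after_rename` is true, exactly the split in the original report, and a password change (`kinit_after_passwd`) repairs it because the key is re-derived with the salt of the new name. A keytab issued before the rename would fail the same way, since its keys were also derived with the old salt.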

Metadata Update from @vjanelle:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

The reproducer mkosek added is working for me in master, marking as fixed.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
