[Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

Simo Sorce ssorce at redhat.com
Mon Oct 25 22:59:18 UTC 2010


On Mon, 25 Oct 2010 18:14:12 -0400
Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Fri, Oct 22, 2010 at 05:38:35PM -0400, Simo Sorce wrote:
> > This plugin intercepts a modrdn change so that when a user is
> > renamed the krbprincipalname is changed accordingly.
> 
> Changing the user's principal name usually breaks the client's ability
> to get initial creds, as the default salt is derived from the
> principal name.  Assuming we don't want to force an administrative
> password reset, how are we working around that?

At the moment we will have no choice but to reset the credentials.

I was meaning to ask you if we have any other way around. Is it
possible to use a random salt instead of the principal name?

We do enforce pre-authentication by default, so IIRC it should be
possible, but it doesn't seem to make any difference atm, I guess we
need to change something in the password plugin?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
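
The salt dependency discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it models only the PBKDF2 stage of the RFC 3962 AES string-to-key with the RFC 4120 default salt, and compares a rename under a default salt with a rename under a stored random salt. The realm, user names, password, and the `kdc_*`/`client_key` helpers are hypothetical, and the stored salt is assumed to reach the client through pre-authentication data.

```python
import hashlib
import os

ITERATIONS = 4096  # RFC 3962 default iteration count
KEY_LEN = 32       # aes256-cts-hmac-sha1-96 key size in bytes


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of string-to-key (the final DK step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, KEY_LEN)


def kdc_set_password(realm: str, name: str, password: str, random_salt: bool = False) -> dict:
    """Hypothetical KDC record created at the time the password is set."""
    salt = os.urandom(16) if random_salt else default_salt(realm, name)
    return {"name": name, "salt": salt, "explicit": random_salt,
            "key": pbkdf2_stage(password, salt)}


def kdc_rename(entry: dict, new_name: str) -> dict:
    """A rename changes the name only; without the password the key cannot be redone."""
    return {**entry, "name": new_name}


def client_key(realm: str, entry: dict, password: str) -> bytes:
    """Client derives its key from the salt the KDC supplies, else the default salt."""
    if entry["explicit"]:
        salt = entry["salt"]  # assumed to be delivered in pre-authentication data
    else:
        salt = default_salt(realm, entry["name"])
    return pbkdf2_stage(password, salt)


if __name__ == "__main__":
    realm, password = "EXAMPLE.COM", "constructed-sample-password"
    for random_salt in (False, True):
        entry = kdc_rename(kdc_set_password(realm, "alice", password, random_salt),
                           "alicia")
        match = client_key(realm, entry, password) == entry["key"]
        print(f"random_salt={random_salt}: key still matches after rename: {match}")
```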



