[Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
Nalin Dahyabhai
nalin at redhat.com
Tue Oct 26 00:27:04 UTC 2010

On Mon, Oct 25, 2010 at 06:59:18PM -0400, Simo Sorce wrote:
> I was meaning to ask you if we have any other way around. Is it
> possible to use a random salt instead of the principal name ?
>
> We do enforce pre-authentication by default, so IIRC it should be
> possible, but it doesn't seem to make any difference atm, I guess we
> need to change something in the password plugin ?

If the salt stored in the user's key is marked as "special" instead of
"normal", the KDC should just send the recorded salt to the client.
It looks like encrypt_encode_key() needs to generate and store a random
salt when it sees that salt type in the configuration, and we need to
start configuring IPA to use that.

HTH,
Nalin
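
Added example (not part of the original message, and not FreeIPA or MIT krb5 code): a simplified Python model of why a name-derived ("normal") salt stops matching the stored key after a rename, while a stored random ("special") salt keeps working. It covers only the PBKDF2 stage of the RFC 3962 AES string-to-key; KeyRecord, the realm, the principal names and the password are constructed for illustration.

```python
import hashlib
import secrets

REALM = "EXAMPLE.COM"  # constructed realm, not from the thread


def default_salt(realm, principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode()


def pbkdf2_stage(password, salt, iterations=4096, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (final DK() step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, keylen)


class KeyRecord:
    """Hypothetical stored key entry; salt_type is 'normal' or 'special'."""

    def __init__(self, principal, password, salt_type):
        self.salt_type = salt_type
        # 'special': a random salt is generated once and stored beside the key.
        self.salt = secrets.token_bytes(16) if salt_type == "special" else None
        self.key = pbkdf2_stage(password, self.salt_for(principal))

    def salt_for(self, principal):
        """Salt the KDC tells the client to use during pre-authentication."""
        if self.salt_type == "special":
            return self.salt  # recorded salt, independent of the name
        return default_salt(REALM, principal)  # recomputed from the current name


def client_key_matches(record, principal, password):
    """True if a client using the advertised salt derives the stored key."""
    return pbkdf2_stage(password, record.salt_for(principal)) == record.key


def rename_survives(salt_type):
    """Create 'alice', rename to 'alice2' without rekeying, then try the password."""
    rec = KeyRecord("alice", "s3cret", salt_type)
    assert client_key_matches(rec, "alice", "s3cret")
    return client_key_matches(rec, "alice2", "s3cret")


if __name__ == "__main__":
    for kind in ("normal", "special"):
        print(kind, "salt: password still works after rename ->", rename_survives(kind))
```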