[Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

Simo Sorce ssorce at redhat.com
Tue Oct 26 12:13:53 UTC 2010


On Mon, 25 Oct 2010 20:27:04 -0400
Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Mon, Oct 25, 2010 at 06:59:18PM -0400, Simo Sorce wrote:
> > I was meaning to ask you if we have any other way around. Is it
> > possible to use a random salt instead of the principal name ?
> > 
> > We do enforce pre-authentication by default, so IIRC it should be
> > possible, but it doesn't seem to make any difference atm, I guess we
> > need to change something in the password plugin ?
> 
> If the salt stored in the user's key is marked as "special" instead of
> "normal", the KDC should just send the recorded salt to the client.
> 
> It looks like encrypt_encode_key() needs to generate and store a
> random salt when it sees that salt type in the configuration, and we
> need to start configuring IPA to use that.

I'll open a bug with this comment in it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
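
The salt problem discussed in this thread, as an added example that is not part of the original message and not FreeIPA or MIT Kerberos code: a key derived with the default ("normal") salt stops matching after a rename, while a stored random ("special") salt keeps it valid. `KeyRecord`, `client_key_after_rename` and all sample names are hypothetical, and only the PBKDF2 stage of the RFC 3962 AES string-to-key is computed (the final DK step does not involve the salt).

```python
import hashlib
import os

ITERATIONS = 4096  # default iteration count from RFC 3962


def default_salt(realm, principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def pbkdf2_stage(password, salt, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, keylen)


class KeyRecord:
    """Hypothetical stand-in for a stored key: key bytes, salt type, salt."""

    def __init__(self, realm, principal, password, special=False):
        self.special = special
        # "special": generate a random salt and record it next to the key.
        # "normal": the salt is implied by the principal name at creation time.
        self.salt = os.urandom(16) if special else default_salt(realm, principal)
        self.key = pbkdf2_stage(password, self.salt)


def client_key_after_rename(record, realm, new_principal, password):
    """Key a client derives once the entry carries new_principal.

    Simplified model: a special salt is sent back as recorded; a normal
    salt is recomputed from the (now changed) principal name.
    """
    salt = record.salt if record.special else default_salt(realm, new_principal)
    return pbkdf2_stage(password, salt)


if __name__ == "__main__":
    realm, pw = "EXAMPLE.TEST", "constructed-password"  # constructed sample values
    for special in (False, True):
        rec = KeyRecord(realm, "jsmith", pw, special=special)
        ok = client_key_after_rename(rec, realm, "jsmith2", pw) == rec.key
        kind = "special" if special else "normal"
        print(f"{kind:8s} salt: key still valid after rename = {ok}")
```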



