[Freeipa-users] Kerberos problem with account with changed attributes
Rob Crittenden
rcritten at redhat.com
Thu Jun 9 14:59:17 UTC 2011
tomasz.napierala at allegro.pl wrote:
> Hi,
>
> Due to a bug in one of our maintenance scripts, I had to manually change some attributes for one of the users, e.g. uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
>
> (yeah, the last argument is really the user's uid ;)
>
> After that the user cannot use any of the ipa-* scripts; he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization failure:"
>
> I suppose it is a problem with inconsistency between the LDAP and Kerberos databases (probably Kerberos still has the old data).
>
> My question is how to fix that without generating a new user (I really have to avoid that due to the fact that this environment has some compliance restrictions).
>
> Regards,
Hmm, this is strange. It looks like you changed the uid properly.
Let's remove the ipa admin tools from the picture. Can the user try this
using your LDAP search basedn?
ldapsearch -Y GSSAPI -b dc=example,dc=com uid=1221
They may also want to try a kdestroy/kinit if it fails, though I don't
know why the principal wouldn't be accepted.
When binding in LDAP we need to map the Kerberos principal to a user
account. It may be that this mapping is failing. The ldapsearch command
may give us a more specific error message.
rob
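A small diagnostic for the principal-to-account mapping Rob describes, added here as an example and not part of the original thread. It assumes the user entry carries the principal in a krbPrincipalName attribute and compares its local part with the entry's uid; the LDIF below is constructed to stand in for the output of the ldapsearch above (realm EXAMPLE.COM is made up).

```shell
#!/bin/sh
# Constructed LDIF resembling an entry after the uid was renamed from
# "1221" to "username" while the Kerberos principal was left alone.
# (Stand-in for: ldapsearch -Y GSSAPI -b dc=example,dc=com uid=username \
#                  uid uidNumber krbPrincipalName)
STALE_LDIF='dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
uid: username
uidNumber: 1221
krbPrincipalName: 1221@EXAMPLE.COM
'

# Constructed LDIF for the consistent case, where uid and principal agree.
CONSISTENT_LDIF='dn: uid=username,cn=users,cn=accounts,dc=example,dc=com
uid: username
uidNumber: 1221
krbPrincipalName: username@EXAMPLE.COM
'

# Print the first value of attribute $1 from LDIF read on stdin
# (attribute names in LDIF are case-insensitive).
ldif_attr() {
    awk -v attr="$1:" 'tolower($1) == tolower(attr) { print $2; exit }'
}

# Compare the entry's uid with the local part of its krbPrincipalName.
# Returns 0 when they match, 1 on mismatch, 2 when either is missing.
check_principal_mapping() {
    ldif="$1"
    uid=$(printf '%s' "$ldif" | ldif_attr uid)
    princ=$(printf '%s' "$ldif" | ldif_attr krbPrincipalName)
    if [ -z "$uid" ] || [ -z "$princ" ]; then
        echo "entry is missing uid or krbPrincipalName"
        return 2
    fi
    local_part=${princ%%@*}
    if [ "$uid" = "$local_part" ]; then
        echo "ok: uid '$uid' matches principal '$princ'"
        return 0
    fi
    echo "mismatch: uid '$uid' but principal '$princ' (GSSAPI authz will fail)"
    return 1
}

# Demo on the two constructed entries; the 'if' keeps a non-zero status
# from aborting the script when it runs under 'set -e'.
for entry in "$CONSISTENT_LDIF" "$STALE_LDIF"; do
    if check_principal_mapping "$entry"; then :; fi
done
```

With a real server, pipe the output of the ldapsearch command above into check_principal_mapping instead of the constructed LDIF.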