[Freeipa-users] user-mod --rename and password

Rob Crittenden rcritten at redhat.com
Thu May 7 13:48:01 UTC 2015


Alexander Bokovoy wrote:
> On Thu, 07 May 2015, Jan Pazdziora wrote:
>>
>> Hello,
>>
>> I try to test renaming of user objects. I start with user bob and I'm
>> able to kinit just fine:
>>
>>     # echo BobPassword123 | kinit bob
>>     Password for bob@EXAMPLE.TEST:
>>     #
>>
>> I then rename the user:
>>
>>     # echo Password123 | kinit admin
>>     Password for admin@EXAMPLE.TEST:
>>     # ipa user-mod --rename=bob1 bob
>>     ------------------------
>>     Modified user "bob"
>>     ------------------------
>>       User login: bob1
>>       First name: Robert
>>       Last name: Chase
>>       Home directory: /home/bob
>>       Login shell: /bin/sh
>>       Email address: bob@example.test
>>       UID: 251800001
>>       GID: 251800001
>>       Account disabled: False
>>       Password: True
>>       Member of HBAC rule: allow_wikiapp
>>       Kerberos keys available: True
>>
>> And I try to kinit with the original password and it fails:
>>
>>     # echo BobPassword123 | kinit bob1
>>     Password for bob1@EXAMPLE.TEST:
>>     kinit: Password incorrect while getting initial credentials
>>     #
>>
>> Then I rename the user back and the original password starts to work
>> again:
>>
>>     # echo Password123 | kinit admin
>>     Password for admin@EXAMPLE.TEST:
>>     # ipa user-mod --rename=bob bob1
>>     --------------------
>>     Modified user "bob1"
>>     --------------------
>>       User login: bob
>>       First name: Robert
>>       Last name: Chase
>>       Home directory: /home/bob
>>       Login shell: /bin/sh
>>       Email address: bob@example.test
>>       UID: 251800001
>>       GID: 251800001
>>       Account disabled: False
>>       Password: True
>>       Member of HBAC rule: allow_wikiapp
>>       Kerberos keys available: True
>>     # echo BobPassword123 | kinit bob
>>     Password for bob@EXAMPLE.TEST:
>>     #
>>
>> Is this expected? It's with 4.1.0.
> Yes, we have a bug for this, actually, a few of them:
> https://fedorahosted.org/freeipa/ticket/4757
> 
> The actual issue is due to https://fedorahosted.org/freeipa/ticket/4914
> 

Well, in this case the principal isn't changed at all, it's still
bob@EXAMPLE.TEST, which is why the password doesn't work. There probably
is no bob1 principal anywhere.

rob
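
The state described in this message (login renamed, Kerberos principal left at the old name) can be found by comparing each user's uid with its krbPrincipalName. The following is an added example, not code from the thread or from FreeIPA; it assumes LDIF output of the user entries, and the sample entries are constructed.

```python
import base64

# Constructed sample LDIF: bob1 was renamed but keeps the old principal,
# alice's principal is base64-encoded, svc has no principal at all.
SAMPLE_LDIF = """\
dn: uid=bob1,cn=users,cn=accounts,dc=example,dc=test
uid: bob1
krbPrincipalName: bob@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName:: YWxpY2VARVhBTVBMRS5URVNU

dn: uid=svc,cn=users,cn=accounts,dc=example,dc=test
uid: svc
"""


def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines with "\n "
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry


def stale_principals(text):
    """Return (uid, principals) for users with no principal matching uid."""
    findings = []
    for entry in parse_ldif(text):
        uids = entry.get("uid", [])
        principals = entry.get("krbprincipalname", [])
        if not uids or not principals:
            continue  # no Kerberos principal on the entry, nothing to compare
        primaries = {p.rsplit("@", 1)[0] for p in principals}  # strip realm
        if not primaries & set(uids):
            findings.append((uids[0], principals))
    return findings
```

An account flagged here is one where kinit with the new login would fail as in the quoted session, while the old principal name still accepts the password.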
