[Freeipa-users] user-mod --rename and password

Alexander Bokovoy abokovoy at redhat.com
Thu May 7 14:01:33 UTC 2015


On Thu, 07 May 2015, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>> On Thu, 07 May 2015, Jan Pazdziora wrote:
>>>
>>> Hello,
>>>
>>> I try to test renaming of user objects. I start with user bob and I'm
>>> able to kinit just fine:
>>>
>>>     # echo BobPassword123 | kinit bob
>>>     Password for bob@EXAMPLE.TEST:
>>>     #
>>>
>>> I then rename the user:
>>>
>>>     # echo Password123 | kinit admin
>>>     Password for admin@EXAMPLE.TEST:
>>>     # ipa user-mod --rename=bob1 bob
>>>     ------------------------
>>>     Modified user "bob"
>>>     ------------------------
>>>       User login: bob1
>>>       First name: Robert
>>>       Last name: Chase
>>>       Home directory: /home/bob
>>>       Login shell: /bin/sh
>>>       Email address: bob@example.test
>>>       UID: 251800001
>>>       GID: 251800001
>>>       Account disabled: False
>>>       Password: True
>>>       Member of HBAC rule: allow_wikiapp
>>>       Kerberos keys available: True
>>>
>>> And I try to kinit with the original password and it fails:
>>>
>>>     # echo BobPassword123 | kinit bob1
>>>     Password for bob1@EXAMPLE.TEST:
>>>     kinit: Password incorrect while getting initial credentials
>>>     #
>>>
>>> Then I rename the user back and the original password starts to work
>>> again:
>>>
>>>     # echo Password123 | kinit admin
>>>     Password for admin@EXAMPLE.TEST:
>>>     # ipa user-mod --rename=bob bob1
>>>     --------------------
>>>     Modified user "bob1"
>>>     --------------------
>>>       User login: bob
>>>       First name: Robert
>>>       Last name: Chase
>>>       Home directory: /home/bob
>>>       Login shell: /bin/sh
>>>       Email address: bob@example.test
>>>       UID: 251800001
>>>       GID: 251800001
>>>       Account disabled: False
>>>       Password: True
>>>       Member of HBAC rule: allow_wikiapp
>>>       Kerberos keys available: True
>>>     # echo BobPassword123 | kinit bob
>>>     Password for bob@EXAMPLE.TEST:
>>>     #
>>>
>>> Is this expected? It's with 4.1.0.
>> Yes, we have a bug for this, actually, a few of them:
>> https://fedorahosted.org/freeipa/ticket/4757
>>
>> The actual issue is due to https://fedorahosted.org/freeipa/ticket/4914
>>
>
>Well, in this case the principal isn't changed at all, it's still
>bob@EXAMPLE.TEST, which is why the password doesn't work. There probably
>is no bob1 principal anywhere.
Yep, and there is a note in the first bug (#4757) about that. I think
ipa user-mod should be doing that rename for krbPrincipalName too but we
need to fix password generation via kadmin as well because chances are
that users changed their passwords via SSSD which leads to kadmin use.
-- 
/ Alexander Bokovoy
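
The mismatch described in this thread (login renamed to bob1 while the principal stays bob@EXAMPLE.TEST) can be checked for across many accounts. The following is an added example, not code from this thread or from FreeIPA: it parses LDIF from a directory search and reports entries whose `uid` matches none of their `krbPrincipalName` values. The sample entries and DN layout are constructed, and it assumes the search returned both attributes.

```python
import base64

# Constructed sample: LDIF as a search for uid and krbPrincipalName might return it
# after the rename in the thread (bob -> bob1), plus one unaffected user.
SAMPLE_LDIF = """\
dn: uid=bob1,cn=users,cn=accounts,dc=example,dc=test
uid: bob1
krbPrincipalName: bob@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folded and base64 lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())

def find_stale_principals(text):
    """Return (uid, principal) pairs where no principal's primary part equals the uid."""
    stale = []
    for entry in parse_ldif(text):
        uids = entry.get("uid", [])
        principals = entry.get("krbprincipalname", [])
        if not uids or not principals:
            continue                          # not a Kerberos-enabled user entry
        primaries = {p.rsplit("@", 1)[0] for p in principals}
        if not primaries & set(uids):
            stale.append((uids[0], principals[0]))
    return stale

if __name__ == "__main__":
    print(find_stale_principals(SAMPLE_LDIF))
```

Entries it reports are the ones where `kinit` with the new login would fail as shown above, because the KDC still knows the account only under the old principal.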