[Freeipa-users] user-mod --rename and password
Simo Sorce
simo at redhat.com
Thu May 7 19:43:45 UTC 2015
On Thu, 2015-05-07 at 17:01 +0300, Alexander Bokovoy wrote:
> On Thu, 07 May 2015, Rob Crittenden wrote:
> >Alexander Bokovoy wrote:
> >> On Thu, 07 May 2015, Jan Pazdziora wrote:
> >>>
> >>> Hello,
> >>>
> >>> I try to test renaming of user objects. I start with user bob and I'm
> >>> able to kinit just fine:
> >>>
> >>> # echo BobPassword123 | kinit bob
> >>> Password for bob at EXAMPLE.TEST:
> >>> #
> >>>
> >>> I then rename the user:
> >>>
> >>> # echo Password123 | kinit admin
> >>> Password for admin at EXAMPLE.TEST:
> >>> # ipa user-mod --rename=bob1 bob
> >>> ------------------------
> >>> Modified user "bob"
> >>> ------------------------
> >>> User login: bob1
> >>> First name: Robert
> >>> Last name: Chase
> >>> Home directory: /home/bob
> >>> Login shell: /bin/sh
> >>> Email address: bob at example.test
> >>> UID: 251800001
> >>> GID: 251800001
> >>> Account disabled: False
> >>> Password: True
> >>> Member of HBAC rule: allow_wikiapp
> >>> Kerberos keys available: True
> >>>
> >>> And I try to kinit with the original password and it fails:
> >>>
> >>> # echo BobPassword123 | kinit bob1
> >>> Password for bob1 at EXAMPLE.TEST:
> >>> kinit: Password incorrect while getting initial credentials
> >>> #
> >>>
> >>> Then I rename the user back and the original password starts to work
> >>> again:
> >>>
> >>> # echo Password123 | kinit admin
> >>> Password for admin at EXAMPLE.TEST:
> >>> # ipa user-mod --rename=bob bob1
> >>> --------------------
> >>> Modified user "bob1"
> >>> --------------------
> >>> User login: bob
> >>> First name: Robert
> >>> Last name: Chase
> >>> Home directory: /home/bob
> >>> Login shell: /bin/sh
> >>> Email address: bob at example.test
> >>> UID: 251800001
> >>> GID: 251800001
> >>> Account disabled: False
> >>> Password: True
> >>> Member of HBAC rule: allow_wikiapp
> >>> Kerberos keys available: True
> >>> # echo BobPassword123 | kinit bob
> >>> Password for bob at EXAMPLE.TEST:
> >>> #
> >>>
> >>> Is this expected? It's with 4.1.0.
> >> Yes, we have a bug for this, actually, a few of them:
> >> https://fedorahosted.org/freeipa/ticket/4757
> >>
> >> The actual issue is due to https://fedorahosted.org/freeipa/ticket/4914
> >>
> >
> >Well, in this case the principal isn't changed at all, it's still
> >bob at EXAMPLE.TEST, which is why the password doesn't work. There probably
> >is no bob1 principal anywhere.
> Yep, and there is a note in the first bug (#4757) about that. I think
> ipa user-mod should be doing that rename for krbPrincipalName too but we
> need to fix password generation via kadmin as well because chances are
> that users changed their passwords via SSSD which leads to kadmin use.
Patch to fix this is sitting in the fedora-devel list for a month or so,
please review and ack it.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
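
The mismatch described in this thread (login renamed to bob1 while krbPrincipalName still names bob) can be audited from an LDIF export of the user entries. This is an added example, not code from the thread or from FreeIPA; the sample LDIF, including the cn=users,cn=accounts container DN, is constructed for illustration.

```python
import base64

# Constructed sample: user entries as an LDIF export might list them.
SAMPLE_LDIF = """\
dn: uid=bob1,cn=users,cn=accounts,dc=example,dc=test
uid: bob1
krbPrincipalName: bob@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def find_mismatches(entries):
    """Return (dn, uid, principal) for entries where no principal matches a uid."""
    out = []
    for e in entries:
        uids, principals = e.get("uid", []), e.get("krbprincipalname", [])
        if not uids or not principals:
            continue                   # no login or no Kerberos principal to compare
        primaries = {p.rsplit("@", 1)[0] for p in principals}
        if not primaries & set(uids):
            out.append((e["dn"][0], uids[0], principals[0]))
    return out

if __name__ == "__main__":
    for dn, uid, princ in find_mismatches(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: login {uid!r} has no matching principal (found {princ!r})")
```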