[Freeipa-users] user-mod --rename and password

Simo Sorce simo at redhat.com
Thu May 7 19:43:45 UTC 2015


On Thu, 2015-05-07 at 17:01 +0300, Alexander Bokovoy wrote:
> On Thu, 07 May 2015, Rob Crittenden wrote:
> >Alexander Bokovoy wrote:
> >> On Thu, 07 May 2015, Jan Pazdziora wrote:
> >>>
> >>> Hello,
> >>>
> >>> I try to test renaming of user objects. I start with user bob and I'm
> >>> able to kinit just fine:
> >>>
> >>>     # echo BobPassword123 | kinit bob
> >>>     Password for bob@EXAMPLE.TEST:
> >>>     #
> >>>
> >>> I then rename the user:
> >>>
> >>>     # echo Password123 | kinit admin
> >>>     Password for admin@EXAMPLE.TEST:
> >>>     # ipa user-mod --rename=bob1 bob
> >>>     ------------------------
> >>>     Modified user "bob"
> >>>     ------------------------
> >>>       User login: bob1
> >>>       First name: Robert
> >>>       Last name: Chase
> >>>       Home directory: /home/bob
> >>>       Login shell: /bin/sh
> >>>       Email address: bob@example.test
> >>>       UID: 251800001
> >>>       GID: 251800001
> >>>       Account disabled: False
> >>>       Password: True
> >>>       Member of HBAC rule: allow_wikiapp
> >>>       Kerberos keys available: True
> >>>
> >>> And I try to kinit with the original password and it fails:
> >>>
> >>>     # echo BobPassword123 | kinit bob1
> >>>     Password for bob1@EXAMPLE.TEST:
> >>>     kinit: Password incorrect while getting initial credentials
> >>>     #
> >>>
> >>> Then I rename the user back and the original password starts to work
> >>> again:
> >>>
> >>>     # echo Password123 | kinit admin
> >>>     Password for admin@EXAMPLE.TEST:
> >>>     # ipa user-mod --rename=bob bob1
> >>>     --------------------
> >>>     Modified user "bob1"
> >>>     --------------------
> >>>       User login: bob
> >>>       First name: Robert
> >>>       Last name: Chase
> >>>       Home directory: /home/bob
> >>>       Login shell: /bin/sh
> >>>       Email address: bob@example.test
> >>>       UID: 251800001
> >>>       GID: 251800001
> >>>       Account disabled: False
> >>>       Password: True
> >>>       Member of HBAC rule: allow_wikiapp
> >>>       Kerberos keys available: True
> >>>     # echo BobPassword123 | kinit bob
> >>>     Password for bob@EXAMPLE.TEST:
> >>>     #
> >>>
> >>> Is this expected? It's with 4.1.0.
> >> Yes, we have a bug for this, actually, a few of them:
> >> https://fedorahosted.org/freeipa/ticket/4757
> >>
> >> The actual issue is due to https://fedorahosted.org/freeipa/ticket/4914
> >>
> >
> >Well, in this case the principal isn't changed at all, it's still
> >bob@EXAMPLE.TEST, which is why the password doesn't work. There probably
> >is no bob1 principal anywhere.
> Yep, and there is a note in the first bug (#4757) about that. I think
> ipa user-mod should be doing that rename for krbPrincipalName too but we
> need to fix password generation via kadmin as well because chances are
> that users changed their passwords via SSSD which leads to kadmin use.

Patch to fix this is sitting in the fedora-devel list for a month or so,
please review and ack it.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
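
The mismatch discussed in the quoted thread (login renamed to bob1, principal still bob@EXAMPLE.TEST) can be checked for across a directory export. The following is an added example, not part of the original message or of FreeIPA's code; the function names and the sample entries are constructed, and it assumes LDIF-style input carrying the `uid` and `krbPrincipalName` attributes.

```shell
#!/bin/sh
# Added example (not FreeIPA code): list users whose Kerberos principal did
# not follow a login rename. Reads LDIF-style "attr: value" lines on stdin,
# entries separated by blank lines; leading indentation is ignored.
find_stale_principals() {
    awk '
    function flush(   i, p, ok) {
        if (uid != "" && n > 0) {
            ok = 0
            for (i = 1; i <= n; i++) {
                p = princ[i]
                sub(/@.*/, "", p)            # drop the realm
                if (p == uid) ok = 1         # some principal matches the login
            }
            if (!ok) print uid " " princ[1]
        }
        uid = ""; n = 0
    }
    { line = $0; sub(/\r$/, "", line); sub(/^[ \t]+/, "", line) }
    line == "" { flush(); next }
    {
        key = tolower(line); sub(/:.*/, "", key)
        val = line;          sub(/^[^:]*:[ \t]*/, "", val)
        if (key == "uid") uid = val
        else if (key == "krbprincipalname") princ[++n] = val
    }
    END { flush() }
    '
}

# Constructed sample: bob1 is the renamed entry from the thread, still
# carrying the old principal; alice is an invented, consistent entry.
sample_ldif() {
    cat <<'EOF'
dn: uid=bob1,cn=users,cn=accounts,dc=example,dc=test
uid: bob1
krbPrincipalName: bob@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
EOF
}

sample_ldif | find_stale_principals   # prints: bob1 bob@EXAMPLE.TEST
```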



