I renamed my user, and apparently the default salt string includes the realm and principal name.
The end effect was that, at a later date, I could no longer kinit (but things using freeipa as an LDAP server could still retrieve information about me to authenticate).
There should be a warning if Kerberos keys are in place for a renamed user that the password should be changed.
The `--rename` operation with Kerberos principals is tough: not only are the Kerberos keys wrong, the principal also remains the same:

```
# echo a | ipa user-add --first=Foo --last=Bar fbar --password
# ipa user-mod fbar --rename barbar
# ipa user-show barbar --all --raw
  dn: uid=barbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: barbar
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  initials: FB
  homedirectory: /home/fbar
  gecos: Foo Bar
  loginshell: /bin/sh
  mail: fbar@idm.lab.bos.redhat.com
  uidnumber: 782000001
  gidnumber: 782000001
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: TRUE
  displayName: Foo Bar
  ipaUniqueID: d00f7126-73d4-11e4-8a5d-001a4a104ec6
  krbExtraData: AAJxI3NUcm9vdC9hZG1pbkBJRE0uTEFCLkJPUy5SRURIQVQuQ09NAA==
  krbLastPwdChange: 20141124122417Z
  krbPasswordExpiration: 20141124122417Z
  krbPrincipalName: barbar@IDM.LAB.BOS.REDHAT.COM
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  mepManagedEntry: cn=barbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
```
`krbPrincipalName` would also need to be updated. The question is whether `user-mod` should even be that smart about renaming; maybe it should only issue the warning as proposed.
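The following is an added example, not FreeIPA's own code, to show why a rename breaks kinit when the key salt is derived from the principal name. RFC 4120 defines the default salt as the realm followed by the principal name components with no separator, and RFC 3962 feeds that salt into PBKDF2-HMAC-SHA1 (4096 iterations by default) to derive an AES key from the password. Only that PBKDF2 stage is reproduced here; the final DK(tkey, "kerberos") step of RFC 3962 is omitted since it does not depend on the salt. The `ToyKdcEntry` class, the function names and the "salt recomputed from the current principal name" storage model are this example's own simplifications of a KDC entry whose key was stored with the normal salt type; they are not a description of FreeIPA's actual KDB layout.

```python
"""Model of the salt dependency behind the kinit failure after a rename.

Added example, not FreeIPA code. Reproduces the RFC 4120 default salt and
the RFC 3962 PBKDF2 stage of aes256-cts-hmac-sha1-96 string-to-key, then
walks through create -> rename -> reset with the realm from the ticket.
"""
import hashlib
import hmac

AES256_KEY_BYTES = 32
DEFAULT_ITERATIONS = 4096  # RFC 3962 default iteration count


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: REALM + name components, no separators.

    'barbar@IDM.LAB.BOS.REDHAT.COM'   -> b'IDM.LAB.BOS.REDHAT.COMbarbar'
    'host/kdc.example.com@EXAMPLE.COM' -> b'EXAMPLE.COMhostkdc.example.com'
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal must include a realm")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def string_to_tkey(password: str, salt: bytes) -> bytes:
    """RFC 3962 section 4 PBKDF2 stage (tkey) for aes256-cts-hmac-sha1-96."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               DEFAULT_ITERATIONS, AES256_KEY_BYTES)


class ToyKdcEntry:
    """Simplified KDC entry (this example's model, not a real KDB record):
    the key is stored, the salt is not, and the salt is recomputed from the
    principal name in effect at the time of authentication."""

    def __init__(self, principal: str, password: str):
        self.principal = principal
        self.key = string_to_tkey(password, default_salt(principal))

    def rename(self, new_principal: str) -> None:
        # What the ticket describes: the name changes, the stored key does not.
        self.principal = new_principal

    def reset_password(self, password: str) -> None:
        # Re-derives the key under the salt of the *current* name: the fix.
        self.key = string_to_tkey(password, default_salt(self.principal))

    def client_can_authenticate(self, password: str) -> bool:
        """Model of encrypted-timestamp preauth: the KDC advertises the
        default salt for its current principal name, the client derives a
        key from the typed password and that salt, and preauth succeeds only
        if both sides hold the same key."""
        client_key = string_to_tkey(password, default_salt(self.principal))
        return hmac.compare_digest(client_key, self.key)


def rename_scenario(password: str = "a") -> dict:
    """The ticket's sequence: add fbar, rename to barbar, then reset."""
    entry = ToyKdcEntry("fbar@IDM.LAB.BOS.REDHAT.COM", password)
    before = entry.client_can_authenticate(password)
    entry.rename("barbar@IDM.LAB.BOS.REDHAT.COM")
    after_rename = entry.client_can_authenticate(password)  # kinit fails here
    entry.reset_password(password)
    after_reset = entry.client_can_authenticate(password)   # works again
    return {"before": before, "after_rename": after_rename,
            "after_reset": after_reset}


if __name__ == "__main__":
    print(default_salt("fbar@IDM.LAB.BOS.REDHAT.COM"))
    print(default_salt("barbar@IDM.LAB.BOS.REDHAT.COM"))
    print(rename_scenario())
```

The practical check this suggests: after any principal rename, treat the account's existing password-derived keys and keytabs as stale until the password is reset (or the keytab re-issued) under the new name, which is exactly the warning the reporter asks for.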
Metadata Update from @vjanelle:
- Issue assigned to someone
- Issue set to the milestone: Future Releases
The reproducer mkosek added is working for me in master, marking as fixed.
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)