On Thu, 2011-06-09 at 13:04 +0200, tomasz.napier...@allegro.pl wrote:
> Hi,
> Due to a bug in one of our maintenance scripts, I had to manually change some 
> attributes for one of the users, e.g.: uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
> (yeah, last argument is really user's uid ;)
> After that the user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization 
> failure:"
> I suppose it is a problem with inconsistency in the LDAP and Kerberos databases 
> (probably Kerberos still has old data)
> My question is how to fix that without generating a new user (I really have to 
> avoid that due to the fact that this environment has some compliance restrictions)

Use ldapsearch to check what is the DN, it is probably still something
like: cn=1211,cn=users,cn=accounts, ...

then use ldapmodrdn -r cn=1211,cn=users,cn=acc..... cn=username

This will rename the user properly and a plugin will take care of
renaming also the Kerberos principal.

Local client caches may need some purging to properly pick up the new


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list