On Thu, 2011-06-09 at 13:04 +0200, [email protected] wrote:
> Hi,
>
> Due to a bug in one of our maintenance scripts, I had to manually change some
> attributes for one of the users, e.g.: uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
>
> (yeah, last argument is really user's uid ;)
>
> After that user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization
> failure:"
>
> I suppose it is a problem with inconsistency in ldap and Kerberos database
> (probably Kerberos still has old data)
>
> My question is how to fix that without generating new user (I really have to
> avoid that due to fact that this environment has some compliance restrictions)

Use ldapsearch to check what is the DN, it is probably still something like:
cn=1211,cn=users,cn=accounts, ...

then use ldapmodrdn -r cn=1211,cn=users,cn=acc..... cn=username

This will rename the user properly and a plugin will take care of renaming also
the Kerberos principal.
Local client caches may need some purging to properly pick up the new value.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
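
Added example, not part of the original thread: a dry-run helper that reads ldapsearch LDIF output, takes the entry's actual DN instead of a guessed one, and prints the ldapmodrdn -r command for review. The function names, the dc=example,dc=com suffix and the sample LDIF are constructed, and keeping the attribute type of the existing RDN is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it real output, for instance:
#   ldapsearch -LLL -b "<base DN>" "(uidNumber=<number>)" dn | rename_cmd username
# Bind/authentication options are omitted, as in the reply above.

# Constructed sample: one entry whose dn: line is folded, as ldapsearch does
# for long lines (a continuation line starts with a single space).
SAMPLE_LDIF='dn: cn=1211,cn=users,cn=accounts,dc=example,
 dc=com
uid: username'

# Print every DN in the LDIF on stdin, after unfolding continuation lines.
# Base64-encoded DNs ("dn:: ...") are deliberately not handled and are skipped.
extract_dns() {
    awk '
        function flush() { if (buf ~ /^dn: /) print substr(buf, 5) }
        /^ / { if (buf != "") buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
    '
}

# New RDN = attribute type of the current first RDN + the new login name.
# Assumes the RDN value contains no escaped comma (true for a numeric value).
new_rdn() {
    rdn=${1%%,*}
    printf '%s=%s\n' "${rdn%%=*}" "$2"
}

# Read LDIF on stdin and print (not run) the rename command for login $1.
# Refuses unless exactly one entry matched, so no wrong entry gets renamed.
rename_cmd() {
    dns=$(extract_dns)
    case $dns in
        '') echo "no dn: line found" >&2; return 1 ;;
        *"
"*)     echo "more than one entry matched, refusing" >&2; return 1 ;;
    esac
    printf 'ldapmodrdn -r "%s" "%s"\n' "$dns" "$(new_rdn "$dns" "$1")"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | rename_cmd username
```

After the rename, rerunning the same ldapsearch should return the new DN.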
