On Thu, 07 May 2015, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Thu, 07 May 2015, Jan Pazdziora wrote:


Hello,

I try to test renaming of user objects. I start with user bob and I'm
able to kinit just fine:

    # echo BobPassword123 | kinit bob
    Password for b...@example.test:
    #

I then rename the user:

    # echo Password123 | kinit admin
    Password for ad...@example.test:
    # ipa user-mod --rename=bob1 bob
    ------------------------
    Modified user "bob"
    ------------------------
      User login: bob1
      First name: Robert
      Last name: Chase
      Home directory: /home/bob
      Login shell: /bin/sh
      Email address: b...@example.test
      UID: 251800001
      GID: 251800001
      Account disabled: False
      Password: True
      Member of HBAC rule: allow_wikiapp
      Kerberos keys available: True

And I try to kinit with the original password and it fails:

    # echo BobPassword123 | kinit bob1
    Password for b...@example.test:
    kinit: Password incorrect while getting initial credentials
    #

Then I rename the user back and the original password starts to work
again:

    # echo Password123 | kinit admin
    Password for ad...@example.test:
    # ipa user-mod --rename=bob bob1
    --------------------
    Modified user "bob1"
    --------------------
      User login: bob
      First name: Robert
      Last name: Chase
      Home directory: /home/bob
      Login shell: /bin/sh
      Email address: b...@example.test
      UID: 251800001
      GID: 251800001
      Account disabled: False
      Password: True
      Member of HBAC rule: allow_wikiapp
      Kerberos keys available: True
    # echo BobPassword123 | kinit bob
    Password for b...@example.test:
    #

Is this expected? It's with 4.1.0.

Yes, we have a bug for this, actually, a few of them:
https://fedorahosted.org/freeipa/ticket/4757

The actual issue is due to https://fedorahosted.org/freeipa/ticket/4914


Well, in this case the principal isn't changed at all, it's still
b...@example.test, which is why the password doesn't work. There probably
is no bob1 principal anywhere.

Yep, and there is a note in the first bug (#4757) about that. I think
ipa user-mod should be doing that rename for krbPrincipalName too but we
need to fix password generation via kadmin as well because chances are
that users changed their passwords via SSSD which leads to kadmin use.
--
/ Alexander Bokovoy
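
The mismatch discussed in this thread (user login renamed while krbPrincipalName keeps the old name) can be checked for across an LDIF export of user entries. The script below is an added example, not part of the original thread and not FreeIPA's own code; the function names are hypothetical, the LDIF sample is constructed, and it assumes one krbPrincipalName per entry with unfolded, non-base64 attribute lines.

```shell
#!/bin/sh
# Added example: report entries whose login (uid) no longer matches the
# primary component of krbPrincipalName, as happens after a rename that
# does not update the principal.

# Constructed sample input, shaped like an LDIF export of two user entries.
sample_ldif() {
    cat <<'EOF'
dn: uid=bob1,cn=users,cn=accounts,dc=example,dc=test
uid: bob1
krbPrincipalName: bob@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
EOF
}

# Reads LDIF on stdin; prints "<uid> <krbPrincipalName>" for each mismatch.
find_principal_drift() {
    awk '
        function report() {
            if (uid != "" && princ != "") {
                primary = princ
                sub(/@.*$/, "", primary)      # strip the realm part
                if (primary != uid) print uid, princ
            }
            uid = ""; princ = ""
        }
        /^$/ { report(); next }               # blank line ends an LDIF entry
        {
            sep = index($0, ": ")
            if (sep == 0) next
            name = tolower(substr($0, 1, sep - 1))   # attribute names are case-insensitive
            value = substr($0, sep + 2)
            if (name == "uid") uid = value
            else if (name == "krbprincipalname") princ = value
        }
        END { report() }                      # last entry may lack a trailing blank line
    '
}

sample_ldif | find_principal_drift
```

On a live server the same function can be fed from a directory search that returns the `uid` and `krbPrincipalName` attributes of the user entries.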
