Renaming principals causes them to disappear

Rasmus Borup Hansen rbh at intomics.com
Tue Feb 3 08:09:35 EST 2015


I'm trying to find all the steps necessary for successfully changing a username on our system, and it appears that when I try to rename the corresponding principal using kadmin, the principal just disappears (see the transcript below).

I'm using 1.12 as distributed with Ubuntu 14.04.1 LTS (Trusty), all updates installed. The KDC stores its data in an OpenLDAP directory.

I can provide more details about the setup if needed. For now I'd like to know if I'm missing anything obvious, and if other people can reproduce the behaviour I see – that should be easy to check.

Best,

Rasmus


Transcript:

Add the principal:

kadmin.local:  add_principal rbhtest3
WARNING: no policy specified for rbhtest3 at INTOMICS.COM; defaulting to no policy
Enter password for principal "rbhtest3 at INTOMICS.COM":
Re-enter password for principal "rbhtest3 at INTOMICS.COM":
Principal "rbhtest3 at INTOMICS.COM" created.

Find out what the new principal looks like:

kadmin.local:  get_principal rbhtest3
Principal: rbhtest3 at INTOMICS.COM
Expiration date: [never]
Last password change: Tue Feb 03 13:32:43 CET 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Feb 03 13:32:43 CET 2015 (rbh/admin at INTOMICS.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Do a kinit rbhtest3 somewhere and then check that "Last successful authentication" is updated:

kadmin.local:  get_principal rbhtest3
Principal: rbhtest3 at INTOMICS.COM
Expiration date: [never]
Last password change: Tue Feb 03 13:32:43 CET 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Feb 03 13:32:43 CET 2015 (rbh/admin at INTOMICS.COM)
Last successful authentication: Tue Feb 03 13:33:00 CET 2015
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Try to rename the principal:

kadmin.local:  rename_principal rbhtest3 rbhtest4
Are you sure you want to rename the principal "rbhtest3 at INTOMICS.COM" to "rbhtest4 at INTOMICS.COM"? (yes/no): yes
Principal "rbhtest3 at INTOMICS.COM" renamed to "rbhtest4 at INTOMICS.COM".
Make sure that you have removed the old principal from all ACLs before reusing.

Check that the principal cannot be found by its old name:

kadmin.local:  get_principal rbhtest3
get_principal: Principal does not exist while retrieving "rbhtest3 at INTOMICS.COM".

Try to find the principal by its new name:

kadmin.local:  get_principal rbhtest4
get_principal: Principal does not exist while retrieving "rbhtest4 at INTOMICS.COM".


Intomics is a contract research organization specialized in deriving core biological insight from large scale data. We help our clients in the pharmaceutical industry develop tomorrow's medicines better, faster, and cheaper through optimized use of biomedical data.
-----------------------------------------------------------------
Hansen, Rasmus Borup              Intomics - from data to biology
System Administrator              Diplomvej 377
Scientific Programmer             DK-2800 Kgs. Lyngby
                                  Denmark
E: rbh at intomics.com               W: http://www.intomics.com/
P: +45 5167 7972                  P: +45 8880 7979
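
The check sequence from the transcript above, wrapped as a guard that reports when a rename leaves neither name retrievable. This is an added example, not part of the original message or of the krb5 distribution; the function names, the return codes and the KADMIN_CMD variable are assumptions of the example.

```shell
# KADMIN_CMD is an assumption of this example; the default matches the transcript.
KADMIN_CMD="${KADMIN_CMD:-kadmin.local}"

# Return 0 if get_principal prints a "Principal:" record, 1 otherwise.
# The decision is made from the output text, as a reader of the transcript
# would make it, rather than from the exit status of kadmin.
principal_exists() {
    out=$($KADMIN_CMD -q "get_principal $1" 2>&1) || true
    case "$out" in
        *"Principal does not exist"*) return 1 ;;
        *"Principal: "*)              return 0 ;;
        *)                            return 1 ;;
    esac
}

# safe_rename OLD NEW
# Returns: 0 = renamed and verified
#          2 = precondition failed (OLD missing or NEW already present)
#          3 = neither name retrievable afterwards (the behaviour reported above)
#          4 = any other inconsistent result (for example OLD still present)
safe_rename() {
    old=$1
    new=$2
    principal_exists "$old" || { echo "$old not found, nothing to rename" >&2; return 2; }
    if principal_exists "$new"; then
        echo "$new already exists, refusing to rename" >&2
        return 2
    fi

    # -force skips the yes/no confirmation shown in the transcript.
    $KADMIN_CMD -q "rename_principal -force $old $new" >/dev/null 2>&1 || true

    old_seen=no
    new_seen=no
    principal_exists "$old" && old_seen=yes
    principal_exists "$new" && new_seen=yes

    case "$old_seen/$new_seen" in
        no/yes) return 0 ;;
        no/no)  echo "LOST: neither $old nor $new can be retrieved" >&2; return 3 ;;
        *)      echo "inconsistent state: old=$old_seen new=$new_seen" >&2; return 4 ;;
    esac
}

# Usage with the names from the transcript: safe_rename rbhtest3 rbhtest4
```

Exporting the principal's record before calling `safe_rename` gives something to restore from if code 3 is returned.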