Renaming principals causes them to disappear

Greg Hudson ghudson at mit.edu
Wed Feb 4 14:45:33 EST 2015


On 02/03/2015 10:00 PM, Paul B. Henson wrote:
> Hmm, that's a bummer, I was just about to avail of rename_principal
> functionality with an LDAP backend as part of a realm rename we have coming
> up :(. I was planning to rename everything and then rename it back in order
> to hardcode the correct salt before changing the realm name and avoid having
> to reset passwords. Given this bug, I guess I would have to dump the
> database, load it into bdb, do the renames, dump it again, and then load it
> back into ldap?

It seems so.

> Can you think of any easier way to store the correct salt with a principal
> before a realm rename?

For a one-off, you could write a C program which gets a principal entry,
fixes up the salt, and puts it back without changing the name.  You
could use the code for kadm5_rename_principal() in svr_principal.c as a
template.  (Make sure to also set entry.mask = KADM5_KEY_DATA or the
LDAP put_principal function will ignore the changed key data.)
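
The salt fix-up described above, as an added example that is not part of the original message and is not MIT krb5 code: it uses a simplified model of a principal's key list rather than the libkdb5 structures, holds salts as C strings, and takes a constructed principal name. A key that relies on the default salt (realm followed by the name components) gets that salt stored explicitly, so it no longer depends on the principal's realm.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (assumption), not libkdb5: one stored key and its salt.
 * The values mirror KRB5_KDB_SALTTYPE_NORMAL and KRB5_KDB_SALTTYPE_SPECIAL. */
enum { SALT_NORMAL = 0, SALT_SPECIAL = 4 };
struct model_key { int salt_type; char *salt; };

/* Default salt: the realm followed by each name component, no separators.
 * princ has the form "comp1/comp2@REALM"; escaped characters are not handled. */
char *default_salt(const char *princ)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL)
        return NULL;
    size_t nlen = (size_t)(at - princ), rlen = strlen(at + 1), n = rlen;
    char *salt = malloc(rlen + nlen + 1);
    if (salt == NULL)
        return NULL;
    memcpy(salt, at + 1, rlen);
    for (size_t i = 0; i < nlen; i++)
        if (princ[i] != '/')
            salt[n++] = princ[i];
    salt[n] = '\0';
    return salt;
}

/* Pin the current default salt on every key that relies on it.
 * Returns the number of keys changed, or -1 on error. A result above zero
 * means key data was modified, which is the case where the message says
 * the real put must carry entry.mask = KADM5_KEY_DATA. */
int pin_salts(const char *princ, struct model_key *keys, int nkeys)
{
    int changed = 0;
    for (int i = 0; i < nkeys; i++) {
        if (keys[i].salt_type != SALT_NORMAL)
            continue;                  /* salt already explicit: leave it */
        if ((keys[i].salt = default_salt(princ)) == NULL)
            return -1;
        keys[i].salt_type = SALT_SPECIAL;
        changed++;
    }
    return changed;
}

int main(void)
{
    struct model_key keys[1] = { { SALT_NORMAL, NULL } };
    int n = pin_salts("user/admin@OLD.EXAMPLE", keys, 1);  /* constructed name */
    if (n < 0)
        return 1;
    printf("%d key(s) pinned, salt \"%s\"\n", n, keys[0].salt);
    free(keys[0].salt);
    return 0;
}
```
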

