Preliminary discussion: DB alias entries
hartmans at MIT.EDU
Fri Mar 13 10:53:43 EDT 2009
>>>>> "Simo" == Simo Sorce <ssorce at redhat.com> writes:
Simo> On Thu, 2009-03-12 at 23:21 -0400, Greg Hudson wrote:
>> * I discovered that our client side support for aliases didn't
>> work in cases where the client derives the salt from the client
>> principal name. I've committed a fix for the simple case (no
>> preauth); Sam thinks further changes are probably necessary for
>> some preauth cases but hopes to learn more about what those
>> changes are at the interop event.
Simo> Thanks, I meant to ask about this for some time, but always
Simo> postponed to gather some more info before asking :/ I tested
Simo> a while back if renaming users (changing krbPrincipalName
Simo> via ldapmodify) would work, and it didn't (I had to reset
Simo> the secret as well every time). I assume the fix you did
Simo> would also resolve this issue, it would be very cool.
Not really. If you want to rename a principal, you need to update the
key data to include the old salt in the key data.
I seem to recall John Hascall had a mostly working patch for doing
I think after I figure out what KDC side changes are needed, if you
had a 1.7 KDC and added/removed aliases to a principal but do not
change the canonical name, you will not need to rekey the principal.
More information about the krbdev