Preliminary discussion: DB alias entries

Sam Hartman hartmans at MIT.EDU
Fri Mar 13 10:53:43 EDT 2009

>>>>> "Simo" == Simo Sorce <ssorce at> writes:

    Simo> On Thu, 2009-03-12 at 23:21 -0400, Greg Hudson wrote:
    >> * I discovered that our client side support for aliases didn't
    >> work in cases where the client derives the salt from the client
    >> principal name.  I've committed a fix for the simple case (no
    >> preauth); Sam thinks further changes are probably necessary for
    >> some preauth cases but hopes to learn more about what those
    >> changes are at the interop event.

    Simo> Thanks, I meant to ask about this for some time, but always
    Simo> postponed to gather some more info before asking :/ I tested
    Simo> a while back if renaming users (changing krbPrincipalName
    Simo> via ldapmodify) would work, and it didn't (I had to reset
    Simo> the secret as well every time). I assume the fix you did
    Simo> would also resolve this issue, it would be very cool.

Not really.  If you want to rename a principal, you need to update the
key data to include the old salt in the key data.

I seem to recall John Hascall had a mostly working patch for doing

I think after I figure out what KDC side changes are needed, if you
had a 1.7 KDC and added/removed aliases to a principal but do not
change the canonical name, you will not need to rekey the principal.

More information about the krbdev mailing list