[36756] in Kerberos


Re: Renaming principals causes them to disappear

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Feb 4 14:45:54 2015

Message-ID: <54D276DD.50807@mit.edu>
Date: Wed, 04 Feb 2015 14:45:33 -0500
From: Greg Hudson <ghudson@mit.edu>
To: "Paul B. Henson" <henson@acm.org>, kerberos@mit.edu
In-Reply-To: <077301d04026$c02e9e80$408bdb80$@acm.org>

On 02/03/2015 10:00 PM, Paul B. Henson wrote:
> Hmm, that's a bummer, I was just about to avail of rename_principal
> functionality with an LDAP backend as part of a realm rename we have coming
> up :(. I was planning to rename everything and then rename it back in order
> to hardcode the correct salt before changing the realm name and avoid having
> to reset passwords. Given this bug, I guess I would have to dump the
> database, load it into bdb, do the renames, dump it again, and then load it
> back into ldap?

It seems so.

> Can you think of any easier way to store the correct salt with a principal
> before a realm rename?

For a one-off, you could write a C program which gets a principal entry,
fixes up the salt, and puts it back without changing the name.  You
could use the code for kadm5_rename_principal() in svr_principal.c as a
template.  (Make sure to also set entry.mask = KADM5_KEY_DATA or the
LDAP put_principal function will ignore the changed key data.)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
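
A self-contained model of the salt fix-up discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code. It uses its own types and function names (all hypothetical) rather than the kdb API, and the realm and principal names in any call are constructed; it shows why a key with the default salt stops matching after a realm rename and why storing the salt explicitly first avoids that.

```c
#include <stdlib.h>
#include <string.h>

/* This example's own model of a key's salt record; not the kdb.h types. */
enum salt_type { SALT_NORMAL, SALT_SPECIAL };
struct key_salt {
    enum salt_type type;
    char *salt;                /* explicit salt, set only for SALT_SPECIAL */
};

/* Default Kerberos 5 salt: realm, then each name component, no separators. */
char *default_salt(const char *realm, const char *const *comps, size_t n)
{
    size_t len = strlen(realm);
    for (size_t i = 0; i < n; i++)
        len += strlen(comps[i]);
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    strcpy(s, realm);
    for (size_t i = 0; i < n; i++)
        strcat(s, comps[i]);
    return s;
}

/* Store the current default salt explicitly in the key record.
 * Returns 1 if changed, 0 if already explicit, -1 on allocation failure. */
int pin_salt(struct key_salt *k, const char *realm,
             const char *const *comps, size_t n)
{
    if (k->type == SALT_SPECIAL)
        return 0;
    char *s = default_salt(realm, comps, n);
    if (s == NULL)
        return -1;
    k->type = SALT_SPECIAL;
    k->salt = s;
    return 1;
}

/* 1 if the salt in effect after a realm rename equals the one the
 * password-derived key was made with, 0 if not, -1 on allocation failure. */
int salt_survives_rename(const struct key_salt *k, const char *old_realm,
                         const char *new_realm,
                         const char *const *comps, size_t n)
{
    if (k->type == SALT_SPECIAL)
        return 1;              /* explicit salt does not follow the name */
    char *before = default_salt(old_realm, comps, n);
    char *after = default_salt(new_realm, comps, n);
    int same = (before && after) ? (strcmp(before, after) == 0) : -1;
    free(before);
    free(after);
    return same;
}
```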
