[Freeipa-users] Kerberos problem with account with changed attributes

Simo Sorce simo at redhat.com
Thu Jun 9 12:29:50 UTC 2011


On Thu, 2011-06-09 at 13:04 +0200, tomasz.napierala at allegro.pl wrote:
> Hi,
> 
> Due to a bug in one of our maintenance scripts, I had to manually change some attributes for one of the users, e.g.: uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
> 
> (yeah, last argument is really user's uid ;)
> 
> After that the user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization failure:"
> 
> I suppose it is a problem with inconsistency in the ldap and Kerberos database (probably Kerberos still has old data)
> 
> My question is how to fix that without generating a new user (I really have to avoid that due to the fact that this environment has some compliance restrictions)

Use ldapsearch to check what the DN is; it is probably still something
like: cn=1211,cn=users,cn=accounts, ...

then use ldapmodrdn -r cn=1211,cn=users,cn=acc..... cn=username

This will rename the user properly and a plugin will take care of
also renaming the Kerberos principal.

Local client caches may need some purging to properly pick up the new
value.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
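
The check behind the reply above, as an added example that is not part of the thread: given a user entry in the LDIF form that ldapsearch prints, detect the inconsistency the question describes (the uid attribute was changed but the RDN in the DN still carries the old value) and print the ldapmodrdn command that realigns them. The sample entry, the base DN dc=example,dc=com and the realm EXAMPLE.COM are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Constructed sample entry: uid was changed to "username", but the RDN
# and the Kerberos principal still carry the old value 1221.
SAMPLE_LDIF='dn: cn=1221,cn=users,cn=accounts,dc=example,dc=com
cn: 1221
uid: username
uidNumber: 1221
krbPrincipalName: 1221@EXAMPLE.COM'

# Read one LDIF entry on stdin; print "dn|rdn_attr|rdn_value|uid|principal".
parse_entry() {
    awk '
        /^dn: /               { dn = substr($0, 5); split(dn, parts, ",")
                                split(parts[1], rdn, "=") }
        /^uid: /              { uid = substr($0, 6) }
        /^krbPrincipalName: / { krb = substr($0, 19) }
        END { print dn "|" rdn[1] "|" rdn[2] "|" uid "|" krb }
    '
}

# Print the ldapmodrdn command that moves the entry to "<rdn_attr>=<uid>",
# or "consistent" when the RDN already matches the uid attribute.
suggest_fix() {
    IFS='|' read -r dn rdn_attr rdn_value uid krb
    if [ "$rdn_value" = "$uid" ]; then
        echo "consistent"
    else
        echo "ldapmodrdn -r \"$dn\" \"$rdn_attr=$uid\""
    fi
}

# True when the principal's name part equals uid; re-run this after the
# rename to confirm the plugin also renamed the Kerberos principal.
principal_matches_uid() {
    printf '%s\n' "$1" | parse_entry | {
        IFS='|' read -r dn rdn_attr rdn_value uid krb
        [ "${krb%@*}" = "$uid" ]
    }
}

# Convenience wrapper taking the LDIF text as its argument.
# Against a live directory, feed parse_entry from e.g.
#   ldapsearch -x -LLL -b cn=users,cn=accounts,dc=example,dc=com '(uidNumber=1221)'
check_user() {
    printf '%s\n' "$1" | parse_entry | suggest_fix
}
```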
