[14917] in Kerberos
Re: Can we rename a principal yet?
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Aug 1 11:39:04 2001
Date: Wed, 1 Aug 2001 11:36:37 -0400
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
To: "Christopher P. Lindsey" <lindsey@mallorn.com>, kerberos@MIT.EDU
Message-ID: <20010801113636.O22964@sm2p1386swk.wdr.com>
Mail-Followup-To: "Christopher P. Lindsey" <lindsey@mallorn.com>,
kerberos@MIT.EDU
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <20010801103515.L22964@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Wed, Aug 01, 2001 at 10:35:16AM -0400
On Wed, Aug 01, 2001 at 10:35:16AM -0400, Nicolas Williams wrote:
> The problem appears to be simply that the KDC does not store a
> principal's key's salt separately from the principal's name.
Well, I'm glad to report that I'm wrong. The KDC does support looking up
the salt associated with a key.
The problem is that kadmind/kadmin.local do not associate a key's salt
with it when renaming a principal.
> That is the crux of the matter. Kadmind needs to save a principal's old
> name (with each key) when renaming that principal (except for keys that
> already had an old principal name associated with them) and the KDC
> needs to be capable of retrieving an old principal name associated with
> a particular key of any principal and then use that for the
> pa-pw-salt/etype-info items.
So it seems like a small-ish change to kadmind ought to suffice to
enable principal renaming. You can always dump a principal's entry,
modify the dump data to associate a salt with the appropriate keys, and
kdb5_util load -update the new record...
Nico
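
The salt problem discussed in this message, as an added example that is not part of the original post and not MIT krb5 code: a toy model of a KDC entry showing why a renamed principal's password stops matching unless the old default salt is stored with the key. The Entry class, the function names and the sample principals are hypothetical, and the key derivation is only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (the final DK step is omitted), used here as a stand-in for whichever salted enctype is deployed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm, then the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()

def s2k(password: str, salt: bytes) -> bytes:
    """Stand-in string-to-key: PBKDF2 stage of RFC 3962 only (assumption)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

@dataclass
class Entry:                      # hypothetical, simplified database record
    name: str
    key: bytes
    salt: Optional[bytes] = None  # None means "default salt of current name"

def create(name: str, password: str) -> Entry:
    return Entry(name, s2k(password, default_salt(name)))

def rename(entry: Entry, new_name: str, keep_salt: bool) -> Entry:
    # keep_salt=True records the old default salt with the key before the
    # name changes, unless the key already carries a salt from an earlier rename.
    if keep_salt and entry.salt is None:
        entry.salt = default_salt(entry.name)
    entry.name = new_name
    return entry

def advertised_salt(entry: Entry) -> bytes:
    """What the KDC would send in pa-pw-salt / etype-info for this key."""
    return entry.salt if entry.salt is not None else default_salt(entry.name)

def client_can_authenticate(entry: Entry, password: str) -> bool:
    client_key = s2k(password, advertised_salt(entry))
    return hmac.compare_digest(client_key, entry.key)

def demo():
    pw = "constructed-sample-password"  # constructed sample value
    old, new = "alice@EXAMPLE.COM", "alice.smith@EXAMPLE.COM"
    naive = rename(create(old, pw), new, keep_salt=False)
    fixed = rename(create(old, pw), new, keep_salt=True)
    return client_can_authenticate(naive, pw), client_can_authenticate(fixed, pw)

if __name__ == "__main__":
    print(demo())
```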