Bug 737997

Summary: should enforce some naming constraints on users and groups
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: low    
Version: 6.1CC: benl, dpal, grajaiya, jgalipea, mkosek, nalin
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-2.1.2-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains original login Consequence: If user adds a new user with uppercase letter in its login, a disconnect between a user login and his principal is created. IPA server then refuses to create a password for that user Fix: Normalize both new user login and his principal Result: When a new user with upper-case letter in his login is added, both login and principal are normalized and put to lower-case. IPA server is then able to create a Kerberos password for the user.
Story Points: ---
Clone Of: 532811 Environment:
Last Closed: 2011-12-06 18:31:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 532811    
Bug Blocks: 431020    

Comment 4 Martin Kosek 2011-11-01 11:38:16 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains original login
Consequence: If user adds a new user with uppercase letter in its login, a disconnect between a user login and his principal is created. IPA server then refuses to create a password for that user
Fix: Normalize both new user login and his principal
Result: When a new user with upper-case letter in his login is added, both login and principal are normalized and put to lower-case. IPA server is then able to create a Kerberos password for the user.

Comment 5 Gowrishankar Rajaiyan 2011-11-07 13:13:14 UTC
[root@decepticons ~]# ipa user-add --first=Foo --last=Bar FbAr
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar@LAB.ENG.PNQ.REDHAT.COM
  UID: 323800004
  GID: 323800004
  Keytab: False
  Password: False
[root@decepticons ~]# ipa passwd fbar
New Password: 
Enter New Password again to verify: 
--------------------------------------------------
Changed password for "fbar@LAB.ENG.PNQ.REDHAT.COM"
--------------------------------------------------
[root@decepticons ~]# kinit fbar
Password for fbar@LAB.ENG.PNQ.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 18:39:50  11/08/11 18:39:50  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]# 

Verified.
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 6 errata-xmlrpc 2011-12-06 18:31:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html