Bug 737997 - should enforce some naming constraints on users and groups
should enforce some naming constraints on users and groups
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
6.1
All Linux
low Severity medium
: rc
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On: 532811
Blocks: 431020
  Show dependency treegraph
 
Reported: 2011-09-13 11:23 EDT by Dmitri Pal
Modified: 2015-01-04 18:51 EST (History)
6 users (show)

See Also:
Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains original login Consequence: If user adds a new user with uppercase letter in its login, a disconnect between a user login and his principal is created. IPA server then refuses to create a password for that user Fix: Normalize both new user login and his principal Result: When a new user with upper-case letter in his login is added, both login and principal are normalized and put to lower-case. IPA server is then able to create a Kerberos password for the user.
Story Points: ---
Clone Of: 532811
Environment:
Last Closed: 2011-12-06 13:31:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 4 Martin Kosek 2011-11-01 07:38:16 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains original login
Consequence: If user adds a new user with uppercase letter in its login, a disconnect between a user login and his principal is created. IPA server then refuses to create a password for that user
Fix: Normalize both new user login and his principal
Result: When a new user with upper-case letter in his login is added, both login and principal are normalized and put to lower-case. IPA server is then able to create a Kerberos password for the user.
Comment 5 Gowrishankar Rajaiyan 2011-11-07 08:13:14 EST
[root@decepticons ~]# ipa user-add --first=Foo --last=Bar FbAr
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar@LAB.ENG.PNQ.REDHAT.COM
  UID: 323800004
  GID: 323800004
  Keytab: False
  Password: False
[root@decepticons ~]# ipa passwd fbar
New Password: 
Enter New Password again to verify: 
--------------------------------------------------
Changed password for "fbar@LAB.ENG.PNQ.REDHAT.COM"
--------------------------------------------------
[root@decepticons ~]# kinit fbar
Password for fbar@LAB.ENG.PNQ.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 18:39:50  11/08/11 18:39:50  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]# 

Verified.
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#
Comment 6 errata-xmlrpc 2011-12-06 13:31:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.