Bug 737997 – should enforce some naming constraints on users and groups

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 737997 - should enforce some naming constraints on users and groups

Summary:	should enforce some naming constraints on users and groups

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.1
Hardware:	All Linux

Priority	low Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	532811
Blocks:	431020
	Show dependency tree / graph

Reported:	2011-09-13 11:23 EDT by Dmitri Pal
Modified:	2015-01-04 18:51 EST (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	ipa-2.1.2-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains original login Consequence: If user adds a new user with uppercase letter in its login, a disconnect between a user login and his principal is created. IPA server then refuses to create a password for that user Fix: Normalize both new user login and his principal Result: When a new user with upper-case letter in his login is added, both login and principal are normalized and put to lower-case. IPA server is then able to create a Kerberos password for the user.
Story Points:	---
Clone Of:	532811
Environment:
Last Closed:	2011-12-06 13:31:23 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-05 20:23:31 EST

Groups: None (edit)

Comment 1 Martin Kosek 2011-09-22 09:45:08 EDT

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/a1430dcb2c8e63e3077d00878431c0698944a07d
ipa-2-1: https://fedorahosted.org/freeipa/changeset/fb6abb2acc190d1c397f9e4e170c03bfcd39048d

Comment 4 Martin Kosek 2011-11-01 07:38:16 EDT

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains original login
Consequence: If user adds a new user with uppercase letter in its login, a disconnect between a user login and his principal is created. IPA server then refuses to create a password for that user
Fix: Normalize both new user login and his principal
Result: When a new user with upper-case letter in his login is added, both login and principal are normalized and put to lower-case. IPA server is then able to create a Kerberos password for the user.

Comment 5 Gowrishankar Rajaiyan 2011-11-07 08:13:14 EST

[root@decepticons ~]# ipa user-add --first=Foo --last=Bar FbAr
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar@LAB.ENG.PNQ.REDHAT.COM
  UID: 323800004
  GID: 323800004
  Keytab: False
  Password: False
[root@decepticons ~]# ipa passwd fbar
New Password: 
Enter New Password again to verify: 
--------------------------------------------------
Changed password for "fbar@LAB.ENG.PNQ.REDHAT.COM"
--------------------------------------------------
[root@decepticons ~]# kinit fbar
Password for fbar@LAB.ENG.PNQ.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 18:39:50  11/08/11 18:39:50  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]# 

Verified.
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 6 errata-xmlrpc 2011-12-06 13:31:23 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.