Bug 737997 - should enforce some naming constraints on users and groups
Summary: should enforce some naming constraints on users and groups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 532811
Blocks: 431020
Reported: 2011-09-13 15:23 UTC by Dmitri Pal
Modified: 2015-01-04 23:51 UTC (History)

Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains the original login.
Consequence: If a user adds a new user with an uppercase letter in its login, a disconnect between the user login and his principal is created. The IPA server then refuses to create a password for that user.
Fix: Normalize both the new user login and his principal.
Result: When a new user with an upper-case letter in his login is added, both login and principal are normalized and put to lower-case. The IPA server is then able to create a Kerberos password for the user.
Clone Of: 532811
Environment:
Last Closed: 2011-12-06 18:31:23 UTC


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1533 | normal | SHIPPED_LIVE | Moderate: ipa security and bug fix update | 2011-12-06 01:23:31 UTC

Comment 4 Martin Kosek 2011-11-01 11:38:16 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When a new user is added, its login is normalized and put to lower-case. However, its principal is not normalized and contains the original login.
Consequence: If a user adds a new user with an uppercase letter in its login, a disconnect between the user login and his principal is created. The IPA server then refuses to create a password for that user.
Fix: Normalize both the new user login and his principal.
Result: When a new user with an upper-case letter in his login is added, both login and principal are normalized and put to lower-case. The IPA server is then able to create a Kerberos password for the user.

Comment 5 Gowrishankar Rajaiyan 2011-11-07 13:13:14 UTC
[root@decepticons ~]# ipa user-add --first=Foo --last=Bar FbAr
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar@LAB.ENG.PNQ.REDHAT.COM
  UID: 323800004
  GID: 323800004
  Keytab: False
  Password: False
[root@decepticons ~]# ipa passwd fbar
New Password: 
Enter New Password again to verify: 
--------------------------------------------------
Changed password for "fbar@LAB.ENG.PNQ.REDHAT.COM"
--------------------------------------------------
[root@decepticons ~]# kinit fbar
Password for fbar@LAB.ENG.PNQ.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@decepticons ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 18:39:50  11/08/11 18:39:50  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]# 

Verified.
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#
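
The login/principal mismatch from the technical note and the fixed behaviour verified in the transcript above, as an added Python example that is not FreeIPA code or part of this bug report. The function names and the `login`/`principal` record layout are assumptions, and the sample entries are constructed; `find_mismatches` is an audit check for accounts whose principal does not match their login.

```python
# Added illustration; names and record layout are assumptions, not FreeIPA code.

def add_user_before_fix(login, realm):
    """Behaviour described under 'Cause': only the login is lower-cased."""
    return {"login": login.lower(), "principal": f"{login}@{realm}"}


def add_user_after_fix(login, realm):
    """Behaviour described under 'Fix': login and principal share the lower-cased name."""
    name = login.lower()
    return {"login": name, "principal": f"{name}@{realm}"}


def split_principal(principal):
    """Split 'primary@REALM' at the last '@' (escaped '@' in names is not handled)."""
    primary, sep, realm = principal.rpartition("@")
    if not sep or not primary or not realm:
        raise ValueError(f"not a user principal: {principal!r}")
    return primary, realm


def find_mismatches(entries):
    """Return (login, principal, reason) for entries whose principal does not match the login."""
    findings = []
    for entry in entries:
        try:
            primary, _realm = split_principal(entry["principal"])
        except ValueError:
            findings.append((entry["login"], entry["principal"], "malformed"))
            continue
        if primary == entry["login"]:
            continue
        same_ignoring_case = primary.lower() == entry["login"].lower()
        reason = "case-only" if same_ignoring_case else "different-name"
        findings.append((entry["login"], entry["principal"], reason))
    return findings


# Constructed sample data; the realm is the one shown in the transcript above.
REALM = "LAB.ENG.PNQ.REDHAT.COM"
SAMPLE = [
    add_user_before_fix("FbAr", REALM),  # login fbar, principal keeps "FbAr"
    add_user_after_fix("FbAr", REALM),   # login and principal both use "fbar"
    {"login": "jdoe", "principal": "jsmith@" + REALM},
    {"login": "svc", "principal": "svc"},
]

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE):
        print(finding)
```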

Comment 6 errata-xmlrpc 2011-12-06 18:31:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

