[OpenAFS] One of my users has married - what to do?

Marcus Watts mdw@umich.edu
Sun, 29 Apr 2007 02:11:42 -0400

John Hascall <john@iastate.edu> writes:
> > > On Thu, 19 Apr 2007, Helmut Jarausch wrote:
> > >> what do I have to do to rename a user.
> > >> It was easy with pts but how to rename a user
> > >> with kas.
> > > You can't. My old trick was to use a tool which we had hacked up to
> > > pull a key from the database, and reinject that key for the new
> > > username, then delete the old one.
> > Is it possible to perform a similar trick directly on true Kerberos 5 
> > principals?
> Not in any recent from-MIT version.  There used to be a
>    rename_principal ${oldname} ${newname}
> command in kadmin[.local] but it vanished at some point.
> We've been adding it back in ever since here as we end
> up doing a couple hundred renames a year.

Oddly enough, we also add in support for rename_principal to our copy
of MIT kerberos (umich.edu).  The main interesting complication is
handling salt right.  We probably do several hundred of these a year.
In addition to handling kerberos and pts, it's also necessary (in our
environment) to rename the user volume, its mount point, the entry in
the password file, the imap mailbox, the ldap directory entry, and to
locate and change any ldap directory attributes that point to that
directory entry.  Also there's a local oracle database with billing
information, and some data in peoplesoft, and an entry in MS active
directory, and another directory entry in Novell eDir, and...

Needless to say we also discourage login changes.
We don't yet have a way to change cached data in meatware.

				-Marcus Watts
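The rename checklist Marcus gives above, as an added example that is not code from the thread or from OpenAFS/MIT Kerberos: a dry-run planner that orders the Kerberos, pts, volume and mount-point steps and refuses to clobber an existing name. The realm, the `/afs/example.edu/user` path, the `user.<name>` volume naming and the `exists` hook are assumptions.

```python
"""Dry-run planner for the rename steps listed in the thread (constructed example).
Assumptions: realm, cell path and volume naming are placeholders, and `exists` is a
caller-supplied hook so the planner can refuse to clobber an existing name."""
import re
import subprocess

USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")  # site naming policy assumed here


def plan_rename(old, new, realm="EXAMPLE.EDU",
                home_root="/afs/example.edu/user", exists=lambda ns, name: False):
    """Return the ordered commands to rename user `old` to `new`.

    `exists(namespace, name)` should answer whether `name` is already taken in
    the "krb5", "pts" or "vos" namespace; refusing early avoids a half-done
    rename that leaves the principal and the pts entry out of sync."""
    for name in (old, new):
        if not USERNAME_RE.match(name):
            raise ValueError(f"bad username {name!r}")
    if old == new:
        raise ValueError("old and new names are identical")
    old_vol, new_vol = f"user.{old}", f"user.{new}"
    for ns, name in (("krb5", new), ("pts", new), ("vos", new_vol)):
        if exists(ns, name):
            raise ValueError(f"{ns}: {name!r} already exists, refusing to overwrite")
    return [
        # Kerberos: the rename_principal command quoted in the thread; the post
        # notes that getting the salt right is the tricky part of this step.
        ["kadmin.local", "-q", f"rename_principal {old}@{realm} {new}@{realm}"],
        # pts: renaming keeps the numeric AFS id, so ACLs that reference the
        # user by id keep working unchanged.
        ["pts", "rename", "-oldname", old, "-newname", new],
        # Volume rename, then recreate the mount point: an AFS mount point
        # stores the volume name, so the old mount point now dangles.
        ["vos", "rename", "-oldname", old_vol, "-newname", new_vol],
        ["fs", "rmmount", "-dir", f"{home_root}/{old}"],
        ["fs", "mkmount", "-dir", f"{home_root}/{new}", "-vol", new_vol],
    ]


def run_plan(plan, dry_run=True):
    """Print each step; only execute it when dry_run is False."""
    for cmd in plan:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    run_plan(plan_rename("jsmith", "jdoe"))  # constructed sample names, dry run
```

The password file, mailbox, LDAP entry and the attributes that point at it, which the post also lists, still need their own steps outside this plan.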