[OpenAFS] One of my users has married - what to do?

Tracy Di Marco White gendalia@iastate.edu
Sun, 29 Apr 2007 13:07:36 -0500


I keep seeing this subject in my mail, and I've kept wanting to
reply "Congratulate them!"... Since I was replying anyway, I
decided not to restrain myself.

On 4/29/07, Marcus Watts <mdw@umich.edu> wrote:
> John Hascall <john@iastate.edu> writes:
> > > > On Thu, 19 Apr 2007, Helmut Jarausch wrote:
> > > >> what do I have to do to rename a user?
> > > >> It was easy with pts, but how to rename a user
> > > >> with kas?
> >
> > > > You can't. My old trick was to use a tool which we had hacked up to
> > > > pull a key from the database, and reinject that key for the new
> > > > username, then delete the old one.
> >
> > > Is it possible to perform a similar trick directly on true Kerberos 5
> > > principals?
> >
> > Not in any recent from-MIT version.  There used to be a
> >
> >    rename_principal ${oldname} ${newname}
> >
> > command in kadmin[.local] but it vanished at some point.
> > We've been adding it back in ever since here as we end
> > up doing a couple hundred renames a year.
> ...
>
> Oddly enough, we also add in support for rename_principal to our copy
> of MIT kerberos (umich.edu).  The main interesting complication is
> handling salt right.  We probably do several hundred of these a year.
> In addition to handling kerberos and pts, it's also necessary (in our
> environment) to rename the user volume, its mount point, the entry in
> the password file, the imap mailbox, the ldap directory entry, and to
> locate and change any ldap directory attributes that point to that
> directory entry.  Also there's a local oracle database with billing
> information, and some data in peoplesoft, and an entry in MS active
> directory, and another directory entry in Novell eDir, and...

We use moira to handle all the changes in our central services,
which include kerberos, moira mailing lists, nfs groups if there is
one, creating a moira mailing list for the old name that gets
forwarded for a year, rename disk & print quota grants, afs
filesystem, pts entry, groups & mountpoint, updating locker
ownership, updating ldap attributes, updating active directory & novell,
change webct, update name servers (we do username.mail.iastate.edu
for mail servers, we use hesiod directory services, and we provide
username.public.iastate.edu for web services), update majordomo
lists, update mailbox names, change the finger server with .plan &
.project files, rename all the possible kerberos instances as well as
the base instance, update the online phone book, propagating the
username changes off to everyone else's databases and there's
probably more that I'm missing. All of that is automated, and I'm
working on giving privileges to do it to all of the full-time employees
at our help desk, rather than just a couple. John has done most of the
heavy lifting on making it work, though; I just ask for what I want it
to do.

> Needless to say we also discourage login changes.
> We don't yet have a way to change cached data in meatware.

We do a couple hundred every year.  We used to require proof of
name change, or a fee. Now we don't. The most we've ever done
in a year was 1644, and the number we do now is down probably
because everyone comes in more savvy about usernames, and
we point out fairly obviously that this is going on your placement
account, therefore companies you are going to be applying to work
for will see this.

If I recall correctly, our method for handling the salt correctly for
any enctype now involves having the person set a new password
when they change their username.

-Tracy
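The "salt" complication Marcus mentions, and why forcing a new password at rename time sidesteps it, as an added illustration that is not part of this thread or of MIT's rename_principal code: the default Kerberos salt is the realm plus the principal name, so a key derived under the old name no longer matches what a client computes under the new name unless the KDC records the old salt explicitly or the user is re-keyed. The realm, principal names and passwords below are constructed, and only the salt-dependent PBKDF2 step of RFC 3962 is modelled.

```python
import hashlib
from dataclasses import dataclass

REALM = "EXAMPLE.EDU"  # constructed realm, not one from the thread
ITERATIONS = 4096      # RFC 3962 default iteration count for the aes-cts enctypes

def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm followed by the name components
    concatenated with no separators, e.g. jdoe/admin@R -> b'Rjdoeadmin'."""
    name, _, realm = principal.rpartition("@")
    return (realm + name.replace("/", "")).encode()

def string_to_key(password: str, salt: bytes) -> bytes:
    """Salt-dependent PBKDF2 step of the RFC 3962 string-to-key for aes256-cts.
    The final DK() step is left out: it does not use the salt, so it cannot
    make keys derived from two different salts agree."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)

@dataclass
class KdbEntry:
    key: bytes
    salt: bytes  # salt the key was really derived with; the KDC hands it to clients

def create_principal(db: dict, principal: str, password: str) -> None:
    salt = default_salt(principal)
    db[principal] = KdbEntry(string_to_key(password, salt), salt)

def rename_principal(db: dict, old: str, new: str) -> None:
    """Naive rename: the key is copied but the salt is left to default to the
    new name, so the stored key no longer matches what a client will derive."""
    db[new] = KdbEntry(db.pop(old).key, default_salt(new))

def can_authenticate(db: dict, principal: str, password: str) -> bool:
    """A client derives its key from the password plus the salt the KDC supplies."""
    entry = db[principal]
    return string_to_key(password, entry.salt) == entry.key

def demo() -> tuple:
    """(before rename, after naive rename, after recording the old salt,
    after forcing a new password) -> (True, False, True, True)"""
    db = {}
    create_principal(db, "jsmith@" + REALM, "correct horse")
    before = can_authenticate(db, "jsmith@" + REALM, "correct horse")
    rename_principal(db, "jsmith@" + REALM, "jjones@" + REALM)
    naive = can_authenticate(db, "jjones@" + REALM, "correct horse")
    db["jjones@" + REALM].salt = default_salt("jsmith@" + REALM)  # fix 1: keep old salt
    kept = can_authenticate(db, "jjones@" + REALM, "correct horse")
    create_principal(db, "jjones@" + REALM, "new password")  # fix 2: re-key (the reply's approach)
    reset = can_authenticate(db, "jjones@" + REALM, "new password")
    return before, naive, kept, reset
```

The second fix is the one described in the reply above: requiring a new password means the key is simply derived afresh under the new name's default salt, so nothing about the old salt needs to be carried over.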