[OpenAFS] renaming principals
Christopher D. Clausen
Sun, 29 Apr 2007 22:40:28 -0500
Ken Hornstein <firstname.lastname@example.org> wrote:
>> The point would be to allow users who may not be able to physically
>> come in to the help desk and reset a password be able to change
>> their user id. (Or in some cases, have their user id forcably
>> change by "powers that be."
> Your criteria for a user changing their userid is less stringent
> then a password reset? I dealt with a site like that once, but I
> always thought that if someone is changing their userid, they should
> have to interface with us in a way that doesn't make a password
> reset a big deal.
On forced id changes, yes. UIUC forced a large number of users with a
hyphen in their netid to change to one that did not have the hyphen.
(Usually dropping the hyphen if that id was available.) They also forcd
netid changes where there were conflicts between the 3 campuses (UIC,
>> A rename would also be an atomic operation. Delete / Add isn't
>> atomic b/c there is a point at which the user cannot authenticate
>> b/c a password is not yet set (at least not one that is known to the
> And I think you're being rather optimistic about the user experiencing
> a service outage. Unless you're able to change their Unix account,
> any ACLs, pts entry, etc etc, all at once, the user is going to have
> some kind of outage. You could shorten it, but I don't see how you're
I can change PTS, ACLs, and Unix account for the systems I maintain at
nearly the same time. The user would be able to login to these systems
and work using either the old or the new principal. Persumably, this
would be the case at just about every departmental lab.
Students often need to get things done after the normal 5pm closing time
or just about every University office. Not being able to use a lab for
an entire evening because of a forced password change is a serious
problem. No lab access often means no homework gets done. And
generally you find out about the forced change AFTER it occurs and you
can't access anything anymore.
> going to make it zero without having everything using one mega
> database backend (I'm not talking about Moira ... this would have to
> handle every authorization request).
The user would be able to try either their old account or their new one
and get into the system. And even if the systems aren't all changed at
once, being able to login using the old principal or the new principal
for a period of time would be ideal.
> I'm just trying to put some perspective on things. I understand that
> large sites probably have relatively frequent renames ... but if you
> don't, I don't think doing a delete/add is so bad. Not that I think
> having a rename ability inside of kadmind is a bad idea, but I
> wouldn't bust my hump over it.
Oh, I understand. But being forced to go to a specific location on
campus during specific times (which just happen to be the exact same
hours that I am busy) for a password reset is REALLY annoying. Even if
it only happens once in many years.
And its really bad when it happens on a Friday afternoon and you are
locked out all weekend.