From f4bc2917ef68fac86146e6fb5426fdc89f1f2470 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Wed, 6 Jun 2018 16:06:44 +0000
Subject: [PATCH] Document Kerberos password reset process

As happens, if you don't use your Kerberos credentials often you may
lose track of your password for them. Document how, as a system
administrator with a shell on one of the KDCs, you can set a new
passwords for your accounts without needing to recreate the
principals.

Change-Id: I843b5be9630c805335a6cca04237477002748242
---
 doc/source/kerberos.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/source/kerberos.rst b/doc/source/kerberos.rst
index 014770075c..8c493895ac 100644
--- a/doc/source/kerberos.rst
+++ b/doc/source/kerberos.rst
@@ -98,6 +98,15 @@ Then save the principal's keytab::
 
   kadmin: ktadd -k /path/to/$NAME.keytab service/$NAME@OPENSTACK.ORG
 
+Resetting A User Principal's Password
+-------------------------------------
+
+If you've forgotten your user password (it happens!) then from a
+shell on one of the KDCs, execute ``sudo kadmin.local`` and use the
+``cpw $USERNAME@OPENSTACK.ORG`` command and enter your new password
+twice as prompted. If you need to reset your admin principal, use
+``cpw $USERNAME/admin@OPENSTACK.ORG`` instead.
+
 No Service Outage Server Maintenance
 ------------------------------------