[37221] in Kerberos


Account lockout / replication issue

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Tue Sep 8 09:21:28 2015

From: Mark Pröhl <mark@mproehl.net>
Date: Tue, 08 Sep 2015 15:21:06 +0200
To: kerberos@mit.edu
Message-ID: <E46EA82B-52C4-4437-89CA-972D22C6CF92@mproehl.net>

Hi,

According to http://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html, the account lockout state is represented by the three account properties "The time of last successful authentication", "The time of last failed authentication" and "A counter of failed attempts". And that account lockout state should not be replicated.

I would like to check this and I am trying to run kadmin.local/getprinc on the master and on the slave.

However, in my simple test environment (Debian Jessie, MIT Kerberos 1.12.1) after a kprop/kpropd based full replication, all three properties seem to be replicated.

Before the replication:

root@slave:~# kadmin.local -q 'getprinc mark' | egrep '^Last successful authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:57:31 CEST 2015
Last failed authentication: Tue Sep 08 14:57:35 CEST 2015
Failed password attempts: 2

After doing some successful and unsuccessful kinits against the master and performing a replication, all three properties have new values:

root@slave:~# kadmin.local -q 'getprinc mark' | egrep '^Last successful authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3
root@slave:~# 

Am I missing something, or could this be a bug?

--
Mark Pröhl
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
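
Added example, not part of the original message: a field-by-field comparison of the three lockout properties between two `getprinc` captures, such as the before/after slave output quoted above. The function name `compare_lockout` and the `Policy` sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: field-by-field comparison of the lockout state in two
# captures of `kadmin.local -q 'getprinc <principal>'` output.

# compare_lockout BEFORE_TEXT AFTER_TEXT
# Prints "field: old -> new" for each lockout field whose value differs.
# Returns 0 if all three fields are identical, 1 if any of them changed.
compare_lockout() {
    changed=0
    for field in 'Last successful authentication' \
                 'Last failed authentication' \
                 'Failed password attempts'; do
        # Extract the value after "<field>: "; unrelated lines are ignored.
        old=$(printf '%s\n' "$1" | sed -n "s/^$field: *//p")
        new=$(printf '%s\n' "$2" | sed -n "s/^$field: *//p")
        if [ "$old" != "$new" ]; then
            printf '%s: %s -> %s\n' "$field" "$old" "$new"
            changed=1
        fi
    done
    return "$changed"
}

# Sample captures: the three lockout lines are the slave output quoted in
# the message; the "Policy" line is constructed to show that other getprinc
# lines are skipped. On a live KDC, capture instead with e.g.
#   BEFORE=$(kadmin.local -q 'getprinc mark')
BEFORE='Policy: [none]
Last successful authentication: Tue Sep 08 14:57:31 CEST 2015
Last failed authentication: Tue Sep 08 14:57:35 CEST 2015
Failed password attempts: 2'

AFTER='Policy: [none]
Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3'

if compare_lockout "$BEFORE" "$AFTER"; then
    echo 'lockout state unchanged between captures'
else
    echo 'lockout state changed between captures'
fi
```

Running the same comparison with one capture from the master and one from the slave shows whether the two databases hold the same lockout state for a principal.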

