From: pachl <clintpachl@gmail.com>
Date: Sat, 19 Apr 2008 01:08:47 -0700 (PDT)
Message-ID: <f1273ad8-37d6-4825-80c2-d4201303b3da@u12g2000prd.googlegroups.com>
To: kerberos@mit.edu

On Apr 18, 9:24 am, Joshua Hutchins <jdhutc...@ugcs.caltech.edu> wrote:
> pachl wrote:
> > When running ``kadmin get <principal>`` for any principal, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to login to change the status of this line from
> > "never"?
> >
> > I have used kinit from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
> >
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.
> >
> > -pachl
> > ________________________________________________
> > Kerberos mailing list Kerbe...@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages). All our principals
> require pre-auth. We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.
>
> Thanks, Joshua

A few hours after my original post I found an interestingly relevant
tidbit in my "Kerberos - The Definitive Guide" book on page 231.

    *Last successful login, Last failed login, and Failed login count*

    Unfortunately, these fields will always show never (or zero). The
    reason for this is that while all of the other updates to a
    principal's information, such as password changes or policy changes,
    must be made through the master KDC, any KDC (master or slave) can
    perform authentication. There is currently no way for a slave KDC to
    report back to the master KDC that an authentication has occurred,
    so the Heimdal code disables these fields.

The same is said about the MIT implementation.

-pachl
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos