[31872] in Kerberos
Re: Prematurely locked out by Active Directory
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jan 6 17:31:39 2010
Message-ID: <4B450F46.7090900@anl.gov>
Date: Wed, 06 Jan 2010 16:31:34 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: Warren Jones <wjones@fluke.com>
In-Reply-To: <4B450CC4.6040701@fluke.com>
Cc: kerberos@mit.edu
Warren Jones wrote:
> Our site has configured Active Directory so that an account is
> temporarily locked after five consecutive failed login attempts. This
> works as expected when I authenticate from a Linux box running MIT
> Kerberos 1.6.3. However, I've noticed a change after updating to
> version 1.7: My account is now locked after a single failed login
> attempt, using either kinit or pam_krb5.
>
> Has anyone else run into this?
>
> I've tried the following combinations:
>
> OS             MIT Kerberos  Results
> -------------  ------------  --------------------------------
> openSUSE 11.0  1.6.3-50.5    works as expected
> openSUSE 11.2  1.6.3-132.1   works as expected
> openSUSE 11.2  1.7-6.1       account locked after one failure
> openSUSE 11.2  1.7-15.1      account locked after one failure
>
> Any insights will be much appreciated.
I had seen that during testing, and used the attached patch to get around it.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Attachment: ad.account.lock.txt
--- ./lib/krb5/krb/,get_in_tkt.c Mon May 11 15:55:59 2009
+++ ./lib/krb5/krb/get_in_tkt.c Wed Oct 21 13:27:23 2009
@@ -483,7 +483,11 @@
return 0;
}
-#define MAX_IN_TKT_LOOPS 16
+/*
+ * DEE tmp fix to keep AD from turning off account
+ * #define MAX_IN_TKT_LOOPS 16
+ */
+#define MAX_IN_TKT_LOOPS 2
static const krb5_enctype get_in_tkt_enctypes[] = {
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
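Review bot: Lowering MAX_IN_TKT_LOOPS from 16 to 2 is a compile-time change that applies to every KDC this library talks to, not only to Active Directory, so any initial-ticket exchange that legitimately needs more than two passes through the loop will now fail everywhere. The cap only hides the symptom: if AD locks the account after one bad password, the client is presumably sending that failed attempt more than once, and the better fix is to stop retrying once the KDC has rejected the attempt instead of shrinking the global limit. If this stays as a stopgap, the comment should say why 2 is safe and what breaks at higher values, and the old "#define MAX_IN_TKT_LOOPS 16" should not be kept commented out inside the block comment, where it is easy to misread as live code.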