[31955] in Kerberos


Re: find inactive accounts

daemon@ATHENA.MIT.EDU (John Hascall)
Wed Jan 20 08:47:42 2010

To: Steve Glasser <sgla9347@gmail.com>
In-reply-to: Your message of Tue, 19 Jan 2010 21:41:21 -0800.
	<c789fd71001192141q7d0be6a7vb96febc25157c457@mail.gmail.com> 
Date: Wed, 20 Jan 2010 07:47:32 CST
Message-ID: <22087.1263995252@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


> For PCI reasons I have to report all accounts which have been inactive
> (i.e. no logins) for three months.  The goal here is to automate the
> process...     [...grubbing through logs...]

What I would do is:
    1) make sure my KDCs were configured "--with-kdc-kdb-update" when built
    2) make sure all users' principals had the REQUIRES_PRE_AUTH attribute
    3) then I would look through my latest kprop dump for lines starting with
       "princ" and grab the 7th and 13th fields.  For example:

princ	38	16	3	1	0	john@IASTATE.EDU	128	2592000	2592000	2019707940	0	1263942513	1263938175	0	...	-1;

     in this case, field 13 is "1263942513" which is:
         Tue Jan 19 17:08:33 CST 2010

     same as you can see in kadmin[.local]:

kadmin.local:  getprinc john
Principal: john@IASTATE.EDU
Expiration date: Sat Dec 31 23:59:00 CST 2033
Last password change: Fri Jan 15 18:27:54 CST 2010
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 30 days 00:00:00
Last modified: Fri Jan 15 18:27:54 CST 2010 (kadmind@IASTATE.EDU)
Last successful authentication: Tue Jan 19 17:08:33 CST 2010  <<<<<<<<<<
Last failed authentication: Tue Jan 19 15:56:15 CST 2010
Failed password attempts: 0
    ...
Attributes: REQUIRES_PRE_AUTH


     John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
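
Added example, not part of the original message: a Python sketch of step 3 that reads tab-separated "princ" lines from a dump, takes fields 7 and 13, and lists principals with no successful authentication in the last 90 days. Assumptions: field 8 holds the attribute flags (128 in the sample line, matching REQUIRES_PRE_AUTH), "three months" is taken as 90 days, and the sample rows are constructed and cut off after field 15.

```python
import time

PREAUTH_BIT = 0x80           # assumption: field 8 is the attribute flags (128 in the sample)
INACTIVE_SECS = 90 * 86400   # assumption: "three months" approximated as 90 days

def parse_princ(line):
    """Return (principal, attributes, last_success_epoch), or None for other lines."""
    f = line.rstrip("\n").split("\t")
    if f[0] != "princ" or len(f) < 13:
        return None
    return f[6], int(f[7]), int(f[12])   # fields 7, 8 and 13, counted from 1

def inactive_report(lines, now=None):
    """List (principal, reason) for every principal that needs reporting."""
    now = time.time() if now is None else now
    report = []
    for line in lines:
        rec = parse_princ(line)
        if rec is None:
            continue
        name, attrs, last_ok = rec
        if not attrs & PREAUTH_BIT:
            # Step 2 not met: the timestamp cannot be relied on for this principal.
            report.append((name, "REQUIRES_PRE_AUTH not set, logins untracked"))
        elif last_ok == 0:
            report.append((name, "no successful authentication recorded"))
        elif now - last_ok > INACTIVE_SECS:
            stamp = time.strftime("%Y-%m-%d", time.gmtime(last_ok))
            report.append((name, "inactive since " + stamp))
    return report

def row(name, attrs, last_ok):
    """Build a constructed dump line, truncated after field 15."""
    return "\t".join(["princ", "38", str(len(name)), "3", "1", "0", name,
                      str(attrs), "2592000", "2592000", "2019707940", "0",
                      str(last_ok), "0", "0"])

# Constructed sample input; only the first row mirrors the line quoted in the message.
SAMPLE = [
    row("john@IASTATE.EDU", 128, 1263942513),
    row("alice@EXAMPLE.COM", 128, 1250000000),
    row("bob@EXAMPLE.COM", 128, 0),
    row("carol@EXAMPLE.COM", 0, 1263942513),
    "policy\tconstructed-non-princ-line",
]

if __name__ == "__main__":
    for name, reason in inactive_report(SAMPLE, now=1264000000):
        print(name, reason, sep="\t")
```
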
