[31957] in Kerberos
Re: find inactive accounts
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Wed Jan 20 08:59:38 2010
From: Ken Raeburn <raeburn@mit.edu>
To: John Hascall <john@iastate.edu>
In-Reply-To: <22087.1263995252@malison.ait.iastate.edu>
Message-Id: <D356D2F0-8C69-4955-BB9A-B5FDF4F013EB@mit.edu>
Date: Wed, 20 Jan 2010 08:59:31 -0500
Cc: kerberos@mit.edu

On Jan 20, 2010, at 08:47, John Hascall wrote:

> What I would do is:
> 1) make sure my KDCs were configured "--with-kdc-kdb-update" when
> built

Last I looked, this information still gets stored locally on each KDC,
and is overwritten when the master->slave propagation happens. So a
successful "login" that happened to use a slave KDC might go unnoticed.
There was some work going on to make the propagation not trash this
per-KDC data; I don't know if it's done yet or if it got into the 1.8
branch.

(Also, the "--with-kdc-kdb-update" code didn't compile, for a while.)

> 3) then I would look through my latest kprop dump for lines
> starting with
> "princ" and grab the 7th and 13th fields. For example:

We really should make it easier to extract these data in a more
helpful form... :-)

Ken
--
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium
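
An added example, not part of the original message and not MIT Kerberos code: it pulls the 7th and 13th fields from "princ" lines as the quoted step describes, and keeps the newest value per principal across several dumps, since the reply notes the data is stored locally on each KDC. It assumes whitespace-separated fields, that field 7 is the principal name and field 13 is the last successful authentication as Unix time; the function names and sample dumps are constructed for illustration.

```python
# Added example: constructed sample dumps, not real KDC data.
# Assumptions: fields are whitespace-separated, field 7 is the principal name,
# field 13 is the last successful authentication as Unix time (0 = never recorded).
MASTER_DUMP = (
    "policy\tdefault\t0\t0\t1\t1\t1\t0\n"
    "princ\t38\t17\t3\t1\t0\talice@EXAMPLE.COM\t0\t86400\t604800\t0\t0\t1262304000\t0\t0\n"
    "princ\t38\t15\t3\t1\t0\tbob@EXAMPLE.COM\t0\t86400\t604800\t0\t0\t1230768000\t0\t0\n"
    "princ\t38\t17\t3\t1\t0\tcarol@EXAMPLE.COM\t0\t86400\t604800\t0\t0\t0\t0\t0\n"
    "princ\t38\t17\n"  # truncated line: skipped rather than guessed at
)
SLAVE_DUMP = (
    "princ\t38\t15\t3\t1\t0\tbob@EXAMPLE.COM\t0\t86400\t604800\t0\t0\t1263945600\t0\t0\n"
)
NOW = 1263988800  # 2010-01-20 12:00:00 UTC, fixed so the result is reproducible


def last_success(dump_text):
    """Return {principal: 13th field as int} for every usable 'princ' line."""
    seen = {}
    for line in dump_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[0] != "princ":
            continue
        try:
            seen[fields[6]] = int(fields[12])
        except ValueError:
            continue  # non-numeric 13th field: ignore the line
    return seen


def merge_dumps(*dumps):
    """Keep the newest timestamp per principal across dumps (e.g. one per KDC)."""
    merged = {}
    for dump_text in dumps:
        for name, ts in last_success(dump_text).items():
            merged[name] = max(ts, merged.get(name, 0))
    return merged


def inactive(merged, now, max_idle_days):
    """Principals whose newest recorded success is older than the cutoff."""
    cutoff = now - max_idle_days * 86400
    return sorted(name for name, ts in merged.items() if ts < cutoff)


if __name__ == "__main__":
    print("master only:", inactive(merge_dumps(MASTER_DUMP), NOW, 90))
    print("all KDCs:   ", inactive(merge_dumps(MASTER_DUMP, SLAVE_DUMP), NOW, 90))
```

With only the master's dump, bob is reported inactive even though the constructed slave dump records a recent success for him.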