[31958] in Kerberos
Re: find inactive accounts
daemon@ATHENA.MIT.EDU (John Hascall)
Wed Jan 20 09:17:53 2010
To: kerberos@mit.edu
In-reply-to: Your message of Wed, 20 Jan 2010 08:59:31 -0500.
<D356D2F0-8C69-4955-BB9A-B5FDF4F013EB@mit.edu>
Date: Wed, 20 Jan 2010 08:15:37 CST
Message-ID: <25591.1263996937@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> On Jan 20, 2010, at 08:47, John Hascall wrote:
> > What I would do is:
> > 1) make sure my KDCs were configured "--with-kdc-kdb-update" when
> > built
>
> Last I looked, this information still gets stored locally on each KDC,
> and is overwritten when the master->slave propagation happens. So a
> successful "login" that happened to use a slave KDC might go unnoticed.
Ah yes, I'd forgotten that.
so:
1a) I would use an incremental propagation technique.
and
1b) I'd bug the Kerb team to fix this :)
John
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
