[31973] in Kerberos
Re: find inactive accounts
daemon@ATHENA.MIT.EDU (Steve Glasser)
Thu Jan 21 12:16:10 2010
In-Reply-To: <F3742516-48CA-4BE2-A2E8-205B5BF28533@mit.edu>
Date: Thu, 21 Jan 2010 09:16:03 -0800
Message-ID: <c789fd71001210916q3855d80y6959975482d38872@mail.gmail.com>
From: Steve Glasser <sgla9347@gmail.com>
To: Ken Raeburn <raeburn@mit.edu>
Cc: John Hascall <john@iastate.edu>, Osamu Iwasa <osamu.iwasa@fox.com>,
kerberos@mit.edu

Hi all,

Thanks for your thoughtful replies and suggestions.

It appears that we can use the REQUIRES_PRE_AUTH attribute without
also recompiling Kerberos with "--with-kdc-kdb-update". This changes
logging of user login attempts; when first attempting login there is a
log entry which includes "Additional pre-authentication required".

* Successful user login creates an additional "AS_REQ" log entry.
* Failed user login creates an additional log entry which includes
  "PREAUTH_FAILED".

This solves part of our problem. Now we can tell the difference
between successful and failed logins.

I have only tested this in a very small dev environment. Please let
me know if I have missed something.

On Wed, Jan 20, 2010 at 6:47 AM, Ken Raeburn <raeburn@mit.edu> wrote:
> On Jan 20, 2010, at 09:15, John Hascall wrote:
>> Ah yes, I'd forgotten that.
>> so:
>> 1a) I would use an incremental propagation technique.
>
Thanks,
--
Steve Glasser
sgla9347@gmail.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
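
An added example, not part of the original message: a Python sketch that uses the log entries described above to separate successful from failed logins per principal and to list accounts with no recent successful login. The sample lines are constructed, and the line layout, the "ISSUE" status on a successful AS_REQ and its "authtime" field are assumptions about the krb5kdc log format; the function names and the principal list are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines laid out like krb5kdc log output (assumed format).
SAMPLE_LOG = """\
Jan 21 09:10:01 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 21 09:10:01 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1264093801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 21 09:12:40 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 21 09:12:44 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# status is NEEDED_PREAUTH, ISSUE or PREAUTH_FAILED; authtime appears only on ISSUE.
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (?P<client_ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), .*?, )?"
    r"(?P<principal>\S+) for (?P<service>[^\s,]+)"
)

def summarize(log_text):
    """Per principal: newest successful authtime and number of failed pre-auths."""
    stats = defaultdict(lambda: {"last_success": None, "failed": 0})
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue
        entry = stats[m["principal"]]
        if m["status"] == "ISSUE" and m["authtime"]:
            t = int(m["authtime"])
            if entry["last_success"] is None or t > entry["last_success"]:
                entry["last_success"] = t
        elif m["status"] == "PREAUTH_FAILED":
            entry["failed"] += 1
        # NEEDED_PREAUTH is only the KDC's challenge: neither success nor failure.
    return dict(stats)

def inactive(stats, known_principals, cutoff):
    """Principals with no successful login at or after cutoff (epoch seconds)."""
    return sorted(
        p for p in known_principals
        if (stats.get(p, {}).get("last_success") or 0) < cutoff
    )

if __name__ == "__main__":
    seen = summarize(SAMPLE_LOG)
    everyone = ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM", "carol@EXAMPLE.COM"]
    print(inactive(seen, everyone, cutoff=1264000000))
```

Principals that never appear in the log have no entry in the summary, so the list of known principals has to come from the KDC database rather than from the log itself.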