Managing account lockout
Date: Sat, 20 Jun 2015 11:15:37 -0400
From: John Devitofranceschi <jdvf@optonline.net>
To: kerberos@mit.edu
Message-id: <B4F47D22-82E2-4580-BEF6-F2CA705EBBFE@optonline.net>
I find myself needing to implement principal password lockout (standard setup with 1.13.2 w/8 KDCs).

The powers that be want us to implement self-service account unlocking (w/out password changing).

We have a password self-service portal and we would like for it to be able to detect if accounts are locked or not.

It seems that this can be done by kinit'ing against all the KDCs as the target principal like this and checking the error message:

    echo "" | kinit princ 2>&1 | grep revoke   => account is locked

(this is done in a loop and each invocation uses a different krb5.conf with a different kdc)

Is this too brittle? Is the error message likely to change? Is there a better way to do this?

Once I find a (non-kadmind) kdc where the account is locked, I cannot unlock it using a standard kadmin -q "modprinc -unlock princ". The principal state is not propagated via iprop.

The documentation says:

"An administrative unlock is propagated from the master to the slave KDCs during the next propagation."

But I am not seeing the principal getting unlocked on the slave, so I am not sure what to think here. I'm not even seeing the account getting unlocked when the password is changed, which used to be the case in 1.11.3, according to my testing.

jd
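The per-KDC probe described in the post, written out as an added example (this is not the poster's script, nor anything shipped with MIT krb5). It keeps the idea of running kinit once per KDC through a throwaway krb5.conf, but matches on the specific kinit error phrases rather than a loose grep for "revoke", and reports "unknown" for any message it does not recognise instead of silently treating it as "not locked". The error strings are taken from MIT krb5 (the "Clients credentials have been revoked" wording is KRB5KDC_ERR_CLIENT_REVOKED) and should be checked against the output of the deployed 1.13.2 kinit; the realm, hostnames, principal name and the sample stderr are constructed for the offline demonstration.

```python
"""Per-KDC lockout probe for a self-service portal (added example, not the
original post's code).  Assumes MIT krb5 kinit error wording; verify the
phrases below against your own KDC/kinit version before relying on them."""
import os
import re
import subprocess
import tempfile
from typing import Callable, Dict, Iterable, Optional, Tuple

# Substrings of the messages MIT kinit prints on stderr, mapped to a status.
# The last entry is our own synthetic message from run_kinit_against_kdc.
_PATTERNS = [
    (r"credentials have been revoked", "locked"),           # KRB5KDC_ERR_CLIENT_REVOKED
    (r"Preauthentication failed", "unlocked"),              # bad password, account usable
    (r"Password incorrect", "unlocked"),                    # same, without preauth
    (r"not found in Kerberos database", "no_such_principal"),
    (r"Cannot contact any KDC", "kdc_unreachable"),
    (r"probe timed out", "kdc_unreachable"),
]


def classify_kinit_stderr(stderr: str, returncode: int) -> str:
    """Map one kinit run's stderr and exit status to a lockout status."""
    if returncode == 0:
        # The empty password was accepted, so the account is not locked but
        # has an empty password: worth surfacing as its own state.
        return "unlocked_empty_password"
    for pattern, status in _PATTERNS:
        if re.search(pattern, stderr):
            return status
    return "unknown"   # never guess "unlocked" from an unfamiliar message


def run_kinit_against_kdc(principal: str, realm: str, kdc: str) -> Tuple[int, str]:
    """Invoke kinit once with a temporary krb5.conf naming a single KDC.

    Default runner for check_principal_lockout; tests substitute a fake.
    A MEMORY: credential cache keeps the probe off the real ccache.
    """
    conf = (f"[libdefaults]\n default_realm = {realm}\n"
            f"[realms]\n {realm} = {{\n  kdc = {kdc}\n }}\n")
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(conf)
        path = fh.name
    try:
        env = dict(os.environ, KRB5_CONFIG=path, KRB5CCNAME="MEMORY:lockout-probe")
        proc = subprocess.run(["kinit", principal], input="\n",
                              capture_output=True, text=True, env=env, timeout=15)
        return proc.returncode, proc.stderr
    except subprocess.TimeoutExpired:
        return -1, "kinit: probe timed out"
    finally:
        os.unlink(path)


def check_principal_lockout(principal: str, realm: str, kdcs: Iterable[str],
                            runner: Optional[Callable] = None) -> Dict[str, str]:
    """Probe every KDC once and return {kdc: status}.

    Lockout counters live in each KDC's own database, so the portal has to
    ask each KDC separately; one answer from the master is not enough.
    """
    runner = runner or run_kinit_against_kdc
    results: Dict[str, str] = {}
    for kdc in kdcs:
        rc, err = runner(principal, realm, kdc)
        results[kdc] = classify_kinit_stderr(err, rc)
    return results


def is_locked_anywhere(status_by_kdc: Dict[str, str]) -> bool:
    """True if at least one KDC reports the principal as locked."""
    return any(s == "locked" for s in status_by_kdc.values())


# Constructed sample stderr per KDC (hypothetical hosts), for offline use.
SAMPLE_STDERR = {
    "kdc1.example.com": (1, "kinit: Clients credentials have been revoked "
                            "while getting initial credentials\n"),
    "kdc2.example.com": (1, "kinit: Preauthentication failed while getting "
                            "initial credentials\n"),
    "kdc3.example.com": (1, "kinit: Cannot contact any KDC for realm "
                            "'EXAMPLE.COM' while getting initial credentials\n"),
}


def fake_runner(principal: str, realm: str, kdc: str) -> Tuple[int, str]:
    """Stand-in for run_kinit_against_kdc that replays SAMPLE_STDERR."""
    return SAMPLE_STDERR[kdc]


if __name__ == "__main__":
    status = check_principal_lockout("jdoe", "EXAMPLE.COM", SAMPLE_STDERR, runner=fake_runner)
    print(status, "locked somewhere:", is_locked_anywhere(status))
```

A locked principal is refused on the initial AS-REQ, before any password is used, which is why piping an empty password is enough to see the revoked error. An unlocked principal instead makes kinit go on to try that empty password; if the attempt reaches the KDC it is one more failed preauthentication against that KDC's counter, so the portal should probe each KDC at most once per request and treat "unknown" and "kdc_unreachable" as "could not determine", not as "unlocked".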