[37101] in Kerberos
Re: Managing account lockout
daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Sat Jun 20 21:20:38 2015
Date: Sat, 20 Jun 2015 18:43:18 -0400
From: John Devitofranceschi <jdvf@optonline.net>
In-reply-to: <B4F47D22-82E2-4580-BEF6-F2CA705EBBFE@optonline.net>
To: kerberos@mit.edu
Message-id: <B7A95FD1-7C23-4AFD-B132-9052B5AFA834@optonline.net>

> On Jun 20, 2015, at 11:15 AM, John Devitofranceschi <jdvf@optonline.net> wrote:
> ...
> It seems that this can be done by kinit’ing against all the KDCs as the target principal like this and checking the error message:
>
> echo "" | kinit princ 2>&1 | grep revoke => account is locked
>
> ...
> Once I find a (non-kadmind) kdc where the account is locked, I cannot unlock it using a standard kadmin -q "modprinc -unlock princ" The principal state is not propagated via iprop.
> ...
> But I am not seeing the principal getting unlocked on the slave,…

So, after some more experimentation I have determined that things ARE working as intended. It’s just that the failed password attempt count is not reset until the user actually tries to authenticate.

The test I have (above) cannot tell if a principal is locked or if it has *just* been unlocked, since a null password is not considered a failed attempt and the count is not reset when that is tried.

So, everything is working as expected, I expect.

jd
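
The per-KDC probe described in this message, as an added example that is not part of the original post or of MIT Kerberos: it points kinit at one KDC at a time through a throwaway krb5.conf and reports a "revoke" result as ambiguous, since the message notes it can persist after an unlock. The function names, the result labels and the realm, host and principal arguments are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: per-KDC lockout probe. Realm, host and principal names are
# placeholders supplied by the caller; nothing here comes from the thread.

# Write a throwaway krb5.conf that knows exactly one KDC for the realm, so
# kinit cannot fall back to a different KDC.
write_single_kdc_conf() {  # usage: write_single_kdc_conf REALM KDC_HOST FILE
    cat > "$3" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
[realms]
    $1 = {
        kdc = $2
    }
EOF
}

# Classify kinit's combined output. "revoke" is the string the thread greps
# for; per the thread it can persist after an unlock until the next real
# authentication attempt, so it is reported as ambiguous rather than "locked".
classify_kinit_output() {
    case "$1" in
        *[Rr]evoke*) echo "locked-or-unlock-pending" ;;
        *)           echo "not-reported-locked" ;;
    esac
}

# Probe one KDC with an empty password (the thread's test) and classify.
probe_kdc() {  # usage: probe_kdc REALM KDC_HOST PRINCIPAL
    tmp=$(mktemp -d) || return 1
    write_single_kdc_conf "$1" "$2" "$tmp/krb5.conf"
    out=$(echo "" | KRB5_CONFIG="$tmp/krb5.conf" \
          kinit -c "FILE:$tmp/cc" "$3" 2>&1) || true
    rm -rf "$tmp"
    printf '%s %s\n' "$2" "$(classify_kinit_output "$out")"
}

# Run only when called as: script REALM PRINCIPAL KDC_HOST [KDC_HOST ...]
if [ "$#" -ge 3 ]; then
    realm=$1; princ=$2; shift 2
    for kdc in "$@"; do probe_kdc "$realm" "$kdc" "$princ"; done
fi
```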
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos