> pachl wrote:
> > When running ``kadmin get <principal>`` for any principal, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to login to change the status of this line from
> > "never"?
> >
> > I have used kinit from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
> >
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.
> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages). All our principals
> require pre-auth. We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.

By default the MIT KDC operates in ReadOnly mode which means that it will
never update these fields:

    Last successful authentication: Fri Apr 18 08:07:13 CDT 2008
    Last failed authentication: Thu Apr 17 14:38:29 CDT 2008
    Failed password attempts: 0

To get it to do so, you need to rebuild the KDC from source using the
"--with-kdc-kdb-update" option when you run configure. In the past, some
MIT folks have made dire statements about how this code is untested and
unsafe and blah blah blah, but we've been doing it for years.

Note that doing so will turn on a hardcoded! 5-strikes and a principal is
disabled 'feature' which provides an attacker a nice DoS attack vector. We
modified our KDC to re-enable the principal after a minute. YMMV.

John
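
The two lockout behaviours described in the reply above, modelled side by side. This is an added example, not part of the original message and not MIT KDC code; the record layout, function names, and timestamps are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define MAX_STRIKES   5   /* the hardcoded limit described in the message */
#define REENABLE_SECS 60  /* "re-enable the principal after a minute" */

/* Hypothetical per-principal record; not the MIT KDB layout. */
struct princ {
    int    fail_count;
    bool   disabled;
    time_t last_failed, last_success;
};

/* One authentication at time `now`; true means a ticket is issued. */
static bool as_request(struct princ *p, bool ok, time_t now, bool timed_unlock)
{
    if (p->disabled && timed_unlock && now - p->last_failed >= REENABLE_SECS) {
        p->disabled = false;          /* lock expired: start counting afresh */
        p->fail_count = 0;
    }
    if (p->disabled)
        return false;                 /* correct password is refused as well */
    if (ok) {
        p->last_success = now;
        p->fail_count = 0;
        return true;
    }
    p->last_failed = now;
    if (++p->fail_count >= MAX_STRIKES)
        p->disabled = true;
    return false;
}

/* Constructed scenario: five wrong passwords, then the owner `delay` s later. */
static bool owner_gets_in(bool timed_unlock, int delay)
{
    struct princ p = {0};
    time_t t = 1000;                  /* constructed start time */
    for (int i = 0; i < MAX_STRIKES; i++, t++)
        as_request(&p, false, t, timed_unlock);
    return as_request(&p, true, (t - 1) + delay, timed_unlock);
}

int main(void)
{
    printf("hardcoded +1h: %d, timed +30s: %d, timed +60s: %d\n",
           owner_gets_in(false, 3600), owner_gets_in(true, 30),
           owner_gets_in(true, 60));
    return 0;
}
```

In this model the timed re-enable bounds the outage to the unlock window instead of leaving the principal disabled, though further failed attempts after the window can trigger the lock again.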
