> For PCI reasons I have to report all accounts which have been inactive
> (i.e. no logins) for three months. The goal here is to automate the
> process... [...grubbing through logs...]
What I would do is:
1) make sure my KDCs were configured "--with-kdc-kdb-update" when built
2) make sure all users' principals had the REQUIRES_PRE_AUTH attribute
3) then I would look through my latest krop dump for lines starting with
"princ" and grab the 7th and 13th fileds. For example:
princ 38 16 3 1 0 [email protected] 128
2592000 2592000 2019707940 0 1263942513 1263938175 0
... -1;
in this case, field 13 is "1263942513" which is:
Tue Jan 19 17:08:33 CST 2010
same as you can see in kadmin[.local]:
kadmin.local: getprinc john
Principal: [email protected]
Expiration date: Sat Dec 31 23:59:00 CST 2033
Last password change: Fri Jan 15 18:27:54 CST 2010
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 30 days 00:00:00
Last modified: Fri Jan 15 18:27:54 CST 2010 ([email protected])
Last successful authentication: Tue Jan 19 17:08:33 CST 2010 <<<<<<<<<<
Last failed authentication: Tue Jan 19 15:56:15 CST 2010
Failed password attempts: 0
...
Attributes: REQUIRES_PRE_AUTH
John
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
