Sorry this is so long. Here are the results of my testing with both my KDCs active. I can still get a successful authentication after I should be locked out.

If there is any way to trace the KDC let me know and I can run that.

Tom

kadmin.local: getpol default
Policy: default
Maximum password life: 15552000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
Maximum password failures before lockout: 10
Password failure count reset interval: 0
Password lockout duration: 0

KDC 1

anubis:~ # kadmin.local
Authenticating as principal host/[email protected] with password.
kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:07:02 EST 2011
Last failed authentication: Fri Nov 18 16:51:40 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 2

charon:~ # kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Fri Nov 18 16:51:40 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 1 After 10 Attempts

kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 2 After 10 Attempts

kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

Attempt 11 (Wrong Password)

tparker@tparker:~> KRB5_TRACE=/dev/stdout kinit [email protected]
[11769] 1321759257.353652: Getting initial credentials for [email protected]
[11769] 1321759257.354303: Sending request (170 bytes) to LS.CBN
[11769] 1321759257.534976: Sending initial UDP request to dgram 172.30.26.12:88
[11769] 1321759257.584713: Received answer from dgram 172.30.26.12:88
[11769] 1321759257.711175: Response was from master KDC
[11769] 1321759257.711237: Received error from KDC: -1765328359/Additional pre-authentication required
[11769] 1321759257.711288: Processing preauth types: 2, 136, 19, 133
[11769] 1321759257.711316: Selected etype info: etype aes256-cts, salt "LS.CBNtparker", params ""
[11769] 1321759257.711327: Received cookie: MIT
Password for [email protected]:
[11769] 1321759259.254675: AS key obtained for encrypted timestamp: aes256-cts/2526
[11769] 1321759259.254838: Encrypted timestamp (for 1321759259.254756): plain 301AA011180F32303131313132303033323035395AA105020303E324, encrypted 374DE47FB0DDF294AC802F3A13C7CE2127B17579737F693E2B2110ADBB22D91136EF1F88870EC33CD2BFAF78A8840F8312EB7127D4C10D89
[11769] 1321759259.254870: Produced preauth for next request: 133, 2
[11769] 1321759259.254988: Sending request (265 bytes) to LS.CBN (master)
[11769] 1321759259.446455: Sending initial UDP request to dgram 172.20.23.10:88
[11769] 1321759259.489672: Received answer from dgram 172.20.23.10:88
[11769] 1321759259.489794: Received error from KDC: -1765328353/Decrypt integrity check failed
kinit: Password incorrect while getting initial credentials

KDC 1 After 11 Attempts (Note, no change on last failed)

kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 2 After 11 Attempts (Note, no change on last failed)

kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

Attempt 12 (Correct Password: Successful Auth. Should be locked out.)

tparker@tparker:~> KRB5_TRACE=/dev/stdout kinit [email protected]
[11796] 1321759415.467622: Getting initial credentials for [email protected]
[11796] 1321759415.468062: Sending request (170 bytes) to LS.CBN
[11796] 1321759415.653116: Sending initial UDP request to dgram 172.20.23.10:88
[11796] 1321759415.706370: Received answer from dgram 172.20.23.10:88
[11796] 1321759415.947036: Response was from master KDC
[11796] 1321759415.947098: Received error from KDC: -1765328359/Additional pre-authentication required
[11796] 1321759415.947138: Processing preauth types: 2, 136, 19, 133
[11796] 1321759415.947156: Selected etype info: etype aes256-cts, salt "LS.CBNtparker", params ""
[11796] 1321759415.947162: Received cookie: MIT
Password for [email protected]:
[11796] 1321759418.481413: AS key obtained for encrypted timestamp: aes256-cts/50AF
[11796] 1321759418.481499: Encrypted timestamp (for 1321759418.481438): plain 301AA011180F32303131313132303033323333385AA105020307589E, encrypted 4DE3B4592F3A4AF2CBF0436E3CF0B074EDEABF31A323E48599EFCE7E582693B12250974C9F4B35F0DF0D22C0A17DF1F9AA3C3B7EAB8DB928
[11796] 1321759418.481520: Produced preauth for next request: 133, 2
[11796] 1321759418.481550: Sending request (265 bytes) to LS.CBN (master)
[11796] 1321759418.688169: Sending initial UDP request to dgram 172.20.23.10:88
[11796] 1321759418.754025: Received answer from dgram 172.20.23.10:88
[11796] 1321759418.754098: Processing preauth types: 19
[11796] 1321759418.754109: Selected etype info: etype aes256-cts, salt "LS.CBNtparker", params ""
[11796] 1321759418.754114: Produced preauth for next request: (empty)
[11796] 1321759418.754126: AS key determined by preauth: aes256-cts/50AF
[11796] 1321759418.754197: Decrypted AS reply; session key is: aes256-cts/B757
[11796] 1321759418.754218: FAST negotiation: available
[11796] 1321759418.754249: Initializing FILE:/tmp/krb5cc_1000 with default princ [email protected]
[11796] 1321759418.754533: Removing [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_1000
[11796] 1321759418.754543: Storing [email protected] -> krbtgt/[email protected] in FILE:/tmp/krb5cc_1000
[11796] 1321759418.754616: Storing config in FILE:/tmp/krb5cc_1000 for krbtgt/[email protected]: fast_avail: yes
[11796] 1321759418.754640: Removing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN@X-CACHECONF: from FILE:/tmp/krb5cc_1000
[11796] 1321759418.754648: Storing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN@X-CACHECONF: in FILE:/tmp/krb5cc_1000

KDC 1 After successful auth (Note no change in last successful or last failed dates)

kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

kadmin.local: modify_principal -unlock tparker
Principal "[email protected]" modified.
kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Nov 19 22:27:05 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

tparker@tparker:~> KRB5_TRACE=/dev/stdout kinit [email protected]
[11813] 1321759645.93243: Getting initial credentials for [email protected]
[11813] 1321759645.93815: Sending request (170 bytes) to LS.CBN
[11813] 1321759645.266587: Sending initial UDP request to dgram 172.30.26.12:88
[11813] 1321759645.315523: Received answer from dgram 172.30.26.12:88
[11813] 1321759645.434509: Response was from master KDC
[11813] 1321759645.434561: Received error from KDC: -1765328359/Additional pre-authentication required
[11813] 1321759645.434602: Processing preauth types: 2, 136, 19, 133
[11813] 1321759645.434626: Selected etype info: etype aes256-cts, salt "LS.CBNtparker", params ""
[11813] 1321759645.434635: Received cookie: MIT
Password for [email protected]:
[11813] 1321759647.403288: AS key obtained for encrypted timestamp: aes256-cts/50AF
[11813] 1321759647.403416: Encrypted timestamp (for 1321759647.403357): plain 301AA011180F32303131313132303033323732375AA105020306279D, encrypted CFB68B0D9E6B7D870FDC2228BB88EE9969EAA5FBB73ABEAFB1ED86029898DDA70E67A75788E78EB25F8BDF56554DB504E341B074435E835A
[11813] 1321759647.403437: Produced preauth for next request: 133, 2
[11813] 1321759647.403467: Sending request (265 bytes) to LS.CBN (master)
[11813] 1321759647.576887: Sending initial UDP request to dgram 172.20.23.10:88
[11813] 1321759647.646546: Received answer from dgram 172.20.23.10:88
[11813] 1321759647.646638: Processing preauth types: 19
[11813] 1321759647.646654: Selected etype info: etype aes256-cts, salt "LS.CBNtparker", params ""
[11813] 1321759647.646661: Produced preauth for next request: (empty)
[11813] 1321759647.646677: AS key determined by preauth: aes256-cts/50AF
[11813] 1321759647.646792: Decrypted AS reply; session key is: aes256-cts/5A85
[11813] 1321759647.646824: FAST negotiation: available
[11813] 1321759647.646866: Initializing FILE:/tmp/krb5cc_1000 with default princ [email protected]
[11813] 1321759647.647291: Removing [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_1000
[11813] 1321759647.647307: Storing [email protected] -> krbtgt/[email protected] in FILE:/tmp/krb5cc_1000
[11813] 1321759647.647420: Storing config in FILE:/tmp/krb5cc_1000 for krbtgt/[email protected]: fast_avail: yes
[11813] 1321759647.647456: Removing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN@X-CACHECONF: from FILE:/tmp/krb5cc_1000
[11813] 1321759647.647469: Storing [email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN@X-CACHECONF: in FILE:/tmp/krb5cc_1000

KDC 1 After unlock. Everything working as expected again.

kadmin.local: getprinc tparker
Principal: [email protected]
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Nov 19 22:27:05 EST 2011 (host/[email protected])
Last successful authentication: Sat Nov 19 22:27:39 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

On 11/19/2011 01:04 PM, Greg Hudson wrote:
> On 11/18/2011 04:48 PM, Tom Parker wrote:
>> I have my default policy set to 10 password attempts before a lockout.
>> When a user hits the 10 attempts, the failed attempt counter stops
>> incrementing, the last failed count stops changing however they are
>> still able to get a TGT and TGS and log in.
> That's certainly not the expected behavior or the behavior in tests
> here. Two guesses:
>
> 1. The client code has fallback to try the master KDC if it gets a
> failure response from the KDC it tries first. Lockout failure counters
> are per-KDC. Perhaps the client still had some attempts on one KDC when
> it hit the lockout count on the other?
>
> For various reasons I'm not sure if this explanation is really very
> likely, but make sure to check the logs and counters on both KDCs.
>
> 2. If you have a lockout duration in the policy and the duration has
> expired (it's in seconds), the client would be allowed to make more
> attempts. A successful attempt should reset the counter to 0.
>
> If a particular KDC really is issuing tickets in a situation where the
> principal should be locked out, I don't really have a clue why; the next
> step for me if I could reproduce it here would be stepping through the
> KDC code in a debugger, or failing that, adding a lot of temporary
> logging code to the KDC.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
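As an added example (not from this thread or from MIT Kerberos), a small Python check in the spirit of Greg's advice to compare counters on both KDCs: it parses getpol/getprinc dumps and KRB5_TRACE output of the kind quoted above, decides whether a principal is at its lockout limit, reports lockout-state fields that differ between KDCs, and lists which KDC address received each request of a kinit. The sample data is constructed to mirror the thread's values; the lagging second KDC is hypothetical.

```python
import re

# Constructed sample input patterned on the kadmin.local and KRB5_TRACE output quoted in this thread.
POLICY = """Policy: default
Maximum password failures before lockout: 10
Password lockout duration: 0"""

KDC1 = """Principal: tparker@LS.CBN
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Policy: default"""

# Hypothetical second KDC whose counter lags: lockout counters are kept per KDC.
KDC2 = KDC1.replace("Failed password attempts: 10", "Failed password attempts: 3")

TRACE = """[11769] 1321759257.534976: Sending initial UDP request to dgram 172.30.26.12:88
[11769] 1321759257.711237: Received error from KDC: -1765328359/Additional pre-authentication required
[11769] 1321759259.446455: Sending initial UDP request to dgram 172.20.23.10:88
[11769] 1321759259.489794: Received error from KDC: -1765328353/Decrypt integrity check failed"""

def parse_kv(text):
    """Turn kadmin's 'Field: value' lines into a dict, splitting on the first colon."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def is_locked(princ, policy):
    """maxfailure 0 disables lockout; with lockoutduration 0 (this thread's policy) a
    principal at the limit stays locked until an admin unlock (time expiry not modelled)."""
    max_fail = int(policy["Maximum password failures before lockout"])
    return max_fail > 0 and int(princ["Failed password attempts"]) >= max_fail

def lockout_state_diffs(dumps):
    """Lockout-state fields that disagree across KDC dumps ({name: parsed getprinc})."""
    fields = ("Failed password attempts", "Last failed authentication",
              "Last successful authentication")
    return {f: {n: d.get(f) for n, d in dumps.items()} for f in fields
            if len({d.get(f) for d in dumps.values()}) > 1}

def kdcs_per_request(trace):
    """KDC addresses that received each request, in order; two different hosts in one
    kinit means the password (preauth) round, and so the failure, went to the second."""
    return re.findall(r"Sending initial UDP request to dgram ([\d.]+):\d+", trace)

if __name__ == "__main__":
    dumps = {"kdc1": parse_kv(KDC1), "kdc2": parse_kv(KDC2)}
    print({n: is_locked(d, parse_kv(POLICY)) for n, d in dumps.items()})
    print("diverging fields:", lockout_state_diffs(dumps))
    print("KDCs answering this kinit:", kdcs_per_request(TRACE))
```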
