On 07/22/2012 11:51 PM, Mike Friedman wrote:
> 1. The docs say that lockout settings for a principal are not
> replicated. So, if I have a user who's been locked on the master /and/
> secondary KDCs (presumably the latter would have been done automatically
> by the KDC per lockout policy), how would I /manually/ unlock this user
> on /all/ KDCs? In particular, how could I do the unlock on a secondary
> KDC (which wouldn't be running kadmind)?

In 1.9 and later, if you modprinc -unlock the principal on the master, it will unlock on all slaves as of the next propagation (incremental or standard kprop). This is done by replicating the timestamp of the last administrative unlock operation.

If you don't have relatively fast propagation and need to unlock a principal on the slave, you'll have to use kadmin.local on the slave or the equivalent. There's not much we can do about that without creating new communication mechanisms between master and slaves (which would wind up just being a special case of iprop).

> 2. When a locked user attempts authentication, what error code is
> returned by the KDC?

The protocol error returned is 18, "Clients credentials have been revoked". An application would see this as KRB5KDC_ERR_CLIENT_REVOKED.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
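As an added example (not part of the thread), a small Python script that picks out principals refused with the error the reply names, "Clients credentials have been revoked" (protocol error 18, KRB5KDC_ERR_CLIENT_REVOKED), from logs gathered off several KDCs. Since lockout state is not replicated, the per-KDC view shows whether a propagated modprinc -unlock on the master is enough or whether a slave also needs a local kadmin.local unlock. The syslog-style line layout, hostnames, addresses and principals are constructed assumptions, not real krb5kdc.log output.

```python
"""Find principals refused as revoked (error 18) across several KDCs' logs.

Added example, not from the original thread. The line layout below is a
constructed approximation of a syslog-style krb5kdc.log; only the trailing
error text, which the reply quotes, is relied on.
"""
import re
from collections import defaultdict

# Constructed sample lines from a master and one slave (all names made up).
SAMPLE_LOG = """\
Jul 23 00:10:01 kdc-master krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT LOCKED OUT: mike@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
Jul 23 00:10:02 kdc-slave1 krb5kdc[4321](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT LOCKED OUT: mike@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
Jul 23 00:10:05 kdc-master krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1343002205, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 23 00:10:07 kdc-slave1 krb5kdc[4321](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jul 23 00:10:09 kdc-slave1 krb5kdc[4321](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: CLIENT LOCKED OUT: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
"""

# Match only requests refused with the KRB5KDC_ERR_CLIENT_REVOKED (18) message.
REVOKED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?: (?P<client>[^\s:]+@[^\s:]+) for \S+, "
    r"Clients credentials have been revoked$"
)


def revoked_events(log_text):
    """Yield (timestamp, kdc, client) for every request refused as revoked."""
    for line in log_text.splitlines():
        m = REVOKED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("kdc"), m.group("client")


def locked_principals(log_text):
    """Map each refused principal to the sorted list of KDCs that refused it.

    A principal seen only on a slave will not be cleared by propagation
    until the master's unlock timestamp arrives; that slave is a candidate
    for a local kadmin.local unlock if propagation is slow.
    """
    seen = defaultdict(set)
    for _ts, kdc, client in revoked_events(log_text):
        seen[client].add(kdc)
    return {client: sorted(kdcs) for client, kdcs in seen.items()}


if __name__ == "__main__":
    for client, kdcs in sorted(locked_principals(SAMPLE_LOG).items()):
        print(f"{client}: refused as revoked on {', '.join(kdcs)}")
```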
