On 2012-07-22 21:12, Greg Hudson wrote:
> On 07/22/2012 11:51 PM, Mike Friedman wrote:
>> 1. The docs say that lockout settings for a principal are not
>> replicated. So, if I have a user who's been locked on the master /and/
>> secondary KDCs (presumably the latter would have been done automatically
>> by the KDC per lockout policy), how would I /manually/ unlock this user
>> on /all/ KDCs? In particular, how could I do the unlock on a secondary
>> KDC (which wouldn't be running kadmind)?
> In 1.9 and later, if you modprinc -unlock the principal on the master,
> it will unlock on all slaves as of the next propagation (incremental or
> standard kprop). This is done by replicating the timestamp of the last
> administrative unlock operation.
Greg,

Thanks, that's how I would expect it to work. The documentation I saw said (or implied) that the locking status wouldn't be replicated by kprop, which is what confused me.

Anyway, the above is fine as far as it goes. Unfortunately, if I wanted to do the unlock remotely, or via the API, kadmin.local on the slave wouldn't be good enough.

>> 2. When a locked user attempts authentication, what error code is
>> returned by the KDC?
> The protocol error returned is 18, "Clients credentials have been
> revoked". An application would see this as KRB5KDC_ERR_CLIENT_REVOKED.

Good, that's what I wanted to know. Thanks again.

Mike

-- 
Mike Friedman
[email protected]
http://mikefberkeley.com
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
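The two facts in Greg's answer (a locked-out client is refused with protocol error 18, "Clients credentials have been revoked", and the fix is a `modprinc -unlock` on the master that reaches the slaves on the next propagation) suggest a small KDC-side check. The script below is an added example, not code from the thread or from MIT krb5: it scans KDC log lines for AS_REQ rejections carrying that error text, counts them per client principal, and builds the master-side unlock command. The log lines are constructed, their layout is an assumption modelled on krb5kdc.log rather than a real capture, and the host, realm and principal names are made up.

```python
"""Find principals the KDC is rejecting as locked out and build the unlock.

Added example, not from the thread and not MIT krb5's own code.  The sample
log lines are constructed; their field layout is an assumption modelled on
krb5kdc.log.  The only thing taken from the thread is the error text for
protocol error 18 and the master-side "modprinc -unlock" remedy.
"""
import re
from collections import Counter

KRB5KDC_ERR_CLIENT_REVOKED = 18          # protocol error code named in the thread
REVOKED_TEXT = "Clients credentials have been revoked"

# Constructed sample log (assumed layout, made-up names; not a real capture).
SAMPLE_LOG = """\
Jul 22 21:10:01 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: LOCKED_OUT: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
Jul 22 21:10:03 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1342991403, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 22 21:10:09 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: LOCKED_OUT: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
Jul 22 21:10:12 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# A failed AS_REQ in the assumed layout:
#   "<client ip>: <STATUS>: <client principal> for <server principal>, <error text>"
# Successful ISSUE lines have no "<client> for <server>, <text>" tail and do not match.
FAILURE_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<reason>.+)$"
)


def parse_failure(line):
    """Return the fields of a failed AS_REQ line, or None for any other line."""
    m = FAILURE_RE.search(line)
    return m.groupdict() if m else None


def locked_out(lines):
    """Count AS_REQ rejections per client whose error text is that of error 18.

    Keying on the error text rather than the STATUS token keeps the check tied
    to what the thread confirms (the text for KRB5KDC_ERR_CLIENT_REVOKED).
    """
    hits = Counter()
    for line in lines:
        f = parse_failure(line)
        if f and f["reason"] == REVOKED_TEXT:
            hits[f["client"]] += 1
    return hits


def unlock_command(principal):
    """The master-side unlock from Greg's answer, as a kadmin.local one-liner.

    The principal is whitelisted before being placed inside a quoted command
    so that a log-supplied name cannot smuggle shell metacharacters.
    """
    if not re.fullmatch(r"[A-Za-z0-9_./-]+@[A-Z0-9.-]+", principal):
        raise ValueError(f"refusing to quote unexpected principal: {principal!r}")
    return f'kadmin.local -q "modprinc -unlock {principal}"'


if __name__ == "__main__":
    for princ, n in locked_out(SAMPLE_LOG.splitlines()).items():
        print(f"{princ}: {n} rejection(s) with error {KRB5KDC_ERR_CLIENT_REVOKED}")
        print("  run on the master:", unlock_command(princ))
```

Run it against a copy of the KDC log on the master; the emitted command is run there, and per Greg's answer the unlock reaches the slaves on the next incremental or full kprop, so nothing needs to be done on a slave that has no kadmind.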
