Hi folks,

My site has the problem that, if an office with a KDC slave server is temporarily cut off from its master, the users there can't log in. Apparently, when users or hosts attempt to authenticate, the system insists on updating the master KDC. I'm using an LDAP backend and after enabling heavy trace debugging (level 4) on the slapd provider, which hosts the Kerberos master, I kept seeing entries in its log like the following every time authentication took place at a slave site:

connection_get(33)
send_ldap_result: err=0 matched="" text=""
connection_get(33)
conn=1048 op=1 do_modify: dn (krbPrincipalName=host/[email protected],cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
conn=1048 op=1 modifications:
#011replace: krbLastSuccessfulAuth
#011#011one value, length 15
#011replace: krbLoginFailedCount
#011#011one value, length 1
#011replace: krbExtraData
#011#011multiple values
send_ldap_result: err=8 matched="" text="modifications require authentication"
connection_get(33)

While it's interesting that the final error never seems to matter, the problem for me is that it wants to replace the values for those three attributes at all. How can this be prevented?

I'm using Debian squeeze (with krb5-kdc v1.8.3) and have tried adding both "disable_last_success = true" and "disable_lockout = true" to the [dbmodules] section of /etc/krb5.conf on both the master and the slave KDC, but it makes no difference.

Any suggestions?

Thanks,
Jaap

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
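An added example, not part of the original post: a Python parser for slapd trace output in the format quoted above, which pairs each do_modify with the attributes it replaces and the result code slapd returns, so write attempts made during authentication can be listed per principal. The sample log is constructed, the principal names are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the slapd trace excerpt in the post; the
# principal names are placeholders. "#011" is syslog's escape for a tab.
SAMPLE_LOG = """\
conn=1048 op=1 do_modify: dn (krbPrincipalName=host/pc1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
conn=1048 op=1 modifications:
#011replace: krbLastSuccessfulAuth
#011#011one value, length 15
#011replace: krbLoginFailedCount
#011#011one value, length 1
#011replace: krbExtraData
#011#011multiple values
send_ldap_result: err=8 matched="" text="modifications require authentication"
conn=1049 op=2 do_modify: dn (krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
conn=1049 op=2 modifications:
#011replace: krbLastSuccessfulAuth
#011#011one value, length 15
send_ldap_result: err=0 matched="" text=""
"""

MODIFY = re.compile(r"conn=(\d+) op=(\d+) do_modify: dn \((.*)\)\s*$")
CHANGE = re.compile(r"(?:#011|\t)(add|delete|replace): (\S+)")
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')

def parse_modifies(log_text):
    """Return one dict per do_modify: target DN, changed attrs, result code."""
    ops, current = [], None
    for line in log_text.splitlines():
        if m := MODIFY.search(line):
            current = {"conn": int(m[1]), "op": int(m[2]), "dn": m[3],
                       "attrs": [], "err": None, "text": ""}
            ops.append(current)
        elif current is not None and (m := CHANGE.search(line)):
            current["attrs"].append(m[2])
        elif current is not None and (m := RESULT.search(line)):
            current["err"], current["text"] = int(m[1]), m[2]
            current = None  # the result line closes the pending modify
    return ops

def kdc_auth_writes(ops):
    """Modifies that touch only per-authentication Kerberos bookkeeping."""
    bookkeeping = {"krbLastSuccessfulAuth", "krbLastFailedAuth",
                   "krbLoginFailedCount", "krbExtraData"}
    return [o for o in ops if o["attrs"] and set(o["attrs"]) <= bookkeeping]

if __name__ == "__main__":
    for o in kdc_auth_writes(parse_modifies(SAMPLE_LOG)):
        print(o["dn"].split(",")[0], o["attrs"], f"err={o['err']}", o["text"])
```

The trace lines carry no connection id on send_ldap_result, so the parser pairs a result with the most recent open modify; on a busy server with interleaved connections that pairing is only approximate.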
