Mark Michael wrote:
> First post ... forgive any unintentional netiquette faux pas here ...
>
> Is there any way to configure a policy in its attributes (or failing that,
> something specific in a principal's attributes) that would mandate that the
> KDC would set -allow_all_tix after a maximum number of failed password
> attempts? I spent about two hours looking around, re-reading what I could
> find on the web and docs.sun.com as well as the ORA owl book, and couldn't
> find anything. I know I can use kadmin modprinc -allow_all_tix on a
> principal to lock the principal, and +allow_all_tix to unlock it, but I can't
> seem to find anything that will do the lock for me automatically.
>

There is nothing that will do this automatically, alas the "failed password
attempts" field in the principal's record is not updated given that a
multi-master environment currently does not exist. Please have yourself added
to RFE:

4892447 Implement account lockout feature in SUN SEAM kerberos.

so that we can keep track of this demand.

Shawn.
--