"Last successful authentication" always set to "never"

[John Hascall]

> When I do "getprinc" on any principal in our REALM, it prints the
> attributes "Last successful authentication" and "Last failed
> authentication" set to value "[never]". Similarly, the value of "Failed
> password attempts" is "0".
> Why the system doesn't update that values?
> Thanks.

When you 'configure' kerberos during the build process,
you need to include the '--with-kdc-kdb-update' flag to
enable this.  And then you need to put the 'requires_preauth'
attribute on your principals.

MIT will tell you these features are 'not well tested',
but they seem to work fine for me.

John