"Last successful authentication" always set to "never"

John Hascall john at iastate.edu
Tue Oct 14 14:17:53 EDT 2003

>john at iastate.edu (John Hascall) wrote:
> > > When I do "getprinc" on any principal in our REALM, it prints the
> > > attributes "Last successful authentication" and "Last failed
> > > authentication" set to value "[never]". Similarly, the value of "Failed
> > > password attempts" is "0".
> > > Why doesn't the system update those values?
> > > Thanks.

> > When you 'configure' kerberos during the build process,
> > you need to include the '--with-kdc-kdb-update' flag to
> > enable this.  And then you need to put the 'requires_preauth'
> > attribute on your principals.

> > MIT will tell you these features are 'not well tested',
> > but they seem to work fine for me.

> Requires an update to the database for each authentication, right?

     Right (for each TGT).

> For us, that would be a fairly radical increase in the number of
> updates per day.

     Yes, but the performance difference turned out to be
     so small as to not affect us at all (our KDC is still
     capable of vastly more operations/sec than it ever gets).

>                   Seems like there would also be a propagation
> issue, since these updates would automatically apply to the master
> only if the master is also taking all the authentication requests.

     We are incrementally updating our slave (as well as our
     W2K-AD and Novell-NDS) so this is not an issue for us.

> I would get that information from logs, instead.

     Without preauth you can't tell a successful from
     an unsuccessful attempt.
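
Added example, not part of the original message or of MIT's code: a shell/awk audit over `getprinc` output that flags principals lacking the `requires_preauth` attribute (whose tracking fields, per the thread, will not update) and reports recorded failures for the rest. It assumes each record also carries `Principal:` and `Attributes:` lines; the sample records and the EXAMPLE.COM realm are constructed.

```shell
#!/bin/sh
# Added example: audit concatenated `kadmin getprinc` output read from stdin.
# Assumption: each record has "Principal:" and "Attributes:" lines in addition
# to the three tracking fields quoted in the thread.

audit_getprinc() {
    awk '
    function report() {
        if (princ == "") return
        if (attrs !~ /REQUIRES_PRE_AUTH/) {
            # Per the thread: tracking needs this attribute on the principal.
            print princ " NO_PREAUTH"
            return
        }
        if (last_ok == "[never]") print princ " NO_SUCCESS_RECORDED"
        if (fails + 0 > 0)        print princ " FAILED_ATTEMPTS=" fails
    }
    /^Principal: / { report(); princ = $2; attrs = ""; last_ok = ""; fails = 0; next }
    /^Last successful authentication: / { sub(/^[^:]*: */, ""); last_ok = $0; next }
    /^Failed password attempts: /       { fails = $4; next }
    /^Attributes:/ { sub(/^Attributes: */, ""); attrs = $0; next }
    END { report() }
    '
}

# Constructed sample records (not real output; EXAMPLE.COM is a placeholder).
sample_getprinc() {
    cat <<'EOF'
Principal: alice@EXAMPLE.COM
Last successful authentication: Tue Oct 14 09:02:11 EDT 2003
Last failed authentication: [never]
Failed password attempts: 0
Attributes: REQUIRES_PRE_AUTH
Principal: bob@EXAMPLE.COM
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Attributes:
Principal: carol@EXAMPLE.COM
Last successful authentication: [never]
Last failed authentication: Tue Oct 14 13:40:07 EDT 2003
Failed password attempts: 4
Attributes: REQUIRES_PRE_AUTH
EOF
}

sample_getprinc | audit_getprinc
```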


