"Last successful authentication" always set to "never"
John Hascall
john at iastate.edu
Tue Oct 14 14:17:53 EDT 2003
>john at iastate.edu (John Hascall) wrote:
> > > When I do "getprinc" on any principal in our REALM, it prints the
> > > attributes "Last successful authentication" and "Last failed
> > > authentication" set to value "[never]". Similarly, the value of "Failed
> > > password attempts" is "0".
> > > Why doesn't the system update those values?
> > > Thanks.
> > When you 'configure' kerberos during the build process,
> > you need to include the '--with-kdc-kdb-update' flag to
> > enable this. And then you need to put the 'requires_preauth'
> > attribute on your principals.
> > MIT will tell you these features are 'not well tested',
> > but they seem to work fine for me.
> Requires an update to the database for each authentication, right?
Right (for each TGT).
> For us, that would be a fairly radical increase in the number of
> updates per day.
Yes, but the performance difference turned out to be
so small as to not affect us at all (our KDC is still
capable of vastly more operations/sec than it ever gets).
> Seems like there would also be a propagation
> issue, since these updates would automatically apply to the master
> only if the master is also taking all the authentication requests.
We are incrementally updating our slave (as well as our
W2K-AD and Novell-NDS) so this is not an issue for us.
> I would get that information from logs, instead.
Without preauth you can't tell a successful from
an unsuccessful attempt.
John
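
The check discussed in this thread, as an added example that is not part of the original messages or of MIT Kerberos: it parses `getprinc` output and classifies each principal by whether authentication tracking can apply to it. The field labels are those quoted in the thread plus the `Principal:` and `Attributes:` lines as kadmin prints them; the sample principals, realm and dates are constructed, and the status names are hypothetical.

```python
# Added example: classify principals from kadmin `getprinc` output.
# Constructed sample (EXAMPLE.ORG principals and dates are invented).
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Last successful authentication: Tue Oct 14 09:02:11 EDT 2003
Last failed authentication: [never]
Failed password attempts: 0
Attributes: REQUIRES_PRE_AUTH
Principal: bob@EXAMPLE.ORG
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Attributes:
Principal: carol@EXAMPLE.ORG
Last successful authentication: [never]
Last failed authentication: Mon Oct 13 23:40:05 EDT 2003
Failed password attempts: 4
Attributes: REQUIRES_PRE_AUTH DISALLOW_FORWARDABLE
"""

def parse_getprinc(text):
    """Split concatenated getprinc output into one dict per principal."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # dates contain ':' too, so split once
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Principal":
            current = {"Principal": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records

def classify(rec):
    """Return a hypothetical status label for one parsed principal."""
    if "REQUIRES_PRE_AUTH" not in rec.get("Attributes", "").split():
        return "no-preauth"       # per the thread, nothing is recorded without preauth
    ok = rec.get("Last successful authentication", "[never]")
    bad = rec.get("Last failed authentication", "[never]")
    if ok == "[never]" and bad == "[never]":
        return "no-data"          # never used, or KDC built without --with-kdc-kdb-update
    if int(rec.get("Failed password attempts") or 0) > 0:
        return "failed-attempts"  # candidate for review
    return "tracked"

def audit(text):
    return {r["Principal"]: classify(r) for r in parse_getprinc(text)}
```
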