"Last successful authentication" always set to "never"

Wachdorf, Daniel R drwachd at sandia.gov
Wed Oct 15 15:47:19 EDT 2003



> -----Original Message-----
> From: Donn Cave [mailto:donn at u.washington.edu]
> Sent: Wednesday, October 15, 2003 11:14 AM
> To: kerberos at MIT.EDU
> Subject: Re: "Last successful authentication" always set to "never"
> 
> In article <200310141817.NAA24447 at pvtest.ait.iastate.edu>,
>  john at iastate.edu (John Hascall) wrote:
> 
> > > > When you 'configure' kerberos during the build process,
> > > > you need to include the '--with-kdc-kdb-update' flag to
> > > > enable this.  And then you need to put the 'requires_preauth'
> > > > attribute on your principals.
> 
> [... re propagating success updates between KDCs ]
> >      We are incrementally updating our slave (as well as our
> >      W2K-AD and Novell-NDS) so this is not an issue for us.
> 
> Yes, I remember that, as we are doing this too (minus the
> Novell part), but we only have to deal with passwords.
> 
> [... re logs as an alternative source ]
> >      Without preauth you can't tell a successful from
> >      unsuccessful attempt.
> 
> At all, right?  What would `successful authentication' mean
> at the KDC in the absence of preauthentication?  I am probably
> confused about something here.

Yes - at all.  Without pre-auth, the KDC will send back an AS-REP encrypted
in the user's password; the client code then tries to decrypt it with what it
received from the KDC.  Without pre-auth there is no way for the KDC to
know whether that decrypt was successful or not.
If pre-auth is enabled, then the KDC will attempt to decrypt a timestamp
encrypted in the user's password.  If this is successful, then the KDC knows
the user has the correct password and ships back the AS-REP encrypted in the
user's password.


> 
>    Donn Cave, donn at u.washington.edu
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
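
Added example, not part of the original message and not MIT Kerberos code: a toy model of the AS exchange described above, showing that the KDC can only record a successful authentication when the principal requires pre-auth. ToyKDC, client_login, seal/unseal and the PBKDF2 key derivation are hypothetical stand-ins, not real Kerberos enctypes or APIs.

```python
import hashlib, hmac, os, time

def string_to_key(password, principal):
    # Stand-in for Kerberos string-to-key (assumption, not a real enctype).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def seal(key, plaintext):
    # Toy authenticated encryption (payloads up to 32 bytes): keystream + HMAC tag.
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns the plaintext, or None when the key is wrong (tag mismatch).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

class ToyKDC:
    def __init__(self, principal, password, requires_preauth):
        self.principal = principal
        self.key = string_to_key(password, principal)
        self.requires_preauth = requires_preauth
        self.last_success = None  # shown as "never" until the KDC sees proof

    def as_req(self, padata, now):
        if self.requires_preauth:
            ts = unseal(self.key, padata) if padata else None
            # 300 s models the usual five-minute clock-skew window (assumption).
            if ts is None or abs(now - int.from_bytes(ts, "big")) > 300:
                return None  # pre-auth missing or failed: no AS-REP issued
            self.last_success = now  # KDC has proof the client holds the key
        # Without pre-auth the reply goes out unconditionally; whether the
        # client can decrypt it happens off the KDC, so nothing is recorded.
        return seal(self.key, os.urandom(16))

def client_login(kdc, password, now=None):
    now = time.time() if now is None else now
    key = string_to_key(password, kdc.principal)
    padata = None
    if kdc.requires_preauth:
        padata = seal(key, int(now).to_bytes(8, "big"))  # encrypted timestamp
    rep = kdc.as_req(padata, now)
    return rep is not None and unseal(key, rep) is not None
```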


