account lockout problem with solaris and active directory

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Jul 19 18:48:57 EDT 2006


tulanian at gmail.com wrote:
> I don't know if this is a kerberos problem or not. I've gotten kerberos
> authentication to work on my Solaris 9 box to an Active Directory
> domain but we're having a problem with account lockouts. The threshold in
> AD is set to 10 failed login attempts, but a single bad password at the
> unix login prompt generates a flurry of failed attempts via kerberos,
> locking the account. Does anyone know why this could be happening?

There are several possibilities that I can think of off the top
of my head.  The most likely is that Solaris doesn't know that
Microsoft AD is a multi-master implementation and it doesn't know
which of the KDCs is the master, therefore when it attempts to
authenticate the user it tries all of the listed KDCs in turn
just in case the user has changed the password and the new keys
have not been propagated to the replicas.

If you can better describe the message exchanges I could provide
you a more accurate response.

Jeffrey Altman
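
One way to test the hypothesis in the reply against KDC-side logs, as an added example that is not part of the original thread: group each principal's failed pre-authentications into bursts and see how many distinct KDCs each burst touched. The log format, host names and principals below are constructed assumptions; only the threshold of 10 comes from the question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10  # value quoted in the original question

# Constructed sample data (assumed format: ISO timestamp, KDC host, principal).
# alice: 12 failures spread over 3 KDCs in 4 seconds; bob: 3 spaced-out failures.
SAMPLE_LOG = "\n".join(
    [f"2006-07-19T18:40:{i // 3:02d} dc{i % 3 + 1}.example.com alice" for i in range(12)]
    + ["2006-07-19T18:42:10 dc1.example.com bob",
       "2006-07-19T18:43:30 dc1.example.com bob",
       "2006-07-19T18:45:05 dc1.example.com bob"]
)

def find_bursts(log_text, max_gap=timedelta(seconds=5)):
    """Group each principal's failures into bursts separated by more than max_gap."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, kdc, principal = line.split()
        per_user[principal].append((datetime.fromisoformat(stamp), kdc))
    bursts = []
    for principal, events in per_user.items():
        events.sort()
        current = [events[0]]
        for event in events[1:]:
            if event[0] - current[-1][0] > max_gap:
                bursts.append((principal, current))
                current = []
            current.append(event)
        bursts.append((principal, current))
    return bursts

def classify(log_text):
    """Summarise each burst and flag those that look like client fan-out."""
    report = []
    for principal, events in find_bursts(log_text):
        kdcs = {kdc for _, kdc in events}
        report.append({
            "principal": principal,
            "start": events[0][0].isoformat(),
            "failures": len(events),
            "kdcs": len(kdcs),
            # Several failures on several KDCs within seconds: one attempt fanned out.
            "fan_out": len(events) > 1 and len(kdcs) > 1,
            # Failures in this burst alone meet the threshold from the question.
            "reaches_threshold": len(events) >= LOCKOUT_THRESHOLD,
        })
    return report
```

A burst flagged `fan_out` with far more failures than a person could type in that interval points at client retry behaviour rather than repeated bad passwords.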


