"last log" and other information tracking
Erich Weiler
weiler at soe.ucsc.edu
Sat Jul 29 01:47:39 EDT 2006
Hi Richard,
Yes, I just read somewhere that pre-auth was required... But I tried
adding a user as such:
kadmin: addprinc +require_preauth username
and then authenticated somewhere as the user and it didn't seem to make
a difference... Is my syntax wrong maybe? Or am I maybe missing some
steps?
Thanks for replying!
ciao, erich
Richard E. Silverman wrote:
>> Greetings all!
>> I'm having trouble finding the answer to a problem I'm having...
>> Basically, when I do a "getprinc username" through kadmin, I get:
>>
>> kadmin: getprinc user
>> Principal: user at DOMAIN.COM
>> Expiration date: [never]
>> Last password change: Fri Jul 21 16:26:28 PDT 2006
>> Password expiration date: [none]
>> Maximum ticket life: 1 day 00:00:00
>> Maximum renewable life: 0 days 00:00:00
>> Last modified: Fri Jul 21 16:26:28 PDT 2006 (admin/admin at DOMAIN.COM)
>> Last successful authentication: [never]
>> Last failed authentication: [never]
>> Failed password attempts: 0
>> Number of keys: 6
>> Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 4, ArcFour with HMAC/md5, no salt
>> Key: vno 4, DES with HMAC/sha1, no salt
>> Key: vno 4, DES cbc mode with RSA-MD5, no salt
>> Key: vno 4, DES cbc mode with CRC-32, Version 4
>> Key: vno 4, DES cbc mode with CRC-32, AFS version 3
>> Attributes:
>> Policy: [none]
>> kadmin:
>>
>> Note that it says "Last successful authentication: [never]" and "Last
>> failed authentication: [never]". That user has in fact authenticated
>> many times, and has failed a few too. Is there a way I can get that
>> information to be logged so it will show up with the above "getprinc
>> user" command? I've looked through the "logging" documentation but am
>> stumped... Thanks in advance for any advice!
>
> I'm just guessing at this one, but I note that this principal does not
> require preauthentication. In this, case the client does not actually
> authenticate itself to the KDC at all: the KDC simply sends out the
> encrypted TGT and relies on the fact that only the intended principal
> can decrypt it. Hence, I would expect these counters to remain zero.
>
--
===================================
Erich Weiler
UNIX Systems Administrator
School of Engineering
University of California Santa Cruz
weiler at soe.ucsc.edu
===================================
More information about the Kerberos
mailing list