Last Successful Login always equals "never"

pachl clintpachl at gmail.com
Sat Apr 19 04:08:47 EDT 2008


On Apr 18, 9:24 am, Joshua Hutchins <jdhutc... at ugcs.caltech.edu>
wrote:
> pachl wrote:
> > When running ``kadmin get <principal>`` for any principal, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to login to change the status of this line from
> > "never"?
>
> > I have used kinit from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
>
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.
>
> > -pachl
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages).  All our principals
> require pre-auth.  We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.
>
> Thanks, Joshua

A few hours after my original post I found an interestingly relevant
tidbit in my "Kerberos - The Definitive Guide" book on page 231.

*Last successful login, Last failed login, and Failed login count*
Unfortunately, these fields will always show never (or zero). The
reason for this is that while all of the other updates to a
principal's information, such as password changes or policy changes,
must be made through the master KDC, any KDC (master or slave) can
perform authentication. There is currently no way for a slave KDC to
report back to the master KDC that an authentication has occurred, so
the Heimdal code disables these fields.

The same is said about the MIT implementation.

-pachl


