Last Successful Login always equals "never"

pachl clintpachl at
Sat Apr 19 04:08:47 EDT 2008

On Apr 18, 9:24 am, Joshua Hutchins <jdhutc... at>
> pachl wrote:
> > When running ``kadmin get <principle>`` for any principle, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to login to change the status of this line from
> > "never"?
> > I have used kinit from from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.
> > -pachl
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at
> >
> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages).  All our principals
> require pre-auth.  We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.
> Thanks, Joshua

A few hours after my original post I found an interestingly relevant
tidbit in my "Kerberos - The Definitive Guide" book on page 231.

*Last successful login, Last failed login, and Failed login count*
Unfortunately, these fields will always show never (or zero). The
reason for this is that while all of the other updates to a
principle's information, such as password changes or policy changes,
must be made through the master KDC, any KDC (master or slave) can
perform authentication. There is currently no way for a slave KDC to
report back to the master KDC that an authentication has occurred, so
the Heimdal code disables these fields.

The same is said about the MIT implementation.


More information about the Kerberos mailing list