Last Successful Login always equals "never"
pachl
clintpachl at gmail.com
Sat Apr 19 04:08:47 EDT 2008
On Apr 18, 9:24 am, Joshua Hutchins <jdhutc... at ugcs.caltech.edu>
wrote:
> pachl wrote:
> > When running ``kadmin get <principal>`` for any principal, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to login to change the status of this line from
> > "never"?
>
> > I have used kinit from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
>
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.
>
> > -pachl
> > ________________________________________________
> > Kerberos mailing list Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages). All our principals
> require pre-auth. We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.
>
> Thanks, Joshua

A few hours after my original post I found an interestingly relevant
tidbit in my "Kerberos - The Definitive Guide" book on page 231.

*Last successful login, Last failed login, and Failed login count*
Unfortunately, these fields will always show never (or zero). The
reason for this is that while all of the other updates to a
principal's information, such as password changes or policy changes,
must be made through the master KDC, any KDC (master or slave) can
perform authentication. There is currently no way for a slave KDC to
report back to the master KDC that an authentication has occurred, so
the Heimdal code disables these fields.

The same is said about the MIT implementation.

-pachl