find inactive accounts
Ken Raeburn
raeburn at mit.edu
Wed Jan 20 08:59:31 EST 2010
On Jan 20, 2010, at 08:47, John Hascall wrote:
> What I would do is:
> 1) make sure my KDCs were configured "--with-kdc-kdb-update" when built
Last I looked, this information still gets stored locally on each KDC,
and is overwritten when the master->slave propagation happens. So a
successful "login" that happened to use a slave KDC might go unnoticed.
There was some work going on to make the propagation not trash this
per-KDC data; I don't know if it's done yet or if it got into the 1.8
branch.
(Also, the "--with-kdc-kdb-update" code didn't compile, for a while.)
> 3) then I would look through my latest kprop dump for lines starting with
> "princ" and grab the 7th and 13th fields. For example:
We really should make it easier to extract these data in a more
helpful form... :-)
Ken
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
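
Added example, not part of the original messages: a sketch of the dump-scanning step that also accounts for the per-KDC caveat above, by reading a dump taken locally on each KDC and keeping the newest value per principal. It assumes tab-separated "princ" records whose 7th field is the principal name and whose 13th field is the last successful authentication as epoch seconds (0 when none is recorded); the sample records, names and function names are constructed for illustration.

```python
# Assumed layout of a "princ" record (tab-separated):
#   field 7 = principal name, field 13 = last successful auth (epoch seconds, 0 = none)

def princ_line(name, last_success):
    """Build a constructed 'princ' record with the assumed leading fields."""
    fields = ["princ", "38", str(len(name)), "0", "0", "0", name,
              "0", "86400", "604800", "0", "0", str(last_success), "0", "0"]
    return "\t".join(fields)

# Constructed sample dumps, one taken locally on each KDC.
MASTER_DUMP = "\n".join([
    princ_line("alice@EXAMPLE.COM", 1263900000),
    princ_line("bob@EXAMPLE.COM", 1200000000),
    princ_line("carol@EXAMPLE.COM", 1200000000),
    princ_line("dave@EXAMPLE.COM", 0),
])
SLAVE_DUMP = "\n".join([
    princ_line("alice@EXAMPLE.COM", 0),
    princ_line("bob@EXAMPLE.COM", 1263000000),  # recent login seen only by the slave
    princ_line("carol@EXAMPLE.COM", 1190000000),
    princ_line("dave@EXAMPLE.COM", 0),
])
NOW = 1263996000  # constructed "current time": 20 Jan 2010

def last_success_by_principal(dump_text):
    """Map principal name -> last-success timestamp for one KDC's dump."""
    result = {}
    for line in dump_text.splitlines():
        fields = line.split("\t")
        if fields[0] != "princ" or len(fields) < 13:
            continue  # skip headers, policy records, truncated lines
        result[fields[6]] = int(fields[12])
    return result

def merge_kdcs(dumps):
    """Keep the newest last-success value seen on any KDC."""
    merged = {}
    for dump_text in dumps:
        for name, ts in last_success_by_principal(dump_text).items():
            merged[name] = max(merged.get(name, 0), ts)
    return merged

def inactive(merged, now, max_idle_days):
    """Principals with no recorded success inside the idle window."""
    cutoff = now - max_idle_days * 86400
    return sorted(name for name, ts in merged.items() if ts < cutoff)

if __name__ == "__main__":
    print(inactive(merge_kdcs([MASTER_DUMP, SLAVE_DUMP]), NOW, 90))
```

With only the master's dump, bob would be reported as inactive even though a slave KDC saw a recent login.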