find inactive accounts

John Hascall john at iastate.edu
Wed Jan 20 09:15:37 EST 2010


> On Jan 20, 2010, at 08:47, John Hascall wrote:
> > What I would do is:
> >    1) make sure my KDCs were configured "--with-kdc-kdb-update" when  
> > built
> 
> Last I looked, this information still gets stored locally on each KDC,  
> and is overwritten when the master->slave propagation happens.  So a  
> successful "login" that happened to use a slave KDC might go unnoticed.

   Ah yes, I'd forgotten that.
   so:
       1a) I would use an incremental propagation technique. 
   and
       1b) I'd bug the Kerb team to fix this :)


John



More information about the Kerberos mailing list