find inactive accounts
Steve Glasser
sgla9347 at gmail.com
Thu Jan 21 12:16:03 EST 2010
Hi all,
Thanks for your thoughtful replies and suggestions.
It appears that we can use the REQUIRES_PRE_AUTH attribute without
also recompiling Kerberos with "--with-kdc-kdb-update". This changes
logging of user login attempts; when first attempting login there is a
log entry which includes "Additional pre-authentication required".
* Successful user login creates an additional "AS_REQ" log entry.
* Failed user login creates an additional log entry which includes
"PREAUTH_FAILED".
This solves part of our problem. Now we can tell the difference
between successful and failed logins.
I have only tested this in a very small dev environment. Please let
me know if I have missed something.
On Wed, Jan 20, 2010 at 6:47 AM, Ken Raeburn <raeburn at mit.edu> wrote:
> On Jan 20, 2010, at 09:15, John Hascall wrote:
>> Ah yes, I'd forgotten that.
>> so:
>> 1a) I would use an incremental propagation technique.
>
Thanks,
--
Steve Glasser
sgla9347 at gmail.com
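The log distinction described in the message above, applied to the thread's goal of finding inactive accounts; this is an added example, not part of the original post. The sample lines are constructed, and the line layout and the `ISSUE` status token are assumptions modelled on MIT krb5kdc logging. The function names and the principal list are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the layout is an assumption modelled on MIT krb5kdc logs.
SAMPLE_LOG = """\
Jan 04 09:00:00 kdc1 krb5kdc[812](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 04 09:00:01 kdc1 krb5kdc[812](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: ISSUE: authtime 1262595601, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 20 14:30:00 kdc1 krb5kdc[812](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 20 14:30:02 kdc1 krb5kdc[812](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jan 21 08:15:00 kdc1 krb5kdc[812](info): AS_REQ (2 etypes {18 17}) 192.0.2.12: ISSUE: authtime 1264061700, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# timestamp, AS_REQ status token, client principal (optional authtime/etypes on ISSUE lines)
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): AS_REQ .*?: "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?(?P<princ>\S+) for "
)

def summarize(log_text, year):
    """Return {principal: {"last_success": datetime or None, "failures": int}}."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        entry = seen.setdefault(m["princ"], {"last_success": None, "failures": 0})
        # Syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["status"] == "ISSUE":                 # ticket issued: successful login
            if entry["last_success"] is None or when > entry["last_success"]:
                entry["last_success"] = when
        elif m["status"] == "PREAUTH_FAILED":      # wrong password or key
            entry["failures"] += 1
        # NEEDED_PREAUTH is only the initial challenge and counts as neither.
    return seen

def inactive(principals, summary, now, max_idle_days):
    """Principals with no successful login within max_idle_days before now."""
    cutoff = now - timedelta(days=max_idle_days)
    idle = []
    for p in principals:  # principal list assumed to be exported from the KDC database
        last = summary.get(p, {}).get("last_success")
        if last is None or last < cutoff:
            idle.append(p)
    return sorted(idle)
```

A principal that only ever fails pre-authentication, or never appears in the log at all, is reported as inactive, so the log window fed to `summarize` must cover at least `max_idle_days`.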