Account Lockout Problems with 1.9.1

Tom Parker tparker at cbnco.com
Sat Nov 19 22:32:34 EST 2011


Sorry this is so long.  Here are the results of my testing with both my 
KDCs active.   I can still get a successful authentication after I 
should be locked out.

If there is any way to trace the KDC let me know and I can run that.

Tom

kadmin.local:  getpol default
Policy: default
Maximum password life: 15552000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
Maximum password failures before lockout: 10
Password failure count reset interval: 0
Password lockout duration: 0

KDC 1
anubis:~ # kadmin.local
Authenticating as principal host/admin at LS.CBN with password.
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:07:02 EST 2011
Last failed authentication: Fri Nov 18 16:51:40 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 2
charon:~ # kadmin.local
Authenticating as principal root/admin at LS.CBN with password.
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Fri Nov 18 16:51:40 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 1 After 10 Attempts
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 2 After 10 Attempts
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

Attempt 11 (Wrong Password)

tparker at tparker:~> KRB5_TRACE=/dev/stdout kinit tparker at LS.CBN
[11769] 1321759257.353652: Getting initial credentials for tparker at LS.CBN
[11769] 1321759257.354303: Sending request (170 bytes) to LS.CBN
[11769] 1321759257.534976: Sending initial UDP request to dgram 
172.30.26.12:88
[11769] 1321759257.584713: Received answer from dgram 172.30.26.12:88
[11769] 1321759257.711175: Response was from master KDC
[11769] 1321759257.711237: Received error from KDC: 
-1765328359/Additional pre-authentication required
[11769] 1321759257.711288: Processing preauth types: 2, 136, 19, 133
[11769] 1321759257.711316: Selected etype info: etype aes256-cts, salt 
"LS.CBNtparker", params ""
[11769] 1321759257.711327: Received cookie: MIT
Password for tparker at LS.CBN:
[11769] 1321759259.254675: AS key obtained for encrypted timestamp: 
aes256-cts/2526
[11769] 1321759259.254838: Encrypted timestamp (for 1321759259.254756): 
plain 301AA011180F32303131313132303033323035395AA105020303E324, 
encrypted 
374DE47FB0DDF294AC802F3A13C7CE2127B17579737F693E2B2110ADBB22D91136EF1F88870EC33CD2BFAF78A8840F8312EB7127D4C10D89
[11769] 1321759259.254870: Produced preauth for next request: 133, 2
[11769] 1321759259.254988: Sending request (265 bytes) to LS.CBN (master)
[11769] 1321759259.446455: Sending initial UDP request to dgram 
172.20.23.10:88
[11769] 1321759259.489672: Received answer from dgram 172.20.23.10:88
[11769] 1321759259.489794: Received error from KDC: -1765328353/Decrypt 
integrity check failed
kinit: Password incorrect while getting initial credentials

KDC 1 After 11 Attempts (Note, no change on last failed)
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

KDC 2 After 11 Attempts (Note, no change on last failed)
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

Attempt 12 (Correct Password: Successful Auth.  Should be locked out.)
tparker at tparker:~> KRB5_TRACE=/dev/stdout kinit tparker at LS.CBN
[11796] 1321759415.467622: Getting initial credentials for tparker at LS.CBN
[11796] 1321759415.468062: Sending request (170 bytes) to LS.CBN
[11796] 1321759415.653116: Sending initial UDP request to dgram 
172.20.23.10:88
[11796] 1321759415.706370: Received answer from dgram 172.20.23.10:88
[11796] 1321759415.947036: Response was from master KDC
[11796] 1321759415.947098: Received error from KDC: 
-1765328359/Additional pre-authentication required
[11796] 1321759415.947138: Processing preauth types: 2, 136, 19, 133
[11796] 1321759415.947156: Selected etype info: etype aes256-cts, salt 
"LS.CBNtparker", params ""
[11796] 1321759415.947162: Received cookie: MIT
Password for tparker at LS.CBN:
[11796] 1321759418.481413: AS key obtained for encrypted timestamp: 
aes256-cts/50AF
[11796] 1321759418.481499: Encrypted timestamp (for 1321759418.481438): 
plain 301AA011180F32303131313132303033323333385AA105020307589E, 
encrypted 
4DE3B4592F3A4AF2CBF0436E3CF0B074EDEABF31A323E48599EFCE7E582693B12250974C9F4B35F0DF0D22C0A17DF1F9AA3C3B7EAB8DB928
[11796] 1321759418.481520: Produced preauth for next request: 133, 2
[11796] 1321759418.481550: Sending request (265 bytes) to LS.CBN (master)
[11796] 1321759418.688169: Sending initial UDP request to dgram 
172.20.23.10:88
[11796] 1321759418.754025: Received answer from dgram 172.20.23.10:88
[11796] 1321759418.754098: Processing preauth types: 19
[11796] 1321759418.754109: Selected etype info: etype aes256-cts, salt 
"LS.CBNtparker", params ""
[11796] 1321759418.754114: Produced preauth for next request: (empty)
[11796] 1321759418.754126: AS key determined by preauth: aes256-cts/50AF
[11796] 1321759418.754197: Decrypted AS reply; session key is: 
aes256-cts/B757
[11796] 1321759418.754218: FAST negotiation: available
[11796] 1321759418.754249: Initializing FILE:/tmp/krb5cc_1000 with 
default princ tparker at LS.CBN
[11796] 1321759418.754533: Removing tparker at LS.CBN -> 
krbtgt/LS.CBN at LS.CBN from FILE:/tmp/krb5cc_1000
[11796] 1321759418.754543: Storing tparker at LS.CBN -> 
krbtgt/LS.CBN at LS.CBN in FILE:/tmp/krb5cc_1000
[11796] 1321759418.754616: Storing config in FILE:/tmp/krb5cc_1000 for 
krbtgt/LS.CBN at LS.CBN: fast_avail: yes
[11796] 1321759418.754640: Removing tparker at LS.CBN -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN at X-CACHECONF: 
from FILE:/tmp/krb5cc_1000
[11796] 1321759418.754648: Storing tparker at LS.CBN -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN at X-CACHECONF: in 
FILE:/tmp/krb5cc_1000

KDC 1 After successful auth (Note no change in last successful or last 
failed dates)
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 18 15:38:18 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 10
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

kadmin.local:  modify_principal -unlock tparker
Principal "tparker at LS.CBN" modified.

kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Nov 19 22:27:05 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:12:24 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

tparker at tparker:~> KRB5_TRACE=/dev/stdout kinit tparker at LS.CBN
[11813] 1321759645.93243: Getting initial credentials for tparker at LS.CBN
[11813] 1321759645.93815: Sending request (170 bytes) to LS.CBN
[11813] 1321759645.266587: Sending initial UDP request to dgram 
172.30.26.12:88
[11813] 1321759645.315523: Received answer from dgram 172.30.26.12:88
[11813] 1321759645.434509: Response was from master KDC
[11813] 1321759645.434561: Received error from KDC: 
-1765328359/Additional pre-authentication required
[11813] 1321759645.434602: Processing preauth types: 2, 136, 19, 133
[11813] 1321759645.434626: Selected etype info: etype aes256-cts, salt 
"LS.CBNtparker", params ""
[11813] 1321759645.434635: Received cookie: MIT
Password for tparker at LS.CBN:
[11813] 1321759647.403288: AS key obtained for encrypted timestamp: 
aes256-cts/50AF
[11813] 1321759647.403416: Encrypted timestamp (for 1321759647.403357): 
plain 301AA011180F32303131313132303033323732375AA105020306279D, 
encrypted 
CFB68B0D9E6B7D870FDC2228BB88EE9969EAA5FBB73ABEAFB1ED86029898DDA70E67A75788E78EB25F8BDF56554DB504E341B074435E835A
[11813] 1321759647.403437: Produced preauth for next request: 133, 2
[11813] 1321759647.403467: Sending request (265 bytes) to LS.CBN (master)
[11813] 1321759647.576887: Sending initial UDP request to dgram 
172.20.23.10:88
[11813] 1321759647.646546: Received answer from dgram 172.20.23.10:88
[11813] 1321759647.646638: Processing preauth types: 19
[11813] 1321759647.646654: Selected etype info: etype aes256-cts, salt 
"LS.CBNtparker", params ""
[11813] 1321759647.646661: Produced preauth for next request: (empty)
[11813] 1321759647.646677: AS key determined by preauth: aes256-cts/50AF
[11813] 1321759647.646792: Decrypted AS reply; session key is: 
aes256-cts/5A85
[11813] 1321759647.646824: FAST negotiation: available
[11813] 1321759647.646866: Initializing FILE:/tmp/krb5cc_1000 with 
default princ tparker at LS.CBN
[11813] 1321759647.647291: Removing tparker at LS.CBN -> 
krbtgt/LS.CBN at LS.CBN from FILE:/tmp/krb5cc_1000
[11813] 1321759647.647307: Storing tparker at LS.CBN -> 
krbtgt/LS.CBN at LS.CBN in FILE:/tmp/krb5cc_1000
[11813] 1321759647.647420: Storing config in FILE:/tmp/krb5cc_1000 for 
krbtgt/LS.CBN at LS.CBN: fast_avail: yes
[11813] 1321759647.647456: Removing tparker at LS.CBN -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN at X-CACHECONF: 
from FILE:/tmp/krb5cc_1000
[11813] 1321759647.647469: Storing tparker at LS.CBN -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN at X-CACHECONF: in 
FILE:/tmp/krb5cc_1000

KDC 1 After unlock.  Everything working as expected again.
kadmin.local:  getprinc tparker
Principal: tparker at LS.CBN
Expiration date: [never]
Last password change: Sat Oct 01 16:40:32 EDT 2011
Password expiration date: Thu Mar 29 16:40:32 EDT 2012
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Nov 19 22:27:05 EST 2011 (host/admin at LS.CBN)
Last successful authentication: Sat Nov 19 22:27:39 EST 2011
Last failed authentication: Sat Nov 19 22:18:27 EST 2011
Failed password attempts: 0
Number of keys: 4
Key: vno 26, aes256-cts-hmac-sha1-96, Version 5
Key: vno 26, aes128-cts-hmac-sha1-96, Version 5
Key: vno 26, des3-cbc-sha1, Version 5
Key: vno 26, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default


On 11/19/2011 01:04 PM, Greg Hudson wrote:
> On 11/18/2011 04:48 PM, Tom Parker wrote:
>> I have my default policy set to 10 password attempts before a lockout.
>> When a user hits the 10 attempts, the failed attempt counter stops
>> incrementing, the last failed count stops changing however they are
>> still able to get a TGT and TGS and log in.
> That's certainly not the expected behavior or the behavior in tests
> here.  Two guesses:
>
> 1. The client code has fallback to try the master KDC if it gets a
> failure response from the KDC it tries first.  Lockout failure counters
> are per-KDC.  Perhaps the client still had some attempts on one KDC when
> it hit the lockout count on the other?
>
> For various reasons I'm not sure if this explanation is really very
> likely, but make sure to check the logs and counters on both KDCs.
>
> 2. If you have a lockout duration in the policy and the duration has
> expired (it's in seconds), the client would be allowed to make more
> attempts.  A successful attempt should reset the counter to 0.
>
> If a particular KDC really is issuing tickets in a situation where the
> principal should be locked out, I don't really have a clue why; the next
> step for me if I could reproduce it here would be stepping through the
> KDC code in a debugger, or failing that, adding a lot of temporary
> logging code to the KDC.
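As an added example (not code from this thread or from MIT krb5), the script below reads the getpol and getprinc output from each KDC and applies the policy's lockout rules to each KDC's own counter, which is the per-KDC view Greg's first guess says to check. The sample data is constructed from the transcripts above, with KDC 2's count changed to 7 to show the case where one KDC would still issue tickets.

```python
from datetime import datetime, timedelta

def parse_fields(text):
    """Turn 'Key: value' lines from kadmin output into a dict."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_kadmin_time(value):
    """'Sat Nov 19 22:18:27 EST 2011' -> naive datetime; '[never]' -> None.
    The zone token is dropped so parsing does not depend on the local tz."""
    if value.startswith("[never]"):
        return None
    parts = value.split()
    del parts[4]  # drop 'EST'
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def lockout_state(policy, princ, now):
    """Apply MIT krb5 policy semantics: max failures; reset interval in
    seconds (0 = counter only reset by success or unlock); lockout duration
    in seconds (0 = locked until modify_principal -unlock)."""
    max_fail = int(policy["Maximum password failures before lockout"])
    reset = int(policy["Password failure count reset interval"])
    duration = int(policy["Password lockout duration"])
    count = int(princ["Failed password attempts"])
    last_fail = parse_kadmin_time(princ["Last failed authentication"])
    if max_fail == 0 or last_fail is None:
        return "open"
    if reset and now - last_fail > timedelta(seconds=reset):
        count = 0  # reset interval elapsed, failures no longer count
    if count < max_fail:
        return "open"
    if duration == 0 or now < last_fail + timedelta(seconds=duration):
        return "locked"
    return "open"  # lockout duration expired, attempts allowed again

# Constructed sample, modelled on the kadmin.local transcripts in this post.
POLICY = ("Maximum password failures before lockout: 10\n"
          "Password failure count reset interval: 0\n"
          "Password lockout duration: 0")
KDCS = {
    "KDC 1": "Last failed authentication: Sat Nov 19 22:18:27 EST 2011\n"
             "Failed password attempts: 10",
    "KDC 2": "Last failed authentication: Sat Nov 19 22:18:27 EST 2011\n"
             "Failed password attempts: 7",
}

def check_kdcs(policy_text, outputs, now):
    """Return {kdc name: 'locked' | 'open'} from each KDC's own counter."""
    policy = parse_fields(policy_text)
    return {name: lockout_state(policy, parse_fields(out), now)
            for name, out in outputs.items()}
```

Any KDC reporting "open" is one that will still answer an AS-REQ for the principal, so compare this against which address the KRB5_TRACE output shows the client actually talking to.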



More information about the Kerberos mailing list