Disabling db updates on auth

Jaap Winius jwinius at umrk.nl
Mon Aug 6 10:28:04 EDT 2012


Hi folks,

My site has the problem that, if an office with a KDC slave server is  
temporarily cut off from its master, the users there can't log in.  
Apparently, when users or hosts attempt to authenticate, the system  
insists on updating the master KDC. I'm using an LDAP backend and  
after enabling heavy trace debugging (level 4) on the slapd provider,  
which hosts the Kerberos master, I kept seeing entries in its log like  
the following every time authentication took place at a slave site:

connection_get(33)
send_ldap_result: err=0 matched="" text=""
connection_get(33)
conn=1048 op=1 do_modify: dn (krbPrincipalName=host/north.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
conn=1048 op=1 modifications:
#011replace: krbLastSuccessfulAuth
#011#011one value, length 15
#011replace: krbLoginFailedCount
#011#011one value, length 1
#011replace: krbExtraData
#011#011multiple values
send_ldap_result: err=8 matched="" text="modifications require authentication"
connection_get(33)

While it's interesting that the final error never seems to matter, the  
problem for me is that it wants to replace the values for those three  
attributes at all. How can this be prevented?

I'm using Debian squeeze (with krb5-kdc v1.8.3) and have tried adding  
both "disable_last_success = true" and "disable_lockout = true" to the  
[dbmodules] section of /etc/krb5.conf on both the master and the slave  
KDC, but it makes no difference.

Any suggestions?

Thanks,

Jaap
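
One way to pull the KDC's authentication-time write attempts out of a slapd trace like the one quoted above, with the target entry and the result the provider returned. This is an added example, not part of the original post; the function names are hypothetical and the sample lines are constructed.

```python
import re

# Attributes the KDC rewrites at authentication time (the first two are in the
# trace above; krbLastFailedAuth comes from the same Kerberos LDAP schema).
AUTH_ATTRS = {"krbLastSuccessfulAuth", "krbLoginFailedCount", "krbLastFailedAuth"}
MODIFY = re.compile(r"conn=(\d+) op=(\d+) do_modify: dn\s*(?:\((.*)\))?\s*$")
CHANGE = re.compile(r"^\s*(?:replace|add|delete): (\S+)")
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')

def parse_modifies(lines):
    """Return one record per do_modify in a slapd trace, paired with its result."""
    ops, cur = [], None
    for raw in lines:
        line = raw.replace("#011", "\t").rstrip()  # syslog writes tabs as #011
        m = MODIFY.search(line)
        if m:
            cur = {"conn": int(m.group(1)), "op": int(m.group(2)),
                   "dn": m.group(3), "attrs": [], "err": None, "text": None}
        elif cur is None:
            continue  # results of other operations (bind, search) are skipped
        elif cur["dn"] is None:
            cur["dn"] = line.strip().strip("()")  # DN wrapped onto its own line
        elif (m := CHANGE.match(line)):
            cur["attrs"].append(m.group(1))
        elif (m := RESULT.search(line)):
            cur["err"], cur["text"] = int(m.group(1)), m.group(2)
            ops.append(cur)
            cur = None
    return ops

def auth_writebacks(ops):
    """Modifies that touch authentication-tracking attributes."""
    return [o for o in ops if AUTH_ATTRS & set(o["attrs"])]

# Constructed sample modelled on the trace in the post.
SAMPLE = [
    'send_ldap_result: err=0 matched="" text=""',
    "conn=1048 op=1 do_modify: dn",
    "(krbPrincipalName=host/north.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)",
    "#011replace: krbLastSuccessfulAuth",
    "#011#011one value, length 15",
    "#011replace: krbLoginFailedCount",
    'send_ldap_result: err=8 matched="" text="modifications require authentication"',
    "conn=1050 op=2 do_modify: dn (cn=admin,dc=example,dc=com)",
    "#011replace: description",
    'send_ldap_result: err=0 matched="" text=""',
]
if __name__ == "__main__":
    print(auth_writebacks(parse_modifies(SAMPLE)))
```

Run against the provider's log while a slave site is authenticating, a non-empty result confirms the KDC is still attempting write-backs, and the `err` field shows whether the provider accepted them.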

