Disabling db updates on auth
Jaap Winius
jwinius at umrk.nl
Mon Aug 6 10:28:04 EDT 2012
Hi folks,

My site has the problem that, if an office with a KDC slave server is
temporarily cut off from its master, the users there can't log in.
Apparently, when users or hosts attempt to authenticate, the system
insists on updating the master KDC. I'm using an LDAP backend and
after enabling heavy trace debugging (level 4) on the slapd provider,
which hosts the Kerberos master, I kept seeing entries in its log like
the following every time authentication took place at a slave site:

connection_get(33)
send_ldap_result: err=0 matched="" text=""
connection_get(33)
conn=1048 op=1 do_modify: dn
(krbPrincipalName=host/north.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
conn=1048 op=1 modifications:
#011replace: krbLastSuccessfulAuth
#011#011one value, length 15
#011replace: krbLoginFailedCount
#011#011one value, length 1
#011replace: krbExtraData
#011#011multiple values
send_ldap_result: err=8 matched="" text="modifications require authentication"
connection_get(33)

While it's interesting that the final error never seems to matter, the
problem for me is that it wants to replace the values for those three
attributes at all. How can this be prevented?

I'm using Debian squeeze (with krb5-kdc v1.8.3) and have tried adding
both "disable_last_success = true" and "disable_lockout = true" to the
[dbmodules] section of /etc/krb5.conf on both the master and the slave
KDC, but it makes no difference.

Any suggestions?

Thanks,
Jaap
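
Added example, not part of the original post: a small Python parser for slapd trace output of the kind quoted above, which lists the principals for which the KDC attempted to write auth-tracking attributes and the LDAP result code of each attempt, so a change to the KDC settings can be checked against the provider's log. The sample log is constructed (the second entry, for alice, is hypothetical), and the parser assumes the lines of one modify operation are not interleaved with another connection's.

```python
import re
# Constructed sample in the same shape as the slapd trace excerpt in the post.
SAMPLE_LOG = """\
conn=1048 op=1 do_modify: dn
(krbPrincipalName=host/north.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
conn=1048 op=1 modifications:
#011replace: krbLastSuccessfulAuth
#011#011one value, length 15
#011replace: krbLoginFailedCount
#011#011one value, length 1
#011replace: krbExtraData
send_ldap_result: err=8 matched="" text="modifications require authentication"
conn=1050 op=2 do_modify: dn
(krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com)
#011replace: krbLastFailedAuth
send_ldap_result: err=0 matched="" text=""
"""

# Attributes the KDC rewrites for last-success tracking and account lockout.
AUTH_TRACKING = {"krbLastSuccessfulAuth", "krbLastFailedAuth", "krbLoginFailedCount"}

def parse_modifies(text):
    """Return one dict per do_modify: dn, attrs touched, LDAP result code."""
    ops, cur = [], None
    for line in text.splitlines():
        if "do_modify: dn" in line:
            cur = {"dn": None, "attrs": [], "err": None}
            ops.append(cur)
        if cur is None:
            continue  # result lines for binds/searches outside a modify
        if cur["dn"] is None and (m := re.search(r"\((krbPrincipalName=[^)]+)\)", line)):
            cur["dn"] = m.group(1)
        if m := re.search(r"(?:replace|add|delete): (\w+)", line):
            cur["attrs"].append(m.group(1))
        if m := re.search(r"send_ldap_result: err=(\d+)", line):
            cur["err"], cur = int(m.group(1)), None  # the result closes the op
    return ops

def auth_write_summary(ops):
    """Map principal DN -> [(tracking attributes touched, result code), ...]."""
    out = {}
    for op in ops:
        touched = sorted(AUTH_TRACKING.intersection(op["attrs"]))
        if touched:
            out.setdefault(op["dn"], []).append((touched, op["err"]))
    return out

if __name__ == "__main__":
    print(auth_write_summary(parse_modifies(SAMPLE_LOG)))
```

An empty summary over a log window that includes logins at the slave site means no auth-tracking writes were attempted in that window.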