Questions about KDC Lockout Support

Mike Friedman mikef at berkeley.edu
Sun Jul 22 23:51:32 EDT 2012


Hi,

I have some questions about the implementation of KDC lockout support in
recent versions of MIT K5.  Some things aren't completely clear to me,
or aren't addressed at all, in the documentation I have.

1.  The docs say that lockout settings for a principal are not
replicated.  So, if I have a user who's been locked on the master /and/
secondary KDCs (presumably the latter would have been done automatically
by the KDC per lockout policy), how would I /manually/ unlock this user
on /all/ KDCs?  In particular, how could I do the unlock on a secondary
KDC (which wouldn't be running kadmind)?

2.  When a locked user attempts authentication, what error code is
returned by the KDC?  For example, how would an application that uses
the MIT K5 API to support proxy authN detect a locked user at
authentication time?

Thanks.

Mike

-- 
Mike Friedman
mikef at berkeley.edu
http://mikefberkeley.com
