Questions about KDC Lockout Support

Greg Hudson ghudson at MIT.EDU
Mon Jul 23 00:12:01 EDT 2012


On 07/22/2012 11:51 PM, Mike Friedman wrote:
> 1.  The docs say that lockout settings for a principal are not
> replicated.  So, if I have a user who's been locked on the master /and/
> secondary KDCs (presumably the latter would have been done automatically
> by the KDC per lockout policy), how would I /manually/ unlock this user
> on /all/ KDCs?  In particular, how could I do the unlock on a secondary
> KDC (which wouldn't be running kadmind)?

In 1.9 and later, if you modprinc -unlock the principal on the master,
it will unlock on all slaves as of the next propagation (incremental or
standard kprop).  This is done by replicating the timestamp of the last
administrative unlock operation.

If you don't have relatively fast propagation and need to unlock a
principal on the slave, you'll have to use kadmin.local on the slave or
the equivalent.  There's not much we can do about that without creating
new communication mechanisms between master and slaves (which would wind
up just being a special case of iprop).

> 2.  When a locked user attempts authentication, what error code is
> returned by the KDC?

The protocol error returned is 18, "Clients credentials have been
revoked".  An application would see this as KRB5KDC_ERR_CLIENT_REVOKED.

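An added example, not MIT krb5 code or anything from this thread, modelling the behaviour described in the reply: each KDC keeps its own failure counter, but a replicated administrative-unlock timestamp newer than the last failure clears the lockout, and a still-locked principal gets protocol error 18. The record fields, policy names and helper functions are assumptions chosen for the model.

```python
# Simplified model (assumed names, not MIT krb5's implementation) of a KDC
# lockout check that honours a replicated "last administrative unlock" time.
from dataclasses import dataclass
from typing import Optional

KRB5KDC_ERR_CLIENT_REVOKED = 18   # protocol error code quoted in the reply


@dataclass
class LockoutPolicy:
    max_fail: int            # 0 = never lock out
    lockout_duration: int    # seconds; 0 = locked until an admin unlocks


@dataclass
class PrincipalRecord:
    fail_auth_count: int = 0                 # per-KDC, not replicated
    last_failed: int = 0                     # time of most recent failure
    last_admin_unlock: Optional[int] = None  # replicated with the record


def lockout_error(rec, policy, now):
    """Return 18 (KRB5KDC_ERR_CLIENT_REVOKED) if an AS request for this
    principal should be rejected as locked out, else 0."""
    # An administrative unlock at or after the last failure clears the
    # lock even though this KDC's failure counter was never reset.
    if rec.last_admin_unlock is not None and rec.last_failed <= rec.last_admin_unlock:
        return 0
    if policy.max_fail == 0 or rec.fail_auth_count < policy.max_fail:
        return 0
    if policy.lockout_duration == 0:          # permanent until unlocked
        return KRB5KDC_ERR_CLIENT_REVOKED
    if now < rec.last_failed + policy.lockout_duration:
        return KRB5KDC_ERR_CLIENT_REVOKED
    return 0                                  # lockout window has expired


def admin_unlock(rec, now):
    """modprinc -unlock on the master: reset the counter and stamp the
    record; only the stamp travels with the next kprop/iprop update."""
    rec.fail_auth_count = 0
    rec.last_admin_unlock = now
    return rec


def propagate(master_rec, slave_rec):
    """Model of propagation: the slave keeps its own failure state but
    receives the master's unlock timestamp."""
    slave_rec.last_admin_unlock = master_rec.last_admin_unlock
    return slave_rec
```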