Questions about KDC Lockout Support
Mike Friedman
mikef at berkeley.edu
Mon Jul 23 00:18:38 EDT 2012
On 2012-07-22 21:12, Greg Hudson wrote:
> On 07/22/2012 11:51 PM, Mike Friedman wrote:
>> 1. The docs say that lockout settings for a principal are not
>> replicated. So, if I have a user who's been locked on the master /and/
>> secondary KDCs (presumably the latter would have been done automatically
>> by the KDC per lockout policy), how would I /manually /unlock this user
>> on /all/ KDCs? In particular, how could I do the unlock on a secondary
>> KDC (which wouldn't be running kadmind)?
> In 1.9 and later, if you modprinc -unlock the principal on the master,
> it will unlock on all slaves as of the next propagation (incremental or
> standard kprop). This is done by replicating the timestamp of the last
> administrative unlock operation.
Greg,
Thanks, that's how I would expect it to work. The documentation I saw
said (or implied) that the locking status wouldn't be replicated by
kprop, which is what confused me. Anyway, the above is fine as far as
it goes. Unfortunately, if I wanted to do the unlock remotely, or via
the API, kadmin.local on the slave wouldn't be good enough.
>> 2. When a locked user attempts authentication, what error code is
>> returned by the KDC?
> The protocol error returned is 18, "Clients credentials have been
> revoked". An application would see this as KRB5KDC_ERR_CLIENT_REVOKED.
Good, that's what I wanted to know.
Thanks again.
Mike
--
Mike Friedman
mikef at berkeley.edu
http://mikefberkeley.com
More information about the Kerberos
mailing list