Questions about KDC Lockout Support

Mike Friedman mikef at berkeley.edu
Mon Jul 23 00:18:38 EDT 2012


On 2012-07-22 21:12, Greg Hudson wrote:
> On 07/22/2012 11:51 PM, Mike Friedman wrote:
>> 1.  The docs say that lockout settings for a principal are not
>> replicated.  So, if I have a user who's been locked on the master /and/
>> secondary KDCs (presumably the latter would have been done automatically
>> by the KDC per lockout policy), how would I /manually /unlock this user
>> on /all/ KDCs?  In particular, how could I do the unlock on a secondary
>> KDC (which wouldn't be running kadmind)?
> In 1.9 and later, if you modprinc -unlock the principal on the master,
> it will unlock on all slaves as of the next propagation (incremental or
> standard kprop).  This is done by replicating the timestamp of the last
> administrative unlock operation.

Greg,

Thanks, that's how I would expect it to work.  The documentation I saw
said (or implied) that the locking status wouldn't be replicated by
kprop, which is what confused me.  Anyway, the above is fine as far as
it goes.  Unfortunately, if I wanted to do the unlock remotely, or via
the API, kadmin.local on the slave wouldn't be good enough.

>> 2.  When a locked user attempts authentication, what error code is
>> returned by the KDC?
> The protocol error returned is 18, "Clients credentials have been
> revoked".  An application would see this as KRB5KDC_ERR_CLIENT_REVOKED.

Good, that's what I wanted to know.

Thanks again.

Mike

-- 
Mike Friedman
mikef at berkeley.edu
http://mikefberkeley.com
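To show the error code discussed above from the monitoring side, here is an added Python example; it is not part of this thread and not MIT Kerberos project code. It parses constructed krb5kdc.log lines, picks out the requests the KDC rejected with the "Clients credentials have been revoked" message (protocol error 18, KRB5KDC_ERR_CLIENT_REVOKED), and groups them by principal and by the KDC that logged them. Because lockout state is not replicated between KDCs, the per-KDC grouping shows where a lockout is actually being enforced. The log line layout and the LOCKED_OUT status token are assumptions about the KDC's log format, and every sample line is constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Protocol error 18 is what the KDC returns for a locked-out principal;
# applications see it as KRB5KDC_ERR_CLIENT_REVOKED, and the KDC log carries
# the matching message text.
KDC_ERR_CLIENT_REVOKED = 18
REVOKED_TEXT = "Clients credentials have been revoked"

# Constructed krb5kdc.log lines (assumed format, not real traffic).
# The LOCKED_OUT status token is an assumption; matching keys on REVOKED_TEXT.
SAMPLE_LOG = """\
Jul 23 00:15:02 kdc1 krb5kdc[2140](info): AS_REQ (4 etypes {18 17 16 23}) 10.20.30.40: ISSUE: authtime 1343016902, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 23 00:15:09 kdc1 krb5kdc[2140](info): AS_REQ (4 etypes {18 17 16 23}) 10.20.30.41: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jul 23 00:15:15 kdc1 krb5kdc[2140](info): AS_REQ (4 etypes {18 17 16 23}) 10.20.30.41: LOCKED_OUT: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
Jul 23 00:15:20 kdc2 krb5kdc[1877](info): AS_REQ (4 etypes {18 17 16 23}) 10.20.30.41: LOCKED_OUT: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clients credentials have been revoked
Jul 23 00:15:31 kdc1 krb5kdc[2140](info): TGS_REQ (4 etypes {18 17 16 23}) 10.20.30.40: ISSUE: authtime 1343016902, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/web1.example.com@EXAMPLE.COM
"""

# One KDC log line: syslog-style timestamp, KDC host, request type, client
# address, status token, optional extra fields, client principal, server
# principal and an optional trailing message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?(?P<src>\d+(?:\.\d+){3}): "
    r"(?P<status>[A-Z_]+): (?:.*?, )?(?P<client>[^\s,]+@\S+?) for "
    r"(?P<server>\S+?)(?:, (?P<msg>.*))?$"
)


@dataclass(frozen=True)
class KdcEvent:
    timestamp: str
    kdc: str
    request: str
    source: str
    status: str
    client: str
    server: str
    message: str


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc.log line; return None for lines in another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return KdcEvent(
        timestamp=m.group("ts"),
        kdc=m.group("kdc"),
        request=m.group("req"),
        source=m.group("src"),
        status=m.group("status"),
        client=m.group("client"),
        server=m.group("server"),
        message=m.group("msg") or "",
    )


def is_revoked(event: KdcEvent) -> bool:
    """True when the KDC answered with error 18 (client credentials revoked)."""
    return event.message == REVOKED_TEXT


def lockout_report(lines: Iterable[str]) -> Dict[str, List[KdcEvent]]:
    """Group revoked-credential rejections by client principal.

    Lockout counters are not replicated, so the same principal can be locked
    on one KDC and still usable on another; each event keeps the KDC name.
    """
    report: Dict[str, List[KdcEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is not None and is_revoked(ev):
            report[ev.client].append(ev)
    return dict(report)


def kdcs_enforcing_lockout(report: Dict[str, List[KdcEvent]],
                           principal: str) -> Set[str]:
    """Names of the KDCs that have rejected this principal as revoked."""
    return {ev.kdc for ev in report.get(principal, [])}


if __name__ == "__main__":
    rep = lockout_report(SAMPLE_LOG.splitlines())
    for princ, events in rep.items():
        kdcs = ", ".join(sorted(kdcs_enforcing_lockout(rep, princ)))
        print(f"{princ}: {len(events)} rejection(s) with error "
              f"{KDC_ERR_CLIENT_REVOKED} on {kdcs}")
```

When a principal shows up in the report on every KDC, the unlock described earlier in the thread (modprinc -unlock on the master, then the next propagation) is what clears it everywhere; if it shows up on only some KDCs, that is the non-replicated lockout counter at work and the report tells you which hosts are still enforcing it.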
