Managing account lockout

John Devitofranceschi jdvf at optonline.net
Sat Jun 20 18:43:18 EDT 2015


> On Jun 20, 2015, at 11:15 AM, John Devitofranceschi <jdvf at optonline.net> wrote:
> ...
> It seems that this can be done by kinit'ing against all the KDCs as the target principal like this and checking the error message:
> 
> echo "" | kinit princ 2>&1 | grep revoke => account is locked
> 
> ...
> Once I find a (non-kadmind) kdc where the account is locked, I cannot unlock it using a standard kadmin -q "modprinc -unlock princ". The principal state is not propagated via iprop.
> ...
> But I am not seeing the principal getting unlocked on the slave,…

So, after some more experimentation I have determined that things ARE working as intended.  It’s just that the failed password attempt count is not reset until the user actually tries to authenticate. 

The test I have (above) cannot tell if a principal is locked or if it has *just* been unlocked, since a null password is not considered a failed attempt and the count is not reset when that is tried.

So, everything is working as expected, I expect.

jd
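The probe described in the quoted message, written out as a small POSIX shell script (an added example, not code from the original post). It pins one KDC at a time through a throwaway krb5.conf, runs the same null-password kinit, and classifies the reply so the result of each KDC can be compared. The realm, KDC host names and principal are placeholders; the "Password incorrect" and "Preauthentication failed" strings are assumed MIT kinit wordings used only to separate "KDC answered, not locked" from an unknown reply, while "revoke" is the match the post itself relies on. As the post notes, the null password is not counted as a failed attempt, so the probe does not change the lockout counter, and it cannot distinguish a locked principal from one just unlocked whose counter has not yet been reset by a real authentication.

```shell
#!/bin/sh
# Added example (not from the original post): probe each KDC of a realm for a
# locked-out principal with a null-password kinit and classify its reply.

# classify_kinit_output TEXT -> prints one of: locked | not_locked | unknown
# "revoke" is the match from the post; the other phrases are assumed MIT
# kinit wordings meaning "the KDC answered and the account is not locked".
classify_kinit_output() {
    case "$1" in
        *revoke*)
            echo locked ;;
        *"Password incorrect"*|*"Preauthentication failed"*)
            echo not_locked ;;
        *)
            echo unknown ;;
    esac
}

# probe_kdc PRINCIPAL REALM KDCHOST -> classification of kinit's reply when
# only that KDC is listed, via a temporary krb5.conf (assumed layout).
probe_kdc() {
    princ=$1; realm=$2; kdc=$3
    conf=$(mktemp) || return 1
    cat > "$conf" <<EOF
[libdefaults]
    default_realm = $realm
[realms]
    $realm = {
        kdc = $kdc
    }
EOF
    # Null password on stdin: per the post this is not counted as a failed
    # attempt, so probing does not move the failed-attempt counter.
    out=$(echo "" | KRB5_CONFIG="$conf" KRB5CCNAME="FILE:$conf.cc" \
          kinit "$princ@$realm" 2>&1)
    rm -f "$conf" "$conf.cc"
    classify_kinit_output "$out"
}

# probe_all PRINCIPAL REALM KDC... -> one "kdc: state" line per KDC, so a
# KDC whose state differs from the others (e.g. still locked) stands out.
probe_all() {
    princ=$1; realm=$2; shift 2
    for kdc in "$@"; do
        echo "$kdc: $(probe_kdc "$princ" "$realm" "$kdc")"
    done
}

# Usage (placeholder names): ./probe.sh user EXAMPLE.COM kdc1.example.com kdc2.example.com
if [ "$#" -ge 3 ]; then
    probe_all "$@"
fi
```

Run it against every KDC in the realm after a `modprinc -unlock`; a KDC still reporting `locked` while the kadmind host reports `not_locked` is exactly the situation the post describes, and per the post it resolves once the user authenticates for real.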


