Account lockout / replication issue

Mark Pröhl mark at mproehl.net
Tue Sep 8 09:21:06 EDT 2015


Hi,

According to http://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html, the account lockout state is represented by the three account properties "The time of last successful authentication", "The time of last failed authentication" and "A counter of failed attempts", and that account lockout state should not be replicated.

I would like to check this and I am trying to run kadmin.local/getprinc on the master and on the slave.

However, in my simple test environment (Debian Jessie, MIT Kerberos 1.12.1) after a kprop/kpropd based full replication, all three properties seem to be replicated.

Before the replication:

root@slave:~# kadmin.local -q 'getprinc mark' | egrep '^Last successful authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:57:31 CEST 2015
Last failed authentication: Tue Sep 08 14:57:35 CEST 2015
Failed password attempts: 2

After doing some successful and unsuccessful kinits against the master and performing a replication, all three properties have new values:

root@slave:~# kadmin.local -q 'getprinc mark' | egrep '^Last successful authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3
root@slave:~#

Am I missing something, or could this be a bug?

--
Mark Pröhl
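
The manual check described in the message above can be scripted so that two getprinc captures taken on the replica, one before and one after a propagation, are compared field by field. This is an added example and not part of the original post; the function names `lockout_value` and `changed_lockout_fields` are hypothetical, and the sample captures are the two outputs quoted in the message.

```shell
#!/bin/sh
# Added example: compare the three lockout-state fields in two captures of
# `kadmin.local -q 'getprinc <principal>'` output taken on a replica KDC.

# Print the value of one getprinc field. $1 = exact field name; getprinc
# output is read from stdin. Lines that do not start with the name are ignored.
lockout_value() {
    awk -v name="$1" 'index($0, name ": ") == 1 { print substr($0, length(name) + 3) }'
}

# Print the name of every lockout field whose value differs between two
# captures. $1 = capture before propagation, $2 = capture after propagation.
# The body runs in a subshell so its variables stay local.
changed_lockout_fields() (
    for field in 'Last successful authentication' \
                 'Last failed authentication' \
                 'Failed password attempts'; do
        before=$(printf '%s\n' "$1" | lockout_value "$field")
        after=$(printf '%s\n' "$2" | lockout_value "$field")
        [ "$before" = "$after" ] || printf '%s\n' "$field"
    done
)

# Sample input: the two replica captures quoted in the message.
BEFORE='Last successful authentication: Tue Sep 08 14:57:31 CEST 2015
Last failed authentication: Tue Sep 08 14:57:35 CEST 2015
Failed password attempts: 2'

AFTER='Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3'

# On a live replica the captures would instead be taken around the kprop run:
#   BEFORE=$(kadmin.local -q 'getprinc mark')
#   ... propagation from the master ...
#   AFTER=$(kadmin.local -q 'getprinc mark')
changed=$(changed_lockout_fields "$BEFORE" "$AFTER")
if [ -n "$changed" ]; then
    printf 'Lockout fields that changed across propagation:\n%s\n' "$changed"
else
    echo 'Lockout fields unchanged across propagation.'
fi
```

No authentication should be attempted against the replica between the two captures, otherwise a change in these fields cannot be attributed to the propagation.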

