Account lockout / replication issue

Tom Yu tlyu at mit.edu
Wed Sep 9 07:22:42 EDT 2015


Mark Pröhl <mark at mproehl.net> writes:

> according to http://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html, the account lockout state is represented by the three account properties "The time of last successful authentication", "The time of last failed authentication" and "A counter of failed attempts". And that account lockout state should not be replicated. 

[...]

> However, in my simple test environment (Debian Jessie, MIT Kerberos 1.12.1) after a kprop/kpropd based full replication, all three properties seem to be replicated.

As implemented, "non-replicated" means not replicated by iprop.  I
believe this was the intent.  Full dumps include the non-replicated
lockout state attributes, probably to simplify promoting a slave to a
master.  Currently, the only way to prevent kdb5_util dump from dumping
the lockout state attributes is by using a command line flag that is for
the internal use of iprop.

This seems like it could be either a documentation bug, or a design
flaw, depending on your point of view.  Is it helpful to have an option
to suppress the lockout state attributes from full dumps?  If so, why?

Thanks.

-Tom
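One way to check what the original poster reports, as an added example that is not part of the thread: parse the output of `kadmin.local getprinc` from the master and from the slave after a kprop full dump and see which of the three lockout-state attributes came across. The attribute labels are assumed to match what kadmin prints; the two sample records are constructed for this example.

```python
"""Compare a principal's lockout state on a master and a replica KDC.

Input is the text printed by `kadmin.local getprinc <principal>` on each
KDC.  The three labels below are assumed to match kadmin's output; the
sample records at the bottom are constructed, not captured from a KDC.
"""

# The non-replicated lockout attributes named in lockout.html.
LOCKOUT_FIELDS = (
    "Last successful authentication",
    "Last failed authentication",
    "Failed password attempts",
)


def parse_getprinc(text):
    """Return {label: value} for the lockout fields in getprinc output."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in LOCKOUT_FIELDS:
            fields[label.strip()] = value.strip()
    missing = [f for f in LOCKOUT_FIELDS if f not in fields]
    if missing:
        raise ValueError("missing lockout fields: " + ", ".join(missing))
    return fields


def compare_lockout_state(master_text, replica_text):
    """Return {label: True/False}: True where the replica carries the
    master's value, i.e. where the attribute was replicated."""
    master = parse_getprinc(master_text)
    replica = parse_getprinc(replica_text)
    return {f: master[f] == replica[f] for f in LOCKOUT_FIELDS}


def lockout_state_replicated(master_text, replica_text):
    """True if every lockout attribute was carried over to the replica."""
    return all(compare_lockout_state(master_text, replica_text).values())


# Constructed sample: master after three failed and one good login.
MASTER = """Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last successful authentication: Tue Sep 08 12:00:00 EDT 2015
Last failed authentication: Tue Sep 08 11:58:00 EDT 2015
Failed password attempts: 3
Number of keys: 2
"""
# Constructed sample: replica as seen after a kprop full dump.
REPLICA_AFTER_KPROP = MASTER
# Constructed sample: what a replica that did not receive the state shows.
REPLICA_FRESH = MASTER.replace("Tue Sep 08 12:00:00 EDT 2015", "[never]") \
    .replace("Tue Sep 08 11:58:00 EDT 2015", "[never]") \
    .replace("Failed password attempts: 3", "Failed password attempts: 0")

if __name__ == "__main__":
    print(compare_lockout_state(MASTER, REPLICA_AFTER_KPROP))
    print(compare_lockout_state(MASTER, REPLICA_FRESH))
```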