I've got everything working, and my test users can indeed log in and be
authenticated by the Kerberos server. The problem I'm facing now is that
a client whose principal is something like someone/admin@HOST.DOMAIN.COM
is able to log in, but I get a message like this:

login: Client not found in Kerberos database while getting initial

I've read several FAQs and install docs for Kerberos, but I didn't see
anything exactly like this covered. (BTW, the test application is telnet.)

What I'd expect to happen is that I should be able to deny this user
login, since they're not using the username 'admin', but rather 'someone'.

A user with only a single principal, not of the user/admin (etc.) form, so just
joe@HOST.DOMAIN.COM, can log in with no errors and gets a new ticket.

A user whose sole principal is user/admin@HOST.DOMAIN.COM gets an error,
since user@HOST.DOMAIN.COM doesn't exist.

1. Should I be adding user@HOST.DOMAIN.COM *first*, then add another
principal that gives them admin rights (as in
user/admin@HOST.DOMAIN.COM)?

2. If I wish to *lock* someone's Kerberos account, to ensure they cannot
log in to a Kerberos-authenticating workstation, or prevent those
with NO Kerberos principal from logging in, what's a good pointer for

Thanks much. So far, my Kerberos experience and understanding have been
far better than in previous experiments.
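The behaviour described in the post above (joe@HOST.DOMAIN.COM logs in as joe, while someone/admin@HOST.DOMAIN.COM does not log in as someone) comes down to how the login program maps an authenticated principal to a local account. The following is an added example, not code from the original post or from MIT Kerberos: it models, in simplified form, the documented default behaviour of MIT's krb5_kuserok() check. If the target account's ~/.k5login exists, only the principals listed in it are accepted; otherwise the principal must map to the account through the default auth_to_local rule, which accepts only single-component principals in the default realm. The realm HOST.DOMAIN.COM is taken from the post; the principal names and the .k5login contents in the test are constructed for illustration, and the .k5login text is passed in as a string so the example runs offline.

```python
"""
Simplified model of an MIT-Kerberos-style kuserok() decision.
Added example; not the original post's code and not MIT Kerberos source.
Rules mirrored here (assumed to match MIT's default behaviour):
  - if ~/.k5login for the target user exists, the principal must be
    listed in it (one principal per line), nothing else is accepted;
  - otherwise the default auth_to_local rule applies: only a
    single-component principal in the default realm maps to a local
    account, and it maps to the account of the same name.
So joe@HOST.DOMAIN.COM -> "joe", but someone/admin@HOST.DOMAIN.COM maps
to nothing unless it is listed explicitly in ~someone/.k5login.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_REALM = "HOST.DOMAIN.COM"   # realm name taken from the post


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("joe",) or ("someone", "admin")
    realm: str

    @classmethod
    def parse(cls, text: str, default_realm: str = DEFAULT_REALM) -> "Principal":
        """Parse 'name[/instance...][@REALM]'; a missing realm defaults.

        A backslash escapes the next character, so '/' and '@' inside a
        component do not act as separators (as in krb5_parse_name()).
        """
        comps, buf, in_realm = [], [], False
        i = 0
        while i < len(text):
            ch = text[i]
            if ch == "\\" and i + 1 < len(text):
                buf.append(text[i + 1])
                i += 2
                continue
            if not in_realm and ch == "/":
                comps.append("".join(buf))
                buf = []
            elif not in_realm and ch == "@":
                comps.append("".join(buf))
                buf = []
                in_realm = True
            else:
                buf.append(ch)
            i += 1
        realm = "".join(buf) if in_realm else ""
        if not in_realm:
            comps.append("".join(buf))
        if not comps or any(c == "" for c in comps):
            raise ValueError(f"malformed principal: {text!r}")
        return cls(tuple(comps), realm or default_realm)

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def aname_to_localname(p: Principal, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Default auth_to_local rule: only name@DEFAULT_REALM maps, to 'name'."""
    if p.realm == default_realm and len(p.components) == 1:
        return p.components[0]
    return None


def kuserok(p: Principal, local_user: str, k5login: Optional[str]) -> bool:
    """Return True if principal p may log in as local_user.

    k5login is the text of ~local_user/.k5login, or None when that file
    does not exist (passed in as a string so the example runs offline).
    """
    if k5login is not None:
        # File present: it is the complete allow-list for this account.
        allowed = {str(Principal.parse(line.strip()))
                   for line in k5login.splitlines() if line.strip()}
        return str(p) in allowed
    # No file: fall back to the default name mapping.
    return aname_to_localname(p) == local_user


if __name__ == "__main__":
    for who, user in [("joe@HOST.DOMAIN.COM", "joe"),
                      ("someone/admin@HOST.DOMAIN.COM", "someone")]:
        print(f"{who} as {user}: {kuserok(Principal.parse(who), user, None)}")
```

The model also shows the one trap worth knowing when you start using instance-qualified principals: as soon as ~joe/.k5login exists, joe@HOST.DOMAIN.COM is no longer accepted automatically and must be listed in the file too. Separately, for question 2, MIT's kadmin disables a principal with `modprinc -allow_tix principal` (and re-enables it with `+allow_tix`), which stops the KDC issuing it any tickets at all.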

