Password Lockout

Brian brianslist at apple.com
Tue Jul 8 19:55:39 EDT 2003


I need to set a password lockout scheme, such that on a configured
entry the KDC should limit the number of password attempts. I did not
find any explicit settings on policies or on the principal add/modify
commands. Is this parameter settable? I also went through the
source code and found this in do_as_req.c:

#ifdef KRBCONF_KDC_MODIFIES_KDB
	    /*
	     * Note: this doesn't work if you're using slave servers!!!
	     * It also causes the database to be modified (and thus
	     * need to be locked) frequently.
	     */
	    if (client.fail_auth_count < KRB5_MAX_FAIL_COUNT) {
		client.fail_auth_count = client.fail_auth_count + 1;
		if (client.fail_auth_count == KRB5_MAX_FAIL_COUNT) {
		    client.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
		}
	    }
	    client.last_failed = kdc_time;
	    update_client = 1;
#endif


Under what condition does KRBCONF_KDC_MODIFIES_KDB get enabled?

Thanks

Nirmalan
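
An added example, not part of the original post or the krb5 source: a small C model of the quoted fragment that shows what its comment about slave servers means for the lockout threshold. It assumes each KDC updates only its own copy of the entry and the copies are never merged; the constant values, `struct entry`, `MAX_KDCS` and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values: the post does not show these definitions. */
#define KRB5_MAX_FAIL_COUNT 5
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
#define MAX_KDCS 8 /* size limit of this model only */

/* Hypothetical cut-down entry: only the fields the fragment touches. */
struct entry { int fail_auth_count; unsigned attributes; long last_failed; };

/* The quoted update, applied to one KDC's local copy of the entry. */
static void record_failure(struct entry *client, long kdc_time)
{
    if (client->fail_auth_count < KRB5_MAX_FAIL_COUNT) {
        client->fail_auth_count = client->fail_auth_count + 1;
        if (client->fail_auth_count == KRB5_MAX_FAIL_COUNT)
            client->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
    }
    client->last_failed = kdc_time;
}

static int locked(const struct entry *e) { return (e->attributes & KRB5_KDB_DISALLOW_ALL_TIX) != 0; }

/* Failed attempts processed before every KDC refuses the principal,
 * with requests rotating over n_kdcs copies that are never merged. */
int failures_until_locked_everywhere(int n_kdcs)
{
    struct entry db[MAX_KDCS];
    int total = 0, remaining = n_kdcs, i;
    if (n_kdcs < 1 || n_kdcs > MAX_KDCS)
        return -1;
    memset(db, 0, sizeof(db));
    for (i = 0; remaining > 0; i = (i + 1) % n_kdcs) {
        if (locked(&db[i]))
            continue;                 /* this KDC already refuses */
        record_failure(&db[i], (long)total++);
        if (locked(&db[i]))
            remaining--;
    }
    return total;
}

int main(void)
{
    printf("1 KDC:  %d\n", failures_until_locked_everywhere(1));
    printf("3 KDCs: %d\n", failures_until_locked_everywhere(3));
    return 0;
}
```

In this model the number of failures tolerated before lockout grows with the number of KDCs, so the configured limit is only enforced when a single KDC holds the writable database.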


