What does each of the kerberos database column mean?
Greg Hudson
ghudson at mit.edu
Wed Sep 1 14:27:17 EDT 2021
On 9/1/21 1:51 AM, 윤석찬 wrote:
> I need to find all the locked principals, so I decided to get that from the
> Kerberos database.
We don't have an explicit "locked" status within principal entries. A
principal is considered locked out if all of the following are true:
* its fail_auth_count is equal to or greater than the policy's max_fail
* the policy's lockout_duration is 0, or the time elapsed since the
principal's last_failed is less than the lockout_duration
* the principal wasn't administratively unlocked since the principal's
last_failed
You can view each principal's last_success, last_failed, and fail_count
status with "kdb5_util tabdump princ_lockout". Unfortunately the
administrative unlock timestamp isn't included. You can specify the -n
flag (after "tabdump") for numeric POSIX timestamps, and the -H flag to
suppress headers.
Documenting the full dump file format is on my to-do list, but tabdump
is hoped to cover most of the cases where an administrator needs to
extract bulk principal information from the database.
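The three criteria above can be applied mechanically to tabdump output. The script below is an added example, not code from the original message or from MIT Kerberos: it parses the tab-separated rows that `kdb5_util tabdump -n -H princ_lockout` produces (assumed column order name, last_success, last_failed, fail_count, numeric POSIX timestamps, no header), takes the policy's max_fail and lockout_duration as parameters, and lists the principals that satisfy the first two criteria. The sample rows and policy values are constructed for the example. Because the administrative-unlock timestamp is not in the dump, the result is a list of candidates, not a definitive answer; a max_fail of 0 is treated as lockout disabled, which is the kadmin policy convention and an assumption of this script.

```python
"""List locked-out principal candidates from `kdb5_util tabdump -n -H princ_lockout`.

Example code, not part of MIT Kerberos. Column order assumed from the
tabdump documentation: name, last_success, last_failed, fail_count.
"""
from dataclasses import dataclass
import time

# Constructed sample output, as written by `tabdump -n -H princ_lockout`
# (tab-separated, POSIX timestamps, no header line).
SAMPLE_TABDUMP = (
    "alice@EXAMPLE.COM\t1630000000\t1630470000\t5\n"
    "bob@EXAMPLE.COM\t1630400000\t1630000000\t5\n"
    "carol@EXAMPLE.COM\t1630450000\t1630460000\t2\n"
    "svc/host@EXAMPLE.COM\t0\t0\t0\n"
)


@dataclass
class LockoutRow:
    name: str
    last_success: int
    last_failed: int
    fail_count: int


def parse_princ_lockout(text):
    """Parse tabdump rows; raise on a row that does not have four columns."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"unexpected column count in tabdump row: {line!r}")
        name, last_success, last_failed, fail_count = fields
        rows.append(LockoutRow(name, int(last_success), int(last_failed),
                               int(fail_count)))
    return rows


def is_locked_out(row, max_fail, lockout_duration, now):
    """Apply the two criteria visible in the dump.

    max_fail == 0 is assumed to mean lockout is disabled for the policy
    (the kadmin -maxfailure convention). The third criterion, an
    administrative unlock after last_failed, cannot be checked here.
    """
    if max_fail == 0:
        return False
    if row.fail_count < max_fail:
        return False
    if lockout_duration == 0:
        return True  # permanent lockout until an administrator unlocks
    return now - row.last_failed < lockout_duration


def locked_principals(text, max_fail, lockout_duration, now=None):
    """Return names of principals that look locked out at time `now`."""
    if now is None:
        now = int(time.time())
    return [r.name for r in parse_princ_lockout(text)
            if is_locked_out(r, max_fail, lockout_duration, now)]


if __name__ == "__main__":
    # Policy with max_fail=5 and a one-day lockout, evaluated at a fixed time.
    for name in locked_principals(SAMPLE_TABDUMP, 5, 86400, now=1630500000):
        print(name)
```

To use it against a real KDC, save the output of `kdb5_util tabdump -n -H princ_lockout` to a file and pass its contents together with the policy's maxfailure and lockoutduration values (as shown by `kadmin getpol`); principals under different policies must be evaluated with their own policy's values. Any principal the script reports should be cross-checked for a later administrative unlock before treating it as locked.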