What does each of the kerberos database column mean?

Greg Hudson ghudson at mit.edu
Wed Sep 1 14:27:17 EDT 2021

On 9/1/21 1:51 AM, 윤석찬 wrote:
> I need to find all the locked principals, so I decided to get that from the
> Kerberos database.

We don't have an explicit "locked" status within principal entries.  A
principal is considered lockout if all of the following are true:

* its fail_auth_count is equal to or greater than the policy's max_fail
* the policy's lockout_duration is 0, or the time elapsed since the
principal's last_failed is less than the lockout_duration
* the principal wasn't administratively unlocked since the principal's

You can view each principal's last_sucess, last_failed, and fail_count
status with "kdb5_util tabdump princ_lockout".  Unfortunately the
administrative unlock timestamp isn't included.  You can specify the -n
flag (after "tabdump") for numeric POSIX timestamps, and the -H flag to
suppress headers.

Documenting the full dump file format is on my to-do list, but tabdump
is hoped to cover most of the cases where an administrator needs to
extract bulk principal information from the database.

More information about the krbdev mailing list