> On Jun 20, 2015, at 11:15 AM, John Devitofranceschi <j...@optonline.net> wrote:
> ...
> It seems that this can be done by kinit’ing against all the KDCs as the
> target principal like this and checking the error message:
>
> echo "" | kinit princ 2>&1 | grep revoke => account is locked
>
> ...
> Once I find a (non-kadmind) kdc where the account is locked, I cannot unlock
> it using a standard kadmin -q "modprinc -unlock princ". The principal state
> is not propagated via iprop.
> ...
> But I am not seeing the principal getting unlocked on the slave,…

So, after some more experimentation I have determined that things ARE working as intended. It’s just that the failed password attempt count is not reset until the user actually tries to authenticate.

The test I have (above) cannot tell if a principal is locked or if it has *just* been unlocked, since a null password is not considered a failed attempt and the count is not reset when that is tried.

So, everything is working as expected, I expect.

jd
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
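
The per-KDC probe discussed in this thread, as an added example that is not part of the original messages: it pins kinit to one KDC at a time through a throwaway krb5.conf and labels a "revoke" match with the ambiguity reported in the follow-up. The function names, state labels, hostnames and realm are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-KDC lockout probe for one principal.

# Map kinit's stderr text to a state. Only the "revoke" match comes from the
# thread; per the follow-up it means "locked OR just unlocked and not yet
# re-authenticated", so it is labelled that way. Anything else is reported
# without guessing at its cause (wrong password, unreachable KDC, ...).
classify_kinit_output() {
    case "$1" in
        *revoke*) echo "locked-or-just-unlocked" ;;
        "")       echo "no-output" ;;
        *)        echo "no-revoke-error" ;;
    esac
}

# Write a krb5.conf that names exactly one KDC, so the probe cannot be
# answered by a different server. Arguments: realm kdc outfile
write_single_kdc_conf() {
    cat > "$3" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
[realms]
    $1 = {
        kdc = $2
    }
EOF
}

# Probe one KDC with an empty password. Arguments: principal realm kdc
probe_kdc() {
    conf=$(mktemp) || return 1
    write_single_kdc_conf "$2" "$3" "$conf"
    out=$(echo "" | KRB5_CONFIG="$conf" KRB5CCNAME="FILE:$conf.cc" kinit "$1" 2>&1)
    rm -f "$conf" "$conf.cc"
    printf '%s\t%s\n' "$3" "$(classify_kinit_output "$out")"
}

# Probe every KDC given. Arguments: principal realm kdc1 [kdc2 ...]
# e.g. probe_all princ EXAMPLE.TEST kdc1.example.test kdc2.example.test
probe_all() {
    princ=$1; realm=$2; shift 2
    for kdc in "$@"; do probe_kdc "$princ" "$realm" "$kdc"; done
}
```

A KDC that still reports `locked-or-just-unlocked` after `modprinc -unlock` is not necessarily out of sync; as the follow-up notes, the state only changes once the user actually tries to authenticate.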