Hi, according to http://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html, the account lockout state is represented by the three account properties "The time of last successful authentication", "The time of last failed authentication" and "A counter of failed attempts". And that account lockout state should not be replicated.
I would like to check this, and I am trying to run kadmin.local/getprinc on the master and on the slave. However, in my simple test environment (Debian Jessie, MIT Kerberos 1.12.1), after a kprop/kpropd-based full replication, all three properties seem to be replicated.

Before the replication:

root@slave:~# kadmin.local -q 'getprinc mark' | egrep '^Last successful authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:57:31 CEST 2015
Last failed authentication: Tue Sep 08 14:57:35 CEST 2015
Failed password attempts: 2

After doing some successful and unsuccessful kinits against the master and performing a replication, all three properties have new values:

root@slave:~# kadmin.local -q 'getprinc mark' | egrep '^Last successful authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3
root@slave:~#

Am I missing something, or could this be a bug?

--
Mark Pröhl

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
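The comparison the post does by hand (pull the three lockout attributes out of `getprinc` output on each KDC and see whether they match) can be scripted. The script below is an added example, not code from the original message or from MIT Kerberos; the two `getprinc` outputs it parses are constructed from the values quoted in the post, the realm `EXAMPLE.COM` is assumed, and on real KDCs you would replace them with the actual `kadmin.local -q 'getprinc <princ>'` output from the master and each replica.

```shell
#!/bin/sh
# Added example (not from the original post or from MIT Kerberos): extract the
# three lockout-state attributes from `kadmin.local -q 'getprinc <princ>'`
# output and compare the master's copy against a replica's copy.
#
# Against real KDCs, replace the constructed samples with live output, e.g.:
#   master_out=$(kadmin.local -q 'getprinc mark')
#   slave_out=$(ssh slave kadmin.local -q 'getprinc mark')

# Constructed sample output (realm EXAMPLE.COM is an assumption); the
# timestamps and counters are the ones quoted in the post.
MASTER_SAMPLE='Principal: mark@EXAMPLE.COM
Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3'

SLAVE_BEFORE_SAMPLE='Principal: mark@EXAMPLE.COM
Last successful authentication: Tue Sep 08 14:57:31 CEST 2015
Last failed authentication: Tue Sep 08 14:57:35 CEST 2015
Failed password attempts: 2'

# lockout_state: read getprinc output on stdin and print only the three
# lockout fields as key=value lines in a fixed order, so two outputs can be
# compared as strings. The split is on ": " (colon-space) so the colons
# inside the time-of-day do not break the value.
lockout_state() {
    awk -F': ' '
        /^Last successful authentication:/ { ok  = $2 }
        /^Last failed authentication:/     { bad = $2 }
        /^Failed password attempts:/       { n   = $2 }
        END {
            printf "last_success=%s\nlast_failure=%s\nfailed_attempts=%s\n", ok, bad, n
        }'
}

# failed_attempts: read getprinc output on stdin and print the counter alone.
failed_attempts() {
    lockout_state | sed -n 's/^failed_attempts=//p'
}

# lockout_diverged MASTER_OUTPUT REPLICA_OUTPUT: prints "same" when the
# lockout state in both outputs is identical (i.e. the state was replicated)
# and "different" when the replica still holds its own independent state.
lockout_diverged() {
    a=$(printf '%s\n' "$1" | lockout_state)
    b=$(printf '%s\n' "$2" | lockout_state)
    if [ "$a" = "$b" ]; then
        echo same
    else
        echo different
    fi
}

# Stand-alone run: compare the constructed master output with the replica's
# pre-propagation output (these differ, as in the post's "before" snapshot).
lockout_diverged "$MASTER_SAMPLE" "$SLAVE_BEFORE_SAMPLE"
```

Run the comparison once before `kprop` and once after it: if the result flips from `different` to `same`, the full dump that `kprop` ships carried the three attributes along, which is exactly what the post observes on its 1.12.1 slave.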