[31260] in Kerberos


Re: Kerberos User Stats never get updated

daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Jun 16 07:57:48 2009

From: Ken Raeburn <raeburn@mit.edu>
To: Matthew.GARRETT@external.total.com
In-Reply-To: <OF5BFE4BE6.FCB9DC96-ON802575D7.003E2ED3-802575D7.003EA4B7@total.com>
Message-Id: <90A915B9-F0B3-4B0E-AD48-8BA39BC52E8D@mit.edu>
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Tue, 16 Jun 2009 07:56:55 -0400
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Jun 16, 2009, at 07:24, Matthew.GARRETT@external.total.com wrote:
> Using MIT Kerberos Server on a RedHat Linux Server

> The following stats never seem to get updated
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0

The KDC normally doesn't even get such information, but with
preauthentication in use it may be possible to figure it out.
However, the KDC is also normally built to access the database in
read-only fashion, so it doesn't actually update these fields even if
the information is available.  Third, even if the KDC is rebuilt with
the options to make it update the database (and I'm not 100% sure if it
still compiles in that mode), at least in the db2-based database
implementation, the statistics from the master server would be pushed
out to the slaves with the rest of the database info, and the
statistics from the slaves would simply be discarded; the LDAP-based
database would better support updates from both master and slaves, but
with a race condition (two KDCs could try incrementing the
failed-attempt counter simultaneously by both reading the old value at
the same time, and then both writing the incremented value, causing one
increment to be lost).

So, in short, the current implementation doesn't really support these  
fields well at all.

-- 
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
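
The lost-update interleaving described in the message above, replayed deterministically as an added example; it is not part of the original post and is not MIT krb5 or LDAP code. `SharedStore`, `compare_and_swap` and the other names are hypothetical, and the conditional write with retry is one common remedy for read-modify-write races, not something the message proposes.

```python
# Constructed in-memory stand-in for one principal's record in a shared
# database reachable by two KDCs. Not krb5 or LDAP code; names are hypothetical.
class SharedStore:
    def __init__(self):
        self.fail_count = 0  # the "Failed password attempts" field

    def read(self):
        return self.fail_count

    def write(self, value):
        self.fail_count = value

    def compare_and_swap(self, expected, new):
        """Write only if the stored value is still the one the caller read."""
        if self.fail_count != expected:
            return False
        self.fail_count = new
        return True


def naive_race(store):
    """Both KDCs read the old value, then both write old+1."""
    seen_a = store.read()    # KDC A reads 0
    seen_b = store.read()    # KDC B reads 0 before A has written
    store.write(seen_a + 1)  # A records its failed attempt
    store.write(seen_b + 1)  # B overwrites with the same value: A's count is lost
    return store.read()


def cas_increment(store, stale=None):
    """Increment with retry; `stale` simulates a read taken before another writer."""
    seen = store.read() if stale is None else stale
    attempts = 1
    while not store.compare_and_swap(seen, seen + 1):
        seen = store.read()  # value changed underneath us: re-read and retry
        attempts += 1
    return attempts


def guarded_race(store):
    """Same interleaving, but every write is conditional on the value read."""
    seen_b = store.read()                          # B reads 0
    cas_increment(store)                           # A increments 0 -> 1
    b_attempts = cas_increment(store, stale=seen_b)  # B's first write is rejected
    return store.read(), b_attempts


if __name__ == "__main__":
    print("naive:", naive_race(SharedStore()))      # two failures, counter shows 1
    print("guarded:", guarded_race(SharedStore()))  # counter shows 2 after one retry
```
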
