[20316] in Kerberos_V5_Development
Re: What does each of the kerberos database column mean?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Sep 1 14:27:31 2021
To: 윤석찬 <yoonsch217@gmail.com>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <53843de1-6be0-25d0-5319-ca567094636a@mit.edu>
Date: Wed, 1 Sep 2021 14:27:17 -0400
In-Reply-To: <CABBjrwh7yKiNOA44cpzpUrK8=U+GCZarndKEvcAVC0RO6LEkEg@mail.gmail.com>

On 9/1/21 1:51 AM, 윤석찬 wrote:
> I need to find all the locked principals, so I decided to get that from the
> Kerberos database.

We don't have an explicit "locked" status within principal entries. A
principal is considered locked out if all of the following are true:

* its fail_auth_count is equal to or greater than the policy's max_fail

* the policy's lockout_duration is 0, or the time elapsed since the
  principal's last_failed is less than the lockout_duration

* the principal wasn't administratively unlocked since the principal's
  last_failed

You can view each principal's last_success, last_failed, and fail_count
status with "kdb5_util tabdump princ_lockout". Unfortunately the
administrative unlock timestamp isn't included. You can specify the -n
flag (after "tabdump") for numeric POSIX timestamps, and the -H flag to
suppress headers.

Documenting the full dump file format is on my to-do list, but tabdump
is hoped to cover most of the cases where an administrator needs to
extract bulk principal information from the database.

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
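
Added example, not part of the original message or of MIT krb5: a Python sketch that applies the first two conditions from the reply above to "kdb5_util tabdump -n -H princ_lockout" output. It assumes tab-separated columns in the order name, last_success, last_failed, fail_count, a single policy whose max_fail and lockout_duration the caller supplies, and that a max_fail of 0 means the policy never locks out (MIT krb5 behaviour not stated in the message); the function name and sample rows are constructed.

```python
import csv
import io

# Constructed sample of `kdb5_util tabdump -n -H princ_lockout` output.
# Assumed layout: tab-separated name, last_success, last_failed, fail_count.
SAMPLE_DUMP = (
    "alice@EXAMPLE.COM\t1630500000\t1630400000\t0\n"
    "bob@EXAMPLE.COM\t1630300000\t1630519000\t5\n"
    "carol@EXAMPLE.COM\t1630200000\t1630450000\t7\n"
    "dave@EXAMPLE.COM\t0\t1630519500\t2\n"
)


def lockout_candidates(dump_text, max_fail, lockout_duration, now):
    """Return principals meeting the first two lockout conditions.

    max_fail and lockout_duration (seconds) come from the policy and are
    supplied by the caller; one policy is assumed for every row.
    The administrative unlock time is not in this dump, so a principal
    unlocked by an admin after last_failed still shows up here.
    """
    if max_fail == 0:
        # Assumption: a max_fail of 0 means the policy never locks out.
        return []
    hits = []
    reader = csv.reader(io.StringIO(dump_text), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) != 4:
            continue  # skip blank or malformed lines
        name, _last_success, last_failed, fail_count = row
        if int(fail_count) < max_fail:
            continue
        elapsed = now - int(last_failed)
        # A duration of 0 means the lockout does not expire on its own.
        if lockout_duration == 0 or elapsed < lockout_duration:
            hits.append(name)
    return hits


if __name__ == "__main__":
    now = 1630520000  # constructed "current time" matching the sample rows
    print(lockout_candidates(SAMPLE_DUMP, 5, 3600, now))
    print(lockout_candidates(SAMPLE_DUMP, 5, 0, now))
```

Because the administrative unlock timestamp is missing from the dump, treat the result as a list of candidates to confirm, not a definitive lockout list.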