> -----Original Message-----
> From: Donn Cave [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 15, 2003 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: "Last successful authentication" always set to "never"
>
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (John Hascall) wrote:
>
> > > > When you 'configure' kerberos during the build process,
> > > > you need to include the '--with-kdc-kdb-update' flag to
> > > > enable this. And then you need to put the 'requires_preauth'
> > > > attribute on your principals.
>
> [... re propagating success updates between KDCs ]
> > We are incrementally updating our slave (as well as our
> > W2K-AD and Novell-NDS) so this is not an issue for us.
>
> Yes, I remember that, as we are doing this too (minus the
> Novell part), but we only have to deal with passwords.
>
> [... re logs as an alternative source ]
> > Without preauth you can't tell a successful from
> > unsuccessful attempt.
>
> At all, right? What would `successful authentication' mean
> at the KDC in the absence of preauthentication? I am probably
> confused about something here.
Yes - at all. Without pre-auth, the KDC will send back an AS-REP encrypted in the user's password; the client code then tries to decrypt it with what it received from the KDC. Without pre-auth there is no way for the KDC to know whether that decrypt was successful or not. If pre-auth is enabled, then the KDC will attempt to decrypt a timestamp encrypted in the user's password. If this is successful, then the KDC knows the user has the correct password and ships back the AS-REP encrypted in the user's password.

>
> Donn Cave, [EMAIL PROTECTED]
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
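The two AS exchanges described in the reply above, as an added toy model (not code from the thread, from MIT krb5, or from any of the posters). It assumes a stand-in cipher (PBKDF2 for string-to-key, an HMAC keystream plus HMAC tag for the enctype's integrity check), a constructed realm EXAMPLE.ORG with principals alice and bob, and a fixed clock-skew window; the KRB-ERROR names are the RFC 4120 ones. The point it makes runnable is the one in the message: only on the requires_preauth path does the KDC ever see evidence that the client holds the right key, so only there can it record a "last successful authentication".

```python
"""Toy model of the Kerberos AS exchange, with and without pre-authentication.

Constructed example: the crypto is a stand-in (PBKDF2 + HMAC), not a real
Kerberos enctype, and the KDC keeps just enough state to show which branch
can record a "last successful authentication" time.
"""
import hashlib
import hmac
import os
import time

CLOCK_SKEW = 300  # seconds the KDC tolerates in PA-ENC-TIMESTAMP (assumed value)


class IntegrityError(Exception):
    """Raised when a ciphertext does not verify under the given key."""


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the enctype's string-to-key; Kerberos salts with realm+principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: a wrong key fails the tag check, which is the
    # property that lets the decrypting party tell a good key from a bad one.
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise IntegrityError("wrong key or corrupted ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}  # principal -> {"key", "requires_preauth", "last_success"}

    def add_principal(self, name: str, password: str, requires_preauth: bool) -> None:
        self.db[name] = {"key": string_to_key(password, self.realm + name),
                         "requires_preauth": requires_preauth, "last_success": None}

    def as_req(self, name: str, padata, now: float):
        """Handle an AS-REQ; return ("AS-REP", enc_part) or ("KRB-ERROR", code)."""
        ent = self.db[name]
        if ent["requires_preauth"]:
            if padata is None:
                return ("KRB-ERROR", "KDC_ERR_PREAUTH_REQUIRED")
            try:
                ts = int.from_bytes(decrypt(ent["key"], padata), "big")
            except IntegrityError:
                return ("KRB-ERROR", "KDC_ERR_PREAUTH_FAILED")
            if abs(ts - now) > CLOCK_SKEW:
                return ("KRB-ERROR", "KRB_AP_ERR_SKEW")
            # Only on this path has the KDC seen proof that the client holds the key.
            ent["last_success"] = now
        # Without requires_preauth none of the above runs: the AS-REP is issued to
        # whoever asks, and whether it decrypts is decided on the client, unseen by the KDC.
        session_key = os.urandom(32)
        return ("AS-REP", encrypt(ent["key"], session_key))


def client_login(kdc: KDC, name: str, password: str, use_preauth: bool, now=None) -> bool:
    """Run one AS exchange; True if the client recovers the session key."""
    now = time.time() if now is None else now
    key = string_to_key(password, kdc.realm + name)
    padata = encrypt(key, int(now).to_bytes(8, "big")) if use_preauth else None
    kind, body = kdc.as_req(name, padata, now)
    if kind != "AS-REP":
        return False
    try:
        decrypt(key, body)
        return True
    except IntegrityError:
        return False  # the client learns the password was wrong; the KDC never does


def demo():
    kdc = KDC("EXAMPLE.ORG")  # constructed realm and principals
    kdc.add_principal("alice", "correct horse", requires_preauth=False)
    kdc.add_principal("bob", "battery staple", requires_preauth=True)
    r = {}
    for who, pw, pa in [("alice", "guess", False), ("alice", "correct horse", False),
                        ("bob", "guess", True), ("bob", "battery staple", True)]:
        ok = client_login(kdc, who, pw, pa)
        r[(who, pw)] = (ok, kdc.db[who]["last_success"] is not None)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "client ok=%s, KDC recorded success=%s" % v)
```

Running it, alice (no requires_preauth) gets an AS-REP whether or not the password is right and the KDC's last_success stays unset in both cases; bob's wrong password is rejected at the KDC with KDC_ERR_PREAUTH_FAILED, and only his correct login sets last_success. In MIT krb5 the flag modelled by requires_preauth is the principal attribute the thread mentions (kadmin: modprinc +requires_preauth).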
