On Apr 18, 9:24 am, Joshua Hutchins <[EMAIL PROTECTED]> wrote:
> pachl wrote:
> > When running ``kadmin get <principal>`` for any principal, the "Last
> > successful login" and the "Last failed login" lines always equal
> > "never." What does the "Last successful login" line mean? Where and
> > how would I have to log in to change the status of this line from
> > "never"?
> >
> > I have used kinit from several machines and have also used the
> > system login at the console, which exclusively uses kerberosV (local
> > password file is disabled).
> >
> > All my machines in the Kerberos realm are OpenBSD 4.1 and use Heimdal
> > 0.7.2.
> >
> > -pachl
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> We have the same problem here with Debian and MIT Kerberos Version 5,
> Release 1.6.3 (installed from Debian packages). All our principals
> require pre-auth. We haven't spent any time debugging it, but if
> there's a simple solution, we'd love to know it.
>
> Thanks,
> Joshua

A few hours after my original post I found an interestingly relevant tidbit in my "Kerberos - The Definitive Guide" book on page 231.

*Last successful login, Last failed login, and Failed login count*

Unfortunately, these fields will always show never (or zero). The reason for this is that while all of the other updates to a principal's information, such as password changes or policy changes, must be made through the master KDC, any KDC (master or slave) can perform authentication. There is currently no way for a slave KDC to report back to the master KDC that an authentication has occurred, so the Heimdal code disables these fields.

The same is said about the MIT implementation.

-pachl
