Warren Jones wrote:
Our site has configured Active Directory so that an account is
temporarily locked after five consecutive failed login attempts. This
works as expected when I authenticate from a Linux box running MIT
Kerberos 1.6.3. However, I've noticed a change after updating to
version 1.7: My account is now locked after a single failed login
attempt, using either kinit or pam_krb5.
Has anyone else run into this?
I've tried the following combinations:
OS             MIT Kerberos  Results
-------------  ------------  --------------------------------
openSUSE 11.0  1.6.3-50.5    works as expected
openSUSE 11.2  1.6.3-132.1   works as expected
openSUSE 11.2  1.7-6.1       account locked after one failure
openSUSE 11.2  1.7-15.1      account locked after one failure
Any insights will be much appreciated.
I had seen that during testing, and used the attached patch to get around it.
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--- ./lib/krb5/krb/,get_in_tkt.c Mon May 11 15:55:59 2009
+++ ./lib/krb5/krb/get_in_tkt.c Wed Oct 21 13:27:23 2009
@@ -483,7 +483,11 @@
return 0;
}
-#define MAX_IN_TKT_LOOPS 16
+/*
+ * DEE tmp fix to keep AD from turning off account
+ * #define MAX_IN_TKT_LOOPS 16
+ */
+#define MAX_IN_TKT_LOOPS 2
static const krb5_enctype get_in_tkt_enctypes[] = {
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
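Review bot: The replacement `#define MAX_IN_TKT_LOOPS 2` lowers a cap that, judging by its name, bounds every retry in get_in_tkt.c rather than only the one that runs up the AD failed-login count, and the comment gives no reason why 2 is the right value. Say in the comment which retry the limit is meant to stop and what legitimate retries still fit within 2 iterations, so a later reader can tell whether the value is safe to change. The old `#define MAX_IN_TKT_LOOPS 16` is left inside the comment block; drop it and state the previous value in prose, since the revision history already records it. Because the comment marks this as a "tmp fix", also note the condition under which it should be reverted or replaced by a check on the specific failure that should end the loop.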
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos