On Mon, Dec 10, 2007 at 05:11:21PM -0600, Douglas E. Engert wrote:
> Yu, Ming wrote:
> > Does anybody know how to implement account lockout
> > features on Solaris 10 when the user authenticates against Kerberos?

> See "man shadow". /etc/passwd, NIS or LDAP can have *LK* to indicate
> it is locked. I think it is the pam_unix_account that checks for this.
> For a Kerberos account without a local password use something like NP
> for the password.

Right, but what the poster was asking, effectively, was how to make the
KDC lock out the user after N failed [pre-]authentication attempts.

The answer is that an MIT KDC with plain old db2 backend can't do it.
An MIT KDC with an LDAP backend could do it, but it doesn't yet.

The user should scrape logs on the KDC and lock accounts (principals)