account lockout problem with solaris and active directory
I don't know if this is a kerberos problem or not. I've gotten kerberos
authentication to work on my Solaris 9 box to an Active Directory
domain but we're having problem with account lockouts. The threshold in
AD is set to 10 failed login attempts, but a single bad password at the
unix login prompt generates a flurry of failed attempts via kerberos,
locking the account. Does anyone know why this could be happening?
Re: account lockout problem with solaris and active directory
tulanian@gmail.com wrote:
> I don't know if this is a kerberos problem or not. I've gotten kerberos
> authentication to work on my Solaris 9 box to an Active Directory
> domain but we're having problem with account lockouts. The threshold in
> AD is set to 10 failed login attempts, but a single bad password at the
> unix login prompt generates a flurry of failed attempts via kerberos,
> locking the account. Does anyone know why this could be happening?
There are several possibilities that I can think of off the top
of my head. The most likely is that Solaris doesn't know that
Microsoft AD is a multi-master implementation and it doesn't know
which of the KDCs is the master, therefore when it attempts to
authenticate the user it tries all of the listed KDCs in turn
just in case the user has changed the password and the new keys
have not been propagated to the replicas.
If you can better describe the message exchanges I could provide
you a more accurate response.
Jeffrey Altman
Re: account lockout problem with solaris and active directory
tulanian@gmail.com wrote:
> I don't know if this is a kerberos problem or not. I've gotten kerberos
> authentication to work on my Solaris 9 box to an Active Directory
> domain but we're having problem with account lockouts. The threshold in
> AD is set to 10 failed login attempts, but a single bad password at the
> unix login prompt generates a flurry of failed attempts via kerberos,
> locking the account. Does anyone know why this could be happening?
Could be PAM is trying more than once, or if you are using OpenSSH, it
could be trying password authentication, then PAM.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [email]Kerberos@mit.edu[/email]
[url]https://mailman.mit.edu/mailman/listinfo/kerberos[/url]
Re: account lockout problem with solaris and active directory
> tulanian@gmail.com wrote:
> > I don't know if this is a kerberos problem or not. I've gotten kerberos
> > authentication to work on my Solaris 9 box to an Active Directory
> > domain but we're having problem with account lockouts. The threshold in
> > AD is set to 10 failed login attempts, but a single bad password at the
> > unix login prompt generates a flurry of failed attempts via kerberos,
> > locking the account. Does anyone know why this could be happening?
> Could be PAM is trying more than once, or if you are using OpenSSH, it
> could be trying password authentication, then PAM.
Also there was a bug in the krb5_get_init_creds_password() routine
that made it try twice. It seems to have been fixed somewhere in
the 1.3-ish versions.
John
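The three replies above each name a different multiplier between "one password typed at the prompt" and "one failed AS-REQ seen by AD": the client walking every listed KDC after a pre-auth failure (Jeffrey), the login stack trying the password once per layer such as sshd password authentication and then PAM (Douglas), and an init-creds routine that sends twice (John). The simulation below is an added example, not code from the thread, from MIT krb5 or from Solaris; it models those three multipliers as parameters and counts what a toy AD domain records. The DC names, principal and passwords are constructed. One AD-specific point it builds in: AD keeps a single lockout counter per account, because every DC forwards bad-password attempts to the PDC emulator, so spreading the retries over several DCs does not avoid the lockout.

```python
"""Model how one mistyped password becomes many failed Kerberos AS-REQs.

Added example for the thread above (not code from MIT krb5, Solaris or AD).
The three multipliers are parameters so each reply's hypothesis can be
tried alone or combined.
"""
from dataclasses import dataclass, field

OK = "OK"
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"   # AD's answer to a wrong password
CLIENT_REVOKED = "KDC_ERR_CLIENT_REVOKED"   # AD's answer once the account is locked


@dataclass
class ADDomain:
    """Toy AD domain: several DCs, but ONE lockout counter per account,
    mirroring AD forwarding bad-password attempts to the PDC emulator."""
    dcs: list
    password: str
    lockout_threshold: int = 10
    bad_pwd_count: dict = field(default_factory=dict)
    as_req_log: list = field(default_factory=list)   # (dc, principal) per AS-REQ

    def as_req(self, dc, principal, password):
        assert dc in self.dcs
        self.as_req_log.append((dc, principal))
        count = self.bad_pwd_count.get(principal, 0)
        if count >= self.lockout_threshold:
            return CLIENT_REVOKED              # locked: not counted again
        if password == self.password:
            return OK
        self.bad_pwd_count[principal] = count + 1
        return PREAUTH_FAILED


def get_init_creds(domain, kdcs, principal, password, walk_all_kdcs):
    """One krb5_get_init_creds_password()-style call (simplified).

    walk_all_kdcs=True models Jeffrey's hypothesis: the client cannot tell
    which KDC is authoritative, so after a pre-auth failure it retries the
    same password against every other listed KDC, in case the password was
    just changed and the new key has not replicated yet.
    """
    result = None
    for kdc in kdcs:
        result = domain.as_req(kdc, principal, password)
        if result == OK or not walk_all_kdcs:
            break
    return result


def unix_login(domain, kdcs, principal, password, *,
               walk_all_kdcs=True, auth_layers=1, lib_sends=1):
    """Simulate ONE password typed at the login prompt.

    auth_layers: layers of the login stack that each try the password before
                 giving up (Douglas: sshd password auth, then PAM).
    lib_sends:   sends per init-creds call (John: the double-try bug gives 2).
    Returns (final result, number of AS-REQs this single login produced).
    """
    before = len(domain.as_req_log)
    result = None
    for _ in range(auth_layers):
        for _ in range(lib_sends):
            result = get_init_creds(domain, kdcs, principal, password, walk_all_kdcs)
            if result == OK:
                return result, len(domain.as_req_log) - before
    return result, len(domain.as_req_log) - before


def one_typo(walk_all_kdcs, auth_layers, lib_sends, n_dcs=3, threshold=10):
    """Fresh domain, one mistyped password; report what AD recorded."""
    dcs = [f"dc{i}.example.com" for i in range(1, n_dcs + 1)]   # constructed
    domain = ADDomain(dcs=dcs, password="correct horse", lockout_threshold=threshold)
    principal = "alice@EXAMPLE.COM"                              # constructed
    result, sent = unix_login(domain, dcs, principal, "wrong",
                              walk_all_kdcs=walk_all_kdcs,
                              auth_layers=auth_layers, lib_sends=lib_sends)
    bad = domain.bad_pwd_count.get(principal, 0)
    return {"as_reqs": sent, "bad_pwd_count": bad,
            "locked": bad >= threshold, "last_error": result}


if __name__ == "__main__":
    cases = [
        ("walk all 3 KDCs, sshd+PAM, double send", (True, 2, 2)),
        ("walk all 3 KDCs only",                   (True, 1, 1)),
        ("stop at first pre-auth failure",         (False, 1, 1)),
    ]
    for label, cfg in cases:
        print(f"{label:40s} {one_typo(*cfg)}")
```

With three DCs and all three multipliers active, one typo produces 12 AS-REQs, the tenth trips the threshold and the account is locked before the user has even seen the second password prompt. The same run with the client stopping at the first pre-auth failure and a single login layer records exactly one bad-password attempt, which is what the 10-attempt threshold in AD assumes. To tell the multipliers apart on a real box, count AS-REQs per typed password in a packet capture against each DC rather than reading the AD lockout counter, which only shows the sum.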