account lockout problem with solaris and active directory - Kerberos



Thread: account lockout problem with solaris and active directory

  1. account lockout problem with solaris and active directory

    I don't know if this is a kerberos problem or not. I've gotten kerberos
    authentication to work on my Solaris 9 box to an Active Directory
    domain but we're having a problem with account lockouts. The threshold in
    AD is set to 10 failed login attempts, but a single bad password at the
    unix login prompt generates a flurry of failed attempts via kerberos,
    locking the account. Does anyone know why this could be happening?


  2. Re: account lockout problem with solaris and active directory

    tulanian@gmail.com wrote:
    > I don't know if this is a kerberos problem or not. I've gotten kerberos
    > authentication to work on my Solaris 9 box to an Active Directory
    > domain but we're having a problem with account lockouts. The threshold in
    > AD is set to 10 failed login attempts, but a single bad password at the
    > unix login prompt generates a flurry of failed attempts via kerberos,
    > locking the account. Does anyone know why this could be happening?


    There are several possibilities that I can think of off the top
    of my head. The most likely is that Solaris doesn't know that
    Microsoft AD is a multi-master implementation and it doesn't know
    which of the KDCs is the master, therefore when it attempts to
    authenticate the user it tries all of the listed KDCs in turn
    just in case the user has changed the password and the new keys
    have not been propagated to the replicas.

    If you can better describe the message exchanges I could provide
    you a more accurate response.

    Jeffrey Altman

  3. Re: account lockout problem with solaris and active directory



    tulanian@gmail.com wrote:

    > I don't know if this is a kerberos problem or not. I've gotten kerberos
    > authentication to work on my Solaris 9 box to an Active Directory
    > domain but we're having a problem with account lockouts. The threshold in
    > AD is set to 10 failed login attempts, but a single bad password at the
    > unix login prompt generates a flurry of failed attempts via kerberos,
    > locking the account. Does anyone know why this could be happening?



    Could be PAM is trying more than once, or if you are using openssh, it
    could be trying Password authentication, then PAM.

    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  4. Re: account lockout problem with solaris and active directory



    > tulanian@gmail.com wrote:
    > > I don't know if this is a kerberos problem or not. I've gotten kerberos
    > > authentication to work on my Solaris 9 box to an Active Directory
    > > domain but we're having a problem with account lockouts. The threshold in
    > > AD is set to 10 failed login attempts, but a single bad password at the
    > > unix login prompt generates a flurry of failed attempts via kerberos,
    > > locking the account. Does anyone know why this could be happening?


    > Could be PAM is trying more than once, or if you are using openssh, it
    > could be trying Password authentication, then PAM.


    Also there was a bug in the krb5_get_init_creds_password() routine
    that made it try twice. It seems to have been fixed somewhere in
    the 1.3-ish versions.

    John
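
An added example, not written by any poster in this thread: a way to tell the explanations above apart from the failure records themselves, by grouping each principal's failed attempts into bursts and checking whether a burst spreads across several KDCs or repeats against one. The event tuples are constructed sample data in a hypothetical layout (not a real KDC or Windows log format), and the lockout estimate assumes every failure in a burst counts toward the AD threshold of 10.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 10  # AD threshold stated in the thread

# Constructed sample: (seconds, principal, KDC that recorded the failure).
# Hypothetical layout; these are the fields you would extract from DC logs.
SAMPLE = [
    (100, "alice", "dc1"), (100, "alice", "dc2"), (101, "alice", "dc3"),
    (101, "alice", "dc1"), (102, "alice", "dc2"), (102, "alice", "dc3"),
    (400, "bob", "dc1"), (401, "bob", "dc1"),
    (900, "carol", "dc2"),
]

def find_bursts(events, window=5):
    """Split each principal's failures into bursts: runs with gaps <= window seconds."""
    by_user = defaultdict(list)
    for ts, user, kdc in sorted(events):
        by_user[user].append((ts, kdc))
    bursts = []
    for user, items in by_user.items():
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= window:
                run.append(cur)
            else:
                bursts.append((user, run))
                run = [cur]
        bursts.append((user, run))
    return bursts

def describe(user, run):
    """Summarise one burst and note which explanation from the thread it fits."""
    per_kdc = Counter(kdc for _, kdc in run)
    fanout, repeats = len(per_kdc), max(per_kdc.values())
    causes = []
    if fanout > 1:
        causes.append("same password tried against several KDCs")
    if repeats > 1:
        causes.append("repeated tries against one KDC (PAM/sshd or library retry)")
    return {
        "user": user, "failures": len(run), "kdcs": fanout,
        "max_per_kdc": repeats, "causes": causes,
        # Assumption: every failure counts; ceiling of threshold / burst size.
        "bad_logins_to_lockout": -(-LOCKOUT_THRESHOLD // len(run)),
    }

def report(events=SAMPLE):
    return [describe(user, run) for user, run in find_bursts(events)]

if __name__ == "__main__":
    for row in report():
        print(row)
```

A burst with `kdcs` greater than 1 points at the client walking its KDC list; `max_per_kdc` greater than 1 points at a retry in PAM, sshd or the Kerberos library.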

