Hi all, Thanks for your thoughtful replies and suggestions.
It appears that we can use the REQUIRES_PRE_AUTH attribute without also recompiling Kerberos with "--with-kdc-kdb-update". This changes logging of user login attempts; when first attempting login there is a log entry which includes "Additional pre-authentication required" * Successful user login creates an additional "AS_REQ" log entry. * Failed user login creates an additional log entry which includes "PREAUTH_FAILED". This solves part of our problem. Now we can tell the difference between successful and failed logins. I have only tested this in a very small dev environment. Please let me know if I have missed something. On Wed, Jan 20, 2010 at 6:47 AM, Ken Raeburn <[email protected]> wrote: > On Jan 20, 2010, at 09:15, John Hascall wrote: >> Ah yes, I'd forgotten that. >> so: >> 1a) I would use an incremental propagation technique. > Thanks, -- Steve Glasser [email protected] ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
