Clarify lockout replication issues in docs
In the "KDC replication and account lockout" section of lockout.rst,
specifically call out kprop and incremental propagation as the
mechanisms which do not replicate account lockout state, and add a
note that KDCs using LDAP may not be affected by that section's
concerns.

(cherry picked from commit 8eb9e6f)

ticket: 7773
version_fixed: 1.12
status: resolved
greghudson authored and tlyu committed Nov 20, 2013
1 parent f1399a8 commit 59a811e
Showing 1 changed file with 13 additions and 7 deletions.
20 changes: 13 additions & 7 deletions doc/admin/lockout.rst
Expand Up @@ -95,19 +95,25 @@ This command will reset the number of failed attempts to 0.
KDC replication and account lockout
-----------------------------------

The account lockout state of a principal is not replicated between
KDCs. Because of this, the number of attempts an attacker can make
within a time period is multiplied by the number of KDCs. For
instance, if the **maxfailure** parameter on a policy is 10 and there
are four KDCs in the environment (a master and three slaves), an
attacker could make as many as 40 attempts before the principal is
locked out on all four KDCs.
The account lockout state of a principal is not replicated by either
traditional :ref:`kprop(8)` or incremental propagation. Because of
this, the number of attempts an attacker can make within a time period
is multiplied by the number of KDCs. For instance, if the
**maxfailure** parameter on a policy is 10 and there are four KDCs in
the environment (a master and three slaves), an attacker could make as
many as 40 attempts before the principal is locked out on all four
KDCs.

An administrative unlock is propagated from the master to the slave
KDCs during the next propagation. Propagation of an administrative
unlock will cause the counter of failed attempts on each slave to
reset to 1 on the next failure.

If a KDC environment uses a replication strategy other than kprop or
incremental propagation, such as the LDAP KDB module with multi-master
LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.


KDC performance and account lockout
-----------------------------------
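Review bot: the new closing paragraph of the hunk hedges with "account lockout state may be replicated between KDCs" for the LDAP KDB module with multi-master LDAP replication, but an administrator choosing a **maxfailure** value needs a definite statement; either say what the LDAP module actually does with the lockout attributes or say plainly that it has not been verified. The same paragraph also sits directly after the administrative-unlock paragraph ("propagated from the master to the slave KDCs during the next propagation", "reset to 1 on the next failure"), which is just as specific to kprop and incremental propagation as the rewritten first paragraph, so "the concerns of this section may not apply" should say explicitly that both preceding paragraphs are meant. Finally, the four-KDC, 40-attempt example would be sharper if it stated its precondition, namely that the attacker can direct requests to each KDC individually, since that is what makes the per-KDC counters add up.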
