[OpenAFS] Account never locked from Windows OpenAFS client
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 27 Apr 2005 17:02:08 -0400
On Wednesday, April 27, 2005 04:18:18 PM -0400 Jeffrey Altman
<jaltman@columbia.edu> wrote:
> Raghu S wrote:
>
>> Thanks for the response.
>>
>> We are not using IBM Kerberos. We are just using kaserver authentication.
>> Server (1.2.11) installed on Redhat 3. Windows clients use OpenAFS
>> client 1.3.77 to connect to their file space. The maximum consecutive
>> unsuccessful authentications value is ineffective for Windows users.
>>
>> Do we have to install MIT Kerberos to resolve this? Do we have to
>> consider using MIT Kerberos because kaserver is going to be discontinued in
>> the near future?
>>
>> Thanks
>> Raghu
>
> The OpenAFS for Windows authentication to kaserver uses IBM's
> implementation of Kerberos 4 over UDP. It does not use the kauth (krb4
> over rx) implementation.
The key thing here is that the kaserver speaks both straight krb4 and an
AFS-specific rx-based authentication protocol. While UNIX clients use the
AFS-specific protocol, Windows clients speak essentially unmodified krb4 to
the kaserver.
Unfortunately, due to the design of the Kerberos v4 protocol, the kaserver
is unable to tell when clients authenticating using krb4 fail because of a
bad password. Thus, it cannot update the failed-authentication counter in
the authentication database or lock out accounts with too many failed
authentications.
-- Jeff
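The protocol property Jeff describes can be seen in a small simulation. The following Python is an added example written for this archive page; it is not code from the thread, from OpenAFS, or from the kaserver. It models two KDCs with toy cryptography (SHA-256 string-to-key, XOR stream plus HMAC instead of DES): a krb4-style KDC that returns a response sealed under the user's password key without first requiring any proof that the requester knows the password, and a loosely modelled rx-style KDC (an assumption, not the real kauth wire protocol) that requires the client to send something sealed under its key before issuing a ticket. Only the second KDC ever observes a wrong password, so only it can maintain a failed-authentication counter and lock the account. The user name, password and lockout threshold are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy accounts for the simulation (not real kaserver data).
USERS = {"raghu": "correct-horse"}
# Stand-in for kaserver's "maximum consecutive unsuccessful authentications".
MAX_FAILURES = 3


def derive_key(password: str) -> bytes:
    """Toy string-to-key: SHA-256 of the password (krb4 used DES; simplified here)."""
    return hashlib.sha256(password.encode()).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: XOR with a hash-derived stream (<=32 bytes of
    plaintext), then an HMAC over nonce and ciphertext so a wrong key is detectable."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (MAC mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class Krb4StyleKdc:
    """Models the krb4 AS exchange: the KDC hands back a response sealed under the
    user's password-derived key without checking that the requester knows it."""

    def __init__(self, users):
        self.keys = {u: derive_key(p) for u, p in users.items()}
        self.failed = {u: 0 for u in users}  # never has an event to increment on

    def request_ticket(self, user: str) -> bytes:
        session_key = os.urandom(16)
        # Nothing in the request proves knowledge of the password, so the server
        # cannot tell a wrong-password attempt from a successful one.
        return seal(self.keys[user], session_key)


def krb4_client_login(kdc: Krb4StyleKdc, user: str, password: str) -> bool:
    blob = kdc.request_ticket(user)
    # Only the client learns whether its password was right.
    return unseal(derive_key(password), blob) is not None


class RxStyleKdc:
    """Loose model (assumption, not the real kauth protocol): the client must send
    a request sealed under its password key before a ticket is issued, so the
    server sees every wrong key and can count and lock."""

    def __init__(self, users, max_failures: int = MAX_FAILURES):
        self.keys = {u: derive_key(p) for u, p in users.items()}
        self.failed = {u: 0 for u in users}
        self.locked = {u: False for u in users}
        self.max_failures = max_failures

    def authenticate(self, user: str, proof: bytes) -> Optional[bytes]:
        if self.locked[user]:
            return None
        if unseal(self.keys[user], proof) != b"login-request":
            self.failed[user] += 1  # the failure is visible server-side here
            if self.failed[user] >= self.max_failures:
                self.locked[user] = True
            return None
        self.failed[user] = 0
        return seal(self.keys[user], os.urandom(16))


def rx_client_login(kdc: RxStyleKdc, user: str, password: str) -> bool:
    proof = seal(derive_key(password), b"login-request")
    return kdc.authenticate(user, proof) is not None


def run_scenario(wrong_attempts: int = MAX_FAILURES) -> dict:
    """Run the same sequence of wrong-password attempts against both KDC models,
    then try the correct password once against each."""
    krb4, rx = Krb4StyleKdc(USERS), RxStyleKdc(USERS)
    for _ in range(wrong_attempts):
        krb4_client_login(krb4, "raghu", "wrong-password")
        rx_client_login(rx, "raghu", "wrong-password")
    return {
        "krb4_failed_counter": krb4.failed["raghu"],
        "rx_failed_counter": rx.failed["raghu"],
        "rx_locked": rx.locked["raghu"],
        "krb4_correct_after": krb4_client_login(krb4, "raghu", "correct-horse"),
        "rx_correct_after": rx_client_login(rx, "raghu", "correct-horse"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the krb4-style counter staying at zero after the same wrong-password attempts that drive the rx-style counter to the threshold and lock the account, which is the behaviour the thread reports for Windows clients talking plain krb4 to the kaserver.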