authorGreg Hudson <ghudson@mit.edu>2010-10-05 14:53:09 +0000
committerGreg Hudson <ghudson@mit.edu>2010-10-05 14:53:09 +0000
commit96f2a016991c199be477b6abd48824ec1cb6641f (patch)
treec1d70a4b27bf8befad040b06c4831e842506fd51 /src/plugins/kdb/db2
parent0ce5cb2e9dc040f35a91bca8dcad68d10ed7ea8a (diff)
Propagate modprinc -unlock from master to slave KDCs
Create a new tl-data type to hold the time of the last administrative unlock, and factor it into decisions about account lockout. Since tl-data values are propagated from master to slave, this will cause modprinc -unlock operations to reach slave KDCs on the next propagation. ticket: 6795 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24424 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/db2')
-rw-r--r--src/plugins/kdb/db2/lockout.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
index 3ba53d214..b47361124 100644
--- a/src/plugins/kdb/db2/lockout.c
+++ b/src/plugins/kdb/db2/lockout.c
@@ -100,6 +100,13 @@ locked_check_p(krb5_context context,
krb5_timestamp lockout_duration,
krb5_db_entry *entry)
{
+ krb5_timestamp unlock_time;
+
+ /* If the entry was unlocked since the last failure, it's not locked. */
+ if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
+ entry->last_failed <= unlock_time)
+ return FALSE;
+
if (max_fail == 0 || entry->fail_auth_count < max_fail)
return FALSE;
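Review bot: The early return added at the top of locked_check_p treats the tie `entry->last_failed == unlock_time` as "unlocked", so with krb5_timestamp's one-second resolution any failures recorded during the same second as the administrative unlock are not counted against the lockout at all (assuming the audit path stamps last_failed with the same second-granularity clock, which is outside this hunk). The alternative, a strict `<`, would instead make an unlock ineffective when the last pre-unlock failure landed in the unlock second, so the tie rule is a deliberate trade-off and the comment should say so, e.g. `/* Ties (same second) count as unlocked, so failures in the unlock second are not rate-limited; an unlock in the second of the last failure still takes effect. */`. Separately, krb5_timestamp is a 32-bit quantity (signed at this revision, as far as I can tell), so a plain `<=` is not wraparound-safe past 2038; if the codebase has or gains a timestamp-ordering helper, this comparison and its twin in krb5_db2_lockout_audit should use it. locked_check_p's body continues past the hunk.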
@@ -147,6 +154,7 @@ krb5_db2_lockout_audit(krb5_context context,
krb5_deltat lockout_duration = 0;
krb5_db2_context *db_ctx = context->dal_handle->db_context;
krb5_boolean need_update = FALSE;
+ krb5_timestamp unlock_time;
switch (status) {
case 0:
@@ -182,6 +190,13 @@ krb5_db2_lockout_audit(krb5_context context,
} else if (!db_ctx->disable_lockout &&
(status == KRB5KDC_ERR_PREAUTH_FAILED ||
status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
+ if (krb5_dbe_lookup_last_admin_unlock(context, entry,
+ &unlock_time) == 0 &&
+ entry->last_failed <= unlock_time) {
+ /* Reset fail_auth_count after administrative unlock. */
+ entry->fail_auth_count = 0;
+ }
+
if (failcnt_interval != 0 &&
stamp > entry->last_failed + failcnt_interval) {
/* Reset fail_auth_count after failcnt_interval. */
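Review bot: The lookup-and-compare block added at the start of the PREAUTH_FAILED/BAD_INTEGRITY branch duplicates, line for line, the test this commit adds to locked_check_p, and the two copies must stay in sync: the same `<=` tie rule decides both whether the entry is reported locked and whether its counter is reset, so a later tweak to one without the other would silently desynchronise lock state from the counter. A single static predicate keeps one definition, and its comment is the natural place to document the tie semantics. The helper below replaces the inline check here; the call in locked_check_p would change the same way. krb5_db2_lockout_audit's body continues past the hunk, so I cannot see where last_failed and fail_auth_count are subsequently updated.
```c
/* Return TRUE if the entry was administratively unlocked at or after its
 * last failed authentication (a tie in the same second counts as unlocked). */
static krb5_boolean
unlocked_since_last_failure(krb5_context context, krb5_db_entry *entry)
{
    krb5_timestamp unlock_time;

    return (krb5_dbe_lookup_last_admin_unlock(context, entry,
                                              &unlock_time) == 0 &&
            entry->last_failed <= unlock_time);
}

/* … unchanged: krb5_db2_lockout_audit up to the preauth-failure branch … */
    } else if (!db_ctx->disable_lockout &&
               (status == KRB5KDC_ERR_PREAUTH_FAILED ||
                status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
        if (unlocked_since_last_failure(context, entry)) {
            /* Reset fail_auth_count after administrative unlock. */
            entry->fail_auth_count = 0;
        }
        /* … unchanged: failcnt_interval reset … */
```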