Open AdrianVollmer opened 4 years ago
Good point. I can make the error message clearer. Maybe a better implementation of `--safe` would be to check if we get `ERR_CLIENT_REVOKED` a certain number of times in a row (maybe 3? 5?). That would more likely indicate that our current scan is causing these and we're locking accounts out one-by-one.
I noticed that a lot of accounts are reported as locked out, which isn't really possible with a lockout duration of 30 minutes. I checked a few accounts and noticed that they expired months or years ago. This makes the use of `--safe` pretty pointless. I guess the Kerberos error code `ERR_CLIENT_REVOKED` doesn't really tell us why the credentials have been revoked, so there is not much that can be done about this. But it could be mentioned in the console output that the account isn't necessarily locked, but could also be expired (or possibly disabled?).
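The consecutive-count check proposed in the reply, sketched as an added example (not code from this thread or from the project). The `Result` type, `RevokedStreak`, `StopIndex` and the sample sequences are hypothetical names and constructed data; the threshold of 3 is one of the values floated in the reply.

```go
package main

import "fmt"

// Result is a hypothetical per-attempt outcome used only in this example.
type Result int

const (
	OK            Result = iota // credentials accepted
	BadPassword                 // pre-authentication failed
	ClientRevoked               // ERR_CLIENT_REVOKED: locked, expired or disabled
)

// RevokedStreak counts ERR_CLIENT_REVOKED responses received in a row.
type RevokedStreak struct {
	Threshold int
	run       int
}

// Observe records one result and reports whether the scan should stop.
// Any other result resets the streak, so isolated expired or disabled
// accounts in the user list do not trigger the stop.
func (s *RevokedStreak) Observe(r Result) bool {
	if r == ClientRevoked {
		s.run++
	} else {
		s.run = 0
	}
	return s.run >= s.Threshold
}

// StopIndex returns the index of the attempt at which the scan would
// abort, or -1 if the threshold is never reached.
func StopIndex(results []Result, threshold int) int {
	s := &RevokedStreak{Threshold: threshold}
	for i, r := range results {
		if s.Observe(r) {
			return i
		}
	}
	return -1
}

// Constructed sequences: stale accounts scattered through a list versus
// a run of revocations that looks like the scan itself causing lockouts.
var scattered = []Result{BadPassword, ClientRevoked, BadPassword, ClientRevoked, OK, ClientRevoked}
var lockouts = []Result{BadPassword, BadPassword, ClientRevoked, ClientRevoked, ClientRevoked, BadPassword}

func main() {
	fmt.Println(StopIndex(scattered, 3), StopIndex(lockouts, 3))
}
```

A streak alone still cannot tell lockouts from several expired accounts that happen to sit next to each other in the input list, since the error code is the same in both cases.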