Password has expired while getting initial ticket during replication
Stephen Carville (Kerberos List)
b44261a2 at opayq.com
Mon Dec 2 15:23:36 EST 2019
On 12/2/19 11:22 AM, Greg Hudson wrote:
> On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
>> /usr/sbin/kprop: Password has expired while getting initial ticket
>
> At startup, kprop retrieves a TGT for the client principal
> host/<kdchostname>@REALM using the keytab. You can simulate this with
> "kinit -k host/<kdchostname>@REALM".
>
> It sounds like this client principal has a password expiry time, which
> has elapsed. If this hypothesis is true, running "getprinc
> host/<kdchostname>" within kadmin.local should display:
>
> Password expiration date: <some date in the past>
>
> You can clear this with "modprinc -pwexpire never host/<kdchostname>".
That worked. Replication is now working normally. Thank you.
It seems that when I add a key to the keytab file the password
expiration date for that host is set to somewhen in 1903. I've never
noticed that behavior before and it only seems to happen to KDCs.
> The password expiration time might have been the result of a password
> policy (displayed under "Policy:" in the getprinc output). You might
> not want to apply password policies to service principals which use
> random keys.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Stephen
More information about the Kerberos
mailing list