Dump to slave fails; "Password has expired while getting initial ticket"

Yeechang Lee ylee at pobox.com
Sat Sep 17 17:31:01 EDT 2005


Jeffrey Hutzelman wrote:
> >     /usr/kerberos/sbin/kprop: Password has expired while getting
> >     initial ticket
> 
> I believe the principal you're looking for is kprop/fqdn.of.master.kdc

Close; it turned out to be host/fqdn.of.master.kdc at EXAMPLE.COM.

> You should probably arrange for it not to have a password expiration 
> policy.

For others' benefit, here's how I did this:

kadmin: listprincs

    [...]

    host/fqdn.of.master.kdc at EXAMPLE.COM
    host/fqdn.of.slave.kdc at EXAMPLE.COM
    host/another.machine.in.realm at EXAMPLE.COM

    [...]

kadmin: getprinc host/fqdn.of.master.kdc at EXAMPLE.COM

[...]

    Password expiration date: Thu Aug 25 12:30:07 PDT 2005

[...]

kadmin:	modify_principal -pwexpire never host/fqdn.of.master.kdc at EXAMPLE.COM
    Principal "host/fqdn.of.master.kdc at EXAMPLE.COM" modified.

kadmin:	modify_principal -pwexpire never host/fqdn.of.slave.kdc at EXAMPLE.COM
    Principal "host/fqdn.of.slave.kdc at EXAMPLE.COM" modified.

kadmin:	modify_principal -pwexpire never \ 
	host/another.machine.in.realm at EXAMPLE.COM
    Principal "host/another.machine.in.network at EXAMPLE.COM" modified.

I then copied /var/kerberos/krb5kdc/principal from the master to the
slave KDC. Now the database propagation works again.

(I don't know if I only had to turn off password expiration for the
master or slave KDC's host principal, and I surely didn't have to do
so for the third, non-KDC machine in my home network/realm. However, I
figured it made sense to be consistent across the board; after all,
who knows if I'll one day run a slave KDC on the third machine as
well?)

-- 
<URL:http://www.pobox.com/~ylee/>			PERTH ----> *

Homemade 2.8TB RAID 5 storage array:
<URL:http://groups.google.ca/groups?selm=slrnd1g04a.5mt.ylee%40pobox.com>
