Annoying password expiry messages.
Greg Hudson
ghudson at MIT.EDU
Mon Mar 5 12:27:58 EST 2012
On 03/05/2012 06:16 AM, Mark Davies wrote:
> Principal expires: 2012-12-02 10:59:59 UTC
> Password expires: never
> Warning: Your password will expire in less than one hour on Thu Jan 1
> 12:00:00 1970
That's a bug introduced in MIT krb5 1.9. I'm fixing it now and marking
it for pullup to 1.9 and 1.10.
> Principal expires: 2012-12-02 10:59:59 UTC
> Password expires: 2012-12-01 00:00:00 UTC
> Warning: Your password will expire in 270 days on Sat Dec 1 13:00:00 2012
This is controllable with the kdc_warn_expire option in the [kdc]
section of your KCS's krb5.conf (if I read the Heimdal code correctly),
but if you were to turn it off, you'd just run into the aforementioned bug.
> We don't see these warnings on our other systems. Any idea whats
> causing them and how to shut them up?
Unfortunately, I think your options for shutting them up aren't great:
(1) Avoid the use of principal expiry times
(2) Patch your KDC not to send principal expiry times in AS replies
(3) Deploy the MIT krb5 fix to your client systems
I can send a patch for (2) or (3) if you decide to go that route. (3)
should happen by itself eventually as the fix makes its way through the
pipeline, of course.
More information about the Kerberos
mailing list