Problems when using kadmin instead of kadmin.local

Marc Richter mail at marc-richter.info
Thu Dec 18 05:36:34 EST 2014


Hi Tom,

your answer seems to have pointed me in the right direction: it seems 
to be related to the very large values I assigned:

kadmin:  get_policy admin
Policy: admin
Maximum password life: 2592000
Minimum password life: 86400
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 10
Reference count: 0
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin:  modify_policy -maxlife 36500days -minlife 1day -minlength 12 -minclasses 3 -history 30 admin
modify_policy: Communication failure with server while modifying policy "admin".
kadmin:  modify_policy -maxlife 31days -minlife 1day -minlength 12 -minclasses 3 -history 30 admin
kadmin:

Thank you for pointing me to that!
The OS running is Debian amd64 x86_64, so yeah: 64-bit platform.

When I was playing around with the possible policy features, I searched 
for a value like "forever" for '-maxlife'. Since I didn't find one, I 
set 100 years instead (36500days). It hadn't occurred to me that I could 
set it to '0' or leave it out completely to achieve that.
I'm not sure whether this has to be classified as a bug now ... normally, 
kadmin and kadmin.local should behave the same way, so I'd say it is; 
even though the value I used is stupid, it shouldn't lead to that behavior.

Thanks for your help!

On 17.12.2014 at 20:32, Tom Yu wrote:
> Marc Richter <mail at marc-richter.info> writes:
>
>> root at deb-krb:/etc# kadmin.local -m -p user/admin at EXAMPLE.COM
>> Authenticating as principal user/admin at EXAMPLE.COM with password.
>> Enter KDC database master key:
>> kadmin.local:  get_policy admin
>> Policy: admin
>> Maximum password life: 3153600000
>
> Do you get a failure when attempting to do any remote kadmin operation
> that doesn't involve setting or retrieving a password life that is
> greater than 2**31?  Also, is this a 64-bit platform?
>
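The thread above turns on one number: 36500 days is 3153600000 seconds, which does not fit in a signed 32-bit integer (2**31 - 1 = 2147483647), while 31 days does. The following is an added example, not code from the thread or from MIT krb5, that parses kadmin-style duration strings and flags any duration-valued modify_policy option whose value would overflow 32 bits before the command is sent to a remote kadmind. Assumptions: the accepted duration spellings are modelled only on the forms seen in the thread ("36500days", "31days", "1day", a bare number of seconds) plus obvious singular/plural variants, not kadmin's full getdate grammar; the option names -maxlife, -minlife, -failurecountinterval and -lockoutduration are taken from the kadmin documentation, not from the thread; and the 32-bit wrap-around shown by as_int32 illustrates the overflow, it is not a claim about what kadmind does internally.

```python
# Added example (not part of the mailing-list thread or of MIT krb5):
# pre-check kadmin password-policy lifetimes against the signed 32-bit range.
import re

INT32_MAX = 2**31 - 1  # largest value a signed 32-bit integer can hold

# Unit multipliers in seconds. Assumption: an illustrative subset modelled on
# the spellings in the thread; real kadmin accepts a richer getdate grammar.
_UNITS = {
    "second": 1, "seconds": 1, "sec": 1, "secs": 1, "s": 1,
    "minute": 60, "minutes": 60, "min": 60, "mins": 60, "m": 60,
    "hour": 3600, "hours": 3600, "h": 3600,
    "day": 86400, "days": 86400, "d": 86400,
}

_TOKEN = re.compile(r"(\d+)([a-zA-Z]*)")

# modify_policy options that take a duration (per the kadmin man page; assumed,
# not taken from the thread).
DURATION_OPTIONS = {"-maxlife", "-minlife",
                    "-failurecountinterval", "-lockoutduration"}


def parse_lifetime(text: str) -> int:
    """Convert a duration such as '36500days', '1day' or '86400' to seconds.

    A bare number is taken as seconds, which is how kadmin prints lifetimes
    in get_policy output. Raises ValueError on anything it cannot parse.
    """
    compact = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"(?:\d+[a-zA-Z]*)+", compact):
        raise ValueError(f"cannot parse duration {text!r}")
    total = 0
    for number, unit in _TOKEN.findall(compact):
        unit = unit.lower() or "seconds"
        if unit not in _UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(number) * _UNITS[unit]
    return total


def fits_int32(seconds: int) -> bool:
    """True if the value survives a signed 32-bit encoding unchanged."""
    return 0 <= seconds <= INT32_MAX


def as_int32(value: int) -> int:
    """What the value becomes when truncated to a signed 32-bit integer.

    Illustrates the overflow only; kadmind's actual handling is not modelled.
    """
    v = value & 0xFFFFFFFF
    return v - 2**32 if v >= 2**31 else v


def find_overflowing_durations(argv):
    """Scan modify_policy/add_policy arguments (option list plus policy name)
    and return (option, value, seconds) for every duration that does not fit
    in a signed 32-bit integer. The trailing policy name is never parsed."""
    problems = []
    i = 0
    while i < len(argv) - 1:
        opt = argv[i]
        if opt in DURATION_OPTIONS:
            seconds = parse_lifetime(argv[i + 1])
            if not fits_int32(seconds):
                problems.append((opt, argv[i + 1], seconds))
            i += 2
        else:
            i += 1
    return problems


if __name__ == "__main__":
    # The two command lines from the thread, as argument lists.
    failing = ["-maxlife", "36500days", "-minlife", "1day", "-minlength", "12",
               "-minclasses", "3", "-history", "30", "admin"]
    working = ["-maxlife", "31days", "-minlife", "1day", "-minlength", "12",
               "-minclasses", "3", "-history", "30", "admin"]
    for args in (failing, working):
        for opt, raw, secs in find_overflowing_durations(args):
            print(f"{opt} {raw} = {secs} s exceeds INT32_MAX; "
                  f"as int32 it would read {as_int32(secs)}")
    print("done")
```

Running the script reports the 36500days case (3153600000 s, which wraps to -1141367296 as a 32-bit value) and stays silent for the 31days case, matching the two outcomes seen in the kadmin session above.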


More information about the Kerberos mailing list