Problems when using kadmin instead of kadmin.local

Tom Yu tlyu at
Thu Dec 18 09:36:54 EST 2014

Marc Richter <mail at> writes:

> your answer seems to have pointed me into the right direction: It
> seems as if it stands in relation with the very large values I
> assigned:


> Not sure if this has to be classified as a bug or not now
> ... normally, kadmin and kadmin.local should behave the same way, so
> I'd say it is, even though the value I used is stupid, it shouldn't
> lead to that behavior.

I think this is probably a bug; I haven't figured out yet the best way
to fix it because it's due to multiple pieces of code interacting badly.
It might even count as multiple bugs.  One possible source of confusion
is that kadmind reports failure of the XDR functions in the RPC library
as "communication failure".

This failure happens because the pw_max_life field of the policy record
is a long, and xdr_long() gets used to encode the value, but xdr_long()
explicitly checks for a signed 32-bit value.  The long type is 64 bits
on amd64 Linux.  Another contributing factor is that the code that
stores the policy record into the KDB inconsistently uses xdr_u_int32()
instead of xdr_long().

Thanks for the confirmation!

More information about the Kerberos mailing list