Password has expired while getting initial ticket during replication

Greg Hudson ghudson at
Mon Dec 2 14:22:33 EST 2019

On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
> /usr/sbin/kprop: Password has expired while getting initial ticket

At startup, kprop retrieves a TGT for the client principal
host/<kdchostname>@REALM using the keytab.  You can simulate this with
"kinit -k host/<kdchostname>@REALM".

It sounds like this client principal has a password expiry time, which
has elapsed.  If this hypothesis is true, running "getprinc
host/<kdchostname>" within kadmin.local should display:

Password expiration date: <some date in the past>

You can clear this with "modprinc -pwexpire never host/<kdchostname>".

The password expiration time might have been the result of a password
policy (displayed under "Policy:" in the getprinc output).  You might
not want to apply password policies to service principals which use
random keys.

More information about the Kerberos mailing list