Password has expired while getting initial ticket during replication
Greg Hudson
ghudson at mit.edu
Mon Dec 2 14:22:33 EST 2019
On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
> /usr/sbin/kprop: Password has expired while getting initial ticket
At startup, kprop retrieves a TGT for the client principal
host/<kdchostname>@REALM using the keytab. You can simulate this with
"kinit -k host/<kdchostname>@REALM".

It sounds like this client principal has a password expiry time, which
has elapsed. If this hypothesis is true, running "getprinc
host/<kdchostname>" within kadmin.local should display:

    Password expiration date: <some date in the past>

You can clear this with "modprinc -pwexpire never host/<kdchostname>".

The password expiration time might have been the result of a password
policy (displayed under "Policy:" in the getprinc output). You might
not want to apply password policies to service principals which use
random keys.
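
The check described in the message above, as an added example that is not part of the original post: shell helpers that read `getprinc` output and report whether the password expiration date has passed and which policy is attached. The helper names and the sample output are constructed here, and GNU `date` is assumed for timestamp parsing.

```shell
#!/usr/bin/env bash
# Added example. Helper names and SAMPLE_EXPIRED are constructed, not from the post.
# Live use on the KDC (principal name is a placeholder):
#   kadmin.local -q "getprinc host/<kdchostname>" | \
#       check_principal "host/<kdchostname>" "$(date +%s)"

# Reads getprinc output on stdin; $1 is "now" in epoch seconds.
# Prints one of: never | expired | valid | unknown
pwexpire_status() {
    local now="$1" line value epoch
    line=$(grep -m1 '^Password expiration date:') || { echo unknown; return 0; }
    value=${line#Password expiration date: }
    case "$value" in
        '[never]'|'[none]') echo never; return 0 ;;
    esac
    # Assumption: GNU date can parse the timestamp format kadmin prints.
    epoch=$(date -d "$value" +%s 2>/dev/null) || { echo unknown; return 0; }
    if [ "$epoch" -le "$now" ]; then echo expired; else echo valid; fi
}

# Reads getprinc output on stdin; prints the policy name, or nothing if unset.
policy_name() {
    sed -n 's/^Policy: //p' | grep -v '^\[none\]$' | head -n1
}

# One-line finding per principal: expiry state plus the policy that may have set it.
check_principal() {
    local princ="$1" now="$2" out status policy
    out=$(cat)
    status=$(printf '%s\n' "$out" | pwexpire_status "$now")
    policy=$(printf '%s\n' "$out" | policy_name)
    echo "$princ pwexpire=$status policy=${policy:-none}"
}

# Constructed sample of getprinc output for a host principal under a policy.
SAMPLE_EXPIRED='Principal: host/kdc1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Sep 02 14:22:33 UTC 2019
Password expiration date: Sun Dec 01 14:22:33 UTC 2019
Policy: default'

printf '%s\n' "$SAMPLE_EXPIRED" | check_principal 'host/kdc1.example.com' "$(date +%s)"
```

A result of `pwexpire=expired` together with a non-empty policy matches the situation the message describes for the kprop client principal.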