Password has expired while getting initial ticket during replication

Stephen Carville (Kerberos List) b44261a2 at
Mon Dec 2 15:23:36 EST 2019

On 12/2/19 11:22 AM, Greg Hudson wrote:

> On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
>> /usr/sbin/kprop: Password has expired while getting initial ticket
> At startup, kprop retrieves a TGT for the client principal
> host/<kdchostname>@REALM using the keytab.  You can simulate this with
> "kinit -k host/<kdchostname>@REALM".
> It sounds like this client principal has a password expiry time, which
> has elapsed.  If this hypothesis is true, running "getprinc
> host/<kdchostname>" within kadmin.local should display:
> Password expiration date: <some date in the past>
> You can clear this with "modprinc -pwexpire never host/<kdchostname>".

That worked. Replication is now working normally. Thank you.

It seems that when I add a key to the keytab file the password 
expiration date for that host is set to somewhen in 1903.  I've never 
noticed that behavior before and it only seems to happen to KDCs.

> The password expiration time might have been the result of a password
> policy (displayed under "Policy:" in the getprinc output).  You might
> not want to apply password policies to service principals which use
> random keys.
> ________________________________________________
> Kerberos mailing list           Kerberos at


More information about the Kerberos mailing list