Password has expired while getting initial ticket during replication

Greg Hudson ghudson at
Mon Dec 2 15:58:39 EST 2019

On 12/2/19 3:23 PM, Stephen Carville (Kerberos List) wrote:
> It seems that when I add a key to the keytab file the password 
> expiration date for that host is set to somewhen in 1903.  I've never 
> noticed that behavior before and it only seems to happen to KDCs.

I would guess that these principal entries have a policy object
associated with them (as displayed in the Policy field of the getprinc
output), and that the policy (display with "getpol <policyname>") has a
maximum password life of 20 years, likely because whoever set it up
didn't really want a maximum password life but didn't know how to
disable it ("modpol -maxlife 0 <policyname>", or 'modpol -maxlife "0
seconds" <policyname>' for releases before 1.15).

When 20 years is added to the current time, the result is a timestamp
later than the 32-bit signed overflow point in January 2038.  Release
1.16 and later can handle timestamps past that point (up until the year
2106) on 64-bit platforms, but earlier releases wrap around to
historical dates.

More information about the Kerberos mailing list