Password has expired while getting initial ticket during replication

Greg Hudson ghudson at mit.edu
Mon Dec 2 15:58:39 EST 2019


On 12/2/19 3:23 PM, Stephen Carville (Kerberos List) wrote:
> It seems that when I add a key to the keytab file the password 
> expiration date for that host is set to somewhen in 1903.  I've never 
> noticed that behavior before and it only seems to happen to KDCs.

I would guess that these principal entries have a policy object
associated with them (as displayed in the Policy field of the getprinc
output), and that the policy (display with "getpol <policyname>") has a
maximum password life of 20 years, likely because whoever set it up
didn't really want a maximum password life but didn't know how to
disable it ("modpol -maxlife 0 <policyname>", or 'modpol -maxlife "0
seconds" <policyname>' for releases before 1.15).

When 20 years is added to the current time, the result is a timestamp
later than the 32-bit signed overflow point in January 2038.  Release
1.16 and later can handle timestamps past that point (up until the year
2106) on 64-bit platforms, but earlier releases wrap around to
historical dates.


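A worked illustration of the overflow Greg describes, added here as an example rather than taken from the thread or from the MIT krb5 sources. It assumes the 20-year maximum life is applied as a calendar offset to the current date, and it models the 1.16+ behaviour on 64-bit platforms as reading the same 32-bit field as unsigned (which is what yields the 2106 limit); both are assumptions for illustration, not statements about the kadmin implementation. The reference time is the timestamp of the reply above, converted to UTC.

```python
"""Added example (not MIT krb5 code): why a 20-year password max life wraps to 1903
when a principal's expiration timestamp is stored in a signed 32-bit field.

Assumptions (not from the thread): the 20 years are a calendar offset on the
current date, and the 1.16+ behaviour is modelled as reading the same 32-bit
field as unsigned, which is what gives the 2106 limit.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Timestamp of the reply above (Mon Dec 2 15:58:39 EST 2019), converted to UTC.
POST_TIME = datetime(2019, 12, 2, 20, 58, 39, tzinfo=timezone.utc)

# Latest instant representable under each interpretation of a 32-bit field.
INT32_MAX_DATE = EPOCH + timedelta(seconds=2**31 - 1)   # 2038-01-19 03:14:07 UTC
UINT32_MAX_DATE = EPOCH + timedelta(seconds=2**32 - 1)  # 2106-02-07 06:28:15 UTC


def to_epoch(when: datetime) -> int:
    """Seconds since the Unix epoch for a timezone-aware datetime."""
    return int((when - EPOCH).total_seconds())


def from_epoch(seconds: int) -> datetime:
    """Inverse of to_epoch; works for negative (pre-1970) values on any platform."""
    return EPOCH + timedelta(seconds=seconds)


def wrap_int32(seconds: int) -> int:
    """Store a timestamp in a signed 32-bit field: values past 2**31-1 go negative."""
    return ((seconds + 2**31) % 2**32) - 2**31


def wrap_uint32(seconds: int) -> int:
    """Store the same field but read it back unsigned, which is good until 2106."""
    return seconds % 2**32


def add_years(when: datetime, years: int) -> datetime:
    """Calendar offset of `years` (assumption); 29 Feb falls back to 28 Feb."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def password_expiration(now: datetime, maxlife_years: int, wide: bool) -> Optional[datetime]:
    """Expiration date a KDC would record for a policy with the given max life.

    maxlife 0 means "no maximum", so no expiration is set at all.
    wide=False models the pre-1.16 signed 32-bit field; wide=True models the
    1.16+ handling on 64-bit platforms (assumed here to act like an unsigned field).
    """
    if maxlife_years == 0:
        return None
    raw = to_epoch(add_years(now, maxlife_years))
    stored = wrap_uint32(raw) if wide else wrap_int32(raw)
    return from_epoch(stored)


def overflows_int32(now: datetime, maxlife_years: int) -> bool:
    """True when now + maxlife lands past January 2038 and will wrap on old releases."""
    return maxlife_years != 0 and to_epoch(add_years(now, maxlife_years)) > 2**31 - 1


if __name__ == "__main__":
    for years in (10, 18, 20):
        old = password_expiration(POST_TIME, years, wide=False)
        new = password_expiration(POST_TIME, years, wide=True)
        print(f"maxlife {years:2d}y: pre-1.16 shows {old:%Y-%m-%d}, "
              f"1.16+ shows {new:%Y-%m-%d}, overflow={overflows_int32(POST_TIME, years)}")
    print("maxlife 0:", password_expiration(POST_TIME, 0, wide=False))
```

Running it shows that an 18-year maximum life from December 2019 still fits (December 2037), while 20 years lands in December 2039, past the signed 32-bit limit, and reads back as late October 1903 on a release that wraps; the same stored value read as unsigned gives the intended 2039 date. A maximum life of 0 sets no expiration at all, which is the fix the reply recommends.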