Password has expired while getting initial ticket during replication

Stephen Carville (Kerberos List) b44261a2 at
Tue Dec 3 15:53:45 EST 2019

On 12/2/19 12:58 PM, Greg Hudson wrote:
> Lereta Email Checkpoint: External email. Please make sure you trust this source before clicking links or opening attachments.
> **********************************************************************
> On 12/2/19 3:23 PM, Stephen Carville (Kerberos List) wrote:
>> It seems that when I add a key to the keytab file the password
>> expiration date for that host is set to somewhen in 1903.  I've never
>> noticed that behavior before and it only seems to happen to KDCs.
> I would guess that these principal entries have a policy object
> associated with them (as displayed in the Policy field of the getprinc
> output), and that the policy (display with "getpol <policyname>") has a
> maximum password life of 20 years, likely because whoever set it up
> didn't really want a maximum password life but didn't know how to
> disable it ("modpol -maxlife 0 <policyname>", or 'modpol -maxlife "0
> seconds" <policyname>' for releases before 1.15).

You guessed right.  I had the policy -maxlife on host policy set to 
+7305 days.  It never occurred to me that the timestamp would be 32 bit 
instead of 64 bit.  It is fixed now.

Thank you again.

> When 20 years is added to the current time, the result is a timestamp
> later than the 32-bit signed overflow point in January 2038.  Release
> 1.16 and later can handle timestamps past that point (up until the year
> 2106) on 64-bit platforms, but earlier releases wrap around to
> historical dates.
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list