kadmin not working after server migration, but kdc works

Greg Hudson ghudson at mit.edu
Wed Sep 21 10:29:57 EDT 2022

On 9/21/22 03:45, Wouter Verhelst wrote:
>         default_principal_expiration = 0

This value is failing to parse as a timestamp.  Removing this line
appears to clear up the config parsing error, and the default should
have the same effect.

I see that the documentation for default_principal_expiration says "The
default value is 0, which means no expiration date."  I see how someone
would get that from the code when writing the documentation, but clearly
the documented default should be something that parses.  (I think you'd
have to write out the beginning of the POSIX time epoch--in local
time--in something like yyyymmddhhmmss format to get this default.)  The
whole concept of default_principal_expiration as an absolute time seems
suspect to me; I have trouble imagining a productive realm configuration
where every new principal by default expires on some particular fixed date.

I don't see any meaningful differences between the current code in this
area and the code going back fifteen years or so.  So I'm not sure how
this broke during a migration.

More information about the Kerberos mailing list