[krbdev.mit.edu #9177] Password expiry date shown as 2100
Jonathan Neuhauser via RT
rt-comment at kerborg-prod-app-1.mit.edu
Mon Jul 7 12:07:32 EDT 2025
Mon Jul 07 12:07:32 2025: Request 9177 was acted upon.
Transaction: Ticket created by jonathan.neuhauser at kit.edu
Queue: krb5
Subject: Password expiry date shown as 2100
Owner: Nobody
Requestors: jonathan.neuhauser at kit.edu
Status: new
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9177 >
Dear KRB5 team,
I'm running MIT KRB5 on Ubuntu 24.04. The server is joined to an AD
domain with "net ads join" (winbind).
> apt list --installed | grep krb5-user
krb5-user/noble-updates,noble-security,now 1.20.1-6ubuntu2.6 amd64 [installiert]
> cat /etc/krb5.conf
[libdefaults]
    default_realm = KIT.EDU
    kdc_timesync = 1
    ccache_type = 4
    forward = true
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_ccache_name = FILE:/tmp/krb5cc_%{euid}
[appdefaults]
    pam = {
        ccache = FILE:/tmp/krb5cc_%u
        ccname_template = FILE:%d/krb5cc_%U
    }
When I do
> kinit
and enter my password, I'm greeted with the message
Warning: Your password will expire in less than one hour on Tue Sep 14 04:48:05 2100
but apart from that everything (mostly) works.
Looking on a Windows host, and doing
> net user <account> /domain
I see:
Password last set            29.04.2021 04:02:36
Password expires             Never
Password changeable          29.04.2021 04:02:36
Password required            Yes
So I don't think I should be getting that message. At the very least,
this might be an integer overflow in
https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L1518.
Best regards
Jonathan Neuhauser
PS: Setting a default ccache name was an attempt to fix autofs, where
cifs.upcall doesn't find the (randomized) ticket location because it
doesn't have access to the KRB5CCNAME environment variable in the
calling process. This works for locally created tickets (pam_krb5) but
is ignored for SSH forwarded tickets (and I did not find a way to change
that), leaving me again with a broken cifs.upcall. I don't think it's
relevant to the issue.
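
The overflow hypothesis from the report, worked through numerically as an added example (this is not code from krb5 or from the original message). It assumes timestamps are carried as 32-bit values and that the banner is chosen by a "delta < 3600" test; the function names are hypothetical, and the expiry date from the warning is read as UTC, which shifts the result by at most a few hours.

```c
#include <stdint.h>
#include <stdio.h>

/* Days since 1970-01-01 for a Gregorian date (standard civil-date formula). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Seconds since the epoch for a UTC wall-clock time. */
static int64_t utc_epoch(int64_t y, unsigned mo, unsigned d,
                         unsigned h, unsigned mi, unsigned s)
{
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + s;
}

/* Modulo-2^32 subtraction reinterpreted as signed, without relying on
 * implementation-defined narrowing casts. */
static int32_t delta32(uint32_t a, uint32_t b)
{
    uint32_t u = a - b;
    if (u > (uint32_t)INT32_MAX)
        return (int32_t)(-(int64_t)(UINT32_MAX - u) - 1);
    return (int32_t)u;
}

/* Hypothetical check: a wrapped, negative delta passes the "< 3600" test. */
static int warns_within_hour_32(uint32_t exp, uint32_t now)
{
    return delta32(exp, now) < 3600;
}

/* Same check with a 64-bit difference and an explicit lower bound. */
static int warns_within_hour_64(int64_t exp, int64_t now)
{
    int64_t d = exp - now;
    return d >= 0 && d < 3600;
}

int main(void)
{
    int64_t exp = utc_epoch(2100, 9, 14, 4, 48, 5);  /* date in the warning */
    int64_t now = utc_epoch(2025, 7, 7, 16, 7, 32);  /* ticket time in UTC */
    printf("true delta   : %lld s\n", (long long)(exp - now));
    printf("32-bit delta : %d s\n", (int)delta32((uint32_t)exp, (uint32_t)now));
    printf("32-bit warns : %d\n", warns_within_hour_32((uint32_t)exp, (uint32_t)now));
    printf("64-bit warns : %d\n", warns_within_hour_64(exp, now));
    return 0;
}
```

The two dates are more than 2^31 seconds apart, so the 32-bit difference comes out negative and satisfies the one-hour test even though the date printed is 75 years away.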