[38635] in Kerberos
Re: Password has expired while getting initial ticket during
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 2 14:22:56 2019
To: "Stephen Carville (Kerberos List)" <b44261a2@opayq.com>,
<kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <03323a68-2ff0-1786-fafd-0d2c7d3bec1d@mit.edu>
Date: Mon, 2 Dec 2019 14:22:33 -0500
MIME-Version: 1.0
In-Reply-To: <fc34866b-dde4-c670-19e6-ef1473e7d19a@opayq.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
> /usr/sbin/kprop: Password has expired while getting initial ticket
At startup, kprop retrieves a TGT for the client principal
host/<kdchostname>@REALM using the keytab. You can simulate this with
"kinit -k host/<kdchostname>@REALM".
It sounds like this client principal has a password expiry time, which
has elapsed. If this hypothesis is true, running "getprinc
host/<kdchostname>" within kadmin.local should display:
Password expiration date: <some date in the past>
You can clear this with "modprinc -pwexpire never host/<kdchostname>".
The password expiration time might have been the result of a password
policy (displayed under "Policy:" in the getprinc output). You might
not want to apply password policies to service principals which use
random keys.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
