Re: Password has expired while getting initial ticket during
Mon Dec 2 15:24:14 2019
To: <kerberos@mit.edu>
From: "Stephen Carville (Kerberos List)" <b44261a2@opayq.com>
Message-ID: <795e0dae-89d9-3a43-3813-35c157a1790f@opayq.com>
Date: Mon, 2 Dec 2019 12:23:36 -0800
MIME-Version: 1.0
In-Reply-To: <03323a68-2ff0-1786-fafd-0d2c7d3bec1d@mit.edu>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 12/2/19 11:22 AM, Greg Hudson wrote:
> On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
>> /usr/sbin/kprop: Password has expired while getting initial ticket
>
> At startup, kprop retrieves a TGT for the client principal
> host/<kdchostname>@REALM using the keytab. You can simulate this with
> "kinit -k host/<kdchostname>@REALM".
>
> It sounds like this client principal has a password expiry time, which
> has elapsed. If this hypothesis is true, running "getprinc
> host/<kdchostname>" within kadmin.local should display:
>
> Password expiration date: <some date in the past>
>
> You can clear this with "modprinc -pwexpire never host/<kdchostname>".
That worked. Replication is now working normally. Thank you.
It seems that when I add a key to the keytab file the password
expiration date for that host is set to somewhen in 1903. I've never
noticed that behavior before and it only seems to happen to KDCs.
> The password expiration time might have been the result of a password
> policy (displayed under "Policy:" in the getprinc output). You might
> not want to apply password policies to service principals which use
> random keys.
--
Stephen
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
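The diagnosis Greg describes (read "Password expiration date:" and "Policy:" from getprinc output, then decide whether the expiry has elapsed) can be scripted so every host/ principal on a KDC is audited instead of one at a time. The following is an added example written for this page; it is not code from the thread or from MIT krb5. The getprinc output below is constructed sample data, and the principal name, realm, dates and the hypothetical check_principal wrapper are assumptions; only the kadmin.local, getprinc, modprinc -pwexpire and kinit -k commands come from the thread.

```bash
#!/bin/sh
# Added example (not from the thread): audit a principal's password expiration
# from "kadmin.local -q 'getprinc <princ>'" output, in portable sh + awk/sed.

# Constructed sample of getprinc output for an affected KDC host principal
# (names, realm and dates are placeholders, not data from the thread).
SAMPLE_GETPRINC='Principal: host/kdc1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Dec 02 10:00:00 PST 2019
Password expiration date: Sat Dec 14 05:45:52 PST 1901
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: default'

# Constructed sample of a healthy service principal: no expiry, no policy.
SAMPLE_HEALTHY='Principal: host/kdc2.example.com@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [none]
Number of keys: 2
Policy: [none]'

# Print the raw "Password expiration date:" value from getprinc output on stdin.
pwexpire_of() { sed -n 's/^Password expiration date: //p'; }

# Print the "Policy:" value ("[none]" when no policy is attached).
policy_of() { sed -n 's/^Policy: //p'; }

# Turn a getprinc date such as "Sat Dec 14 05:45:52 PST 1901" into the
# lexically sortable form "1901-12-14 05:45:52" (time zone is ignored, so
# expiries within a few hours of "now" are a judgement call; decades-old
# ones like the one in the thread are unambiguous).
to_sortable() {
  awk 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
               for (i = 1; i <= 12; i++) mon[m[i]] = i }
       { printf "%04d-%02d-%02d %s\n", $NF, mon[$2], $3, $4 }'
}

# Exit 0 if the getprinc output on stdin carries a password expiration that
# is earlier than the reference time given as $1 ("YYYY-MM-DD HH:MM:SS").
pwexpire_elapsed() {
  exp=$(pwexpire_of)
  case "$exp" in
    ""|"[none]") return 1 ;;   # no expiry set: nothing to clear
  esac
  key=$(printf '%s\n' "$exp" | to_sortable)
  awk -v a="$key" -v b="$1" 'BEGIN { exit !(a < b) }'
}

# Hypothetical wrapper for a real KDC: needs kadmin.local, so it is not run
# here. To reproduce kprop's own failure first, use: kinit -k host/<kdc>@REALM
check_principal() {
  now=$(date '+%Y-%m-%d %H:%M:%S')
  out=$(kadmin.local -q "getprinc $1")
  if printf '%s\n' "$out" | pwexpire_elapsed "$now"; then
    echo "$1: password expiration has elapsed (policy: $(printf '%s\n' "$out" | policy_of))"
    echo "  fix: kadmin.local -q \"modprinc -pwexpire never $1\""
  fi
}

# Offline demonstration on the constructed sample (reference time = the
# thread's date, so the 1901 expiry counts as elapsed).
printf '%s\n' "$SAMPLE_GETPRINC" | pwexpire_elapsed "2019-12-02 12:23:36" \
  && echo "host/kdc1.example.com@EXAMPLE.COM: expired under policy '$(printf '%s\n' "$SAMPLE_GETPRINC" | policy_of)'"
```

On a real KDC, feed every host principal through the wrapper with something like `kadmin.local -q 'listprincs host/*' | grep '^host/' | while read -r p; do check_principal "$p"; done`; principals that show a "Policy:" other than "[none]" are the ones Greg's closing remark applies to, since a password policy is what attaches an expiry to a random-key service principal in the first place.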