[38637] in Kerberos

Re: Password has expired while getting initial ticket during

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 2 15:59:43 2019

To: "Stephen Carville (Kerberos List)" <b44261a2@opayq.com>,
        <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <42dda454-1482-a4e8-fe18-c80496139e57@mit.edu>
Date: Mon, 2 Dec 2019 15:58:39 -0500
MIME-Version: 1.0
In-Reply-To: <795e0dae-89d9-3a43-3813-35c157a1790f@opayq.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 12/2/19 3:23 PM, Stephen Carville (Kerberos List) wrote:
> It seems that when I add a key to the keytab file the password 
> expiration date for that host is set to somewhen in 1903.  I've never 
> noticed that behavior before and it only seems to happen to KDCs.

I would guess that these principal entries have a policy object
associated with them (as displayed in the Policy field of the getprinc
output), and that the policy (display with "getpol <policyname>") has a
maximum password life of 20 years, likely because whoever set it up
didn't really want a maximum password life but didn't know how to
disable it ("modpol -maxlife 0 <policyname>", or 'modpol -maxlife "0
seconds" <policyname>' for releases before 1.15).

When 20 years is added to the current time, the result is a timestamp
later than the 32-bit signed overflow point in January 2038.  Release
1.16 and later can handle timestamps past that point (up until the year
2106) on 64-bit platforms, but earlier releases wrap around to
historical dates.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
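
Added example, not part of the original message and not code from the krb5 source: a small C model of the wraparound described in the reply, usable to check whether a policy maxlife would wrap on a release before 1.16. The function names are hypothetical, the "now" value is the Date header of the reply, and "20 years" is assumed to be 7300 days.

```c
/* Added illustration; the function names are hypothetical, not krb5 APIs. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NOW_2019  1575320319LL          /* Mon, 2 Dec 2019 15:58:39 -0500 */
#define LIFE_20Y  (7300LL * 86400)      /* assumed: "20 years" = 7300 days */

/* The 32 bits that end up stored for now + max_life. */
static uint32_t stored_bits(int64_t now, int64_t max_life)
{
    return (uint32_t)(now + max_life);
}

/* Releases before 1.16: the stored bits are read as a signed 32-bit value. */
static int64_t expiry_signed32(int64_t now, int64_t max_life)
{
    int64_t v = stored_bits(now, max_life);
    return v > INT32_MAX ? v - 4294967296LL : v;
}

/* 1.16 and later on 64-bit platforms: the same bits read as unsigned. */
static int64_t expiry_unsigned32(int64_t now, int64_t max_life)
{
    return stored_bits(now, max_life);
}

/* Audit check: would this policy maxlife wrap on a pre-1.16 release?
 * A maxlife of 0 means no maximum password life, so nothing can wrap. */
static int wraps_before_1_16(int64_t now, int64_t max_life)
{
    return max_life != 0 && now + max_life > INT32_MAX;
}

static int year_of(int64_t ts)
{
    time_t t = (time_t)ts;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

int main(void)
{
    printf("pre-1.16 : %d\n", year_of(expiry_signed32(NOW_2019, LIFE_20Y)));
    printf("1.16+    : %d\n", year_of(expiry_unsigned32(NOW_2019, LIFE_20Y)));
    printf("wraps    : %d\n", wraps_before_1_16(NOW_2019, LIFE_20Y));
    printf("last safe maxlife today: %lld s\n", (long long)(INT32_MAX - NOW_2019));
    return 0;
}
```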
