[38638] in Kerberos


Re: Password has expired while getting initial ticket during

daemon@ATHENA.MIT.EDU (Stephen Carville (Kerberos List))
Tue Dec 3 15:54:08 2019

To: <kerberos@mit.edu>
From: "Stephen Carville (Kerberos List)" <b44261a2@opayq.com>
Message-ID: <dc4d1dfc-0e0b-bd27-c94c-40d37c1b79f2@opayq.com>
Date: Tue, 3 Dec 2019 12:53:45 -0800
In-Reply-To: <42dda454-1482-a4e8-fe18-c80496139e57@mit.edu>

On 12/2/19 12:58 PM, Greg Hudson wrote:
> On 12/2/19 3:23 PM, Stephen Carville (Kerberos List) wrote:
>> It seems that when I add a key to the keytab file the password
>> expiration date for that host is set to somewhen in 1903.  I've never
>> noticed that behavior before and it only seems to happen to KDCs.
> 
> I would guess that these principal entries have a policy object
> associated with them (as displayed in the Policy field of the getprinc
> output), and that the policy (display with "getpol <policyname>") has a
> maximum password life of 20 years, likely because whoever set it up
> didn't really want a maximum password life but didn't know how to
> disable it ("modpol -maxlife 0 <policyname>", or 'modpol -maxlife "0
> seconds" <policyname>' for releases before 1.15).

You guessed right.  I had the policy -maxlife on host policy set to 
+7305 days.  It never occurred to me that the timestamp would be 32 bit 
instead of 64 bit.  It is fixed now.

Thank you again.

> When 20 years is added to the current time, the result is a timestamp
> later than the 32-bit signed overflow point in January 2038.  Release
> 1.16 and later can handle timestamps past that point (up until the year
> 2106) on 64-bit platforms, but earlier releases wrap around to
> historical dates.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
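The wraparound discussed in this thread, as an added example that is not part of the original messages and is not MIT krb5 code: it adds the 7305-day maxlife to a constructed "now" of 2019-12-02 00:00:00 UTC and reads the 32-bit result both ways. All function and macro names are hypothetical, and a 64-bit `time_t` is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed inputs: "now" = 2019-12-02 00:00:00 UTC; maxlife = 7305 days. */
#define NOW_SECS     INT32_C(1575244800)
#define MAXLIFE_SECS (INT32_C(7305) * 86400)

/* Sum modulo 2^32, as a 32-bit field stores it (unsigned math, no UB). */
static uint32_t add_wrapped(int32_t now, int32_t maxlife)
{
    return (uint32_t)now + (uint32_t)maxlife;
}

/* Signed reading (pre-1.16 behaviour); the cast wraps on gcc and clang. */
static int64_t expiry_signed(int32_t now, int32_t maxlife)
{
    return (int32_t)add_wrapped(now, maxlife);
}

/* Unsigned reading: described for 1.16+ on 64-bit platforms (good to 2106). */
static int64_t expiry_unsigned(int32_t now, int32_t maxlife)
{
    return (int64_t)add_wrapped(now, maxlife);
}

/* Audit check: does now + maxlife pass the January 2038 signed limit? */
static int policy_wraps(int32_t now, int32_t maxlife)
{
    return (int64_t)now + maxlife > INT32_MAX;
}

/* UTC calendar year of an epoch value; assumes a 64-bit time_t. */
static int utc_year(int64_t secs)
{
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : 0;
}

int main(void)
{
    int64_t s = expiry_signed(NOW_SECS, MAXLIFE_SECS);
    int64_t u = expiry_unsigned(NOW_SECS, MAXLIFE_SECS);
    printf("signed:   %lld (year %d)\n", (long long)s, utc_year(s));
    printf("unsigned: %lld (year %d)\n", (long long)u, utc_year(u));
    printf("wraps past 2038: %d\n", policy_wraps(NOW_SECS, MAXLIFE_SECS));
}
```

The same `policy_wraps` comparison can be applied to any policy's maximum password life to find values that would wrap on a pre-1.16 release.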
