On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
> /usr/sbin/kprop: Password has expired while getting initial ticket

At startup, kprop retrieves a TGT for the client principal host/<kdchostname>@REALM using the keytab. You can simulate this with "kinit -k host/<kdchostname>@REALM". It sounds like this client principal has a password expiry time, which has elapsed.

If this hypothesis is true, running "getprinc host/<kdchostname>" within kadmin.local should display:

    Password expiration date: <some date in the past>

You can clear this with "modprinc -pwexpire never host/<kdchostname>".

The password expiration time might have been the result of a password policy (displayed under "Policy:" in the getprinc output). You might not want to apply password policies to service principals which use random keys.
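An added example, not part of the original message: a Python check that reads "getprinc" output and reports principals whose password expiration date has passed, together with the policy attached to them. The sample output, principal names and function names are constructed for illustration, and timestamps are assumed to be KDC-local time.

```python
from datetime import datetime

# Constructed, abridged sample of kadmin.local "getprinc" output for two
# hypothetical principals; not taken from the original thread.
SAMPLE = """\
Principal: host/kdc1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Sat Dec 01 10:00:00 EST 2018
Password expiration date: Sun Dec 01 10:00:00 EST 2019
Policy: default
Principal: host/kdc2.example.com@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [never]
Policy: [none]
"""

def parse_kadmin_date(value):
    """Return a naive datetime, or None for bracketed values like '[never]'."""
    value = value.strip()
    if value.startswith("["):
        return None
    parts = value.split()
    # Drop the timezone abbreviation: strptime's %Z rejects most of them.
    # Assumption: the remaining fields are compared as KDC-local time.
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def expired_principals(getprinc_text, now):
    """List (principal, pw_expiry, policy) where the password expiry is before now."""
    records, current = [], None
    for line in getprinc_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Principal":
            current = {"principal": value, "pwexp": None, "policy": "[none]"}
            records.append(current)
        elif current is not None and key == "Password expiration date":
            current["pwexp"] = parse_kadmin_date(value)
        elif current is not None and key == "Policy":
            current["policy"] = value
    return [(r["principal"], r["pwexp"], r["policy"])
            for r in records if r["pwexp"] is not None and r["pwexp"] < now]

if __name__ == "__main__":
    for name, when, policy in expired_principals(SAMPLE, datetime.now()):
        print(f"{name}: password expired {when} (policy: {policy})")
```

A hit on a host/ principal with a policy other than [none] points at the password-policy cause described above.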