On 12/2/19 11:22 AM, Greg Hudson wrote:

> On 12/2/19 12:02 PM, Stephen Carville (Kerberos List) wrote:
>> /usr/sbin/kprop: Password has expired while getting initial ticket
> 
> At startup, kprop retrieves a TGT for the client principal
> host/<kdchostname>@REALM using the keytab.  You can simulate this with
> "kinit -k host/<kdchostname>@REALM".
> 
> It sounds like this client principal has a password expiry time, which
> has elapsed.  If this hypothesis is true, running "getprinc
> host/<kdchostname>" within kadmin.local should display:
> 
> Password expiration date: <some date in the past>
> 
> You can clear this with "modprinc -pwexpire never host/<kdchostname>".

That worked. Replication is now working normally. Thank you.

It seems that when I add a key to the keytab file the password 
expiration date for that host is set to somewhen in 1903.  I've never 
noticed that behavior before and it only seems to happen to KDCs.

> The password expiration time might have been the result of a password
> policy (displayed under "Policy:" in the getprinc output).  You might
> not want to apply password policies to service principals which use
> random keys.
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

--
Stephen
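
The check discussed in this thread (read "Password expiration date:" and "Policy:" from getprinc, then clear the expiry with modprinc) can be run across several principals at once. The following is an added example, not part of the original messages and not MIT krb5 code; the sample getprinc output, the host names, the realm and the policy name "hosts" are constructed, and the date parser assumes the "Mon Dec 02 10:41:07 EST 2019" layout and ignores the zone name.

```python
import re
from datetime import datetime

# Constructed sample of getprinc output for two principals (not from the thread).
SAMPLE = """\
Principal: host/kdc1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Dec 02 10:41:07 EST 2019
Password expiration date: Thu Jan 01 00:00:00 EST 1903
Policy: hosts
Principal: host/kdc2.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Dec 02 10:45:12 EST 2019
Password expiration date: [never]
Policy: [none]
"""

def parse_date(value):
    """Return a naive datetime, or None for bracketed values such as [never]."""
    if value.startswith("["):
        return None
    f = value.split()
    # Drop the weekday and zone name; strptime cannot parse arbitrary zone names.
    return datetime.strptime(" ".join(f[1:4] + f[-1:]), "%b %d %H:%M:%S %Y")

def audit(text, now):
    """Return (principal, expiry, policy, expired) for principals with an expiry set."""
    findings = []
    # Split before each "Principal:" line so every record is parsed on its own.
    for block in re.split(r"(?m)^(?=Principal:)", text):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        expiry = parse_date(fields.get("Password expiration date", "[never]"))
        if expiry is not None:
            findings.append((fields.get("Principal", "?"), expiry,
                             fields.get("Policy", "[none]"), expiry < now))
    return findings

def remediation(findings):
    """kadmin.local commands (as given in the thread) for expired principals."""
    return [f"modprinc -pwexpire never {p}" for p, _, _, expired in findings if expired]

if __name__ == "__main__":
    results = audit(SAMPLE, datetime.now())
    for principal, expiry, policy, expired in results:
        state = "EXPIRED" if expired else "set"
        print(f"{principal}: pw expiry {expiry} ({state}), policy {policy}")
    print("\n".join(remediation(results)))
```

A principal reported with a policy other than [none] is a candidate for the policy cause mentioned in the quoted reply.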