On 12/2/19 12:58 PM, Greg Hudson wrote:
> On 12/2/19 3:23 PM, Stephen Carville (Kerberos List) wrote:
>> It seems that when I add a key to the keytab file the password
>> expiration date for that host is set to somewhen in 1903. I've never
>> noticed that behavior before and it only seems to happen to KDCs.
>
> I would guess that these principal entries have a policy object
> associated with them (as displayed in the Policy field of the getprinc
> output), and that the policy (display with "getpol <policyname>") has a
> maximum password life of 20 years, likely because whoever set it up
> didn't really want a maximum password life but didn't know how to
> disable it ("modpol -maxlife 0 <policyname>", or 'modpol -maxlife "0
> seconds" <policyname>' for releases before 1.15).

You guessed right. I had the policy -maxlife on host policy set to +7305
days. It never occurred to me that the timestamp would be 32 bit instead
of 64 bit. It is fixed now. Thank you again.

> When 20 years is added to the current time, the result is a timestamp
> later than the 32-bit signed overflow point in January 2038. Release
> 1.16 and later can handle timestamps past that point (up until the year
> 2106) on 64-bit platforms, but earlier releases wrap around to
> historical dates.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
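The arithmetic discussed in this thread, as an added example that is not part of the original messages and is not MIT krb5 code: a Python model that adds a policy's maximum password life to the current time, shows the signed 32-bit wraparound and the unsigned range ending in 2106, and computes the largest maxlife that still fits before January 2038. The function names and the fixed "now" of 2019-12-02 00:00 UTC are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DAY = 86400


def epoch_seconds(when):
    """Seconds since the Unix epoch for an aware datetime."""
    return int((when - EPOCH).total_seconds())


def as_signed32(seconds):
    """Wrap a value into the signed 32-bit range (the pre-1.16 behaviour
    described in the thread)."""
    return (seconds + 2**31) % 2**32 - 2**31


def expiration(now, maxlife_days, signed32=True):
    """Password expiration for now + maxlife.

    signed32=True models the wraparound to historical dates;
    signed32=False models the unsigned 32-bit range that ends in 2106.
    """
    total = epoch_seconds(now) + maxlife_days * DAY
    if signed32:
        total = as_signed32(total)
    elif total >= 2**32:
        raise OverflowError("expiration is past the unsigned 32-bit limit")
    return EPOCH + timedelta(seconds=total)


def max_safe_days(now):
    """Largest maxlife in whole days that stays below the January 2038
    signed 32-bit overflow point."""
    return (2**31 - 1 - epoch_seconds(now)) // DAY


if __name__ == "__main__":
    # Constructed sample input: the date of the thread and its 7305-day maxlife.
    now = datetime(2019, 12, 2, tzinfo=timezone.utc)
    print("signed 32-bit:  ", expiration(now, 7305))
    print("unsigned 32-bit:", expiration(now, 7305, signed32=False))
    print("max safe days:  ", max_safe_days(now))
```

Running a policy's maxlife through `max_safe_days` before applying it on a release older than 1.16 shows whether new expiration dates would land in the past.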