expiration of user krbtgt was Re: samba4 Kerberos server and linux computers

Andrew Bartlett abartlet at samba.org
Mon Feb 2 04:38:36 GMT 2009


On Mon, 2009-01-26 at 18:12 +0300, Matthieu Patou wrote:
> On 01/12/2009 01:40 PM, Matthieu Patou wrote:
> > Today I tried to change the password of my windows account from the 
> > command line using kpasswd on the domain controller.
> > And it failed, in the log I had :
> >
> > Kerberos: AS-REQ mat at smb4.tst from 192.168.0.254 for 
> > kadmin/changepw at smb4.tst
> > [Mon Jan 12 12:50:57 2009 MSK, 2 
> > auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
> > Kerberos: Server's key has expired at -- 2008-09-07T10:52:53
> >
> > I extracted the lastSetPWD field and converted it into a human-readable 
> > form; I see that the expiration date corresponds to the domain 
> > controller's one.
> >
> > What can be done ?
> >
> > Btw I am running samba 4.0.0alpha6-GIT-37f4c70.
> >
> > Matthieu.
> After some searching, it appears to be because of the expiration of user krbtgt; 
> using ldbedit and changing pwdLastSet to a fairly recent date (i.e. 
> 128774432490000000) makes kpasswd work again.
> 
> Can the trick used for the non-expiration of the domain controller be 
> used in this case as well?

Yes.  I wonder what changed here - I'm sure I had logic to always have
this key not expire...

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
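
Added example, not part of the original thread and not Samba's code: the pwdLastSet conversion described in the quoted message, plus an expiry check under Active Directory conventions (100 ns ticks since 1601-01-01 UTC, a negative maxPwdAge, the UF_DONT_EXPIRE_PASSWD bit). The LDIF record, the 42-day maxPwdAge and the helper names are assumptions; only the pwdLastSet value comes from the thread.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit in Active Directory
MAX_PWD_AGE = -36288000000000     # assumed policy: 42 days, as negative 100 ns ticks

# Constructed LDIF record; only the pwdLastSet value is taken from the thread.
SAMPLE_LDIF = """\
dn: CN=krbtgt,CN=Users,DC=smb4,DC=tst
sAMAccountName: krbtgt
userAccountControl: 514
pwdLastSet: 128774432490000000
"""

def parse_ldif(text):
    """Return {attribute: value} for one record with single-valued attributes."""
    rec = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            rec[key] = value
    return rec

def filetime_to_datetime(ticks):
    """Convert 100 ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def key_expiry(rec, max_pwd_age):
    """Return the expiry time, or None when the key never expires."""
    uac = int(rec.get("userAccountControl", "0"))
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return None
    last_set = filetime_to_datetime(int(rec["pwdLastSet"]))
    # maxPwdAge is negative, so negate it before adding.
    return last_set + timedelta(microseconds=-max_pwd_age // 10)

def is_expired(rec, max_pwd_age, now):
    """True when 'now' is at or past the computed expiry."""
    expiry = key_expiry(rec, max_pwd_age)
    return expiry is not None and now >= expiry

if __name__ == "__main__":
    rec = parse_ldif(SAMPLE_LDIF)
    print("pwdLastSet:", filetime_to_datetime(int(rec["pwdLastSet"])).isoformat())
    print("expires   :", key_expiry(rec, MAX_PWD_AGE))
    print("expired   :", is_expired(rec, MAX_PWD_AGE, datetime.now(timezone.utc)))
```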