expiration of user krbtgt was Re: samba4 Kerberos server and
abartlet at samba.org
Mon Feb 2 04:38:36 GMT 2009
On Mon, 2009-01-26 at 18:12 +0300, Matthieu Patou wrote:
> On 01/12/2009 01:40 PM, Matthieu Patou wrote:
> > Today I tried to change the password of my Windows account from the
> > command line using kpasswd on the domain controller.
> > And it failed; in the log I had:
> > Kerberos: AS-REQ mat at smb4.tst from 192.168.0.254 for
> > kadmin/changepw at smb4.tst
> > [Mon Jan 12 12:50:57 2009 MSK, 2
> > auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
> > Kerberos: Server's key has expired at -- 2008-09-07T10:52:53
> > I extracted the lastSetPWD field and converted it into a human-readable
> > form; I see that the expiration date corresponds to the domain
> > controller's one.
> > What can be done?
> > Btw I am running samba 4.0.0alpha6-GIT-37f4c70.
> > Matthieu.
> After some searching, it appears to be because of the expiration of user
> krbtgt; using ldbedit and changing pwdLastSet to a fairly recent date (i.e.
> 128774432490000000) makes kpasswd work again.
> Can the trick used for the non-expiration of the domain controller be
> used in this case as well?
Yes. I wonder what changed here - I'm sure I had logic to always have
this key not expire...
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
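
Added example (not part of the original thread and not Samba code): decoding the pwdLastSet value quoted above and checking whether a key such as krbtgt's would be reported as expired. It assumes the usual Active Directory rule that expiry is pwdLastSet plus the domain maxPwdAge unless the account is flagged as never expiring; the 42-day policy and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl bit
NEVER = (0, -0x8000000000000000)       # maxPwdAge values meaning "no expiry"


def filetime_to_dt(ft):
    """100-ns ticks since 1601-01-01 UTC -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Timezone-aware datetime -> 100-ns ticks since 1601-01-01 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def key_expiry(pwd_last_set, max_pwd_age, uac=0):
    """Return the expiry time, or None if the key never expires.

    Assumption: expiry = pwdLastSet + |maxPwdAge|. maxPwdAge is the
    domain policy value and is stored as a negative tick count.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in NEVER:
        return None
    return filetime_to_dt(pwd_last_set - max_pwd_age)


def is_expired(pwd_last_set, max_pwd_age, uac, now):
    """True if a KDC applying the rule above would reject the key at `now`."""
    exp = key_expiry(pwd_last_set, max_pwd_age, uac)
    return exp is not None and now >= exp


if __name__ == "__main__":
    value_from_thread = 128774432490000000   # pwdLastSet quoted in the thread
    max_age_42d = -42 * 86400 * 10**7         # constructed policy: 42 days
    now = datetime(2009, 2, 2, 4, 38, 36, tzinfo=timezone.utc)
    print("pwdLastSet:", filetime_to_dt(value_from_thread).isoformat())
    print("expires:   ", key_expiry(value_from_thread, max_age_42d).isoformat())
    print("expired:   ", is_expired(value_from_thread, max_age_42d, 0, now))
    # Value to write with ldbedit if resetting pwdLastSet to "now":
    print("now as FILETIME:", dt_to_filetime(now))
```

Resetting pwdLastSet only moves the expiry forward by one policy period; a never-expire flag or policy value makes key_expiry return None.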