expiration of user krbtgt was Re: samba4 Kerberos server and linux computers

Matthieu Patou mat at matws.net
Mon Jan 26 15:12:54 GMT 2009

On 01/12/2009 01:40 PM, Matthieu Patou wrote:
> Today i tried to change the password of my windows account from the 
> command line using kpasswd on the domain controller.
> And it failed, in the log I had :
> Kerberos: AS-REQ mat at smb4.tst from for 
> kadmin/changepw at smb4.tst
> [Mon Jan 12 12:50:57 2009 MSK, 2 
> auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()]
> Kerberos: Server's key has expired at -- 2008-09-07T10:52:53
> I extracted the lastSetPWD field and convert it into an human readable 
> form I see that the expiration date corresponds to the domain 
> controler's one.
> What can be done ?
> Btw I am running samba 4.0.0alpha6-GIT-37f4c70.
> Matthieu.
After some search it appears because of the expiration of user krbtgt, 
using ldbedit and changing pwdLastSet to a fairly recent date (ie. 
128774432490000000) makes kpasswd back to work.

Can the trick used for the non expiration of domain controller can be 
used in this case as well ?


More information about the samba-technical mailing list