DSfW: kinit fails "Client's entry in database has expired while getting initial credentials"

  • 7015541
  • 15-Aug-2014
  • 15-Aug-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES 11SP2)
Novell Open Enterprise Server 11 SP1 (OES 11SP1)
Domain Services for Windows
DSFW

Situation

kinit fails "Client's entry in database has expired while getting initial credentials"

kdc.log reports - Aug 15 10:53:57 server1 krb5kdc[5865](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.10.0.5: CLIENT EXPIRED: user33\@novell.com@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Client's entry in database has expired

packet trace reports - "error_code: KRB5KDC_ERR_NAME_EXP (1)" " e-text: CLIENT EXPIRED"

LoginExpirationTime has a value of 21060207062814Z

Resolution

Either the LoginExpirationTime attribute holds a time in the past (the login has expired), in which case the error is valid, or the value is set to 21060207062814Z.

If the time is set to 21060207062814Z the account will be treated as if the password is expired.  Resetting the password will not remove this value.  The value must be deleted.
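The two cases above can be told apart across many accounts by checking an LDIF export of loginExpirationTime. The following is an added example, not part of the original article and not the DSfWDude.com script; the sample DNs are constructed, the function names are hypothetical, and it assumes plain (not base64-encoded or folded) LDIF lines.

```python
from datetime import datetime, timezone

# Value the article singles out: a password reset does not clear it, it must be deleted.
SENTINEL = "21060207062814Z"

# Constructed sample in LDIF form, as an ldapsearch export might look (not real data).
SAMPLE_LDIF = """\
dn: cn=user33,cn=Users,dc=novell,dc=com
loginExpirationTime: 21060207062814Z

dn: cn=user34,cn=Users,dc=novell,dc=com
loginExpirationTime: 20140101000000Z

dn: cn=user35,cn=Users,dc=novell,dc=com
loginExpirationTime: 20300101000000Z

dn: cn=user36,cn=Users,dc=novell,dc=com
"""

def classify(value, now):
    """Return 'sentinel', 'expired' or 'future' for a loginExpirationTime value."""
    if value == SENTINEL:
        return "sentinel"
    # LDAP generalized time in UTC, e.g. 20140101000000Z
    when = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return "expired" if when <= now else "future"

def audit(ldif_text, now):
    """Map each DN that carries loginExpirationTime to its classification."""
    results = {}
    dn = None
    for line in ldif_text.splitlines():
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        name, _, value = line.partition(":")
        name, value = name.lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "loginexpirationtime" and dn:
            results[dn] = classify(value, now)
    return results

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF, datetime.now(timezone.utc)).items():
        print(f"{state:9} {dn}")
```

Entries reported as "expired" produce a valid CLIENT EXPIRED error; entries reported as "sentinel" are the ones whose attribute value must be deleted.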

Additional Information

A script to delete loginExpirationTime with values greater than current date can be found at DSfWDude.com