Package: sssd
Version: 2.4.1-2
Severity: normal

I'm using a setup with OpenLDAP + MIT Kerberos on Debian Stable ("Bullseye").

In a nutshell:

$ kadmin getprinc bob
Principal: b...@example.com
Expiration date: [never]
Last password change: Wed Mar 08 13:01:47 CET 2023
Password expiration date: [never]
...
$ ldapsearch -Z -x -LLL "(uid=bob)" | grep krbPasswordExpiration
krbPasswordExpiration: 19700101000000Z

IOW, pw expiration never is stored as 19700101000000Z in LDAP (with MIT Kerberos).

If I set ldap_pwd_policy = mit_kerberos in /etc/sssd/sssd.conf on test VM qtest:

$ ssh bob@qtest
...
WARNING: Your password has expired.
You must change your password now and login again!
Current Password:

This has been fixed in the upstream git repo, see:

https://github.com/SSSD/sssd/issues/6612
https://github.com/SSSD/sssd/pull/6623

I suggest that this patch be cherry-picked and added to sssd so that it can be included in the upcoming stable release since the consequences are that users are locked out.

Cheers,
David
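The mismatch reported above, as an added example that is not part of the original report or of the sssd code: an audit over `ldapsearch -LLL` output that separates accounts whose krbPasswordExpiration is the epoch-zero "never" value from accounts that are really expired. The LDIF sample, the function names, the reference time and the treatment of a missing attribute as "no expiry set" are assumptions; folded or base64 LDIF lines are not handled.

```python
from datetime import datetime, timezone

# Constructed sample in the shape `ldapsearch -LLL` prints; not real directory data.
SAMPLE_LDIF = """\
dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
krbPasswordExpiration: 19700101000000Z

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20200101000000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
krbPasswordExpiration: 20991231235959Z

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2023, 3, 8, 13, 0, 0, tzinfo=timezone.utc)  # constructed reference time

def parse_generalized_time(value):
    """Parse the YYYYmmddHHMMSSZ form seen in krbPasswordExpiration."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def naive_expired(expiry, now):
    """Plain timestamp comparison: epoch zero always looks expired."""
    return expiry is not None and expiry <= now

def mit_expired(expiry, now):
    """Same comparison, but epoch zero is read as 'never expires'."""
    return expiry is not None and expiry != EPOCH and expiry <= now

def audit(ldif, now):
    """Map uid -> 'false-lockout', 'expired' or 'valid' for each LDIF entry."""
    report = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        raw = attrs.get("krbPasswordExpiration")
        expiry = parse_generalized_time(raw) if raw else None  # missing: assumed no expiry
        if mit_expired(expiry, now):
            report[attrs["uid"]] = "expired"
        elif naive_expired(expiry, now):
            report[attrs["uid"]] = "false-lockout"  # 'never' misread as expired
        else:
            report[attrs["uid"]] = "valid"
    return report
```

Accounts reported as `false-lockout` are the ones that would see the forced password change described in the report.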