I was able to sit down with Alf Tonny and look at this issue, and we believe we figured out the problem. The Kerberos passwords are set in policy to expire after two days (172800 seconds). To see if this is the case for your user(s), use this (replace ldapuser with one of your local users):

    root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
    Authenticating as principal root/admin@INTERN with password.
    Last password change: Tue Feb 21 19:05:00 CET 2012
    Password expiration date: Thu Feb 23 19:05:00 CET 2012
    Failed password attempts: 0
    root@tjener:~#

If I understand this correctly, one can fix it locally by running this as root on tjener:

    echo modify_policy -maxlife never users | kadmin.local

It should change the policy to never expire passwords. But I am unsure if this is really working, as the getprinc call then starts to claim the users' passwords will expire around 1970. And the user cannot log in using the password, and setting a new password does not change the password expiration date. Setting it to '180days' instead of 'never' works, though.

Anyone got any ideas how to properly fix this?

--
Happy hacking
Petter Reinholdtsen
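
An added example, not part of the original message: a small Python check that reads the getprinc lines shown above, derives the effective password lifetime (172800 seconds in the quoted output) and flags the near-1970 expiry described after setting `-maxlife never`. The function names, the sample text and the treatment of a bracketed value such as `[never]` as "no expiry" are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the three getprinc lines quoted in the message above.
SAMPLE = """\
Last password change: Tue Feb 21 19:05:00 CET 2012
Password expiration date: Thu Feb 23 19:05:00 CET 2012
Failed password attempts: 0
"""

FIELD = re.compile(
    r"^(Last password change|Password expiration date):[ \t]*(.+)$", re.M)


def parse_stamp(text):
    """Parse a kadmin timestamp; bracketed values (assumed [never]) give None."""
    text = text.strip()
    if text.startswith("["):
        return None
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected timestamp: {text!r}")
    _weekday, month, day, clock, _zone, year = parts
    # The zone abbreviation is dropped: both fields come from the same host,
    # so their difference is still correct unless a DST change lies between.
    return datetime.strptime(f"{month} {day} {clock} {year}",
                             "%b %d %H:%M:%S %Y")


def check_principal(output, now):
    """Return (status, lifetime_seconds) for one principal's getprinc output."""
    fields = {name: parse_stamp(value) for name, value in FIELD.findall(output)}
    changed = fields.get("Last password change")
    expires = fields.get("Password expiration date")
    if expires is None:
        # Field absent or bracketed: treated here as "no expiry" (assumption).
        return "no-expiry", None
    lifetime = int((expires - changed).total_seconds()) if changed else None
    if expires.year <= 1970:
        # The symptom reported after "-maxlife never": expiry near the epoch.
        return "epoch-anomaly", lifetime
    return ("expired" if expires <= now else "valid"), lifetime


if __name__ == "__main__":
    # Constructed "now" later than the quoted expiration date.
    print(check_principal(SAMPLE, datetime(2012, 3, 20)))
```

Feeding it the output of `echo getprinc ldapuser | kadmin.local` for each local user separates accounts that are merely expired from those showing the epoch expiry.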