
Bug#664596: User seems to missing ability to login via ssh/console after some days



I was able to sit down with Alf Tonny and look at this issue, and we
believe we figured out the problem.  The Kerberos passwords are set in
policy to expire after two days (172800 seconds).  To see if this is
the case for your user(s), use this (replace ldapuser with one of your
local users):

  root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
  Authenticating as principal root/admin@INTERN with password.
  Last password change: Tue Feb 21 19:05:00 CET 2012
  Password expiration date: Thu Feb 23 19:05:00 CET 2012
  Failed password attempts: 0
  root@tjener:~# 

If I understand this correctly, one can fix it locally by running this
as root on tjener:

  echo modify_policy -maxlife never users | kadmin.local

It should change the policy to never expire passwords.  But I am
unsure if this is really working, as the getprinc call then starts to
claim the users' passwords will expire around 1970.  And the user
cannot log in using the password, and setting a new password does not
change the password expiration date.  Setting it to '180days' instead
of 'never' works, though.

Anyone got any ideas how to properly fix this?
-- 
Happy hacking
Petter Reinholdtsen
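
An added example, not part of the original message or of Debian Edu: a small parser for the getprinc lines quoted above that reports the effective password lifetime, whether the password has already expired, and whether the expiration date predates the last change (as with the 1970 dates described). The names check_principal, parse_kadmin_date and SAMPLE are hypothetical, and the input format is assumed to match the output shown in the message.

```python
import re
from datetime import datetime

# Constructed sample input: the getprinc lines quoted in the message above.
SAMPLE = """\
Last password change: Tue Feb 21 19:05:00 CET 2012
Password expiration date: Thu Feb 23 19:05:00 CET 2012
Failed password attempts: 0
"""

FIELD = re.compile(
    r"^[ \t]*(Last password change|Password expiration date):[ \t]*(.+)$", re.M)


def parse_kadmin_date(text):
    """Parse 'Thu Feb 23 19:05:00 CET 2012'; return None for anything else."""
    parts = text.split()
    if len(parts) != 6:
        return None  # not a six-field date, so no usable timestamp
    # Drop the zone abbreviation: strptime cannot parse "CET" portably.
    # Both fields come from the same host, so differences stay accurate
    # to within an hour across a daylight-saving change.
    try:
        return datetime.strptime(" ".join(parts[:4] + parts[5:]),
                                 "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def check_principal(getprinc_output, now):
    """Summarise password expiry for one principal's getprinc output."""
    fields = {k: parse_kadmin_date(v) for k, v in FIELD.findall(getprinc_output)}
    changed = fields.get("Last password change")
    expires = fields.get("Password expiration date")
    result = {"lifetime": None, "expired": False, "inconsistent": False}
    if expires is None:
        return result  # no expiration date reported
    result["expired"] = expires <= now
    if changed is not None:
        result["lifetime"] = expires - changed
        # Expiry earlier than the last change (for example a date near 1970)
        # cannot be the result of a real maximum password lifetime.
        result["inconsistent"] = expires < changed
    return result


if __name__ == "__main__":
    print(check_principal(SAMPLE, datetime.now()))
```

Feeding it the output of the getprinc command above for each local user shows which accounts are about to be locked out by the policy.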


