Sadique Puthen notes that the warning on the client side seems to be correspond to the wrong attribute on the KDC. Do what RFC4120 says we should do. --- krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:06.000000000 -0400 +++ krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:08.000000000 -0400 @@ -371,7 +371,14 @@ process_as_req(krb5_kdc_req *request, kr goto errout; } reply_encpart.nonce = request->nonce; - reply_encpart.key_exp = client.expiration; + if (client.expiration == 0) { + reply_encpart.key_exp = client.pw_expiration; + } else if (client.pw_expiration == 0) { + reply_encpart.key_exp = client.expiration; + } else { + reply_encpart.key_exp = client.pw_expiration < client.expiration ?; + client.pw_expiration : client.expiration; + } reply_encpart.flags = enc_tkt_reply.flags; reply_encpart.server = ticket_reply.server;