Per the log message for r14936, this is intentional behavior:

---

Note that the intent is that the last-req type will only be included by the KDC when the time until password expiration reaches some threshold (e.g., one week), so this code will display the password expiration anytime the last-req type is included.

---

(A classic case of "code documentation belongs in comments, not commit logs.")

Now, I don't know if that statement reflects reality. Allowing the KDC to control when expiration notification happens seems well and fine, but RFC 4120 doesn't appear to say that last-req expiration times should be used that way.