Before we commit to changing the default or making it configurable, I would like to know what version of Kerberos is being used on the back end. Prior to release 1.9, the LDAP KDB module takes O(N^2) time to iterate over N principals due to a combination of questionable design features. It is possible that retrieving even a hundred thousand principal names could be done in less than 120 seconds without this bug. If we do need to make a change, I would suggest using a very long timeout or (if possible) disable the timeout entirely. Since kadmin runs over TCP, there isn't really a strong need to time out if kadmind takes a long time to respond.