Hi! ---- This was discovered with test "t_kdb.py" that is new on krb5-1.12.x and I can imagine that it was not executed on big-endian architectures so far. But this is not a regression the same issue was observed on s390x and ppc64 on krb5-1.11.x and krb5-1.10.x. Either run the test suite and the test "t_kdb.py" should fail (make sure openldap is installed) or manually create a test realm with LDAP database backend, then: -- snip -- [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol Ticket policy: tktpol Maximum ticket life: 536870912 days 00:00:00 Maximum renewable life: 1073741824 days 00:00:00 Ticket flags: -- snip -- It looks like the policy flags are correct in the database only they are not displayed (note the "krbTicketFlags" in the ldapsearch result below), so this is more less a cosmetic issue: -- snip -- [root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\# dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com cn: tktpol objectClass: krbTicketPolicy objectClass: krbTicketPolicyAux krbMaxTicketLife: 10800 krbMaxRenewableAge: 21600 krbTicketFlags: 2 search: 2 result: 0 Success [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" modify_policy -maxtktlife 4hour -maxrenewlife 8hour +requires_preauth tktpol [root@rhel7]# ldapsearch -h localhost -x -D "cn=Manager,dc=example,dc=com" -w "secret" -b "cn=Kerberos,dc=example,dc=com" "(cn=tktpol)" | grep -v ^\# dn: cn=tktpol,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com cn: tktpol objectClass: krbTicketPolicy objectClass: krbTicketPolicyAux krbMaxTicketLife: 14400 krbMaxRenewableAge: 28800 krbTicketFlags: 128 search: 2 result: 0 Success [root@rhel7]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol Ticket policy: tktpol Maximum ticket life: 715827882 days 16:00:00 Maximum renewable life: 1431655765 days 08:00:00 Ticket flags: -- snip -- Expected results: Like on x86_64 and ppc64le: -- snip -- # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" create_policy -maxtktlife 3hour -maxrenewlife 6hour -allow_forwardable tktpol [root@rhel70 LDAP-backend]# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" -w "secret" view_policy tktpol Ticket policy: tktpol Maximum ticket life: 0 days 03:00:00 Maximum renewable life: 0 days 06:00:00 Ticket flags: DISALLOW_FORWARDABLE -- snip -- ---- Bye, Roland -- __ . . __ (o.\ \/ /.o) rmainz@redhat.com \__\/\/__/ IPA/Kerberos5 team /O /==\ O\ (;O/ \/ \O;)