Currently the KDC will only populate the key expiration field in the AS-REP with the account expiration information. It should provide either account exp or pw exp, whichever expires first. These are diffs of the fix based on the 1.6 release:
kdc/do_as_req.c:
@@ -70,11 +70,11 @@
 #ifdef KRBCONF_KDC_MODIFIES_KDB
 krb5_boolean update_client = 0;
 #endif /* KRBCONF_KDC_MODIFIES_KDB */
 krb5_data e_data;
 register int i;
- krb5_timestamp until, rtime;
+ krb5_timestamp until, rtime, etime = 0;
 char *cname = 0, *sname = 0;
 const char *fromstring = 0;
 char ktypestr[128];
 char rep_etypestr[128];
 char fromstringbuf[70];
@@ -369,11 +369,18 @@
 if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) {
 status = "FETCH_LAST_REQ";
 goto errout;
 }
 reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+
+ /* Take the minimum of expiration or pw_expiration if not zero. */
+ if (client.expiration != 0 && client.pw_expiration != 0)
+ etime = min(client.expiration, client.pw_expiration);
+ else
+ etime = client.expiration ? client.expiration : client.pw_expiration;
+
+ reply_encpart.key_exp = etime;
 reply_encpart.flags = enc_tkt_reply.flags;
 reply_encpart.server = ticket_reply.server;
 /* copy the time fields EXCEPT for authtime; it's location is used for ktime */
Shawn.
--
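Review bot: The `min(client.expiration, client.pw_expiration)` added in the second hunk orders two `krb5_timestamp` values with a plain signed comparison, so if `krb5_timestamp` is a signed 32-bit type here (as it was in this era) any expiration past 2038 wraps negative and would be reported as the earlier of the two; if the KDB can hold such values, cast both operands to an unsigned 32-bit type before comparing. `min` is also not a C standard function, so this only builds if a `min` macro is already in scope in this file — otherwise spell the comparison out, e.g. `etime = (client.expiration < client.pw_expiration) ? client.expiration : client.pw_expiration;`. The comment should name the convention the branch relies on, since "if not zero" does not explain it: `/* 0 means "never expires"; only take the minimum when both are set. */`. The enclosing function starts and ends outside the hunk.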