Identified the problem to be not setting KADM5_PW_EXPIRATION in the db entry mask.

krb5-1.17/src/kadmin/dbutil/dump.c

process_k5beta7_princ()

Add KADM5_PW_EXPIRATION to mask:

Change:

dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
        KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
        KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
        KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;

To:

dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
        KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
        KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
        KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT | KADM5_PW_EXPIRATION;
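
An added illustration, not part of the original message and not krb5 code: a reduced model of why a missing mask bit loses the password expiration on load, plus a check that flags populated fields the mask omits. It assumes the storage side persists only fields whose bit is set in the mask; the struct, the functions and the bit values are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Names follow the page; bit values are constructed, not from kadm5 headers. */
#define KADM5_PRINC_EXPIRE_TIME 0x1u
#define KADM5_PW_EXPIRATION     0x2u
#define KADM5_MAX_LIFE          0x4u

/* Hypothetical, reduced principal record (times as epoch seconds). */
struct entry {
    uint32_t mask, princ_expire_time, pw_expiration, max_life;
};

/* Bits of fields holding data that the mask omits (they would be dropped). */
static uint32_t unflagged_fields(const struct entry *e)
{
    uint32_t have = 0;
    if (e->princ_expire_time) have |= KADM5_PRINC_EXPIRE_TIME;
    if (e->pw_expiration)     have |= KADM5_PW_EXPIRATION;
    if (e->max_life)          have |= KADM5_MAX_LIFE;
    return have & ~e->mask;
}

/* Assumed backend behaviour: persist only fields whose bit is set in mask. */
static struct entry store_entry(const struct entry *src)
{
    struct entry out = { src->mask, 0, 0, 0 };
    if (src->mask & KADM5_PRINC_EXPIRE_TIME) out.princ_expire_time = src->princ_expire_time;
    if (src->mask & KADM5_PW_EXPIRATION)     out.pw_expiration = src->pw_expiration;
    if (src->mask & KADM5_MAX_LIFE)          out.max_life = src->max_life;
    return out;
}

/* Constructed sample record, as if parsed from a dump, with the given mask. */
static struct entry parsed_sample(uint32_t mask)
{
    struct entry e = { mask, 1900000000u, 1700000000u, 86400u };
    return e;
}

int main(void)
{
    struct entry b = parsed_sample(KADM5_PRINC_EXPIRE_TIME | KADM5_MAX_LIFE);
    struct entry a = parsed_sample(b.mask | KADM5_PW_EXPIRATION);
    printf("before: dropped=0x%x pw_exp=%u\n", (unsigned)unflagged_fields(&b), (unsigned)store_entry(&b).pw_expiration);
    printf("after:  dropped=0x%x pw_exp=%u\n", (unsigned)unflagged_fields(&a), (unsigned)store_entry(&a).pw_expiration);
    return 0;
}
```

In this model a stored pw_expiration of 0 stands for "no expiration recorded", so the "before" mask turns an expiring password into a non-expiring one without any error.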