adclient.krb5.password.change.verify.retries

This configuration parameter controls how many times adkeytab, running in the background, retries verification of a password change.

In some Active Directory environments, such as those employing a read-only domain controller (RODC), Kerberos password changes may not be verified through adclient due to a replication delay. As a result of this delay, the new password is not saved to the keytab file. When this parameter is set to a value other than 0, adclient will retry verification of the new password a corresponding number of times.

If your RODC has latency problems, you may want to address this by setting adkeytab to attempt to verify password changes multiple times. For example, to direct adkeytab to attempt a total of 4 password change verifications, you would set this parameter to 3 as follows:

adclient.krb5.password.change.verify.retries: 3

The time between verification attempts can be set using the adclient.krb5.password.change.verify.interval configuration parameter.

The default setting for this parameter is 0, meaning that adkeytab will not try to verify password changes after the initial attempt.