[OpenAFS] Bad max lifetime when using afs2k5db
Evan Anderson
jrh-afs@lore.dartmouth.edu
Tue, 01 Jun 2004 13:03:54 -0400

I've been attempting to make the transition from kaserver to MIT
Kerberos 5, using version 2.0 of Ken Hornstein's AFS->K5 toolkit. I
have Kerberos 5 working with users I've created in Kerberos 5, and even
working through a cross-realm trust with an Active Directory. I'm still
working on the best way to convert our management tools from kas to
kadmin, but I have a couple clues that may make it easier. :-)

Unfortunately, I think I've hit a snag importing users from our kaserver
database to the MIT Kerberos 5 server. I can copy over the kaserver.DB0
and run `afs2k5db ./kaserver.DB0 <list of accounts>`, and save the
resulting output to a file. But when I import those accounts to the MIT
database with `krb5_util load -update testa2k.out`, the accounts which
are created in the MIT database have bogus 'max lifetime' values like
'-21676 days -4:-20:-16' or '-15441 days -3:-48:-16'.

Obviously, this leads the K5 client to be rather upset, complaining
"ASN.1 failed called to system time library while getting initial
credentials". The expiry date of the accounts seems to be set oddly
into the future (Wed, Dec. 30, 19:00:00 EST 2037), but I'm not too
worried about that right now.

I can easily set these to the appropriate value (1 day) using kadmin,
but I'm looking at moving 2000 users over, and I don't want to have to
do this one-by-one. Am I hitting an odd bug, or do I just lose this
information (we have some users who get tokens that don't expire for a
week, because they have long-running AFS jobs)?
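
An added example, not part of the original post or of the AFS->K5 toolkit: it flags lifetime strings in the form quoted in the message and emits one kadmin `modprinc -maxlife` line per affected principal, so the repair can be reviewed and run as a batch. The principal names, the override table and the assumption that (principal, lifetime) pairs have already been collected are constructed for illustration.

```python
import re

# Lifetime text in the form quoted in the post, e.g. '-21676 days -4:-20:-16'.
LIFE_RE = re.compile(r"^\s*(-?\d+)\s+days?\s+(-?\d+):(-?\d+):(-?\d+)\s*$")
# Conservative principal syntax so a name cannot break the generated command.
PRINC_RE = re.compile(r"^[A-Za-z0-9._/@-]+$")


def lifetime_seconds(text):
    """Convert 'D days H:M:S' to signed seconds; raise if unparseable."""
    m = LIFE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def is_bogus(text):
    """True if the lifetime is unparseable, has a negative field, or is <= 0."""
    m = LIFE_RE.match(text)
    if not m:
        return True
    fields = [int(x) for x in m.groups()]
    return any(f < 0 for f in fields) or lifetime_seconds(text) <= 0


def repair_commands(principals, default="1 day", overrides=None):
    """Build kadmin 'modprinc -maxlife' lines for principals with bad lifetimes.

    principals: iterable of (name, lifetime_text) pairs (assumed input).
    overrides:  name -> lifetime for accounts that need more than the default,
                e.g. the week-long tokens the post mentions (hypothetical table).
    """
    overrides = overrides or {}
    commands = []
    for name, life in principals:
        if not PRINC_RE.match(name):
            raise ValueError(f"refusing unusual principal name: {name!r}")
        if is_bogus(life):
            want = overrides.get(name, default)
            commands.append(f'modprinc -maxlife "{want}" {name}')
    return commands


# Constructed sample data; the two bad values are the ones quoted in the post.
SAMPLE = [
    ("alice@EXAMPLE.ORG", "-21676 days -4:-20:-16"),
    ("bob@EXAMPLE.ORG", "1 day 00:00:00"),
    ("carol@EXAMPLE.ORG", "-15441 days -3:-48:-16"),
]
```

The original kaserver lifetimes are not recovered by this; accounts that need a longer value have to be listed in `overrides` from another record.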