The password server does not publish the information you need. However, it is often possible to figure out the expiration date by checking the kerberos database. If you run:
kadmin.local -q "getprinc <principal-name>"
(notice the command after the -q is quoted)
it returns:
Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: principal@EXAMPLE.COM
Expiration date: [never]
Last password change: Sun Feb 26 16:16:07 PST 2006
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Feb 26 16:16:07 PST 2006 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes:
Policy: [none]
Now, if you know the policy is set to expire passwords every 30 days, you can use the "Last password change" field to calculate when the password will expire.
Mac OS X (10.4.6)