[37455] in Kerberos


RE: How to expire passwords for Kerberos user accounts

daemon@ATHENA.MIT.EDU (Ramaiah, Vanna G.)
Mon Mar 28 17:01:11 2016

From: "Ramaiah, Vanna G." <ramaiah@musc.edu>
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 28 Mar 2016 21:00:47 +0000
Message-ID: <AE3FEB1BD25D22479E9F293EBBF869B9F6569FB6@exg-mb11b.clinlan.local>
In-Reply-To: <56F999DE.9040209@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thank you. How to exclude service accounts from this password expiration? I guess, if I don't run the command "kadmin: modprinc -policy userpolicy oldprinc" for service accounts and create a policy with name other than default, service accounts will remain untouched. Is that correct?


-----Original Message-----
From: Greg Hudson [mailto:ghudson@mit.edu] 
Sent: Monday, March 28, 2016 4:54 PM
To: Ramaiah, Vanna G.; kerberos@mit.edu
Subject: Re: How to expire passwords for Kerberos user accounts



On 03/28/2016 02:30 PM, Ramaiah, Vanna G. wrote:
> We have a state mandated rule that we have to expire the password of user accounts every 180 days. Could you please let me know how to do that for all current users and new users in Kerberos? Should I apply a policy using -maxlife?

You likely want to do two things:

1. Modify an existing password policy object, or create a new one, with a maximum life of 180 days.  For example:

    kadmin: modpol -maxlife "180 days" userpolicy

or

    kadmin: addpol -maxlife "180 days" userpolicy

You need to make sure this policy object is associated with all existing and future user principals.  Example commands:

    kadmin: modprinc -policy userpolicy oldprinc
    kadmin: addprinc -policy userpolicy newprinc

If you name a policy object "default", the kadmin addprinc command will use it by default, but applies to all principals (e.g. server principals), not just user principals.

2. Set a password expiration time on existing principals.  For example:

    kadmin: modprinc -expire "180 days" oldprinc

Unfortunately, we do not have any batch modification facilities in kadmin, so it's up to you to script these commands to run over existing principals.  Some features which might help are:

* You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to create a ccache, and then use "kadmin -c /path/to/ccache" to avoid having to authenticate for each command.  Alternatively, you can just use kadmin.local on the master KDC.

* In 1.14, you can specify a command on the kadmin or kadmin.local command line after the options, like:

    kadmin.local modprinc -expire "180 days" oldprinc

In prior releases, you must use the slightly more awkward:

    kadmin.local -q 'modprinc -expire "180 days" oldprinc'



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
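The reply above leaves the per-principal loop to the reader and the follow-up asks how to keep service accounts out of it. The script below is an added example, not from the thread or from the MIT Kerberos project: it classifies principals with a simple heuristic (no instance component before the "@" means a user account, so host/..., krbtgt/..., kadmin/... and admin instances such as bob/admin are skipped), prints the kadmin commands it would run as a dry run on constructed sample data, and has an apply_plan function that feeds the real listprincs output through kadmin.local using the pre-1.14 -q form. The policy name "userpolicy" and the 180-day value come from the thread; the realm EXAMPLE.COM, the sample principal names and the function names are constructed. One deliberate difference from the reply: the example uses modprinc -pwexpire, which sets the password expiration date, rather than -expire, which sets the expiration date of the principal itself.

```shell
#!/bin/sh
# Added example (not from the thread): apply the 180-day policy and a
# password expiry to user principals only, leaving service principals
# untouched. "userpolicy" and "180 days" come from the thread; the
# classification heuristic and function names are assumptions.

KADMIN=${KADMIN:-kadmin.local}   # run on the master KDC, as suggested
POLICY=${POLICY:-userpolicy}
MAXLIFE="180 days"

# Heuristic classification: a principal whose name has no instance
# component (no "/" before the "@") is treated as a user account.
# host/..., HTTP/..., kadmin/..., krbtgt/..., K/M and admin instances
# such as user/admin all fall on the service side and are skipped.
# Returns 0 for a user principal, 1 otherwise.
is_user_principal() {
    primary=${1%%@*}             # drop the realm part
    case "$primary" in
        "" | */*) return 1 ;;    # empty or has an instance: not a user
    esac
    return 0
}

# Print the kadmin commands for one user principal, one per line.
# -pwexpire sets the password expiration; -expire would set the
# expiration of the principal itself.
commands_for() {
    printf 'modprinc -policy %s %s\n' "$POLICY" "$1"
    printf 'modprinc -pwexpire "%s" %s\n' "$MAXLIFE" "$1"
}

# Read principal names from stdin (one per line) and print the commands
# that would be run for the user principals among them. Pure dry run;
# nothing touches the KDC.
plan_from_list() {
    while IFS= read -r princ; do
        if is_user_principal "$princ"; then
            commands_for "$princ"
        fi
    done
}

# Pull the real principal list and apply the plan with the pre-1.14
# "-q" form from the reply. listprincs prints an "Authenticating as
# principal ..." banner first; keeping only single-token lines that
# contain "@" filters that banner out.
apply_plan() {
    "$KADMIN" -q listprincs | grep '^[^[:space:]]*@[^[:space:]]*$' \
      | plan_from_list | while IFS= read -r cmd; do
          echo "applying: $cmd"
          "$KADMIN" -q "$cmd"
      done
}

# Constructed sample in the shape of listprincs output (minus the
# banner), used for the stand-alone dry run below.
SAMPLE_PRINCS='alice@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
bob@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
bob/admin@EXAMPLE.COM'

# Dry run: shows which commands would be applied, and to whom.
printf '%s\n' "$SAMPLE_PRINCS" | plan_from_list
```

Run the file as-is to see the dry-run plan; call apply_plan from it (as root on the master KDC, so kadmin.local can open the database directly) once the plan looks right. If some service accounts in your realm have no instance component, add them to the case statement in is_user_principal or attach them to a separate policy first, since the heuristic alone will treat them as users.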
