[37458] in Kerberos
Re: How to expire passwords for Kerberos user accounts
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 28 17:14:01 2016
To: "Ramaiah, Vanna G." <ramaiah@musc.edu>,
"kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <56F99E36.1090106@mit.edu>
Date: Mon, 28 Mar 2016 17:12:22 -0400
MIME-Version: 1.0
In-Reply-To: <AE3FEB1BD25D22479E9F293EBBF869B9F656A000@exg-mb11b.clinlan.local>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 03/28/2016 05:08 PM, Ramaiah, Vanna G. wrote:
> For existing accounts, I can run "kadmin: modprinc -policy userpolicy oldprinc"
> Why do I have to run this command "kadmin: modprinc -expire "180 days" oldprinc", if the policy is already applied?
The KDC only pays attention to the pwexpire field on the principal
entries; it doesn't look at the policy. The policy is applied by
kadmind (or kadmin.local) when passwords are changed, and sets the
pwexpire field on the principals.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
