Re: How to expire passwords for Kerberos user accounts
daemon@ATHENA.MIT.EDU (William Clark)
Tue Mar 29 15:10:38 2016
From: William Clark <majorgearhead@gmail.com>
Message-Id: <085D1B97-9587-46E3-A104-CFE99FCBCB78@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Date: Tue, 29 Mar 2016 15:10:18 -0400
To: kerberos@mit.edu
In-Reply-To: <mailman.326.1459199843.29302.kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
I believe there is an error in the commands you have given out. If you use the -expire switch it sets an expiry date on the principal itself and not the principal PW. I believe the switch you need is -pwexpire. Correct me if I am wrong, but I tested with my KDCs and confirmed.
William Clark
>
> You need to make sure this policy object is associated with all existing and future user principals. Example commands:
>
> kadmin: modprinc -policy userpolicy oldprinc
> kadmin: addprinc -policy userpolicy newprinc
>
> If you name a policy object "default", the kadmin addprinc command will use it by default, but applies to all principals (e.g. server principals), not just user principals.
>
> 2. Set a password expiration time on existing principals. For example:
>
> kadmin: modprinc -expire "180 days" oldprinc
>
> Unfortunately, we do not have any batch modification facilities in kadmin, so it's up to you to script these commands to run over existing principals. Some features which might help are:
>
> * You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to create a ccache, and then use "kadmin -c /path/to/ccache" to avoid having to authenticate for each command. Alternatively, you can just use kadmin.local on the master KDC.
>
> * In 1.14, you can specify a command on the kadmin or kadmin.local command line after the options, like:
>
> kadmin.local modprinc -expire "180 days" oldprinc
>
> In prior releases, you must use the slightly more awkward:
>
> kadmin.local -q 'modprinc -expire "180 days" oldprinc'
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
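As an added example (not part of this thread or of the MIT Kerberos distribution), a POSIX sh script that does the scripted sweep over existing principals which the quoted reply describes, using -pwexpire per the follow-up. It assumes user principals are the ones with no instance component (no '/') and uses the pre-1.14 "kadmin.local -q" form; by default it only prints the commands, and APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not from the thread: script the per-principal loop that
# kadmin lacks, using -pwexpire (password expiry) rather than -expire
# (principal expiry).  Assumptions: principals without an instance ('/')
# are the user principals; pre-1.14 "kadmin.local -q" form is used.
# Default is a dry run that prints the commands; APPLY=1 executes them.

PWEXPIRE="${PWEXPIRE:-180 days}"
KADMIN="${KADMIN:-kadmin.local}"   # or "kadmin -c /path/to/ccache" after kinit -S kadmin/admin

# Constructed list_principals output, used only by the dry-run demo below.
SAMPLE_LISTING='alice@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
K/M@EXAMPLE.COM
bob@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Keep only user principals from a list_principals listing on stdin: drop
# anything with an instance (host/..., krbtgt/..., K/M, kadmin/admin).
select_user_principals() {
    grep -v '/' || true
}

# Build the kadmin command for one principal.  -pwexpire sets the
# password expiry; -expire would expire the principal itself.
build_pwexpire_cmd() {
    printf 'modprinc -pwexpire "%s" %s\n' "$1" "$2"
}

# One kadmin invocation per principal read from stdin.
apply_pwexpire() {
    while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        cmd=$(build_pwexpire_cmd "$PWEXPIRE" "$princ")
        if [ "${APPLY:-0}" = 1 ]; then
            $KADMIN -q "$cmd"                       # unquoted: KADMIN may carry options
        else
            printf "%s -q '%s'\n" "$KADMIN" "$cmd"
        fi
    done
}

# Dry-run demo over the constructed listing; returns the commands it would run.
demo_dry_run() {
    printf '%s\n' "$SAMPLE_LISTING" | select_user_principals | apply_pwexpire
}

# Real run against the KDB:  ./pwexpire.sh run   (add APPLY=1 to actually apply)
if [ "${1:-}" = run ]; then
    $KADMIN -q list_principals | select_user_principals | apply_pwexpire
fi
```

Check the dry-run output against the principal list before setting APPLY=1, since every principal without a '/' will be touched, including any local service accounts named that way.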