[37462] in Kerberos


Re: How to expire passwords for Kerberos user accounts

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Mar 29 15:20:45 2016

To: William Clark <majorgearhead@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <56FAD578.2040504@mit.edu>
Date: Tue, 29 Mar 2016 15:20:24 -0400
In-Reply-To: <085D1B97-9587-46E3-A104-CFE99FCBCB78@gmail.com>

On 03/29/2016 03:10 PM, William Clark wrote:
> I believe there is an error in the commands you have given out. If you use the -expire switch it sets an expiry date on the principal itself and not the principal PW. I believe the switch you need is -pwexpire. Correct me if I am wrong, but I tested with my KDCs and confirmed.

Whoops, you're right; I was thinking -pwexpire, but typed -expire in the
mail buffer.

I should also mention that 'kadmin modprinc -pwexpire "180 days"' will
set a password expiration of 180 days from the current date, not from
the date of last password modification.  Retroactively applying a
password expiration policy to the last password modification date is
possible in theory, but not simple.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
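
Added example, not part of the original message or of MIT Kerberos: a sketch of the retroactive case mentioned above, deriving an absolute -pwexpire date from the "Last password change" line of `getprinc` output instead of from today's date. The sample output, the principal name, the helper names and the yyyy-mm-dd date form passed to -pwexpire are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `kadmin getprinc` output (not taken from the thread).
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 04 10:00:00 EST 2016
Password expiration date: [never]
"""

# Assumed layout: weekday, month, day, time, zone abbreviation, year.
_LAST_CHANGE = re.compile(
    r"^Last password change: \w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})$",
    re.MULTILINE,
)


def last_password_change(getprinc_output):
    """Return the last password change as a naive datetime, or None.

    None covers "[never]" and any line that does not match the assumed
    layout. The zone abbreviation is dropped: with a policy measured in
    days, the expiry is only computed to calendar-date precision.
    """
    m = _LAST_CHANGE.search(getprinc_output)
    if m is None:
        return None
    mon, day, clock, year = m.groups()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def pwexpire_query(principal, getprinc_output, max_age_days=180):
    """Build a kadmin query that anchors expiry to the last password change.

    Returns None when no change date is recorded, so such principals can be
    reviewed by hand rather than silently given a date.
    """
    changed = last_password_change(getprinc_output)
    if changed is None:
        return None
    expires = (changed + timedelta(days=max_age_days)).date()
    # A date already in the past means the password is expired immediately.
    return f'modprinc -pwexpire "{expires.isoformat()}" {principal}'


if __name__ == "__main__":
    print(pwexpire_query("alice@EXAMPLE.COM", SAMPLE_GETPRINC))
```

Review the generated queries before running them: any principal whose computed date is already past will have to change its password at the next login.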

