[1634] in Kerberos_V5_Development
krb5 databases and kadmin
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sun Aug 25 11:45:58 1996
Date: Sun, 25 Aug 1996 11:45:55 -0400
From: Sam Hartman <hartmans@MIT.EDU>
To: krbcore@MIT.EDU
I recently converted a database that started its life as a
krb4 over to Beta 7 with the new admin system. I noticed a few things
that were somewhat surprising, and while I'm not sure they are bugs,
admins would certainly appreciate reading about them instead of
experiencing them unwarned.
* Most implementations of KRB4 code use 1/1/2000 or 12/31/1999 as the
expiration date for new principals. (BTW, will anyone be using
Kerberos in the year 2000?:-) I guess this had always been an issue,
but I just recently noticed that I should probably update my
expiration dates before the year 2000 rolled around. I guess the
loadv4 code could convert that date to never, although I'm not sure
that it should do this.
* I had never used the Beta 6 kadmin on my database, and the Beta 6
version of kdb5_edit didn't update the password change date when the
cpw command was used. Thus, all the last-password-changed dates in
the database were never. I didn't notice this, and I created a policy
and added most of my users to the policy. I created a 2-year maximum
life for passwords. Unfortunately, never == 1970, so all my passwords
suddenly expired.
* I tried to fix the problem by changing the maxlife on the policy.
However, this doesn't do anything for principals that already have the
policy; you need to re-modify these principals for it to take effect.
* If a principal has a policy, the -pwexpire flag doesn't do anything
useful.
--Sam
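
The interaction reported above between a last-password-change date of never and a policy's maximum password life, as an added example (not part of the original message and not krb5 code): a simplified Python model in which the expiry is stored on the principal when it is modified. The `Principal` class, the function names, the clock value and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

YEAR = 365 * 24 * 3600
NEVER = 0                  # "never" is stored as timestamp 0, i.e. 1 Jan 1970
NOW = 841_000_000          # constructed clock value: 25 Aug 1996

@dataclass
class Principal:
    name: str
    last_pwd_change: int           # seconds since the epoch; 0 means "never"
    policy: Optional[str] = None
    pw_expiration: int = NEVER     # stored on the principal; 0 means no expiry

def modify_principal(p, policies, policy):
    """Attach a policy and store the expiry derived from its max life."""
    p.policy = policy
    p.pw_expiration = p.last_pwd_change + policies[policy]

def is_expired(p, now=NOW):
    return p.pw_expiration != NEVER and p.pw_expiration <= now

def preflight(principals, max_life, now=NOW):
    """Principals whose password would expire at once under this max life."""
    return [p.name for p in principals if p.last_pwd_change + max_life <= now]

def sample_principals():
    # Constructed records: "alice" came through the conversion with a
    # last-change date of never, "bob" changed his password 100 days ago.
    return [Principal("alice", NEVER), Principal("bob", NOW - 100 * 86400)]

if __name__ == "__main__":
    policies = {"users": 2 * YEAR}
    people = sample_principals()
    print("would expire immediately:", preflight(people, policies["users"]))
    for p in people:
        modify_principal(p, policies, "users")
        print(p.name, "expired" if is_expired(p) else "ok")
    # Raising the policy's max life alone leaves the stored expiry untouched.
    policies["users"] = 40 * YEAR
    print("alice after policy change:", is_expired(people[0]))
    modify_principal(people[0], policies, "users")   # re-modify the principal
    print("alice after re-modify:", is_expired(people[0]))
```

Running a check like `preflight` before attaching a policy shows which principals need a real last-change date first.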