Difference between 'expiration date' and 'Password expiration date'?
Mitchell E Berger
mitchb at MIT.EDU
Wed Mar 19 04:13:32 EST 2003
> > If you know that at a certain time, the individual with that principal
> > is going to be leaving your company/school/whatever, this is a good way
> > to ensure that they can no longer authenticate to your KDC after that
> > time.
...
> Why would I expire the PRINCIPAL, when I solve the above issue by expiring the
> password? If the password is expired, the account can't be used... I'm not
> getting it...
This isn't actually the case; an expired password can be reset by the user,
while the user can't do anything about an expired principal. You can convince
yourself with an experiment along these lines:
(On a ZONE.MIT.EDU KDC)

kadmin.local: ank mitchb/expired@ZONE.MIT.EDU
WARNING: no policy specified for mitchb/expired@ZONE.MIT.EDU; defaulting to no policy
Enter password for principal "mitchb/expired@ZONE.MIT.EDU":
Re-enter password for principal "mitchb/expired@ZONE.MIT.EDU":
Principal "mitchb/expired@ZONE.MIT.EDU" created.
kadmin.local: modprinc -pwexpire yesterday mitchb/expired@ZONE.MIT.EDU
Principal "mitchb/expired@ZONE.MIT.EDU" modified.

(Now on a client machine)

$ kinit mitchb/expired@ZONE.MIT.EDU
Password for mitchb/expired@ZONE.MIT.EDU:
Password expired. You must change it now.
Enter new password:
Enter it again:
$ klist
Ticket cache: FILE:/tmp/krb5cc_4347
Default principal: mitchb/expired@ZONE.MIT.EDU

Valid starting     Expires            Service principal
03/19/03 04:10:19  03/19/03 14:10:19  krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU

However... (back on the KDC)

kadmin.local: modprinc -expire yesterday mitchb/expired@ZONE.MIT.EDU
Principal "mitchb/expired@ZONE.MIT.EDU" modified.

(and back on the client machine)

$ kinit mitchb/expired@ZONE.MIT.EDU
kinit(v5): Client's entry in database has expired while getting initial credentials
Mitch
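The distinction Mitch demonstrates above (an expired password only forces a change at kinit time, an expired principal entry blocks initial credentials outright) is worth checking across a whole realm rather than one principal at a time. The following script is an added example, not part of the original post and not MIT Kerberos code: it parses the text that `kadmin -q "getprinc <principal>"` prints, reads the `Expiration date:` and `Password expiration date:` fields, and classifies each principal accordingly. The sample output embedded in it is constructed for the example (a subset of the fields kadmin really prints), the realm EXAMPLE.ORG and the principal names are invented, and the date values are treated as KDC-local time with the zone token dropped, which is an assumption of this script.

```python
"""Classify Kerberos principals by expiration state from kadmin getprinc text.

Added example (not from the original mailing-list post). It distinguishes the
two cases the post demonstrates:
  - password expired  : kinit still works but forces a password change
  - principal expired : kinit fails with "Client's entry in database has expired"
"""
from datetime import datetime

# Constructed sample output, shaped like `kadmin -q "getprinc ..."` for three
# principals (only the fields this script reads are included; names invented).
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@EXAMPLE.ORG
Expiration date: [never]
Last password change: Mon Mar 17 09:00:00 EST 2003
Password expiration date: Tue Mar 18 00:00:00 EST 2003
Maximum ticket life: 0 days 10:00:00

Principal: bob@EXAMPLE.ORG
Expiration date: Tue Mar 18 00:00:00 EST 2003
Last password change: Mon Mar 17 09:00:00 EST 2003
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00

Principal: carol@EXAMPLE.ORG
Expiration date: [never]
Last password change: Mon Mar 17 09:00:00 EST 2003
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
"""


def parse_kadmin_date(text):
    """Parse a kadmin date such as 'Tue Mar 18 00:00:00 EST 2003'.

    Returns None for '[never]'. The timezone token (5th word) is dropped and
    the value is treated as KDC-local naive time; that is an assumption made
    here so the example runs without locale/zone knowledge.
    """
    text = text.strip()
    if text == "[never]":
        return None
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"unrecognised kadmin date: {text!r}")
    del parts[4]  # drop the zone abbreviation (e.g. EST)
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_getprinc(output):
    """Split getprinc output into {principal: {field: value}}."""
    entries = {}
    current = None
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Principal":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return entries


def classify(entry, now):
    """Return 'principal-expired', 'password-expired' or 'active'.

    Principal expiration is checked first because it overrides everything:
    an expired entry gets no initial credentials regardless of the password.
    """
    expires = parse_kadmin_date(entry.get("Expiration date", "[never]"))
    pw_expires = parse_kadmin_date(entry.get("Password expiration date", "[never]"))
    if expires is not None and expires <= now:
        return "principal-expired"   # kinit: "Client's entry in database has expired"
    if pw_expires is not None and pw_expires <= now:
        return "password-expired"    # kinit: "Password expired. You must change it now."
    return "active"


def audit(output, now):
    """Classify every principal found in a getprinc dump."""
    return {name: classify(fields, now) for name, fields in parse_getprinc(output).items()}


if __name__ == "__main__":
    # Fixed 'now' matching the date of the original post, so the run is reproducible.
    for name, state in audit(SAMPLE_GETPRINC_OUTPUT, datetime(2003, 3, 19, 4, 13, 32)).items():
        print(f"{name:24} {state}")
```

In a real audit you would feed it the concatenated output of `kadmin -q "getprinc ..."` for each principal returned by `listprincs` and pass `datetime.now()` as the reference time; a principal reported as `password-expired` is still usable by its owner, which is exactly why an offboarding procedure should set `-expire` rather than only `-pwexpire`.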