Unable to change Kerberos Ticket Life and Renewal Life
Dennis Davis
D.H.Davis at bath.ac.uk
Thu Apr 18 07:22:00 EDT 2013
On Thu, 18 Apr 2013, Tiago Elvas wrote:
> From: Tiago Elvas <tiagoelvas at gmail.com>
> To: rohit sarewar <rohitsarewar at gmail.com>
> Cc: "kerberos at mit.edu" <kerberos at mit.edu>
> Date: Thu, 18 Apr 2013 10:00:02
> Subject: Re: Unable to change Kerberos Ticket Life and Renewal Life
>
> I honestly don't know how to update all the users at the same time inside
> kadmin. However....
>
> My guess would be to:
>
> - Create a keytab with root/admin credentials (I would suggest you
> create a principal named root_script/admin or something)
> - List all the principals in a bash script
> - Loop in the list and modify all the principals using the keytab
> previously created to connect through kadmin using the command:
> - kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
> - <query> should be something like a command as if you were inside kadmin:
> "modprinc...." to do whatever you want

That should work. An alternative is to write a perl program for
this kind of work. You'll need a couple of perl modules:

http://search.cpan.org/~jhorwitz/Krb5-1.9/Krb5.pm
http://search.cpan.org/~sjquinney/Authen-Krb5-Admin-0.17/Admin.pm

I've just removed a large number of obsolete principals from our MIT
kerberos database using such a perl program built against the above
perl modules. Worked a treat.

In a similar vein, we've recently introduced a simple default
kerberos policy to add password histories to our kerberos
principals. I used a perl program to retroactively apply this
policy to all existing principals.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk Phone: +44 1225 386101
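
The keytab-driven loop suggested in the quoted message, written out as an added example that is not part of the original thread. The keytab path, the lifetime values, the skip list and the function names are assumptions; `root_script/admin` is the principal name proposed in the thread.

```shell
#!/bin/sh
# Added example: bulk-apply ticket lifetimes through kadmin with a keytab.
# Assumed values (not from the thread): keytab path, lifetimes, skip list.
ADMIN_PRINC="root_script/admin"                      # name suggested in the thread
KEYTAB="${KEYTAB:-/etc/krb5kdc/root_script.keytab}"  # assumed path
MAXLIFE="${MAXLIFE:-10 hours}"                       # assumed value
MAXRENEW="${MAXRENEW:-7 days}"                       # assumed value

# Read principal names on stdin, print one modprinc query per line.
# Built-in principals are skipped so they are only ever changed by hand.
# Names with characters outside a conservative set are rejected, so a
# principal name can never inject extra options into the kadmin query;
# this also drops any banner line that kadmin prints before the list.
build_queries() {
  while IFS= read -r p; do
    case "$p" in
      ''|K/M@*|kadmin/*|kiprop/*|krbtgt/*) continue ;;
    esac
    case "$p" in
      *[!A-Za-z0-9._/@-]*|*@*@*) echo "skipping: $p" >&2; continue ;;
      *@*) ;;
      *) echo "skipping: $p" >&2; continue ;;
    esac
    printf 'modprinc -maxlife "%s" -maxrenewlife "%s" %s\n' \
      "$MAXLIFE" "$MAXRENEW" "$p"
  done
}

# One authenticated kadmin call per query, as in the quoted command line.
run_kadmin() { kadmin -p "$ADMIN_PRINC" -k -t "$KEYTAB" -q "$1" </dev/null; }

# List every principal, then modify each one; report failures and carry on.
apply_all() {
  run_kadmin "listprincs" | build_queries | while IFS= read -r q; do
    run_kadmin "$q" || echo "FAILED: $q" >&2
  done
}

# Nothing runs without an explicit mode: --dry-run prints the queries,
# --apply executes them.
if [ "${1:-}" = "--dry-run" ]; then
  run_kadmin "listprincs" | build_queries
elif [ "${1:-}" = "--apply" ]; then
  apply_all
fi
```

The keytab for an admin principal is as sensitive as its password, so keep it readable only by the account that runs the script and limit that principal's rights in kadm5.acl to what the job needs.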