Unable to change Kerberos Ticket Life and Renewal Life

Dennis Davis D.H.Davis at bath.ac.uk
Thu Apr 18 07:22:00 EDT 2013


On Thu, 18 Apr 2013, Tiago Elvas wrote:

> From: Tiago Elvas <tiagoelvas at gmail.com>
> To: rohit sarewar <rohitsarewar at gmail.com>
> Cc: "kerberos at mit.edu" <kerberos at mit.edu>
> Date: Thu, 18 Apr 2013 10:00:02
> Subject: Re: Unable to change Kerberos Ticket Life and Renewal Life
> 
> I honestly don't know how to update all the users at the same time inside
> kadmin. However....
> 
> My guess would be to:
> 
>    - Create a keytab with root/admin credentials (I would suggest you
>    create a principal named root_script/admin or something)
>    - List all the principals in a bash script
>    - Loop in the list and modify all the principals using the keytab
>    previously created to connect through kadmin using the command:
>       - kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
>       - <query> should be a command as if you were inside kadmin:
>       "modprinc...." to do whatever you want

That should work.  An alternative is to write a perl program for
this kind of work.  You'll need a couple of perl modules:

http://search.cpan.org/~jhorwitz/Krb5-1.9/Krb5.pm

http://search.cpan.org/~sjquinney/Authen-Krb5-Admin-0.17/Admin.pm

I've just removed a large number of obsolete principals from our MIT
kerberos database using such a perl program built against the above
perl modules.  Worked a treat.

In a similar vein, we've recently introduced a simple default
kerberos policy to add password histories to our kerberos
principals.  I used a perl program to retroactively apply this
policy to all existing principals.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101
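
The keytab-driven loop suggested in the quoted reply, written out as an added example that is not part of either poster's message. The keytab path, the lifetimes ("1 day", "7 days"), the skip list and the `--live`/`APPLY` switches are assumptions; principal names are filtered against a strict character set so a name cannot alter the `-q` command line.

```shell
#!/bin/sh
# Added example, not from the thread. Principal, keytab and lifetimes are placeholders.
ADMIN_PRINC="${ADMIN_PRINC:-root_script/admin}"
KEYTAB="${KEYTAB:-/path/to/root_script.keytab}"
MAXLIFE="${MAXLIFE:-1 day}"
MAXRENEW="${MAXRENEW:-7 days}"
SKIP_RE="${SKIP_RE:-^(K/M|kadmin/|kiprop/)}"   # assumption: leave KDC-internal principals alone

# Run one kadmin command non-interactively, authenticating with the keytab.
run_query() { kadmin -p "$ADMIN_PRINC" -k -t "$KEYTAB" -q "$1"; }

# stdin: raw "listprincs" output. stdout: principals to modify.
# Drops the "Authenticating as principal ..." banner and any name with unsafe characters.
filter_principals() {
  grep -E '^[A-Za-z0-9._/-]+@[A-Za-z0-9.-]+$' | grep -Ev "$SKIP_RE" || true
}

build_query() {
  printf 'modprinc -maxlife "%s" -maxrenewlife "%s" %s\n' "$MAXLIFE" "$MAXRENEW" "$1"
}

# stdin: principal list. Prints each query; executes it only when APPLY=1.
apply_all() {
  while IFS= read -r princ; do
    q=$(build_query "$princ")
    if [ "${APPLY:-0}" = "1" ]; then
      run_query "$q" || echo "FAILED: $princ" >&2
    else
      echo "$q"
    fi
  done
}

# Constructed sample of listprincs output, for a dry run without a KDC.
sample_listprincs() {
  cat <<'EOF'
Authenticating as principal root_script/admin@EXAMPLE.COM with keytab /path/to/root_script.keytab.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
alice@EXAMPLE.COM
host/web1.example.com@EXAMPLE.COM
EOF
}
# Real use: "./script --live" prints the queries; add APPLY=1 to execute them.
if [ "${1:-}" = "--live" ]; then
  run_query "listprincs" | filter_principals | apply_all
fi
```

Running `sample_listprincs | filter_principals | apply_all` shows the queries that would be sent, which is worth reviewing before setting `APPLY=1`. The keytab holds admin credentials, so it should be readable only by the account that runs the script.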

