How to expire passwords for Kerberos user accounts

Greg Hudson ghudson at mit.edu
Mon Mar 28 16:53:50 EDT 2016


On 03/28/2016 02:30 PM, Ramaiah, Vanna G. wrote:
> We have a state mandated rule that we have to expire the password of user accounts every 180 days. Could you please let me know how to do that for all current users and new users in Kerberos? Should I apply a policy using -maxlife?

You likely want to do two things:

1. Modify an existing password policy object, or create a new one, with
a maximum life of 180 days.  For example:

    kadmin: modpol -maxlife "180 days" userpolicy

or

    kadmin: addpol -maxlife "180 days" userpolicy

You need to make sure this policy object is associated with all existing
and future user principals.  Example commands:

    kadmin: modprinc -policy userpolicy oldprinc
    kadmin: addprinc -policy userpolicy newprinc

If you name a policy object "default", the kadmin addprinc command will
use it by default, but it applies to all principals (e.g. server
principals), not just user principals.

2. Set a password expiration time on existing principals.  For example:

    kadmin: modprinc -pwexpire "180 days" oldprinc

Unfortunately, we do not have any batch modification facilities in
kadmin, so it's up to you to script these commands to run over existing
principals.  Some features which might help are:

* You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to
create a ccache, and then use "kadmin -c /path/to/ccache" to avoid
having to authenticate for each command.  Alternatively, you can just
use kadmin.local on the master KDC.

* In 1.14, you can specify a command on the kadmin or kadmin.local
command line after the options, like:

    kadmin.local modprinc -pwexpire "180 days" oldprinc

In prior releases, you must use the slightly more awkward:

    kadmin.local -q 'modprinc -pwexpire "180 days" oldprinc'
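The scripting the reply leaves to the reader, as an added example that is not part of the original message: it turns a principal list into the step 1 and step 2 commands for user principals only, skipping anything with an instance component such as host/, kadmin/ or krbtgt/. The policy name `userpolicy`, the realm EXAMPLE.COM and the sample principal list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original message). Builds the kadmin commands
# for every user principal in a list; POLICY and the sample data are assumed.

POLICY="${POLICY:-userpolicy}"

# Read one principal per line on stdin, print one kadmin command per line.
# Only principals with no instance component (no '/') are treated as users,
# so service, admin and krbtgt principals are left alone.
build_cmds() {
    while IFS= read -r princ; do
        case "$princ" in
            ''|*/*) continue ;;   # skip blank lines and non-user principals
        esac
        printf 'modprinc -policy %s %s\n' "$POLICY" "$princ"
        printf 'modprinc -pwexpire "180 days" %s\n' "$princ"
    done
}

# Feed each generated command to kadmin.local with the pre-1.14 -q form
# (the 1.14+ form "kadmin.local modprinc ..." would work the same way).
apply_cmds() {
    build_cmds | while IFS= read -r cmd; do
        kadmin.local -q "$cmd"
    done
}

# Constructed sample standing in for the output of "listprincs".
SAMPLE='K/M@EXAMPLE.COM
alice@EXAMPLE.COM
bob@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Dry run: print the commands without touching the KDC.
printf '%s\n' "$SAMPLE" | build_cmds

# Against a real KDC, on the master, keeping only the principal lines:
#   kadmin.local -q listprincs 2>/dev/null | grep '@' | apply_cmds
```

Review the dry-run output before piping it into apply_cmds, since the `/` filter is a convention and any user principal carrying an instance would be skipped.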
