How to expire passwords for Kerberos user accounts

Ramaiah, Vanna G. ramaiah at musc.edu
Mon Mar 28 17:00:47 EDT 2016


Thank you. How to exclude service accounts from this password expiration? I guess, if I don't run the command "kadmin: modprinc -policy userpolicy oldprinc" for service accounts and create a policy with a name other than default, service accounts will remain untouched. Is that correct?


-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu]
Sent: Monday, March 28, 2016 4:54 PM
To: Ramaiah, Vanna G.; kerberos at mit.edu
Subject: Re: How to expire passwords for Kerberos user accounts

On 03/28/2016 02:30 PM, Ramaiah, Vanna G. wrote:
> We have a state mandated rule that we have to expire the password of user accounts every 180 days. Could you please let me know how to do that for all current users and new users in Kerberos? Should I apply a policy using -maxlife?

You likely want to do two things:

1. Modify an existing password policy object, or create a new one, with a maximum life of 180 days.  For example:

    kadmin: modpol -maxlife "180 days" userpolicy

or

    kadmin: addpol -maxlife "180 days" userpolicy

You need to make sure this policy object is associated with all existing and future user principals.  Example commands:

    kadmin: modprinc -policy userpolicy oldprinc
    kadmin: addprinc -policy userpolicy newprinc

If you name a policy object "default", the kadmin addprinc command will use it by default, but it applies to all principals (e.g. server principals), not just user principals.

2. Set a password expiration time on existing principals.  For example:

    kadmin: modprinc -expire "180 days" oldprinc

Unfortunately, we do not have any batch modification facilities in kadmin, so it's up to you to script these commands to run over existing principals.  Some features which might help are:

* You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to create a ccache, and then use "kadmin -c /path/to/ccache" to avoid having to authenticate for each command.  Alternatively, you can just use kadmin.local on the master KDC.

* In 1.14, you can specify a command on the kadmin or kadmin.local command line after the options, like:

    kadmin.local modprinc -expire "180 days" oldprinc

In prior releases, you must use the slightly more awkward:

    kadmin.local -q 'modprinc -expire "180 days" oldprinc'
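Scripting the per-principal step described above, while leaving service principals untouched as asked in the reply, as an added shell example that is not from either message; it assumes kadmin.local on the master KDC, a "userpolicy" policy already created with addpol as above, and that service principals are the ones with an instance component (host/..., HTTP/...) while user principals have none:

```sh
#!/bin/sh
# Added example, not from the thread. Assumes kadmin.local is on PATH, the
# "userpolicy" policy already exists (created with addpol as above), and that
# user principals have no instance component while service principals do.
POLICY="${POLICY:-userpolicy}"   # policy name used in the thread
EXPIRE="${EXPIRE:-180 days}"
DRY_RUN="${DRY_RUN:-1}"          # DRY_RUN=0 runs kadmin.local for real
# A principal counts as a user account when it has no "/" instance part; this
# also skips krbtgt/REALM, kadmin/admin, K/M and user/admin principals.
is_user_principal() {
    case "$1" in
        */*) return 1 ;;
        *)   return 0 ;;
    esac
}
# Read listprincs output on stdin and print only the user principals.
filter_user_principals() {
    while IFS= read -r princ; do
        if [ -n "$princ" ] && is_user_principal "$princ"; then
            printf '%s\n' "$princ"
        fi
    done
    return 0
}
# Print (dry run) or execute the two kadmin.local commands from the thread for
# one principal, using the -q form that also works on releases before 1.14.
apply_to_principal() {
    for cmd in "modprinc -policy $POLICY $1" "modprinc -expire \"$EXPIRE\" $1"; do
        if [ "$DRY_RUN" = 1 ]; then
            printf "kadmin.local -q '%s'\n" "$cmd"
        else
            kadmin.local -q "$cmd" || return 1
        fi
    done
}
# Constructed sample of listprincs output for the dry run, so the script can be
# exercised without a KDC; a real run reads the live principal list instead.
list_principals() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' 'alice@EXAMPLE.COM' 'host/kdc.example.com@EXAMPLE.COM' \
            'bob@EXAMPLE.COM' 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
    else
        kadmin.local -q listprincs
    fi
}
list_principals | filter_user_principals | while IFS= read -r p; do
    apply_to_principal "$p"
done
```

Run it once with the default dry run to review the generated commands, then with DRY_RUN=0 to apply them.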