How to expire passwords for Kerberos user accounts

Greg Hudson ghudson at mit.edu
Mon Mar 28 17:12:22 EDT 2016


On 03/28/2016 05:08 PM, Ramaiah, Vanna G. wrote:
> For existing accounts, I can run  "kadmin: modprinc -policy userpolicy oldprinc"
> Why do I have to run this command "kadmin: modprinc -expire "180 days" oldprinc", if the policy is already applied?

The KDC only pays attention to the pwexpire field on the principal
entries; it doesn't look at the policy.  The policy is applied by
kadmind (or kadmin.local) when passwords are changed, and sets the
pwexpire field on the principals.
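
What this means for existing accounts, as an added example that is not part of the original message: a shell function that reads `getprinc` output and lists principals that have a policy assigned but still show no password expiration on the principal entry itself. It assumes the field labels printed by MIT kadmin's `getprinc`; the realm, the principals other than `oldprinc`, and the sample records are constructed.

```shell
#!/bin/sh
# Added example: find principals whose policy is set but whose own
# "Password expiration date" is still [never]. Per the reply above, the KDC
# reads only the principal's field, so these accounts do not expire yet.
# Input on stdin: concatenated getprinc output, e.g. collected with
#   kadmin.local -q "getprinc <name>"   (one call per principal)

policy_without_pwexpire() {
    awk '
        function flush() {
            # Report only when a real policy is present and pwexpire is unset.
            if (princ != "" && policy != "" && policy != "[none]" && pwexp == "[never]")
                printf "%s\t%s\n", princ, policy
        }
        /^Principal: /                { flush(); princ = $2; pwexp = ""; policy = "" }
        /^Password expiration date: / { sub(/^Password expiration date: /, ""); pwexp = $0 }
        /^Policy: /                   { sub(/^Policy: /, ""); policy = $0 }
        END                           { flush() }
    '
}

# Constructed sample records, trimmed to the fields the check reads.
sample_getprinc_output() {
    cat <<'EOF'
Principal: oldprinc@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 04 09:15:02 EST 2016
Password expiration date: [never]
Policy: userpolicy
Principal: newprinc@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 28 17:30:41 EDT 2016
Password expiration date: Sat Sep 24 17:30:41 EDT 2016
Policy: userpolicy
Principal: svc@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Feb 02 11:00:00 EST 2016
Password expiration date: [never]
Policy: [none]
EOF
}

# Prints one line per affected principal: name, tab, policy.
sample_getprinc_output | policy_without_pwexpire
```

Principals it reports need either a password change through kadmind or an explicit password expiration set on the entry before the KDC will enforce anything.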

