How to expire passwords for Kerberos user accounts

Ramaiah, Vanna G. ramaiah at musc.edu
Mon Mar 28 17:17:18 EDT 2016


Got it. For the new users, do I have to run "kadmin: modprinc -expire "180 days" newprinc" or will the pwexpire field be set when the account is created?


-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu] 
Sent: Monday, March 28, 2016 5:12 PM
To: Ramaiah, Vanna G.; kerberos at mit.edu
Subject: Re: How to expire passwords for Kerberos user accounts



On 03/28/2016 05:08 PM, Ramaiah, Vanna G. wrote:
> For existing accounts, I can run "kadmin: modprinc -policy userpolicy oldprinc"
> Why do I have to run this command "kadmin: modprinc -expire "180 days" oldprinc", if the policy is already applied?

The KDC only pays attention to the pwexpire field on the principal entries; it doesn't look at the policy.  The policy is applied by kadmind (or kadmin.local) when passwords are changed, and sets the pwexpire field on the principals.
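
A way to verify the point made in the reply, added here as an example that is not part of the original thread: because the KDC consults only the per-principal pwexpire field, the script below parses `getprinc` output and lists principals that have a policy attached but still show `Password expiration date: [never]`. The realm, the sample records and the function names are constructed for illustration, and the parser assumes the usual `getprinc` field labels.

```shell
#!/bin/sh
# Added example (not from the thread): find principals with a policy attached
# whose pwexpire field is unset, so the KDC would never expire the password.

# Read concatenated `getprinc` output on stdin; print "principal<TAB>policy"
# for every entry that has a policy but "Password expiration date: [never]".
find_unexpiring() {
    awk '
        function emit() {
            if (princ != "" && policy != "" && policy != "[none]" && pwexp == "[never]")
                printf "%s\t%s\n", princ, policy
            princ = ""; policy = ""; pwexp = ""
        }
        /^Principal: /                { emit(); princ = $2 }
        /^Password expiration date: / { sub(/^Password expiration date: /, ""); pwexp = $0 }
        /^Policy: /                   { sub(/^Policy: /, ""); policy = $0 }
        END                           { emit() }
    '
}

# Constructed sample records (realm and dates are made up for the example).
sample_getprinc() {
cat <<'EOF'
Principal: oldprinc@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 28 17:00:00 EDT 2016
Password expiration date: [never]
Policy: userpolicy
Principal: newprinc@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 28 17:10:00 EDT 2016
Password expiration date: Sat Sep 24 17:10:00 EDT 2016
Policy: userpolicy
Principal: host/web.example.com@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [never]
Policy: [none]
EOF
}

# On a KDC host: audit_principals oldprinc newprinc ...
audit_principals() {
    for p in "$@"; do kadmin.local -q "getprinc $p"; done | find_unexpiring
}

sample_getprinc | find_unexpiring   # demo run on the constructed records
```
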




