How to expire passwords for Kerberos user accounts

[William Clark]

I believe there is an error in the commands you have given out.  If you use the -expire switch it sets an expiry date on the principal itself and not the principal PW.  I believe the switch you need is -pwexpire.  Correct me if I am wrong, but I tested with my KDC’s and confirmed.

William Clark

> 
> You need to make sure this policy object is associated with all existing and future user principals.  Example commands:
> 
>    kadmin: modprinc -policy userpolicy oldprinc
>    kadmin: addprinc -policy userpolicy newprinc
> 
> If you name a policy object "default", the kadmin addprinc command will use it by default, but applies to all principals (e.g. server principals), not just user principals.
> 
> 2. Set a password expiration time on existing principals.  For example:
> 
>    kadmin: modprinc -expire "180 days" oldprinc
> 
> Unfortunately, we do not have any batch modification facilities in kadmin, so it's up to you to script these commands to run over existing principals.  Some features which might help are:
> 
> * You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to create a ccache, and then use "kadmin -c /path/to/ccache" to avoid having to authenticate for each command. Alternatively, you can just use kadmin.local on the master KDC.
> 
> * In 1.14, you can specify a command on the kadmin or kadmin.local command line after the options, like:
> 
>    kadmin.local modprinc -expire "180 days" oldprinc
> 
> In prior releases, you must use the slightly more awkward:
> 
>    kadmin.local -q 'modprinc -expire "180 days" oldprinc'