How to expire passwords for Kerberos user accounts
Greg Hudson
ghudson at mit.edu
Tue Mar 29 15:20:24 EDT 2016

On 03/29/2016 03:10 PM, William Clark wrote:
> I believe there is an error in the commands you have given out. If you use the -expire switch it sets an expiry date on the principal itself and not the principal PW. I believe the switch you need is -pwexpire. Correct me if I am wrong, but I tested with my KDCs and confirmed.

Whoops, you're right; I was thinking -pwexpire, but typed -expire in the
mail buffer.

I should also mention that 'kadmin modprinc -pwexpire "180 days"' will
set a password expiration of 180 days from the current date, not from
the date of last password modification. Retroactively applying a
password expiration policy to the last password modification date is
possible in theory, but not simple.
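
An added example, not part of the original message or of MIT krb5: one way to derive a per-principal -pwexpire date from the "Last password change" field printed by kadmin getprinc, rather than from the current date. Assumptions: the getprinc field layout shown in the constructed sample, the KDC-local timestamp with its zone abbreviation dropped, the output date string being one your kadmin accepts, and a hypothetical grace_days parameter for passwords that are already older than the policy.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `kadmin getprinc` output (not from the thread).
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Mar 01 09:30:00 EST 2016
Password expiration date: [never]
"""

FIELD = re.compile(r"^(Principal|Last password change):[ \t]*(.+)$", re.M)
OUT_FMT = "%d %b %Y %H:%M:%S"  # assumed to be accepted by -pwexpire


def parse_getprinc(text):
    """Return (principal, last_change) where last_change may be None."""
    fields = dict(FIELD.findall(text))
    raw = fields.get("Last password change", "[never]").strip()
    if raw.startswith("["):  # "[never]": nothing to base a date on
        return fields["Principal"].strip(), None
    parts = raw.split()
    if len(parts) == 6:  # drop the zone abbreviation; strptime %Z is unreliable
        del parts[4]
    return (fields["Principal"].strip(),
            datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"))


def pwexpire_query(text, max_age_days, now, grace_days=14):
    """Build the kadmin query, or None if no password change is recorded."""
    principal, last_change = parse_getprinc(text)
    if last_change is None:
        return None
    expires = last_change + timedelta(days=max_age_days)
    # A date already in the past would expire the password immediately,
    # so give affected users grace_days from now (hypothetical choice).
    expires = max(expires, now + timedelta(days=grace_days))
    return 'modprinc -pwexpire "%s" %s' % (expires.strftime(OUT_FMT), principal)


if __name__ == "__main__":
    print(pwexpire_query(SAMPLE, 180, datetime.now()))
```

Review the generated queries before feeding them to kadmin, and check one principal with getprinc afterwards to confirm the date was parsed as intended.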