New issue and fix for kadmin(.local)

Will Fiveash William.Fiveash at
Thu Feb 11 18:16:10 EST 2010

On Thu, Feb 11, 2010 at 04:42:35PM -0500, Peter Shoults wrote:
> Hi,
> I have a customer who opened up an issue where they want to be able to
> set the policy options -minlife and -maxlife back to the default values
> of "0".  Currently, if you create and set either of these policy
> options, there is no way to set it back to zero.  The issue for the
> customer is they wanted to turn off (set back to default) one of these
> options and they could not without first having to modprinc all users
> who used the policy, then delpol the policy and then create it again
> without modifying the option in question and then modprinc all the users
> to use the new policy.
> I have come up with a fix, and would like to ask for your comments on
> this fix - specifically with regard to the value I am passing to the
> modpol command.  Here is the syntax I have coded up for this modpol command:
> modpol -minlife 0 1daypol
> I choose "0" as that is the default value for this option.  However, I
> realize that some folks may have an issue with passing "0", and would
> rather see something like
> modpol -minlife default 1daypol
> OR
> modpol -minlife none 1daypol

I like either 0 or "none" as args for either -minlife or -maxlife (maybe
"none" could be an alias for 0).

Will Fiveash
Sun Microsystems               Office x64079/512-401-1079
Austin, TX, 78727              (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website:

More information about the krbdev mailing list