Thank you. How to exclude service accounts from this password expiration? I 
guess, if I don't run the command "kadmin: modprinc -policy userpolicy 
oldprinc" for service accounts and create a policy with a name other than 
default, service accounts will remain untouched. Is that correct?


-----Original Message-----
From: Greg Hudson [mailto:ghud...@mit.edu] 
Sent: Monday, March 28, 2016 4:54 PM
To: Ramaiah, Vanna G.; kerberos@mit.edu
Subject: Re: How to expire passwords for Kerberos user accounts



On 03/28/2016 02:30 PM, Ramaiah, Vanna G. wrote:
> We have a state mandated rule that we have to expire the password of user 
> accounts every 180 days. Could you please let me know how to do that for all 
> current users and new users in Kerberos? Should I apply a policy using 
> -maxlife?

You likely want to do two things:

1. Modify an existing password policy object, or create a new one, with a 
maximum life of 180 days.  For example:

    kadmin: modpol -maxlife "180 days" userpolicy

or

    kadmin: addpol -maxlife "180 days" userpolicy

You need to make sure this policy object is associated with all existing and 
future user principals.  Example commands:

    kadmin: modprinc -policy userpolicy oldprinc
    kadmin: addprinc -policy userpolicy newprinc

If you name a policy object "default", the kadmin addprinc command will use it 
by default, but it applies to all principals (e.g. server principals), not just 
user principals.

2. Set a password expiration time on existing principals.  For example:

    kadmin: modprinc -pwexpire "180 days" oldprinc

Unfortunately, we do not have any batch modification facilities in kadmin, so 
it's up to you to script these commands to run over existing principals.  Some 
features which might help are:

* You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to create a 
ccache, and then use "kadmin -c /path/to/ccache" to avoid having to 
authenticate for each command.  Alternatively, you can just use kadmin.local on 
the master KDC.

* In 1.14, you can specify a command on the kadmin or kadmin.local command line 
after the options, like:

    kadmin.local modprinc -pwexpire "180 days" oldprinc

In prior releases, you must use the slightly more awkward:

    kadmin.local -q 'modprinc -pwexpire "180 days" oldprinc'
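Since kadmin has no batch facility, the loop has to be scripted. The script below is an added example, not code from either message or from MIT krb5: it takes the output of "kadmin.local listprincs" on stdin and emits the kadmin.local commands (1.14-style, command after the options) that attach the policy and set a password expiry on each user principal, skipping anything with an instance component (host/..., kadmin/admin, krbtgt/...), which is the usual shape of a service account. The policy name, the expiry string and the sample principal list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Plans, and optionally runs, the
# per-principal kadmin.local commands for a password-expiry rollout.
set -eu

POLICY="${POLICY:-userpolicy}"   # assumed policy name, as in the thread
EXPIRE="${EXPIRE:-180 days}"     # getdate string accepted by -pwexpire

# is_user_principal NAME -> returns 0 for a user principal, 1 otherwise.
# Heuristic: service and infrastructure principals carry an instance
# component ("host/kdc.example.com@REALM", "kadmin/admin@REALM",
# "krbtgt/REALM@REALM", "K/M@REALM"); plain user principals do not.
is_user_principal() {
    case "$1" in
        */*) return 1 ;;   # has an instance: treat as a service account
        *)   return 0 ;;
    esac
}

# plan_commands: reads one principal per line on stdin and writes, for
# each user principal, the two kadmin.local commands that would be run.
# Service principals are skipped, so they keep their current settings.
plan_commands() {
    while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        if is_user_principal "$princ"; then
            printf 'kadmin.local modprinc -policy %s %s\n' "$POLICY" "$princ"
            printf 'kadmin.local modprinc -pwexpire "%s" %s\n' "$EXPIRE" "$princ"
        fi
    done
}

# Constructed sample of what "kadmin.local listprincs" prints on stdout
# (the "Authenticating as principal ..." banner goes to stderr).
SAMPLE_PRINCS='alice@EXAMPLE.COM
bob@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
K/M@EXAMPLE.COM'

# Dry run: print the plan and review it before applying anything.
# To apply on the master KDC:  kadmin.local listprincs | plan_commands | sh
printf '%s\n' "$SAMPLE_PRINCS" | plan_commands
```

Review the dry-run output before piping it into sh; a principal that does not match the instance heuristic (a user named like "joe/admin") would be skipped and needs handling by hand.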



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
