On 03/28/2016 05:08 PM, Ramaiah, Vanna G. wrote:
> For existing accounts, I can run "kadmin: modprinc -policy userpolicy
> oldprinc"
> Why do I have to run this command "kadmin: modprinc -expire "180 days"
> oldprinc", if the policy is already applied?

The KDC only pays attention to the pwexpire field on the principal entries; it doesn't look at the policy. The policy is applied by kadmind (or kadmin.local) when passwords are changed, and sets the pwexpire field on the principals.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
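
An added example, not part of the original message or of MIT krb5: an audit sketch that reads saved kadmin `getprinc` output and lists principals that have a policy assigned but no password expiration set, which is the state the reply describes for accounts whose password has not changed since the policy was attached. The sample records are constructed, and the field labels and the `[never]`/`[none]` markers are assumed to match your kadmin version's output.

```python
import re

# Constructed sample: `getprinc` output for three principals, trimmed to the
# fields this check reads (labels assumed to follow MIT krb5 kadmin output).
SAMPLE = """\
Principal: oldprinc@EXAMPLE.COM
Last password change: Tue Jan 05 10:12:44 EST 2016
Password expiration date: [never]
Policy: userpolicy
Principal: newprinc@EXAMPLE.COM
Last password change: Mon Mar 28 17:30:02 EDT 2016
Password expiration date: Sat Sep 24 17:30:02 EDT 2016
Policy: userpolicy
Principal: svc/host.example.com@EXAMPLE.COM
Last password change: Fri Feb 12 09:00:00 EST 2016
Password expiration date: [never]
Policy: [none]
"""

FIELD = re.compile(r"^([^:]+):\s*(.*)$")   # split on the first colon only
UNSET = {"[never]", "[none]"}              # markers for "no value"


def parse_principals(text):
    """Split concatenated getprinc output into one dict per principal."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Principal":             # a new record starts here
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def policy_without_pwexpire(records):
    """Principals with a policy but no pwexpire for the KDC to enforce."""
    return [
        r["Principal"] for r in records
        if r.get("Policy", "[none]") not in UNSET
        and r.get("Password expiration date", "[never]") in UNSET
    ]


if __name__ == "__main__":
    for name in policy_without_pwexpire(parse_principals(SAMPLE)):
        print(f"{name}: policy set, pwexpire unset until next password change")
```
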