Got it. For the new users, do I have to run "kadmin: modprinc -expire "180 days" newprinc" or will the pwexpire field be set when the account is created?
-----Original Message-----
From: Greg Hudson [mailto:ghud...@mit.edu]
Sent: Monday, March 28, 2016 5:12 PM
To: Ramaiah, Vanna G.; kerberos@mit.edu
Subject: Re: How to expire passwords for Kerberos user accounts

On 03/28/2016 05:08 PM, Ramaiah, Vanna G. wrote:
> For existing accounts, I can run "kadmin: modprinc -policy userpolicy oldprinc"
> Why do I have to run this command "kadmin: modprinc -expire "180 days" oldprinc", if the policy is already applied?

The KDC only pays attention to the pwexpire field on the principal entries; it doesn't look at the policy. The policy is applied by kadmind (or kadmin.local) when passwords are changed, and sets the pwexpire field on the principals.
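
An audit check for the gap described in this thread, added here as an example and not part of the original messages: it reads concatenated `getprinc` output and lists principals that have a policy assigned but whose password expiration is still `[never]`, i.e. accounts the KDC will not expire until their next password change. The sample records, the realm `EXAMPLE.COM` and the function names are constructed for illustration; it assumes the policy in question has a non-zero maximum password life.

```shell
#!/bin/sh
# Added example: find principals with a policy but no pwexpire value.
# Input on stdin: one or more `getprinc` records from kadmin/kadmin.local.
# "Password expiration date" is the pwexpire field the KDC enforces;
# "Policy" only takes effect when kadmind processes a password change.

find_unexpiring() {
    awk '
        /^Principal: /                { name = $2; pw = ""; next }
        /^Password expiration date: / { pw = $4; next }
        /^Policy: / {
            # $2 is the policy name, or "[none]" when no policy is set
            if ($2 != "[none]" && pw == "[never]")
                print name " " $2
        }
    '
}

# Constructed sample records (trimmed to the relevant getprinc lines).
sample_getprinc() {
cat <<'EOF'
Principal: oldprinc@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Jan 05 09:30:00 EST 2016
Password expiration date: [never]
Policy: userpolicy
Principal: newprinc@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 28 17:20:00 EDT 2016
Password expiration date: Sat Sep 24 17:20:00 EDT 2016
Policy: userpolicy
Principal: svc/host.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Feb 12 11:00:00 EST 2016
Password expiration date: [never]
Policy: [none]
EOF
}

# Prints: oldprinc@EXAMPLE.COM userpolicy
sample_getprinc | find_unexpiring
```

Each principal it reports needs either a password change or an explicit password expiration set before the policy's lifetime has any effect at the KDC.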