On 03/29/2016 03:10 PM, William Clark wrote: > I believe there is an error in the commands you have given out. If you use > the -expire switch it sets an expiry date on the principal itself and not the > principal PW. I believe the switch you need is -pwexpire. Correct me if I > am wrong, but I tested with my KDC’s and confirmed.
Whoops, you're right; I was thinking -pwexpire, but typed -expire in the mail buffer. I should also mention that 'kadmin modprinc -pwexpire "180 days"' will set a password expiration of 180 days from the current date, not from the date of last password modification. Retroactively applying a password expiration policy to the last password modification date is possible in theory, but not simple. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos