Hello --

We are faced with the situation of now having to, for the first time, enforce password expiration (number of days the password is valid since the last password change - the "pwexpires" switch for kas) for some 12,000 AFS principals. We are presently using the Transarc kaserver (Kerberos4-based), with plans to move to Kerberos5 (Heimdal or MIT) around 2007.

When using kas to set password expiration, the maximum value of pwexpires is 254 (same for the OpenAFS kas). The password for most of the principals here was last changed more than 254 days ago (the cell has been in existence for about 12 years). This means that if password expiration were to be set now, without the users first resetting their passwords, most users would not be able to log in to their AFS account.

One way to deal with the situation would be to first have all the users change their passwords over a period of a few days, soon after which the password expiration would be enforced. However, we have little confidence that a significant percentage of the users would comply, so we'd like to avoid this procedure, if possible. We also want to avoid changing users' passwords and trying to (securely) inform them of their new password.

The question: Is there any way to manipulate the kaserver database, kaserver.DB0, so that the "last cpw:" value can be reset to an arbitrary timestamp for a principal?

I would be very surprised if there were a reliable way, and even more surprised if the resulting database was not in some way problematical, but, who knows, maybe someone's done this already, or anyway, tried.

Thanks for any help on this.

David Perel
University Computing Systems
New Jersey Institute of Technology
[EMAIL PROTECTED]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
