Here are our instructions for setting passwords to not expire. With obvious 
adjustments it should let you set any expiration.

To allow staff to set passwords that don't expire, in the GUI:

        • add permission Rutgers set expiration, write, type user, check "krbpasswordexpiration"
        • add privilege Rutgers set expiration and add permission Rutgers set expiration to it, and add role administrator to it
        • go to role Administrator and add group admins to it

The group “admins” contains admin, and in our case other users that we want to 
be basically “root.” If you’re a member of admins you can do almost everything. 
However you can’t set password expirations, which is the reason for setting up 
a new permission for that group. Once things are set up:

Here's an example of setting no expiration (actually a very long expiration):

        ipa user-mod clh --setattr=krbpasswordexpiration=20380101000000Z

You can actually set dates beyond 2038, but I'm not sure whether all the code 
understands it.

As you may know, the Kerberos dates run out of bits around 2038. A lot of the 
code now handles long dates, but I’m not sure that all of it does. At one time 
kadmin.local didn’t.

> On Jul 17, 2018, at 8:19 AM, Ryan Slominski via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hi Alexander and Robbie,
> 
> Thanks for the responses.  I'm not quite ready to start hacking IPA just yet 
> as I'm still trying to get it set up and running.  I'll try to re-create the 
> weirdness with password expiration not sticking with kadmin.local and I'll 
> post back if I'm able to reproduce that.  Sounds like the utilities should 
> generally be avoided though and the IPA command line interface should be used 
> instead.
> 
> Ryan
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LQWKTAIJFMN2C5ELJRVR5R5FFP3EXVKU/
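
An added example, not part of the original message or of FreeIPA: a pre-flight check for the krbpasswordexpiration value discussed above, which tests it against the signed 32-bit time limit (2038-01-19 03:14:07 UTC) before building the `ipa user-mod` command. The function names and the choice to refuse later dates unless explicitly allowed are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Last instant a signed 32-bit seconds-since-1970 counter can represent.
MAX_INT32_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=2**31 - 1)


def parse_generalized_time(value):
    """Parse the YYYYmmddHHMMSSZ form used in the message (UTC only)."""
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError(f"not in YYYYmmddHHMMSSZ form: {value!r}")
    # strptime also rejects impossible dates such as month 13.
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_expiration(value, now):
    """Classify a krbpasswordexpiration value before it is written."""
    when = parse_generalized_time(value)
    return {
        "expires": when,
        "already_expired": when <= now,
        "fits_int32": when <= MAX_INT32_TIME,
        "days_left": (when - now).days,
    }


def latest_int32_value():
    """Latest value that still fits a 32-bit timestamp, in LDAP form."""
    return MAX_INT32_TIME.strftime("%Y%m%d%H%M%SZ")


def user_mod_command(login, value, now, allow_post_2038=False):
    """Build the argv for `ipa user-mod`, refusing risky values by default."""
    report = check_expiration(value, now)
    if report["already_expired"]:
        raise ValueError(f"{value} is in the past; the password would be expired")
    if not report["fits_int32"] and not allow_post_2038:
        raise ValueError(f"{value} is past {latest_int32_value()}; older tools may mishandle it")
    return ["ipa", "user-mod", login, f"--setattr=krbpasswordexpiration={value}"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Values below: the one from the message, plus a constructed post-2038 value.
    for candidate in ("20380101000000Z", "20390101000000Z"):
        print(candidate, check_expiration(candidate, now))
```

The value used in the message, 20380101000000Z, falls just under the 32-bit limit, so it passes the check.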