hedrick--- via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Here are our instructions for setting passwords to not expire. With obvious > adjustments it should let you set any expiration > > To allow staff to set password that don't expire, in GUI > > • add permission Rutgers set expiration, write, type user, check > "krbpasswordexpiration" > • add privilege Rutgers set expiration and add permission Rutgers set > expiration to it, and add role administrator to it > • go to role Administrator and add group admins to it > > The group “admins” contains admin, and in our case other users that we > want to be basically “root.” If you’re a member of admins you can do > almost everything. However you can’t set password expirations, which > is the reason for setting up a new permission for that group. Once > things are set up: > > Here's an example of setting no expiration (actually a very long > expiration) ipa user-mod clh > --setattr=krbpasswordexpiration=20380101000000Z > > You can actually set dates beyond 2038, but I'm not sure whether all > the code understands it. > > As you may know, the kerberos dates run out of bits around 2038. A lot > of the code now handles long dates, but I’m not sure that all of it > does. At one time kadmin.local didn’t. We expect krb5-1.16 and onwards to be y2038-aware. (RHEL 7.5+ are also y2038-aware). It is not, however, expected to work for dates past about 2106. Thanks, --Robbie
signature.asc
Description: PGP signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RQYZB76IUI3JAHQJNQVCZEOZAL5CAYC2/
