On Thu, 18 Apr 2013, Tiago Elvas wrote:

> From: Tiago Elvas <tiagoel...@gmail.com>
> To: rohit sarewar <rohitsare...@gmail.com>
> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
> Date: Thu, 18 Apr 2013 10:00:02
> Subject: Re: Unable to change Kerberos Ticket Life and Renewal Life
>
> I honestly don't know how to update all the users at the same time inside
> kadmin. However....
>
> My guess would be to:
>
>    - Create a keytab with root/admin credentials (I would suggest you
>      create a principal named root_script/admin or something)
>    - List all the principals in a bash script
>    - Loop in the list and modify all the principals using the keytab
>      previously created to connect through kadmin using the command:
>       - kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
>       - <query> should be a command as if you were inside kadmin:
>         "modprinc...." to do whatever you want

That should work. An alternative is to write a perl program for this
kind of work. You'll need a couple of perl modules:

http://search.cpan.org/~jhorwitz/Krb5-1.9/Krb5.pm
http://search.cpan.org/~sjquinney/Authen-Krb5-Admin-0.17/Admin.pm

I've just removed a large number of obsolete principals from our MIT
kerberos database using such a perl program built against the above
perl modules. Worked a treat.

In a similar vein, we've recently introduced a simple default kerberos
policy to add password histories to our kerberos principals. I used a
perl program to retroactively apply this policy to all existing
principals.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk
Phone: +44 1225 386101

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
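
The keytab-and-loop procedure from the quoted message, written out as an added shell example that is not part of the original thread or either poster's code. The keytab path, the lifetimes, the skip list of built-in principals, the `DRY_RUN` switch and the function names are assumptions; only `root_script/admin` and the `kadmin -p ... -k -t ... -q ...` form come from the thread.

```sh
#!/bin/sh
# Added example: apply one ticket/renewal lifetime to every user principal.
# Assumed values (not from the thread): keytab path, lifetimes, skip list.
ADMIN_PRINC="root_script/admin"      # principal name suggested in the thread
KEYTAB="${KEYTAB:-/etc/krb5kdc/root_script.keytab}"  # hypothetical; keep 0600
MAXLIFE="${MAXLIFE:-1 day}"
MAXRENEW="${MAXRENEW:-7 days}"
DRY_RUN="${DRY_RUN:-1}"              # 1 = only print what would be run

# One non-interactive kadmin query, authenticated with the keytab.
run_kadmin() {
    kadmin -p "$ADMIN_PRINC" -k -t "$KEYTAB" -q "$1"
}

# Keep only bare name@REALM tokens from listprincs output. The strict
# character set drops status lines and any name containing quotes or spaces
# that could alter the query string; built-in principals are skipped too.
filter_principals() {
    grep -E '^[A-Za-z0-9._/-]+@[A-Za-z0-9.-]+$' |
        grep -Ev '^(K/M|krbtgt/|kadmin/|kiprop/)'
}

# The <query> from the thread, built for a single principal.
build_query() {
    printf 'modprinc -maxlife "%s" -maxrenewlife "%s" %s' \
        "$MAXLIFE" "$MAXRENEW" "$1"
}

# List, filter, then modify each principal; report failures and keep going.
apply_all() {
    rc=0
    # Unquoted expansion is safe: filtered names have no spaces or globs.
    for princ in $(run_kadmin "listprincs" | filter_principals); do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: $(build_query "$princ")"
        elif ! run_kadmin "$(build_query "$princ")"; then
            echo "FAILED: $princ" >&2
            rc=1
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then apply_all; fi
```

Run it with `--run` first to review the dry-run output, then again with `DRY_RUN=0` in the environment to apply the changes.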