I believe there is an error in the commands you have given out. If you use the -expire switch it sets an expiry date on the principal itself and not the principal PW. I believe the switch you need is -pwexpire. Correct me if I am wrong, but I tested with my KDCs and confirmed.
William Clark

> You need to make sure this policy object is associated with all existing and
> future user principals. Example commands:
>
>     kadmin: modprinc -policy userpolicy oldprinc
>     kadmin: addprinc -policy userpolicy newprinc
>
> If you name a policy object "default", the kadmin addprinc command will use
> it by default, but applies to all principals (e.g. server principals), not
> just user principals.
>
> 2. Set a password expiration time on existing principals. For example:
>
>     kadmin: modprinc -expire "180 days" oldprinc
>
> Unfortunately, we do not have any batch modification facilities in kadmin, so
> it's up to you to script these commands to run over existing principals.
> Some features which might help are:
>
> * You can run "kinit -S kadmin/admin -c /path/to/ccache user/admin" to create
>   a ccache, and then use "kadmin -c /path/to/ccache" to avoid having to
>   authenticate for each command. Alternatively, you can just use kadmin.local
>   on the master KDC.
>
> * In 1.14, you can specify a command on the kadmin or kadmin.local command
>   line after the options, like:
>
>     kadmin.local modprinc -expire "180 days" oldprinc
>
>   In prior releases, you must use the slightly more awkward:
>
>     kadmin.local -q 'modprinc -expire "180 days" oldprinc'

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
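
The scripting step mentioned in the quoted message, sketched as an added example that is not part of either poster's message: it turns a principal listing into one `modprinc` command per user principal, using `-pwexpire` (the kadmin option for password expiration) and the `userpolicy` / "180 days" values from the thread. Treating any name with a "/" instance as a non-user principal, and the sample realm and names, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build a kadmin batch that sets a
# password expiration and policy on user principals only.

POLICY="userpolicy"      # policy name used in the quoted commands
PW_LIFETIME="180 days"   # lifetime used in the quoted commands

# Read principal names on stdin (one per line, as "listprincs" prints them)
# and write one modprinc command per user principal to stdout.
gen_pwexpire_cmds() {
    while IFS= read -r princ; do
        case "$princ" in
            ''|*/*)
                # Blank line, or a name with an instance component
                # (host/..., krbtgt/..., kadmin/..., K/M): assumed non-user.
                continue ;;
            *[!A-Za-z0-9._@-]*)
                # Refuse names with characters that could alter the
                # generated command line; report them for manual review.
                echo "skipping unexpected name: $princ" >&2
                continue ;;
        esac
        printf 'modprinc -policy %s -pwexpire "%s" %s\n' \
            "$POLICY" "$PW_LIFETIME" "$princ"
    done
}

# Constructed sample listing (EXAMPLE.COM and all names are made up).
sample_princs() {
    cat <<'EOF'
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
host/www.example.com@EXAMPLE.COM
alice@EXAMPLE.COM
bob@EXAMPLE.COM
EOF
}

# Dry run: print the commands that would be issued for the sample listing.
sample_princs | gen_pwexpire_cmds
```

Each printed line can be passed to `kadmin.local -q '...'` as in the quoted message; review the output before running it against a live KDC database.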