In my experience with Kerberos, updating the policies will NOT directly affect the principals. First you have to change the policies and then reset passwords with "cpw".

Cheers
Giorgio

On Tue, Mar 20, 2012 at 08:39:29PM +0100, Petter Reinholdtsen wrote:
> I was able to sit down with Alf Tonny and look at this issue, and we
> believe we figured out the problem. The Kerberos passwords are set in
> policy to expire after two days (172800 seconds). To see if this is
> the case for your user(s), use this (replace ldapuser with one of your
> local users):
>
>   root@tjener:~# echo getprinc ldapuser |kadmin.local |grep -i passw
>   Authenticating as principal root/admin@INTERN with password.
>   Last password change: Tue Feb 21 19:05:00 CET 2012
>   Password expiration date: Thu Feb 23 19:05:00 CET 2012
>   Failed password attempts: 0
>   root@tjener:~#
>
> If I understand this correctly, one can fix it locally by running this
> as root on tjener:
>
>   echo modify_policy -maxlife never users | kadmin.local
>
> It should change the policy to never expire passwords. But I am
> unsure if this is really working, as the getprinc call then starts to
> claim the users' passwords will expire around 1970. And the user can
> not log in using the password, and setting a new password does not
> change the password expiration date. Setting it to '180days' instead
> of 'never' works, though.
>
> Anyone got any ideas how to properly fix this?
> --
> Happy hacking
> Petter Reinholdtsen

--
Sysadmin SPSE-Tenero
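Added example, not part of the original messages: a Python check that reads `getprinc` output like that quoted above and classifies the password-expiry state, including the 1970 date reported after `-maxlife never`, and flags principals whose password predates a policy change. The function names and the handling of bracketed placeholders such as `[never]` are assumptions, and the sample text is constructed from the output in the thread.

```python
from datetime import datetime

# Constructed sample, modelled on the getprinc output quoted in the thread.
SAMPLE = """\
Authenticating as principal root/admin@INTERN with password.
Last password change: Tue Feb 21 19:05:00 CET 2012
Password expiration date: Thu Feb 23 19:05:00 CET 2012
Failed password attempts: 0
"""
FIELDS = ("Last password change", "Password expiration date")

def parse_date(value):
    """Parse a kadmin date; bracketed placeholders (assumed, e.g. "[never]") give None."""
    if value.startswith("["):
        return None
    parts = value.split()
    if len(parts) == 6:   # drop the zone abbreviation (CET); strptime %Z is not portable
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_getprinc(text):
    """Return {field name: datetime or None} for the two password date fields."""
    found = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in FIELDS:
            found[name.strip()] = parse_date(value.strip())
    return found

def expiry_state(text, now):
    """Classify the principal's password expiry relative to `now` (naive local time)."""
    fields = parse_getprinc(text)
    if "Password expiration date" not in fields:
        return "unknown"
    expiry = fields["Password expiration date"]
    if expiry is None:
        return "no-expiry"
    if expiry.year <= 1970:      # the "around 1970" date reported after -maxlife never
        return "epoch-date"
    return "expired" if expiry <= now else "valid"

def needs_cpw(text, policy_changed_at):
    """True if the password predates a policy change, so (per the reply) a cpw is still due."""
    changed = parse_getprinc(text).get("Last password change")
    return changed is None or changed < policy_changed_at

if __name__ == "__main__":
    print(expiry_state(SAMPLE, datetime.now()))
```

Timezone abbreviations are dropped, so comparisons are only accurate when `now` is in the same local zone as the KDC output.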