Hi,
I honestly don't know how to update all the users at the same time inside
kadmin. However....
My guess would be to:
- Create a keytab with root/admin credentials (I would suggest you
create a principal named root_script/admin or something)
- List all the principals in a bash script
- Loop in the list and modify all the principals using the keytab
previously created to connect through kadmin using the command:
- kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
- <query> should be something a command as you were inside kadmin:
"modprinc...." to do whatever you want
Hope the info was helpful.
Best regards,
Tiago
On Thu, Apr 18, 2013 at 10:34 AM, rohit sarewar <rohitsare...@gmail.com>wrote:
> Hi Tiago
>
> As an Administrator , how can I renew all principals using a command.
> There are large number of principals in my case.
>
> Regards
> Rohit Sarewar
>
>
> On Thu, Apr 18, 2013 at 1:53 PM, Tiago Elvas <tiagoel...@gmail.com> wrote:
>
>> Hi Gaurav,
>>
>> I have received great help from this mailing list for the same issue.
>> I think you'll find useful information in this topic:
>>
>> http://serverfault.com/questions/132123/how-to-change-the-kerberos-default-ticket-lifetime
>>
>> Best regards,
>>
>> Tiago
>>
>>
>> On Thu, Apr 18, 2013 at 8:45 AM, Gaurav Dasgupta <gdsay...@gmail.com>
>> wrote:
>>
>> > Hi All,
>> >
>> > I have MIT Kerberos setup in a CentOS 6 cluster. Everything is working
>> fine
>> > except one thing. I want to change the default ticket life for all the
>> > principals and their renewal time also. For that I have first changed
>> the *
>> > /etc/krb5.conf* to change the value of *ticket_lifetime = 7d* and
>> > *renew_lifetime
>> > = 30d*.
>> >
>> > Then I restarted the *krb5kdc* and *kadmin* services. Then, from the *
>> > Kadmin.local* shell, I used the following commands:
>> >
>> > modprinc -maxrenewlife 7day krbtgt/MY_REALM
>> > modprinc -maxrenewlife 7day +allow_renewable gaurav
>> >
>> > *Note*: *krbtgt/MY_REALM* is the default service principal and *gaurav*
>> is
>> > a user principal.
>> >
>> > Now, when I am doing *kinit* for *gaurav*, and then *klist* to check the
>> > ticket details, I cannot see the new ticket_lifetime and renew_lifetime
>> > reflected. Its showing the old (default) values of 24h (ticket_lifetime)
>> > and 7d (renew_lifetime).
>> >
>> > I have also tried the command: *kinit -l 7d*. But this is also not
>> working.
>> >
>> > Can someone tell me that how else I can change the ticket_lifetime and
>> > renew_lifetime for all the principals?
>> >
>> > Thanks,
>> > Gaurav
>> > ________________________________________________
>> > Kerberos mailing list Kerberos@mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
