Administration

Manual Administration Using kadmin

If the user ignores the advance notice and the expiration date elapses, the user must change the password before they can obtain any more tickets from the security server.

As the expiration time is calculated from the time a new principal is added to the database, the password change load on the server is distributed over time. Therefore, you can select to require a password expiration in the default group principal template without concern for the administrative load, provided you add new principals over a period of time.

To modify the parameter type attr of the principal admin, to set the Password Expiration Attribute, you need to do the following:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {cpwexpnocpwexp}

Principal modified.

Principal Expiration Attribute

The Principal Expiration setting determines when a principal account will expire. This can be set to a definite time or never. An expired principal account is essentially locked; it can no longer be used to access the security network. However, it is not removed from the principal database, and the account can be re-enabled by resetting the expiration time.

Setting a principal expiration time may be useful for temporary employees. However, if you choose an expiration date for the default group principal, all principals added using that template setting will expire at the same time. You should consider the administrative requirements of expiring all principal accounts on the same day.

This attribute cannot be set with Command-Line-Administrator.

Maximum Ticket Lifetime Attribute

The Maximum Ticket Lifetime settings determine the maximum lifetime for an initial or service ticket that the principal requests. If this lifetime is set to a time longer than the lifetime assigned to the krbtgt/REALM@REALM principal, the settings on the krbtgt/ principal take precedence.

Chapter 6

187

Page 187
Image 187
HP UX Kerberos Data Security Software manual Principal Expiration Attribute, Maximum Ticket Lifetime Attribute