Administration

Manual Administration Using kadmin

If the user ignores the advance notice and the expiration date elapses, the user must change the password before they can obtain any more tickets from the security server.

Because the expiration time is calculated from the time a new principal is added to the database, the password change load on the server is distributed over time. Therefore, you can choose to require a password expiration in the default group principal template without concern for the administrative load, provided you add new principals over a period of time.

To set the Password Expiration Attribute on the principal admin, modify its attr parameter type with the mod command as follows:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno or quit): attr

Attribute (or quit): {cpwexp | nocpwexp}

Principal modified.

Principal Expiration Attribute

The Principal Expiration setting determines when a principal account will expire. This can be set to a definite time or never. An expired principal account is essentially locked; it can no longer be used to access the security network. However, it is not removed from the principal database, and the account can be re-enabled by resetting the expiration time.

Setting a principal expiration time may be useful for temporary employees. However, if you choose an expiration date for the default group principal, all principals added using that template setting will expire at the same time. You should consider the administrative requirements of expiring all principal accounts on the same day.

This attribute cannot be set with Command-Line-Administrator.

Maximum Ticket Lifetime Attribute

The Maximum Ticket Lifetime setting determines the maximum lifetime of an initial or service ticket that the principal may request. If this lifetime is set longer than the lifetime assigned to the krbtgt/REALM@REALM principal, the setting on the krbtgt/ principal takes precedence.
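The following Python model, added here as an illustration and not part of the manual or the kadmin tool, shows how the three attributes above interact when a principal requests a ticket: a password expiration counted from the add time (so expirations are staggered), an expired principal that is locked but not deleted, and a ticket lifetime capped by both the principal's attribute and the krbtgt/REALM@REALM principal. The principal names, dates and lifetimes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class Principal:
    name: str
    created: datetime               # when the principal was added to the database
    cpwexp: bool                    # Password Expiration Attribute: cpwexp / nocpwexp
    pw_lifetime: timedelta          # password lifetime, counted from creation or last change
    pw_changed: Optional[datetime]  # last password change; None if never changed
    expires: Optional[datetime]     # Principal Expiration Attribute; None means never
    max_ticket_life: timedelta      # Maximum Ticket Lifetime Attribute

def password_expires_at(p: Principal) -> Optional[datetime]:
    """Expiry counts from the add time (or last change), so staggered adds expire staggered."""
    if not p.cpwexp:
        return None
    return (p.pw_changed or p.created) + p.pw_lifetime

def evaluate_ticket_request(p: Principal, krbtgt_max_life: timedelta,
                            requested: timedelta, now: datetime) -> Tuple[Optional[timedelta], str]:
    """Decide a ticket request; the granted lifetime is None when the request is refused."""
    if p.expires is not None and now >= p.expires:
        return None, "principal expired: locked until the expiration time is reset"
    pw_exp = password_expires_at(p)
    if pw_exp is not None and now >= pw_exp:
        return None, "password expired: change it before requesting more tickets"
    # The krbtgt/REALM@REALM lifetime caps whatever the principal attribute allows.
    return min(requested, p.max_ticket_life, krbtgt_max_life), "granted"

# Constructed sample data (not from the manual): a realm with a 10-hour krbtgt lifetime.
NOW = datetime(2024, 6, 1, 9, 0)
KRBTGT_MAX_LIFE = timedelta(hours=10)
SAMPLE_PRINCIPALS = [
    # added 100 days ago from a template with a 90-day password lifetime: password expired
    Principal("alice", NOW - timedelta(days=100), True, timedelta(days=90), None, None, timedelta(hours=8)),
    # same template, added 30 days ago: not yet due, so the change load is spread out
    Principal("bob", NOW - timedelta(days=30), True, timedelta(days=90), None, None, timedelta(hours=8)),
    # temporary employee whose principal expiration has passed: account is locked
    Principal("temp", NOW - timedelta(days=60), False, timedelta(days=90), None, NOW - timedelta(days=1), timedelta(hours=8)),
    # asks for 24 hours, but its own attribute (12h) and the krbtgt principal (10h) cap it
    Principal("admin", NOW - timedelta(days=10), True, timedelta(days=90), None, None, timedelta(hours=12)),
]

def demo():
    """Evaluate a 24-hour ticket request for each sample principal."""
    return {p.name: evaluate_ticket_request(p, KRBTGT_MAX_LIFE, timedelta(hours=24), NOW)
            for p in SAMPLE_PRINCIPALS}
```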

Chapter 6

187