HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Manual Administration Using kadmin
Chapter 8
Because the expiration time is calculated from the time you add a new
principal to the database, the password change load on the server is
distributed over time. Therefore, you can select a password expiration in
the default group principal template without affecting the
administrative load, provided you add new principals over a period of
time.
To set the Password Expiration attribute of the principal admin, modify
its attr parameter type as follows:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): {cpwexp|nocpwexp}
Principal modified.
Principal Expiration Attribute
The Principal Expiration attribute determines the expiration time of
a principal account. You can set the expiration time to a definite time or
to never. An expired principal account is essentially locked; it can no
longer be used to access the security network. However, this account can
be re-enabled by resetting the expiration time, because the principal still
exists in the principal database.
Setting a principal expiration time may be useful for granting access to
temporary employees. However, if you specify an expiration date for the
default group principal, all principals added using that template setting
will expire at the same time. You must consider the administrative
requirements of expiring all principal accounts on the same day.
You cannot set this attribute using the command-line administrator.
Maximum Ticket Lifetime Attribute
The Maximum Ticket Lifetime attribute determines the maximum
lifetime for an initial or service ticket that the principal requests. If you
set the lifetime to a time longer than the lifetime assigned to the
krbtgt/REALM@REALM principal, the settings in the krbtgt/ principal
take precedence.
You may choose to set a maximum ticket lifetime for the default group
template that is different from the krbtgt/ principal if you plan to
enter a block of users that have restricted ticket lifetimes. After adding
the block of user principals, you can alter the default group setting again.
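
The three attribute behaviours described above (password expiration counted from the date a principal is added, a shared principal expiration date inherited from the default group template, and the krbtgt/ cap on ticket lifetime) can be checked over an inventory of principals. The following Python is an added example, not part of the HP manual or the Kerberos server; the record layout, the sample principals, the EXAMPLE.COM realm and the 10-hour krbtgt lifetime are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed inventory (not an export format of the Kerberos server):
# (principal, date added, password lifetime in days,
#  principal expiration date or None for "never", max ticket lifetime in hours)
PRINCIPALS = [
    ("alice@EXAMPLE.COM", date(2024, 1, 8), 90, None, 10),
    ("bob@EXAMPLE.COM", date(2024, 1, 22), 90, None, 24),
    ("temp1@EXAMPLE.COM", date(2024, 2, 5), 90, date(2024, 6, 30), 4),
    ("temp2@EXAMPLE.COM", date(2024, 2, 19), 90, date(2024, 6, 30), 4),
    ("temp3@EXAMPLE.COM", date(2024, 3, 4), 90, date(2024, 6, 30), 4),
]
KRBTGT_MAX_HOURS = 10  # assumed lifetime on krbtgt/EXAMPLE.COM@EXAMPLE.COM


def effective_ticket_hours(requested, krbtgt_max=KRBTGT_MAX_HOURS):
    """The krbtgt/ principal's setting wins when the principal's is longer."""
    return min(requested, krbtgt_max)


def overridden_lifetimes(principals, krbtgt_max=KRBTGT_MAX_HOURS):
    """Principals whose configured lifetime is longer than krbtgt allows."""
    return [name for name, _, _, _, hours in principals if hours > krbtgt_max]


def password_expiry_load(principals):
    """Password changes due per day: expiry counts from the date added."""
    return Counter(added + timedelta(days=life) for _, added, life, _, _ in principals)


def expiration_clusters(principals, threshold=2):
    """Days on which at least `threshold` principal accounts expire together."""
    per_day = Counter(exp for _, _, _, exp, _ in principals if exp is not None)
    return {day: n for day, n in per_day.items() if n >= threshold}


if __name__ == "__main__":
    print("lifetime capped by krbtgt:", overridden_lifetimes(PRINCIPALS))
    for day, n in sorted(password_expiry_load(PRINCIPALS).items()):
        print("password changes due", day, n)
    for day, n in sorted(expiration_clusters(PRINCIPALS).items()):
        print("accounts expiring together", day, n)
```

With this sample data the password changes fall on five different days, while the three temporary accounts that share one expiration date all lock on the same day.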