我在 Debian 10 上运行 MIT Kerberos 1.17-3 以获得新的身份验证系统来替换我们旧的 Kerberos 设置,并注意到一个奇怪的问题。使用 kadmin 创建用户主体时,它不会设置密码到期日期,但如果我随后更改密码,则会设置到期日期。我可以添加-pwexpire
标志并让它在创建期间设置过期,但我希望这不是必需的,以防我自己或同事在创建新用户时忘记设置该标志。
有没有办法强制 Kerberos 在用户创建期间设置密码过期日期而无需指定-pwexpire
?提前致谢!
kadmin.local: getpol default
Policy: default
Maximum password life: 90 days 00:00:00 #<---- Max password life set correctly in policy
<snip>
kadmin.local: addprinc test123
NOTICE: no policy specified for test123@example.COM; assigning "default" #<---- default policy being applied during creation
Enter password for principal "test123@example.COM":
Re-enter password for principal "test123@example.COM":
Principal "test123@example.COM" created.
kadmin.local: getprinc test123
Principal: test123@example.COM
Expiration date: [never]
Last password change: Mon Jun 29 11:57:49 MDT 2020
Password expiration date: [never] #<-------------- Password expiration set to "never" after creation
<snip>
Policy: default
kadmin.local: cpw test123
Enter password for principal "test123@example.COM":
Re-enter password for principal "test123@example.COM":
Password for "test123@example.COM" changed.
kadmin.local: getprinc test123
Principal: test123@example.COM
Expiration date: [never]
Last password change: Mon Jun 29 11:58:16 MDT 2020
Password expiration date: Sun Sep 27 11:58:16 MDT 2020 #<--- Expiration updated to policy setting after changing password
<snip>
Policy: default