hedrick--- via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Here are our instructions for setting passwords to not expire. With
obvious adjustments it should let you set any expiration.

To allow staff to set passwords that don't expire, in the GUI:
• add permission Rutgers set expiration, write, type user, check
"krbpasswordexpiration"
• add privilege Rutgers set expiration and add permission Rutgers set expiration to it,
and add role administrator to it
• go to role Administrator and add group admins to it
The group “admins” contains admin, and in our case other users that we
want to be basically “root.” If you’re a member of admins you can do
almost everything. However you can’t set password expirations, which
is the reason for setting up a new permission for that group. Once
things are set up:
Here's an example of setting no expiration (actually a very long
expiration):

    ipa user-mod clh --setattr=krbpasswordexpiration=20380101000000Z

You can actually set dates beyond 2038, but I'm not sure whether all
the code understands it.
As you may know, the Kerberos dates run out of bits around 2038. A lot
of the code now handles long dates, but I’m not sure that all of it
does. At one time kadmin.local didn’t.
We expect krb5-1.16 and onwards to be y2038-aware. (RHEL 7.5+ are also
y2038-aware).
It is not, however, expected to work for dates past about 2106.
Thanks,
--Robbie
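
An added example, not part of the original messages: a pre-flight check for a krbpasswordexpiration value before it is passed to ipa user-mod. It classifies the date against the signed and unsigned 32-bit Unix time limits, which is how the "around 2038" and "about 2106" figures in the thread are read here. The function names and verdict strings are made up for this illustration.

```python
from datetime import datetime, timezone

# Last seconds representable as signed / unsigned 32-bit Unix time.
INT32_MAX = 2**31 - 1   # 2038-01-19 03:14:07 UTC
UINT32_MAX = 2**32 - 1  # 2106-02-07 06:28:15 UTC


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form used in the thread into a UTC datetime."""
    if len(value) != 15 or not value[:14].isdigit() or value[14] != "Z":
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % value)
    # strptime rejects impossible dates such as month 13 or Feb 30.
    parsed = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def classify_expiration(value):
    """Say which 32-bit range a krbpasswordexpiration value falls in."""
    ts = int(parse_generalized_time(value).timestamp())
    if ts < 0:
        return "before-epoch"
    if ts <= INT32_MAX:
        return "fits-signed-32bit"       # fine even for code that is not y2038-aware
    if ts <= UINT32_MAX:
        return "needs-y2038-aware-krb5"  # thread: krb5-1.16 onwards, RHEL 7.5+
    return "beyond-2106"                 # thread: not expected to work


def user_mod_argv(user, value):
    """Build the ipa user-mod call from the thread, refusing unusable dates."""
    verdict = classify_expiration(value)
    if verdict in ("before-epoch", "beyond-2106"):
        raise ValueError("%s is %s" % (value, verdict))
    return ["ipa", "user-mod", user, "--setattr=krbpasswordexpiration=" + value]


if __name__ == "__main__":
    # Constructed sample values; the first is the one used in the thread.
    for v in ("20380101000000Z", "20380119031408Z", "21060207062816Z"):
        print(v, classify_expiration(v))
```

The value used in the thread, 20380101000000Z, is still inside the signed 32-bit range, so it does not depend on y2038-aware code.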