[OpenAFS] Reset a principal's last cpw timestamp w/o resetting the password?

David Perel davidp@oak.njit.edu
Thu, 15 Dec 2005 22:25:04 -0500 (EST)


Hello --

We are faced with the situation of now having to, for the first time,
enforce password expiration (number of days the password is valid since
the last password change - the "pwexpires" switch for kas) for some
12,000 AFS principals. We are presently using the Transarc kaserver
(Kerberos4-based), with plans to move to Kerberos5 (Heimdal or MIT)
around 2007.

When using kas to set password expiration, the maximum value of pwexpires
is 254 (same for the OpenAFS kas). The password for most of the principals
here was last changed more than 254 days ago (the cell has been in existence
for about 12 years). This means that if password expiration were to be
set now, without the users first resetting their passwords, most users
would not be able to log in to their AFS account.

One way to deal with the situation would be to first have all the users
change their passwords over a period of a few days, soon after which the
password expiration would be enforced. However, we have little confidence
that a significant percentage of the users would comply, so we'd like
to avoid this procedure, if possible. We also want to avoid changing
users' passwords and trying to (securely) inform them of their
new password.

The question: Is there any way to manipulate the kaserver database,
kaserver.DB0, so that the "last cpw:" value can be reset to an arbitrary
timestamp for a principal? I would be very surprised if there were a
reliable way, and even more surprised if the resulting database was not in
some way problematical, but, who knows, maybe someone's done this already,
or anyway, tried.


Thanks for any help on this.

David Perel
University Computing Systems
New Jersey Institute of Technology
davidp@oak.njit.edu
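Before enabling pwexpires on a cell like the one described above, an administrator would want to know exactly how many principals would be locked out at a given setting. The script below is an added example, not code from the original post or from OpenAFS: it parses the "last cpw:" line of `kas examine` output for each principal, computes the password age against a reference date, and reports which principals would already be expired for a chosen pwexpires value (bounded by the 254-day maximum the post mentions). The sample `kas examine` text is constructed and its layout is approximated from memory; the reference date, the principal names, and the assumption that a password is valid for exactly pwexpires days (expired once its age exceeds that) are all assumptions of the example.

```python
"""Impact check for kas -pwexpires: which principals would be locked out?

Added example (not from the original post or OpenAFS).  Assumes the
"last cpw:" line of ``kas examine`` output looks like
``last cpw: Wed Nov  9 10:21:44 2005``; adjust the regex/format if your
kas prints it differently.
"""
import re
from datetime import datetime

KAS_PWEXPIRES_MAX = 254          # largest value kas accepts for -pwexpires
AS_OF = datetime(2005, 12, 15)   # assumed reference date for the report

# Constructed sample resembling the output of ``kas examine`` for four
# principals (only "User data for" and "last cpw:" lines are parsed).
SAMPLE_KAS_OUTPUT = """\
User data for alice
  key (3) cksum is 2378934545, last cpw: Wed Nov  9 10:21:44 2005
  password will never expire.
  entry never expires.  Max ticket lifetime 25.00 hours.
User data for bob
  key (1) cksum is 1029384756, last cpw: Fri Mar 14 08:00:12 1997
  password will never expire.
  entry never expires.  Max ticket lifetime 25.00 hours.
User data for carol
  key (0) cksum is 3344556677, last cpw: Sun Apr  3 09:00:00 2005
  password will never expire.
  entry never expires.  Max ticket lifetime 25.00 hours.
User data for dave
  key (2) cksum is 9988776655, last cpw: Tue Jun 14 12:00:00 2005
  password will never expire.
  entry never expires.  Max ticket lifetime 25.00 hours.
"""

_USER_RE = re.compile(r"^User data for (\S+)")
_CPW_RE = re.compile(r"last cpw: (.+?)\s*$")
_CPW_FORMAT = "%a %b %d %H:%M:%S %Y"   # ctime-style stamp; strptime tolerates the double space


def parse_last_cpw(kas_output):
    """Map principal -> last-cpw datetime (None if the stamp is unparseable)."""
    result = {}
    current = None
    for line in kas_output.splitlines():
        m = _USER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _CPW_RE.search(line)
        if m and current is not None:
            try:
                result[current] = datetime.strptime(m.group(1), _CPW_FORMAT)
            except ValueError:
                result[current] = None   # e.g. a stamp in an unexpected format
    return result


def lockout_report(last_cpw, pwexpires_days, as_of=AS_OF):
    """Split principals into expired / ok / unknown for a candidate pwexpires.

    Assumption: a password is valid for exactly ``pwexpires_days`` days after
    its last change, so it is expired once its age in days exceeds that.
    """
    if not 1 <= pwexpires_days <= KAS_PWEXPIRES_MAX:
        raise ValueError("pwexpires must be between 1 and %d" % KAS_PWEXPIRES_MAX)
    report = {"expired": [], "ok": [], "unknown": []}
    for principal, cpw in sorted(last_cpw.items()):
        if cpw is None:
            report["unknown"].append(principal)
            continue
        age_days = (as_of - cpw).days
        bucket = "expired" if age_days > pwexpires_days else "ok"
        report[bucket].append((principal, age_days))
    return report


def principals(report, bucket):
    """Convenience: just the principal names in one bucket of a report."""
    return [entry[0] if isinstance(entry, tuple) else entry for entry in report[bucket]]


if __name__ == "__main__":
    ages = parse_last_cpw(SAMPLE_KAS_OUTPUT)
    for days in (KAS_PWEXPIRES_MAX, 180):
        rep = lockout_report(ages, days)
        print("pwexpires=%d: %d expired, %d ok, %d unknown"
              % (days, len(rep["expired"]), len(rep["ok"]), len(rep["unknown"])))
        for principal, age in rep["expired"]:
            print("  would be locked out: %s (last cpw %d days ago)" % (principal, age))
```

Feed it the concatenated `kas examine` output for every principal (for example, from a loop over `kas listusers`) and it tells you, for each candidate pwexpires value, exactly which accounts would be unable to log in the moment expiration is enforced; that list is what a user-notification campaign or a phased rollout should be planned around.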