Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Administration
Manual Administration Using kadmin
Chapter 6 187
If the user ignores the advance notice and the expiration date
elapses, the user must change the password before they can obtain
any more tickets from the security server.
As the expiration time is calculated from the time a new principal is
added to the database, the password change load on the server is
distributed over time. Therefore, you can select to require a password
expiration in the default group principal template without concern for
the administrative load, provided you add new principals over a period of
time.
To modify the parameter type attr of the principal admin, to set the
Password Expiration Attribute, you need to do the following:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {cpwexp|nocpwexp}
Principal modified.
Principal Expiration Attribute
The Principal Expiration setting determines when a principal
account will expire. This can be set to a definite time or never. An expired
principal account is essentially locked; it can no longer be used to access
the security network. However, it is not removed from the principal
database, and the account can be re-enabled by resetting the expiration
time.
Setting a principal expiration time may be useful for temporary
employees. However, if you choose an expiration date for the default
group principal, all principals added using that template setting will
expire at the same time. You should consider the administrative
requirements of expiring all principal accounts on the same day.
This attribute cannot be set with Command-Line-Administrator.
Maximum Ticket Lifetime Attribute
The Maximum Ticket Lifetime settings determine the maximum lifetime
for an initial or service ticket that the principal requests. If this lifetime
is set to a time longer than the lifetime assigned to the
krbtgt/REALM@REALM principal, the settings on the krbtgt/ principal
take precedence.