I'm running MIT Kerberos 1.17-3 on Debian 10 for a new auth system to replace our old Kerberos setup and noticed an odd issue. When creating user principals with kadmin it is not setting a password expiration date, but if I then change the password the expiration date is set. I can add the -pwexpire flag and get it to set the expiration during creation, but I would prefer that not be necessary in case either myself or a coworker forgets to set that flag when creating new users.
Is there a way to force Kerberos to set a password expiration date during the user creation without having to specify -pwexpire? Thanks in advance!
kadmin.local: getpol default
Policy: default
Maximum password life: 90 days 00:00:00 #<---- Max password life set correctly in policy
<snip>
kadmin.local: addprinc test123
NOTICE: no policy specified for test123@example.COM; assigning "default" #<---- default policy being applied during creation
Enter password for principal "test123@example.COM":
Re-enter password for principal "test123@example.COM":
Principal "test123@example.COM" created.
kadmin.local: getprinc test123
Principal: test123@example.COM
Expiration date: [never]
Last password change: Mon Jun 29 11:57:49 MDT 2020
Password expiration date: [never] #<-------------- Password expiration set to "never" after creation
<snip>
Policy: default
kadmin.local: cpw test123
Enter password for principal "test123@example.COM":
Re-enter password for principal "test123@example.COM":
Password for "test123@example.COM" changed.
kadmin.local: getprinc test123
Principal: test123@example.COM
Expiration date: [never]
Last password change: Mon Jun 29 11:58:16 MDT 2020
Password expiration date: Sun Sep 27 11:58:16 MDT 2020 #<--- Expiration updated to policy setting after changing password
<snip>
Policy: default
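
An added audit example, not part of the original post: it parses saved getpol/getprinc output and reports principals that carry a policy with a maximum password life but still show a password expiration of [never], together with the expiry the policy would imply (last password change plus maximum life, as in the session above). The function names and the second principal test456 are assumptions made for illustration, and timestamps are treated as wall-clock time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the getpol/getprinc output in the post.
# test456 is a made-up second principal standing in for the post-cpw state.
POLICY_OUTPUT = """\
Policy: default
Maximum password life: 90 days 00:00:00
"""
PRINC_OUTPUT = """\
Principal: test123@example.COM
Last password change: Mon Jun 29 11:57:49 MDT 2020
Password expiration date: [never]
Policy: default

Principal: test456@example.COM
Last password change: Mon Jun 29 11:58:16 MDT 2020
Password expiration date: Sun Sep 27 11:58:16 MDT 2020
Policy: default
"""

def fields(block):
    """Turn 'Key: value' lines into a dict, dropping inline '#<--' notes."""
    out = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.split("#")[0].strip()
    return out

def max_life(text):
    """Parse 'N days HH:MM:SS' (as printed by getpol) into a timedelta."""
    d, h, m, s = map(int, re.fullmatch(r"(\d+) days? (\d+):(\d+):(\d+)", text).groups())
    return timedelta(days=d, hours=h, minutes=m, seconds=s)

def parse_time(text):
    """Parse a kadmin timestamp as wall-clock time, ignoring the zone token."""
    tok = text.split()
    return datetime.strptime(" ".join(tok[:4] + tok[5:]), "%a %b %d %H:%M:%S %Y")

def audit(princ_text, policy_text):
    """List (principal, expiry the policy implies) where expiry is [never]."""
    pol, findings = fields(policy_text), []
    life = max_life(pol["Maximum password life"])
    for block in princ_text.strip().split("\n\n"):
        p = fields(block)
        if (p.get("Policy") == pol["Policy"] and life > timedelta(0)
                and p["Password expiration date"] == "[never]"):
            findings.append((p["Principal"], parse_time(p["Last password change"]) + life))
    return findings
```

Calling audit(PRINC_OUTPUT, POLICY_OUTPUT) on the sample reports only test123, the principal that has not yet had its password changed.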