How to apply password policy on computer accounts of Red Hat Enterprise Linux system joined to the Active Directory Server?

Solution In Progress - Updated -


  • Often with Active Directory a Kerberos host keytab is needed to bind with SASL/GSSAPI for LDAP operations. On many sites security policies do not allow never-expiring passwords so the keytab needs to renewed eventually, currently requiring manual steps to obtain a new keytab. SSSD should support automated renewal of Kerberos host keytabs as Samba/Winbind does.
  • Is it possible to set password expiry policy to the Red Hat Enterprise Linux system computer accounts created in the Active Directory Server?
  • When computer accounts are created using realm (or adcli on RHEL 6), their passwords are set to never expire. RHEL systems should have passwords recycled just like any other Windows client.


  • Red Hat Enterprise Linux 7.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In