Password expiration

["Henry B. Hotz" <hotz@jpl.nasa.gov>]

Somewhere around October of last year I did some checking and I 
thought I'd figured out how password expiration worked.  What I'm 
seeing now seems different, and less functional:

I can set an expiration date, but when I change a password the 
expiration gets set to 'never'.

1) Is that what I should expect?  Or is there a way to change that 
behavior so it will be set to some interval from 'now'?  (Maybe an 
attribute I set?  How many of those attributes are actually 
implemented anyway?)

2) Presuming there's nothing better, how many places would need 
changing to copy the expiration date from the default principal 
whenever the password got changed?  From the outside that would be 
kadmin/add kadmin/cpw kadmin/modify, and kpasswdd (miss any?).  Maybe 
fewer places on the inside.  (Then I'd run a cron job to keep the 
default expiration date correct.)

I should say as background that I'm not working with a database that 
was ever initialized with kadmin.  Rather I imported it from a 
kaserver and then manually added the principals (like default) that 
were supposed to be there.  If that's a stupid thing to do then let 
me know.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu