How to set correctly a password aging using krb5?

I have a Solaris server, it use ldap for user authentication and kerberos for password. The user can change his password, I have only problem with password aging for example: passwd -r ldap -n 12 giovanni Enter giovanni's password: Permission denied This is the pam.conf for passwd passwd auth sufficient pam_passwd_auth.so.1 passwd auth required pam_dhkeys.so.1 passwd auth sufficient pam_krb5.so.1 passwd auth required pam_unix_cred.so.1 passwd auth required pam_unix_auth.so.1 I know on kerberos is possible to use policies, but if I want to set password aging for user? I had to set a policy only for this user? No way to use passwd command?