[Samba] Samba4 pwdLastSet Attribute

Thomas Simmons twsnnva at gmail.com
Wed Jan 30 07:00:11 MST 2013


I am in the process of updating a bunch of scripts and tools that I had
created for use with our Samba 3 domain. I am currently working on a script
that emails a password expiration warning. I have the script setup to query
the pwdLastSet attribute for each user. It then performs some simple math
to figure out when the password will expire and when the notification
emails should start. Everything is working for the most part, however I
found that if the "User must change password at next logon" box is checked
when an Admin resets a password, pwdLastSet gets set to -1. If I then go
into the account properties AFTER the reset, and uncheck this option under
the account tab, pwdLastSet gets changed from -1 to 0. Both of these screw
up my calculations. Is this normal Active Directory behavior? I can alter
the script to specifically look for those values and take some action if
this is normal behavior - I simply want to make sure. Are there any other
cases where pwdLastSet would not be a "proper" AD timestamp?


More information about the samba mailing list