[Samba] [MASSMAIL]Re: About password expiry

Amaury Viera Hernández avhernandez at uci.cu
Thu Nov 26 15:55:11 UTC 2015


On 26/11/15 03:21, mathias dufresne wrote:
> Hi,
>
> Use pwdLastSet + your AD password policy to know when password will expire.
>
> Expiration will happen at pwdLastSet + how long this password is valid.
>
> Cheers,
>
> mathias

Thanks. It was very useful for me. This is the first version of the script.

Regards, Amaury.

#!/bin/bash

#=============== Parameters that can be modified ==================================================

# Days until the password expires in the AD, default: 90 days.
RESTRICCION_EXPIRACION=90

# Days before expiry to send the mail, default: 7 days
DIAS_PARA_NOTIFICAR=7

# Active Directory server
H="192.168.56.10"

# Active Directory port
P="389"

# Active Directory user
DN="cn=mailadmin,ou=services,dc=diveppr,dc=co,dc=cu"

# Active Directory password
PW="p@ssw0rd"

# Active Directory search base
B="ou=services,dc=diveppr,dc=co,dc=cu"

# Time to wait per user query (seconds)
TIEMPO_POR_USUARIOS=0

# Site where users change their password
SITIO="https://cambiarcontrasena.diveppr.co.cu"

# Log file for the daily report
FILE_LOGS="/var/log/reporte-comprobacion-expiracion-de-cuentas.log"

# Date for the report
TIME="$(date '+%Y-%m-%d %H:%M')"

# Sender address
FROM="root"

# Destination address
TO="root"

# Subject of the report
ASUNTO="Reporte de expiración de contraseña de los usuarios"


#======================================== Script execution ============================================

# Keep the log private to its owner: it lists every account and its expiry date.
echo > "$FILE_LOGS"
chmod 600 "$FILE_LOGS"

# Send the expiry notice to one user.
# Arguments: days left, user (userPrincipalName, used as the mail address), expiry date, sender
enviarCorreo(){
  DIAS_QUE_FALTAN=$1
  USUARIO=$2
  FECHA_EXPIRACION=$3
  from="$4"
  to=$2
  subject="Su cuenta espira en $1 días"
  body=" Su cuenta espira en $1 días o sea el $3 usted puede cambiar la contraseña en la siguiente dirección:

        $SITIO

  Administrador de servicios telemáticos.
  "
  mail -s "$subject" -r "$from"  "$to" <<< "$body"
}

# Base command, kept as an array so that every argument stays a single word.
# Note: -w puts the bind password on the command line; ldapsearch -y <file> reads it from a file instead.
CMD=(ldapsearch -D "$DN" -w "$PW" -p "$P" -h "$H" -b "$B")

# Base filter
FP="(objectclass=person)"

USERS=$("${CMD[@]}" -s sub "$FP" userPrincipalName | grep userPrincipalName | cut -d ' ' -f2)
ACTUALUNIX=$(date "+%s")

echo "Comprobación de expiración de las cuentas" >> "$FILE_LOGS"
echo "" >> "$FILE_LOGS"
echo "Inicio de la comprobación: $TIME" >> "$FILE_LOGS"
echo "" >> "$FILE_LOGS"

for USER in $USERS ; do
   # grep also matches the "# requesting: userPrincipalName" comment line of ldapsearch; skip it
   if [ "$USER" != "requesting:" ]  ; then
    PWDLASTSET=$("${CMD[@]}" -s sub "(&$FP(userPrincipalName=$USER))" pwdLastSet | grep pwdLastSet: | cut -d' ' -f2)
    if [ "$PWDLASTSET" != "0" ]  ; then
        # pwdLastSet counts 100 ns intervals since 1601-01-01; convert it to Unix seconds
        LASTSETUNIX=$(( PWDLASTSET / 10000000 - 11644473600 ))
    else
       # pwdLastSet is 0: fall back to the creation date of the account
       WHENCREATED=$("${CMD[@]}" -s sub "(&$FP(userPrincipalName=$USER))" whenCreated | grep whenCreated: | cut -d' ' -f2)
       DATECREATED=${WHENCREATED:0:8}
       LASTSETUNIX=$(date -d "$DATECREATED" "+%s")
    fi

    # Password lifetime in seconds
    REST=$(( RESTRICCION_EXPIRACION * 86400 ))

    EXP=$(( LASTSETUNIX + REST ))
    TEMP=$(( LASTSETUNIX + REST - ACTUALUNIX ))
    DIAS=$(( TEMP / 86400 ))
    FECHAEXP=$(date --date="@$EXP")

    echo "Comprobación del usuario: $USER" >> "$FILE_LOGS"
    echo "         Fecha que vence: $FECHAEXP" >> "$FILE_LOGS"
    echo "         Días que faltan: $DIAS" >> "$FILE_LOGS"

    if [ "$DIAS" -le "$DIAS_PARA_NOTIFICAR" ]  ; then
       echo "El usuario a sido notificado" >> "$FILE_LOGS"
       enviarCorreo "$DIAS" "$USER" "$FECHAEXP" "$FROM"
    fi

    echo "" >> "$FILE_LOGS"

   fi

# This is important so that the mail server is not flooded, i.e. check one user every 2 seconds.
sleep "$TIEMPO_POR_USUARIOS"
done

mail -s "$ASUNTO"  -r "$FROM" "$TO" << EOF
$(cat "$FILE_LOGS")
EOF



>
> 2015-11-26 6:40 GMT+01:00 Amaury Viera Hernández <avhernandez at uci.cu>:
>
>> Hi everyone:
>> I'm using samba4 as domain controller and I want to check every 1 hour
>> in my mail server the password expiration for every user in the domain. I
>> need to know what attribute is used in samba4.
>> Using ldbsearch I see badPasswordTime and accountExpires, but the
>> Microsoft documentation says that accountExpires is used to represent the
>> date when the account expires. Can I use this and send the email to the
>> users telling them that they need to change their password?
>> About badPasswordTime, it says that it represents the last time and date that an
>> attempt to log on to this account was made with a password that is not
>> valid.
>>
>> I'm confused. Could you help me to know which of these attributes I need to
>> advise the users about their password expiration?
>> Thanks in advance. Amaury.
>>
>> ldbsearch --url=/var/lib/samba/private/sam.ldb samaccountname=pp
>> # record 1
>> dn: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: pp
>> instanceType: 4
>> whenCreated: 20151124051519.0Z
>> whenChanged: 20151124051519.0Z
>> uSNCreated: 3847
>> name: pp
>> objectGUID: 95e62723-1bfb-4847-825a-8749705e4ef9
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2370192828-1696309146-286596188-1117
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: pp
>> sAMAccountType: 805306368
>> userPrincipalName: pp@eomarit.com.cu
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=eomarit,DC=com,DC=cu
>> pwdLastSet: 130928157190000000
>> userAccountControl: 512
>> uSNChanged: 3849
>> distinguishedName: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
>>
>>
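
The rule from mathias's reply (expiry = pwdLastSet + how long the password is valid), as an added example that is not part of the original post or of Samba itself. It goes beyond the posted script by also covering accounts flagged "password never expires" in userAccountControl and a policy age given in the AD `maxPwdAge` form (negative 100 ns intervals); the function names are hypothetical, and the sample values come from the record quoted above or are constructed.

```bash
#!/bin/bash
# Added example: password expiry from AD attributes.

EPOCH_DIFF=11644473600       # seconds between 1601-01-01 and 1970-01-01
UF_DONT_EXPIRE_PASSWD=65536  # userAccountControl bit 0x10000

# filetime_to_unix <100 ns intervals since 1601-01-01> -> Unix seconds
filetime_to_unix() {
  echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# password_expiry <pwdLastSet> <maxPwdAge> <userAccountControl>
# Prints "never", "must-change", or the expiry time in Unix seconds.
password_expiry() {
  # Account flag overrides the domain policy.
  if [ $(( $3 & $UF_DONT_EXPIRE_PASSWD )) -ne 0 ]; then
    echo never; return
  fi
  # pwdLastSet = 0: the user must change the password at next logon.
  if [ "$1" = "0" ]; then
    echo must-change; return
  fi
  # 0 or the minimum 64-bit value is treated here as "no maximum age".
  if [ "$2" = "0" ] || [ "$2" = "-9223372036854775808" ]; then
    echo never; return
  fi
  # maxPwdAge is a negative count of 100 ns intervals; make it positive seconds.
  age_secs=$(( -($2) / 10000000 ))
  echo $(( $(filetime_to_unix "$1") + age_secs ))
}

# days_left <expiry Unix seconds> <now Unix seconds> -> whole days remaining
days_left() {
  echo $(( ($1 - $2) / 86400 ))
}

# Demo: pwdLastSet and userAccountControl from the quoted record for "pp",
# with a constructed 90-day policy (maxPwdAge = -77760000000000).
exp=$(password_expiry 130928157190000000 -77760000000000 512)
echo "password set: $(filetime_to_unix 130928157190000000)"
echo "expires at:   $exp"
# Constructed "now": the timestamp of this mail, 2015-11-26 15:55:11 UTC.
echo "days left:    $(days_left "$exp" 1448553311)"
```
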



