[Samba] How to get password expiration?

mathias dufresne infractory at gmail.com
Wed Feb 1 16:39:12 UTC 2017


You'd like to modify .bashrc to auto-disconnect users with expired passwords?
I thought modern tools for using AD (SSSD, winbind, nslcd) would come with
such a mechanism inside. I do believe I remember some Linux disconnecting
me for "disabled user" or "expired password"...

Anyway, don't put that into .bashrc, they can modify it. If you really go
that way, use /etc/profile, which is owned by root (normally).

In AD (MS and Samba) I believe expiration is calculated. You take the current
date, you take pwdLastSet, you take the password expiration policy and you
check if the password wasn't set too far from now.

But I still believe a well-written tool should manage these expirations
automagically when it comes to tools responsible for retrieving users from AD.

2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:

> my smb.conf looks as follows.
> [global]
>    security = ads
>    realm = AD.MYDOMAIN.TLD
>    workgroup = AD
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    restrict anonymous = 2
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
> I'm connected to a Windows 2008 based Active Directory environment.
> Is there a Linux command users can run to get their password expiration
> that they could run from their .bashrc files?
> I searched the wiki and the mailing list but couldn't find what I am
> looking for.
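
The calculation described in the reply above (current date, pwdLastSet, expiration policy), as an added example that is not part of the original thread or of Samba. It assumes the two attribute values have already been read from the directory, that the domain-wide maxPwdAge applies (no fine-grained password policy), and the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD timestamps count from here
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires
NO_MAX_AGE = -(2 ** 63)           # maxPwdAge value meaning "no maximum age"


def filetime_to_datetime(ticks):
    """Convert a count of 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, user_account_control=0):
    """Return (state, when) for one account.

    pwd_last_set: the user's pwdLastSet attribute (FILETIME integer).
    max_pwd_age:  the domain's maxPwdAge attribute (negative 100-ns count).
    state is "never", "must-change" (pwdLastSet is 0, so a change is forced
    at next logon) or "expires"; when is a UTC datetime only for "expires".
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:
        return ("must-change", None)
    if max_pwd_age in (0, NO_MAX_AGE):
        return ("never", None)
    # maxPwdAge is stored negative, so subtracting it adds the allowed age.
    return ("expires", filetime_to_datetime(pwd_last_set - max_pwd_age))


def days_left(expiry, now):
    """Whole days until expiry; negative once the password has expired."""
    return (expiry - now) // timedelta(days=1)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    last_set = 131300000000000000        # pwdLastSet
    max_age = -42 * 864000000000         # maxPwdAge: 42 days
    now = datetime(2017, 2, 1, 16, 39, 12, tzinfo=timezone.utc)
    state, when = password_expiry(last_set, max_age, user_account_control=0x200)
    print(state, when.isoformat(), "days left:", days_left(when, now))
```

If this runs from a login script, the script should live in a root-owned file such as /etc/profile, as the reply notes, so users cannot edit the check away.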
