[Samba] How to get password expiration?

mathias dufresne infractory at gmail.com
Thu Feb 2 15:17:52 UTC 2017

@Jeff: ok you just want to calculate and display.

You would need several tools to achieve that on each machine, as ldapsearch
if you don't find a way to retrieve information from DB magically. Perhaps
configuring nsswitch to get info for "shadow" line could help you. I mean
/etc/shadow is supposed (in my own foggy world) to store information about
password, expiration, etc.. I never tried that and never dug neither into
SSSD nslcd nor winbind to check is some is able to generate a shadow map.

So, back to ldapsearch -Y GSSAPI (if your users generate kerberos ticket at
connection time) to retrieve LDAP attribute PwdLastSet. It's not an UNIX
timestamp, it should be called LDAP time stamp or 18-digit LDAP
Then you will have to compare this PwDLastSet to current and password max
age. Current date is quite easy to retrieve. For Password max age the AD
LDAP attribute is "maxPwdAge".
You should be able to retrieve it using dirty "ldbsearch -H $sam
maxPwdAge=* dn maxPwdAge" then you'll be able to get a nice and clean
Then calculation...

The idea of Andrew would be nice if it works...

2017-02-02 13:47 GMT+01:00 Brian Candler via samba <samba at lists.samba.org>:

> On 01/02/2017 19:12, Jeff Sadowski wrote:
>> Or maybe better like so on login
>> Last login: Wed Feb 1 10:47:53
>> Password Expires in 28 days
>> [myaduser at machine ~]$
> Something like this?
> warn_pwd_expire
>    Defines number of days before pam_winbind starts to warn about
>    passwords that are going to expire. Defaults to 14 days.
> https://www.samba.org/samba/docs/man/manpages/pam_winbind.8.html
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list