[Samba] How to get password expiration?
b.candler at pobox.com
Thu Feb 2 15:49:57 UTC 2017
On 02/02/2017 15:17, mathias dufresne wrote:
> So, back to ldapsearch -Y GSSAPI (if your users generate kerberos
> ticket at connection time) to retrieve LDAP attribute PwdLastSet. It's
> not an UNIX timestamp, it should be called LDAP time stamp or 18-digit
> LDAP timestamp...
Aside: it's a Microsoft Win32 FILETIME. (The LDAP standard uses ISO times)
pwdLastSet doesn't tell you when it expires, so you'd have to combine
this with the domain password expiry policy too: i.e. do the equivalent
of "samba-tool domain passwordsettings show"
If he only wants to display the information to the user at login time, I
think the best/easiest place to do this would be in the PAM module which
enforces the password expiry, since it has all the information to hand
More information about the samba