[Samba] How to get password expiration?

Brian Candler b.candler at pobox.com
Thu Feb 2 15:49:57 UTC 2017

On 02/02/2017 15:17, mathias dufresne wrote:
> So, back to ldapsearch -Y GSSAPI (if your users generate kerberos 
> ticket at connection time) to retrieve LDAP attribute PwdLastSet. It's 
> not an UNIX timestamp, it should be called LDAP time stamp or 18-digit 
> LDAP timestamp...

Aside: it's a Microsoft Win32 FILETIME. (The LDAP standard uses ISO times)

pwdLastSet doesn't tell you when it expires, so you'd have to combine 
this with the domain password expiry policy too: i.e. do the equivalent 
of "samba-tool domain passwordsettings show"

If he only wants to display the information to the user at login time, I 
think the best/easiest place to do this would be in the PAM module which 
enforces the password expiry, since it has all the information to hand 

More information about the samba mailing list