[Samba] How to get password expiration?
Brian Candler
b.candler at pobox.com
Thu Feb 2 15:49:57 UTC 2017
On 02/02/2017 15:17, mathias dufresne wrote:
> So, back to ldapsearch -Y GSSAPI (if your users generate Kerberos
> ticket at connection time) to retrieve LDAP attribute PwdLastSet. It's
> not a UNIX timestamp, it should be called LDAP time stamp or 18-digit
> LDAP timestamp...

Aside: it's a Microsoft Win32 FILETIME. (The LDAP standard uses ISO times)

pwdLastSet doesn't tell you when it expires, so you'd have to combine
this with the domain password expiry policy too: i.e. do the equivalent
of "samba-tool domain passwordsettings show"

If he only wants to display the information to the user at login time, I
think the best/easiest place to do this would be in the PAM module which
enforces the password expiry, since it has all the information to hand
already.
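
An added illustration of the two points in the message above (not code from the post or from Samba): decoding a pwdLastSet FILETIME value and combining it with a maximum password age to get an expiry time. The function names, the sample pwdLastSet value and the 42-day maximum age are assumptions; the real maximum age is whatever "samba-tool domain passwordsettings show" reports for the domain.

```python
from datetime import datetime, timedelta, timezone

# A Win32 FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_NORMAL_ACCOUNT = 0x200
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires


def filetime_to_datetime(filetime):
    """Convert a FILETIME tick count (e.g. pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiry(pwd_last_set, max_age_days, uac=UF_NORMAL_ACCOUNT):
    """Return (status, expiry) for one account.

    status is "never", "must_change" or "expires"; expiry is a UTC datetime
    only when status is "expires".
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:
        # pwdLastSet of 0 means the password must be changed at next logon.
        return ("must_change", None)
    if max_age_days == 0:
        # A maximum age of 0 in the domain policy disables expiry.
        return ("never", None)
    expiry = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return ("expires", expiry)


def days_left(expiry, now):
    """Whole days until expiry; negative once the password has expired."""
    return (expiry - now).days


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    sample_pwd_last_set = 131300000000000000
    assumed_max_age_days = 42
    status, expiry = password_expiry(sample_pwd_last_set, assumed_max_age_days)
    print("password last set:", filetime_to_datetime(sample_pwd_last_set))
    print("status:", status, "expiry:", expiry)
    if expiry is not None:
        print("days left:", days_left(expiry, datetime.now(timezone.utc)))
```
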