[Samba] How to get password expiration?

Rowland Penny rpenny at samba.org
Thu Feb 2 16:05:10 UTC 2017

On Thu, 2 Feb 2017 15:49:57 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> On 02/02/2017 15:17, mathias dufresne wrote:
> > So, back to ldapsearch -Y GSSAPI (if your users generate kerberos 
> > ticket at connection time) to retrieve LDAP attribute PwdLastSet.
> > It's not an UNIX timestamp, it should be called LDAP time stamp or
> > 18-digit LDAP timestamp...
> Aside: it's a Microsoft Win32 FILETIME. (The LDAP standard uses ISO
> times)
> pwdLastSet doesn't tell you when it expires, so you'd have to combine 
> this with the domain password expiry policy too: i.e. do the
> equivalent of "samba-tool domain passwordsettings show"
> If he only wants to display the information to the user at login
> time, I think the best/easiest place to do this would be in the PAM
> module which enforces the password expiry, since it has all the
> information to hand already.

The problem isn't getting the expiry date and time (you can use the
rpcclient command for this), it is getting something to pop-up on the
users desktop with the data.


More information about the samba mailing list