[Samba] How to get password expiration?

Rowland Penny rpenny at samba.org
Fri Feb 3 15:51:40 UTC 2017


On Fri, 3 Feb 2017 07:44:39 -0700
Jeff Sadowski via samba <samba at lists.samba.org> wrote:

> This seems to work for maxPwdAge
> 
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge
> 
> now I just need to query a user's pwdLastSet
> I tried the commands above but am not getting anything. I tried
> looking at the ungrepped output but I don't see how to link the
> pwdLastSet with any user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command below but I don't see anything that looks like users.
> 
> 
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D '*@ad.mydomain.tld' -U myusername | grep -e "^pwdLastSet:" -e "^dn:" | less
> 
> gives me as follows
> 
> dn: DC=ad,DC=mydomain,DC=tld
> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129912036833708410
> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131292041205350825
> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131300093694348218
> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129908837104473721
> dn: CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> ...

As I said, you can use rpcclient to do this:

RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')

If I feed my name into this, I get:

Thu, 14 Sep 30828 03:48:05 BST

Which is understandable, because my password is set to never expire.
So, unless Microsoft doesn't know what they are talking about, the
world will end in 30828 LOL

Rowland
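The thread shows the two raw pieces (maxPwdAge on the domain object, pwdLastSet on each user) but not how they combine into the date rpcclient prints. The following is an added example, not code from either poster or from Samba: it reads LDIF of the shape ldapsearch produces, converts the Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) and applies the usual rules: maxPwdAge is stored as a negative duration; a maxPwdAge of 0 or -2^63 means no maximum age; the DONT_EXPIRE_PASSWD bit (0x10000) in userAccountControl disables expiry for that account; pwdLastSet of 0 means the user must change at next logon. The LDAP filter in the comment, restricting the search to person objects so that computers and containers do not appear in the list, is a standard AD filter and an assumption about how the input was gathered. The sample LDIF is constructed for the example; one pwdLastSet value is taken from the quoted output above, and the 42-day maxPwdAge is Samba's default rather than anything the thread states.

```python
# Added example: derive an AD password expiry date from pwdLastSet,
# maxPwdAge and userAccountControl. Input is LDIF such as
#   ldapsearch -LLL -Q -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' \
#       '(&(objectClass=user)(objectCategory=person))' pwdLastSet userAccountControl
# plus the base-DN maxPwdAge query from the thread (command assumed, not quoted).
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_MAX = 0x7FFFFFFFFFFFFFFF          # the "year 30828" value rpcclient prints
DONT_EXPIRE_PASSWD = 0x10000               # userAccountControl flag
NO_MAX_PWD_AGE = (0, -0x8000000000000000)  # maxPwdAge values meaning "no maximum"


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: blank line separates entries, a leading space
    continues the previous attribute value (enough for ldapsearch -LLL output)."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
        last_key = key
    if current:
        entries.append(current)
    return entries


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int = 0) -> Optional[datetime]:
    """Return when the password expires, or None if it never does.
    pwdLastSet == 0 (must change at next logon) is reported as the FILETIME epoch,
    i.e. already expired."""
    if uac & DONT_EXPIRE_PASSWD or max_pwd_age in NO_MAX_PWD_AGE:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    try:
        # maxPwdAge is a negative duration, so subtracting it adds the age.
        return filetime_to_datetime(pwd_last_set - max_pwd_age)
    except OverflowError:  # past year 9999 (e.g. FILETIME_MAX): treat as never
        return None


def expiry_report(domain_ldif: str, users_ldif: str) -> Dict[str, str]:
    """Map each user DN to its expiry as 'YYYY-MM-DD HH:MM:SS UTC' or 'never'."""
    max_pwd_age = int(parse_ldif(domain_ldif)[0]["maxPwdAge"])
    report: Dict[str, str] = {}
    for entry in parse_ldif(users_ldif):
        expiry = password_expiry(int(entry.get("pwdLastSet", "0")),
                                 max_pwd_age,
                                 int(entry.get("userAccountControl", "0")))
        report[entry["dn"]] = "never" if expiry is None else expiry.strftime("%Y-%m-%d %H:%M:%S UTC")
    return report


# Constructed sample input. maxPwdAge is 42 days (Samba's default), expressed
# as negative 100-ns ticks; the first pwdLastSet is the DC1 value quoted above.
SAMPLE_DOMAIN = """\
dn: DC=ad,DC=mydomain,DC=tld
maxPwdAge: -36288000000000
"""

SAMPLE_USERS = """\
dn: CN=Example User,CN=Users,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131292041205350825
userAccountControl: 512

dn: CN=Never Expires,CN=Users,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131292041205350825
userAccountControl: 66048

dn: CN=Must Change,CN=Users,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 0
userAccountControl: 512
"""

if __name__ == "__main__":
    for dn, when in expiry_report(SAMPLE_DOMAIN, SAMPLE_USERS).items():
        print(f"{when:24}  {dn}")
```

Running it on the sample prints 2017-03-01 09:08:40 UTC for the normal account (42 days after the quoted pwdLastSet of 2017-01-18 09:08:40 UTC), "never" for the account with DONT_EXPIRE_PASSWD set, and the 1601 epoch for the must-change-at-next-logon account. The "never" handling is what rpcclient expresses as the year-30828 date: it prints FILETIME_MAX rather than a sentinel, so any script that consumes its output should treat a year that large as "does not expire" rather than as a real deadline.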


