[Samba] How to get password expiration?

Jeff Sadowski jeff.sadowski at gmail.com
Fri Feb 3 18:22:13 UTC 2017


Sorry that was easy enough
let seconds=`date -d "${EXPDATE}" "+%s"`-`date "+%s"`
let days=$seconds/86400
echo $days > /na/homes/$1/.pwd_exp


On Fri, Feb 3, 2017 at 11:15 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> Actually is there a way to show it more like a timestamp. It is hard to
> compute days left with a date format like that. I guess I could use date to
> do the conversion but I was wondering if there is a cleaner way
>
> On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 3 Feb 2017 07:44:39 -0700
>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>
>> > This seems to work for maxPwdAge
>> >
>> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
>> > dc=ad,dc=mydomain,dc=tld maxPwdAge
>> >
>> > now I just need to query a users pwdLastSetq
>> > I tried the commands above but am not getting anything. I tried
>> > looking at the ungrepped output but I don't see how to link the
>> > pwdLastSet with any user. I get a long list.
>> > I think I'm looking for dn: and a matching pwdLastSet? So I tried the
>> > command bellow but I don't see anything that looks like users.
>> >
>> >
>> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
>> > '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:" -e
>> > "^dn:"|less gives me as follows
>> >
>> > dn: DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> > pwdLastSet: 129912036833708410
>> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> > pwdLastSet: 131292041205350825
>> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> > pwdLastSet: 131300093694348218
>> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> > pwdLastSet: 129908837104473721
>> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=AppCategories,CN=Default Domain
>> > Policy,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
>> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
>> > ...
>>
>> AS I said, you can use rpcclient to do this:
>>
>> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
>> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
>> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
>> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d
>> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>>
>> If I feed my name into this, I get:
>>
>> Thu, 14 Sep 30828 03:48:05 BST
>>
>> Which is understandable, because my password is set to never expire.
>> So, unless microsoft doesn't know what they are talking about, the
>> world will end in 30828 LOL
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>


More information about the samba mailing list