[Samba] How to get password expiration?

Jeff Sadowski jeff.sadowski at gmail.com
Fri Feb 3 19:39:20 UTC 2017


On my ubuntu machines I added

auth    required        pam_exec.so /scripts/password_expire.sh

to the beginning of /etc/pam.d/common-auth

It looks pretty similar to what I did below.
In /etc/bash.bashrc I added a check to wait for the file to be less than 1 second old before
looking at it, and to break out after 5 seconds in case something failed or is taking longer than
it should.

Now people get how many days till their password expires. Thank you all so
much :-)

On Fri, Feb 3, 2017 at 11:22 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> Sorry, that was easy enough:
> seconds=$(( $(date -d "${EXPDATE}" "+%s") - $(date "+%s") ))
> days=$(( seconds / 86400 ))
> echo "$days" > "/na/homes/$1/.pwd_exp"
>
>
> On Fri, Feb 3, 2017 at 11:15 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
> wrote:
>
>> Actually, is there a way to show it more like a timestamp? It is hard to
>> compute days left with a date format like that. I guess I could use date to
>> do the conversion, but I was wondering if there is a cleaner way.
>>
>> On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Fri, 3 Feb 2017 07:44:39 -0700
>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>
>>> > This seems to work for maxPwdAge:
>>> >
>>> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld \
>>> >     -b dc=ad,dc=mydomain,dc=tld maxPwdAge
>>> >
>>> > Now I just need to query a user's pwdLastSet.
>>> > I tried the commands above but am not getting anything. I tried
>>> > looking at the ungrepped output but I don't see how to link the
>>> > pwdLastSet with any user. I get a long list.
>>> > I think I'm looking for dn: and a matching pwdLastSet? So I tried the
>>> > command below but I don't see anything that looks like users.
>>> >
>>> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' \
>>> >     -D '*@ad.mydomain.tld' -U myusername | grep -e "^pwdLastSet:" -e "^dn:" | less
>>> >
>>> > gives me as follows:
>>> >
>>> > dn: DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>>> > pwdLastSet: 129912036833708410
>>> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>>> > pwdLastSet: 131292041205350825
>>> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>>> > pwdLastSet: 131300093694348218
>>> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>>> > pwdLastSet: 129908837104473721
>>> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=AppCategories,CN=Default Domain
>>> > Policy,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
>>> > ...
>>>
>>> As I said, you can use rpcclient to do this:
>>>
>>> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
>>> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
>>> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
>>> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | \
>>>     cut -d ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>>>
>>> If I feed my name into this, I get:
>>>
>>> Thu, 14 Sep 30828 03:48:05 BST
>>>
>>> which is understandable, because my password is set to never expire.
>>> So, unless Microsoft doesn't know what they are talking about, the
>>> world will end in 30828 LOL
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>


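The thread ends up computing "days left" from rpcclient's "Password must change Time" string, while the earlier ldapsearch attempt pulled the raw pwdLastSet values but never combined them with maxPwdAge. The following is an added example, not code from the thread or from Samba, that does that combination directly. Both attributes are Windows FILETIME quantities (100-nanosecond ticks): pwdLastSet counts from 1601-01-01 UTC, and maxPwdAge is a negative interval on the domain object, with -9223372036854775808 meaning passwords never expire. The script also honours the per-account DONT_EXPIRE_PASSWD bit (0x10000) in userAccountControl, which is the usual reason an individual account shows the year-30828 date Rowland saw. The sample values are constructed: the pwdLastSet shown for DC1 above, the AD default maxPwdAge of 42 days, and "now" pinned to the thread's timestamp so the run is reproducible offline.

```shell
#!/bin/sh
# Added example (not from the thread): days until an AD password expires,
# computed from the pwdLastSet and maxPwdAge LDAP attributes instead of
# parsing rpcclient's "Password must change Time" line.

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_OFFSET=11644473600
# 0x7FFFFFFFFFFFFFFF: the largest FILETIME; rpcclient renders it as the year 30828.
FILETIME_NEVER=9223372036854775807
# 0x8000000000000000 as a signed 64-bit value: the maxPwdAge meaning "never expires".
MAXPWDAGE_NEVER=-9223372036854775808
# userAccountControl bit DONT_EXPIRE_PASSWD (0x10000).
UAC_DONT_EXPIRE=65536

# filetime_to_epoch FILETIME -> Unix seconds.
# Integer division drops the sub-second ticks, so the result is floored to the second.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# pwd_expiry_epoch PWDLASTSET MAXPWDAGE [USERACCOUNTCONTROL]
# Prints the Unix time at which the password expires, or one of:
#   MUST_CHANGE  pwdLastSet is 0: the user must change the password at next logon
#   NEVER        maxPwdAge is the "never" sentinel, or the account has DONT_EXPIRE_PASSWD
pwd_expiry_epoch() {
    pwdlastset=$1
    maxpwdage=$2
    uac=${3:-0}
    if [ "$pwdlastset" = 0 ]; then
        echo MUST_CHANGE
        return 0
    fi
    if [ "$maxpwdage" = "$MAXPWDAGE_NEVER" ] || [ $(( uac & UAC_DONT_EXPIRE )) -ne 0 ]; then
        echo NEVER
        return 0
    fi
    # maxPwdAge is stored negative, so subtracting it adds the maximum age.
    echo $(( ( $pwdlastset - ($maxpwdage) ) / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days remaining (negative once expired).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# Constructed sample input: the pwdLastSet value the thread shows for DC1,
# the AD default maxPwdAge of 42 days (-42*86400*10^7 ticks), and "now"
# pinned to Fri Feb 3 19:39:20 UTC 2017, the timestamp of the thread.
SAMPLE_PWDLASTSET=131292041205350825
SAMPLE_MAXPWDAGE=-36288000000000
SAMPLE_NOW=1486150760

expiry=$(pwd_expiry_epoch "$SAMPLE_PWDLASTSET" "$SAMPLE_MAXPWDAGE")
echo "password last set (Unix time): $(filetime_to_epoch "$SAMPLE_PWDLASTSET")"
echo "expires at (Unix time):        $expiry"
echo "days left:                     $(days_left "$expiry" "$SAMPLE_NOW")"
echo "never-expire sentinel as Unix time: $(filetime_to_epoch "$FILETIME_NEVER")"
```

To feed it real data, fetch the two per-user attributes with a search filter, e.g. `ldapsearch ... '(sAMAccountName=someuser)' pwdLastSet userAccountControl`; the unfiltered search quoted above returns every object in the tree, which is why its output is a long list of DNs. If the result is written from a pam_exec script as described at the top of the thread, note that pam_exec supplies the user name in the PAM_USER environment variable rather than as a positional argument, and that the script runs as root, so it should not follow a symlink when writing into a user-writable home directory.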