[Samba] Users list and the date the password will expire

Ole Traupe ole.traupe at tu-berlin.de
Mon Feb 13 15:46:12 UTC 2017


Quick addendum: I just stumbled upon abandoned accounts receiving 
"password expired" notifications forever, even if they get disabled 
subsequently (by me). It might be helpful to include this in the script:

uAC_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub \
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" \
    userAccountControl | grep userAccountControl: | sed "s|userAccountControl: ||")

# 512 = normal, enabled account with no other userAccountControl flags set
if [ "${uAC_string}" -eq "512" ]; then
     :  # [do expiration parsing]
fi


Here is a list of possible values for the userAccountControl field:
http://www.netvision.com/ad_useraccountcontrol.php

Ole
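
The -eq 512 test in the addendum above matches only accounts whose single flag is NORMAL_ACCOUNT. As an added example (not part of the original post or of the script under discussion), the same decision made by testing individual userAccountControl bits, which generalizes beyond the post's one value; the function names and the sample ldbsearch output are constructed for illustration.

```bash
# Added example: decide from userAccountControl whether an account should
# still be checked for password expiry. Function names are hypothetical.

# Documented userAccountControl bits (decimal).
UF_ACCOUNTDISABLE=2          # 0x0002  account is disabled
UF_NORMAL_ACCOUNT=512        # 0x0200  ordinary user account
UF_DONT_EXPIRE_PASSWD=65536  # 0x10000 password never expires

# Constructed sample of ldbsearch output for a disabled user (512 + 2).
SAMPLE_LDIF='# record 1
dn: CN=jdoe,CN=Users,DC=example,DC=com
userAccountControl: 514

# returned 1 records
# 1 entries
# 0 referrals'

# Read ldbsearch output on stdin, print the first userAccountControl value.
uac_from_ldif() {
    sed -n 's/^userAccountControl: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# Return 0 if expiry notification applies to this account, 1 otherwise.
should_notify() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # user not found or non-numeric: skip
    esac
    [ $(( $1 & $UF_NORMAL_ACCOUNT )) -ne 0 ]     || return 1  # not a user
    [ $(( $1 & $UF_ACCOUNTDISABLE )) -eq 0 ]     || return 1  # disabled
    [ $(( $1 & $UF_DONT_EXPIRE_PASSWD )) -eq 0 ] || return 1  # never expires
    return 0
}

# Demo over constructed values: 512 enabled, 544 enabled + PASSWD_NOTREQD,
# 514 disabled, 66048 enabled + never expires, plus the parsed sample.
for uac in 512 544 514 66048 "$(printf '%s\n' "$SAMPLE_LDIF" | uac_from_ldif)"; do
    if should_notify "$uac"; then
        echo "$uac: parse expiry and notify"
    else
        echo "$uac: skip"
    fi
done
```

Unlike the exact-match test, this keeps notifying enabled accounts that carry additional flags such as 544, and it treats an empty search result as "skip" instead of raising a test error.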



On 09.02.2017 15:52, Ole Traupe via samba wrote:
> For what it's worth, here is the output of "testparm" on the DC:
>
>
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = domain.university.tld
>         interfaces = lo eth0 eth0:0
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         passdb backend = samba_dsdb
>         dns forwarder = forwarder_IP
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.university.tld/scripts
>         read only = No
>
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
> On 09.02.2017 15:16, Rowland Penny via samba wrote:
>> On Thu, 9 Feb 2017 14:56:47 +0100
>> Ole Traupe via samba <samba at lists.samba.org> wrote:
>>
>>> I only get the usernames:
>>> Same on member servers, btw. Initially I thought this comes from
>>> "winbind: use default domain", but this is neither present on my DCs
>>> nor would it have any effect (afaik).
>> This is what is confusing me, I know of no way to get the username
>> without the domain on a DC and then yours goes and does it without
>> trying LOL
>>
>>> Anyways, no problem for me to accommodate your script to my
>>> environment. Thank you for your valuable extensions!
>>>
>> No problem, glad to help.
>>
>> Rowland
>>
>
>



