[Samba] Users list and the date the password will expire
Mark Foley
mfoley at ohprs.org
Mon Mar 27 15:54:56 UTC 2017
On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> >
> > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > >
> > > On Sun, 26 Mar 2017 14:32:53 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > >
> > > > as root:
> > > >
> > > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> > > > "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > > msDS-UserPasswordExpiryTimeComputed
> > > >
> > > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > > > Operation unavailable without authentication> <>
> > > >
> > > > When I added `-U user%pass` it worked. I don't suppose there is a way
> > > > to NOT specify the password? I'd rather not have to propagate the
> > > > domain administrator's password among all the domain members (-N did
> > > > not work).
> > > >
> > > > Thanks --Mark
> > > >
> > >
> > > Sorry, forgot about the required authentication, try it with '-P'
> > > without '-U administrator'
> > >
> > > Rowland
> >
> > Great! That did it. Final command:
> >
> > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
> >
>
> Not quite where I need to be. The above with the -P option works on the domain member when
> logged in as root. I had planned on intercepting the lightDM login program to incorporate
> this, but in fact I have no idea what that is or where to find it.
>
> So, next idea is to run a script when the user logs in to inform him/her of a pending
> expiration. The -P option does not work for a non-root user. I can get the info I need using
> -U id%pw, but again, I'd need to have each user's password for this.
>
> Is there a way a user can run ldbsearch ... without specifying a password?
>
> Is ldbsearch the only way to get a user's expiryTime?
>
> Thanks, --Mark
>
I figured out a way to have a normal user authenticate with ldbsearch. Instead of -P use: -k yes
I've gone ahead and listed my resulting script below. This script is run when the user logs in
which is defined in KDE: System Settings > Startup and Shutdown > Autostart. Hopefully, this
script can be of some use to people who want a Windows-like notification of an expiring AD user
password and the opportunity to change the password.
--Mark
#!/bin/bash
#
# Check for and permit changing of Expiring Password
#
warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE
# -k yes authenticates with the logged-in user's own Kerberos ticket, so no password is needed.
expireTime=$(/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub \
    "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
    grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}')
# If the lookup returned nothing (no ticket, DC unreachable) there is nothing to warn about;
# bail out rather than feeding an empty string to the arithmetic below.
if [ -z "$expireTime" ]; then exit 0; fi

# The attribute is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01.
# Divide by 10^7 for seconds, then subtract the 11644473600 s between 1601 and the Unix epoch.
expireDate=$(( (expireTime / 10000000) - 11644473600 ))
today=$(date +%s)
togo=$(( (expireDate - today) / 86400 ))
if [ "$togo" -gt "$warnDays" ]; then exit 0; fi    # no warning yet

IMAGE=/user/util/bin/pw1.png    # this is just a generic silhouette of a user
TITLE="Change Expiring Password"
if [ "$togo" = 0 ]
then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi

badPW=0
while true
do
    # yad returns the three fields joined by "~"; the :H suffix makes them hidden (password) fields
    pw=$(yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
        --image "$IMAGE" --image-on-top --title "$TITLE" \
        --text="$MSG" \
        --align=right \
        --field="Enter current password:H" \
        --field="Enter new password:H" \
        --field="Confirm Password:H")
    pwOrg=$(echo "$pw" | cut "-d~" -f1)
    pw1=$(echo "$pw" | cut "-d~" -f2)
    pw2=$(echo "$pw" | cut "-d~" -f3)
    if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi    # user canceled
    if [ "$pw1" != "$pw2" ]
    then
        MSG="Sorry, passwords do not match. Try again."
        continue
    fi
    if [ -z "$pwOrg" ]
    then
        MSG="CURRENT PASSWORD REQUIRED!"
        continue
    fi
    # Verify the current password against the DC through winbind before accepting a change.
    # (Passwords passed as arguments are briefly visible in the local process list.)
    ntlm_auth --username="$USER" --password="$pwOrg" > /dev/null 2>&1
    rc=$?
    if [ "$rc" != 0 ]
    then
        badPW=$(( badPW + 1 ))
        if [ "$badPW" -gt 2 ]; then exit 1; fi    # only permit 3 tries
        MSG="WRONG CURRENT PASSWORD. Try again."
        continue
    fi
    if [ ${#pw1} -lt 8 ]
    then
        MSG="Password length must be at least 8 characters."
        continue
    fi
    # Verify Complexity: at least 3 of: upper case, lower case, number, punctuation.
    # (Anything that is not alphanumeric, a space included, counts as punctuation here.)
    cnt=0
    if echo "$pw1" | grep -q '[A-Z]'; then cnt=$(( cnt + 1 )); fi
    if echo "$pw1" | grep -q '[a-z]'; then cnt=$(( cnt + 1 )); fi
    if echo "$pw1" | grep -q '[0-9]'; then cnt=$(( cnt + 1 )); fi
    x=$(echo "$pw1" | tr -d '[:alnum:]')
    if [ -n "$x" ]; then cnt=$(( cnt + 1 )); fi
    if [ "$cnt" -lt 3 ]
    then
        MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
        continue
    fi
    if [ "$pw1" = "$pwOrg" ]
    then
        MSG="You cannot use your previous password. Think of something new."
        continue
    fi
    break
done

# CHANGE PASSWORD (run as the user against AD)
samba-tool user password --oldpassword="${pwOrg}" --newpassword="${pw1}" >/dev/null 2>&1
status="$?"
if [ "$status" = "0" ]; then
    yad --title "$TITLE" \
        --center \
        --button="gtk-ok:0" \
        --text="Successfully changed password for $USER in AD."
else
    yad --title "$TITLE" \
        --center \
        --button="gtk-ok:0" \
        --text="Error changing password for $USER in AD."
fi
exit $status
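As an added example (not Mark's script and not from the thread), a small POSIX shell helper that turns the msDS-UserPasswordExpiryTimeComputed value in ldbsearch output into days until expiry, and handles the two cases the script above does not: the attribute missing from the output (for example when the Kerberos lookup failed) and the never-expires sentinel. The sample LDIF record and the timestamps are constructed.

```shell
#!/bin/sh
# Added example: days-until-expiry from an msDS-UserPasswordExpiryTimeComputed value.
# The attribute is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_DIFF=11644473600                 # seconds between 1601-01-01 and 1970-01-01
FILETIME_NEVER=9223372036854775807     # 0x7FFFFFFFFFFFFFFF: AD's "password never expires"

# filetime_to_epoch <ticks>  -> Unix seconds (truncated)
filetime_to_epoch() {
    echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# days_to_expiry <ldbsearch output> <now as Unix seconds>
# Prints "never", "unknown" (attribute absent or not numeric; also returns 1), or the
# whole number of days remaining, which is negative when the password already expired.
days_to_expiry() {
    out=$1
    now=$2
    ticks=$(printf '%s\n' "$out" | sed -n 's/^msDS-UserPasswordExpiryTimeComputed: *//p' | head -n 1)
    case "$ticks" in
        '' | *[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$ticks" = "$FILETIME_NEVER" ]; then
        echo never
        return 0
    fi
    expire=$(filetime_to_epoch "$ticks")
    echo $(( (expire - now) / 86400 ))
}

# Constructed sample in the layout ldbsearch prints. The tick value is 2017-04-06 01:00:00 UTC,
# about 12 days after NOW (2017-03-25 00:00:00 UTC).
SAMPLE='# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131359140000000000

# returned 1 records
# 1 entries
# 0 referrals'
NOW=1490400000

days_to_expiry "$SAMPLE" "$NOW"    # prints 12
```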