[Samba] Users list and the date the password will expire

Mark Foley mfoley at ohprs.org
Mon Mar 27 15:54:56 UTC 2017


On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> >
> > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > >
> > > On Sun, 26 Mar 2017 14:32:53 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > >
> > > > as root:
> > > > 
> > > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> > > > "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > > msDS-UserPasswordExpiryTimeComputed
> > > > 
> > > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
> > > > Operation unavailable without authentication> <>
> > > > 
> > > > When I added `-U user%pass` it worked. I don't suppose there is a way
> > > > to NOT specify the password? I'd rather not have to propagate the
> > > > domain administrator's password among all the domain members (-N did
> > > > not work).
> > > > 
> > > > Thanks --Mark
> > > > 
> > >
> > > Sorry, forgot about the required authentication, try it with '-P'
> > > without '-U administrator'
> > >
> > > Rowland
> >
> > Great! That did it. Final command:
> >
> > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
> >
>
> Not quite where I need to be.  The above with the -P option works on the domain member when
> logged in as root.  I had planned on intercepting the lightDM login program to incorporate
> this, but in fact I have no idea what that is or where to find it. 
>
> So, next idea is to run a script when the user logs in to inform him/her of a pending
> expiration.  The -P option does not work for a non-root user.  I can get the info I need using
> -U id%pw, but again, I'd need to have each user's password for this. 
>
> Is there a way a user can run ldbsearch ... without specifying a password?
>
> Is ldbsearch the only way to get a user's expiryTime?
>
> Thanks, --Mark
>

I figured out a way to have a normal user authenticate with ldbsearch. Instead of -P use: -k yes

I've gone ahead and listed my resulting script below.  This script is run when the user logs in
which is defined in KDE: System Settings > Startup and Shutdown > Autostart.  Hopefully, this
script can be of some use to people who want a Windows-like notification of an expiring AD user
password and the opportunity to change the password. 

--Mark

#!/bin/bash
#
# Check for and permit changing of Expiring Password
#

warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE

# -k yes authenticates with the Kerberos ticket the user obtained at login, so no
# password has to be stored in this script or passed on the command line.
expireTime=$(/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
  grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}')

# If the lookup failed (no ticket, DC unreachable, user not found) the value is
# empty and the arithmetic below would abort the script. AD returns
# 9223372036854775807 (0x7FFFFFFFFFFFFFFF) when the password never expires.
if [ -z "$expireTime" ] || [ "$expireTime" = 9223372036854775807 ]; then exit 0; fi

# The attribute is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# Convert to Unix seconds, then to whole days from today.
expireDate=$((expireTime/10000000 - 11644473600))
today=$(date +%s)
togo=$(((expireDate-today)/86400))

if [ "$togo" -gt "$warnDays" ]; then exit 0; fi    # no warning yet

IMAGE=/user/util/bin/pw1.png  # this is just a generic silhouette of a user

TITLE="Change Expiring Password"

if [ "$togo" -eq 0 ]
then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi

badPW=0

while true
do
    pw=$(yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
        --image "$IMAGE" --image-on-top --title "$TITLE" \
        --text="$MSG" \
        --align=right \
        --field="Enter current password:H" \
        --field="Enter new password:H" \
        --field="Confirm Password:H")

    pwOrg=$(echo "$pw" | cut "-d~" -f1)
    pw1=$(echo "$pw" | cut "-d~" -f2)
    pw2=$(echo "$pw" | cut "-d~" -f3)

    if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi  # user canceled or dialog timed out

    if [ "$pw1" != "$pw2" ]
    then
        MSG="Sorry, passwords do not match. Try again."
        continue
    fi

    if [ -z "$pwOrg" ]
    then
        MSG="CURRENT PASSWORD REQUIRED!"
        continue
    fi

    # Verify the current password against the DC before accepting a new one.
    # Note: a --password= argument is visible to other local users in the process
    # list for as long as ntlm_auth runs.
    ntlm_auth --username="$USER" --password="$pwOrg" > /dev/null 2>&1
    rc=$?

    if [ "$rc" != 0 ]
    then
        badPW=$((badPW + 1))
        if [ "$badPW" -gt 2 ]; then exit 1; fi   # only permit 3 tries
        MSG="WRONG CURRENT PASSWORD. Try again."
        continue
    fi

    if [ ${#pw1} -lt 8 ]
    then
        MSG="Password length must be at least 8 characters."
        continue
    fi

    # Verify complexity: the new password must contain at least 3 of these 4
    # classes: upper case, lower case, digit, punctuation. The fourth test strips
    # alphanumerics, so any remaining character (including a space) counts as punctuation.

    cnt=0
    x=$(echo "$pw1" | grep '[A-Z]')
    if [ -n "$x" ]; then cnt=$((cnt + 1)); fi

    x=$(echo "$pw1" | grep '[a-z]')
    if [ -n "$x" ]; then cnt=$((cnt + 1)); fi

    x=$(echo "$pw1" | grep '[0-9]')
    if [ -n "$x" ]; then cnt=$((cnt + 1)); fi

    x=$(echo "$pw1" | tr -d '[:alnum:]')
    if [ -n "$x" ]; then cnt=$((cnt + 1)); fi

    if [ "$cnt" -lt 3 ]
    then
        MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
        continue
    fi

    if [ "$pw1" = "$pwOrg" ]
    then
        MSG="You cannot use your previous password. Think of something new."
        continue
    fi

    break
done

# CHANGE PASSWORD

# samba-tool uses the same Kerberos credentials as the ldbsearch above; the DC
# still enforces its own password policy (history, complexity, minimum age) and
# the command fails if the new password violates it.
samba-tool user password --oldpassword="${pwOrg}" --newpassword="${pw1}" >/dev/null 2>&1
status="$?"

if [ "$status" = "0" ]; then
    yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Successfully changed password for $USER in AD."
else
    yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Error changing password for $USER in AD."
fi

exit "$status"
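The FILETIME arithmetic the script performs on msDS-UserPasswordExpiryTimeComputed, as an added Python example that is not part of the original post: it parses the LDIF that ldbsearch prints, converts the value with the same two constants the script uses, and handles the two cases that would break the shell version (no attribute returned, or the never-expires sentinel). The LDIF sample, the user name and the timestamp are constructed.

```python
import re
from datetime import datetime, timezone

# msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME: 100 ns ticks since
# 1601-01-01 UTC. The two constants are the ones the shell script uses.
TICKS_PER_SECOND = 10_000_000
EPOCH_OFFSET_SECONDS = 11_644_473_600  # 1601-01-01 -> 1970-01-01
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF      # returned when the password never expires

# Constructed sample of what ldbsearch prints for the script's query (not real data).
SAMPLE_LDIF = """\
# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131351630000000000

# returned 1 records
"""

ATTR_RE = re.compile(r"^msDS-UserPasswordExpiryTimeComputed:\s*(\d+)\s*$", re.M)

def parse_expiry_filetime(ldif):
    """Attribute value as int, or None when ldbsearch returned nothing usable
    (no Kerberos ticket, unknown user, attribute absent)."""
    m = ATTR_RE.search(ldif)
    return int(m.group(1)) if m else None

def filetime_to_unix(filetime):
    """Same arithmetic as the script: ticks -> seconds, then shift the epoch."""
    return filetime // TICKS_PER_SECOND - EPOCH_OFFSET_SECONDS

def expiry_datetime(filetime):
    return datetime.fromtimestamp(filetime_to_unix(filetime), tz=timezone.utc)

def days_until_expiry(ldif, now_unix):
    """Whole days until expiry (negative once expired); None when the value is
    missing or the password never expires, so the caller skips the warning."""
    ft = parse_expiry_filetime(ldif)
    if ft is None or ft == NEVER_EXPIRES:
        return None
    return (filetime_to_unix(ft) - now_unix) // 86400

def warning_message(ldif, now_unix, warn_days=8):
    """The script's decision: None while more than warn_days remain."""
    togo = days_until_expiry(ldif, now_unix)
    if togo is None or togo > warn_days:
        return None
    if togo < 0:
        return "Your password has expired."
    if togo == 0:
        return "Your password expires today."
    return "Your password expires in %d days." % togo
```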
