[Samba] Users list and the date the password will expire

Mark Foley mfoley at ohprs.org
Mon Mar 27 21:25:06 UTC 2017 

Matt - thanks for the tip on passwdqc. That is not installed by default on Slackware, but it is
in the SlackBuilds repository. I'll install it and check it out.

On Mon, 27 Mar 2017 13:32:53 -0400 Matt Savin wrote:
>
> Hello Mark,
>
> Thank you for sharing! I would probably replace password length and
> complexity check with:
>
> if [[ $(echo -e "$pw1\n$pwOrg\n$USER"| \
>     pwqcheck min=disabled,disabled,disabled,8,8 max=20 match=4) \
>     == OK && $? -eq 0 ]]; then echo yes; fi
>
> Cons: depends on passwdqc package, which is part of most distributions.
> Pros: does substring matching.
>
> Regards,
> Matt
>
> On Mon, Mar 27, 2017 at 11:54 AM, Mark Foley via samba <
> samba at lists.samba.org> wrote:
>
> > On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
> > >
> > > On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> > > >
> > > > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > > > >
> > > > > On Sun, 26 Mar 2017 14:32:53 -0400
> > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > >
> > > > > > as root:
> > > > > >
> > > > > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> > > > > > "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > > > > msDS-UserPasswordExpiryTimeComputed
> > > > > >
> > > > > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
> > > > > > Operation unavailable without authentication> <>
> > > > > >
> > > > > > When I added `-U user%pass` it worked. I don't suppose there is a
> > way
> > > > > > to NOT specify the password? I'd rather not have to propigate the
> > > > > > domain administrator's password among all the domain members (-N
> > did
> > > > > > not work).
> > > > > >
> > > > > > Thanks --Mark
> > > > > >
> > > > >
> > > > > Sorry, forgot about the required authentication, try it with '-P'
> > > > > without '-U administrator'
> > > > >
> > > > > Rowland
> > > >
> > > > Great! That did it. Final command:
> > > >
> > > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub
> > "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-
> > UserPasswordExpiryTimeComputed
> > > >
> > >
> > > Not quite where I need to be.  The above with the -P option works on the
> > domain member when
> > > logged in as root.  I had planned on interecepting the lightDM login
> > program to incorporate
> > > this, but in fact I have no idea what that is or where to find it.
> > >
> > > So, next idea is to run a script when the user logs in to inform him/her
> > of a pending
> > > expiration.  The -P option does not work for a non-root user.  I can get
> > the info I need using
> > > -U id%pw, but again, I'd need to have each user's password for this.
> > >
> > > Is there a way a user can run ldbsearch ... without specifying a
> > password?
> > >
> > > Is ldbsearch the only way to get a user's expiryTime?
> > >
> > > Thanks, --Mark
> > >
> >
> > I figured out a way to have a normal user authenticate with ldbsearch.
> > Instead of -P use: -k yes
> >
> > I've gone ahead and listed my resulting script below.  This script is run
> > when the user logs in
> > which is defined in KDE: System Settings > Startup and Shutdown >
> > Autostart.  Hopefully, this
> > script can be of some use to people who want a Windows-like notification
> > of a expiring AD user
> > password and the opportunity to change the password.
> >
> > --Mark
> >
> > #!/bin/bash
> > #
> > # Check for and permit changing of Expiring Password
> > #
> >
> > warnDays=8
> >
> > # CHECK FOR PASSWORD ABOUT TO EXPIRE
> >
> > expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k
> > yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
> > | \
> >   grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`
> >
> > expireDate=$((($expireTime/10000000)-11644473600))
> > today=`date +%s`
> > togo=$((($expireDate-$today)/86400))
> >
> > if [ $togo -gt $warnDays ]; then exit 0; fi     # no warning yet
> >
> > IMAGE=/user/util/bin/pw1.png  # this is just a generic silhouette of a user
> >
> > TITLE="Change Expiring Password"
> >
> > if [ "$togo" = 0 ]
> > then
> >     MSG="Your password expires today.\nConsider changing your password."
> > else
> >     MSG="Your password expires in $togo days.\nConsider changing your
> > password."
> > fi
> >
> > badPW=0
> >
> > while [ 1 = 1 ]
> > do
> >     pw=`yad --form --on-top --center --timeout=300 --timeout-indicator=top
> > --separator="~" \
> >         --image "$IMAGE" --image-on-top --title "$TITLE" \
> >         --text="$MSG" \
> >         --align=right \
> >         --field="Enter current password:H" \
> >         --field="Enter new password:H" \
> >         --field="Confirm Password:H"`
> >
> >     pwOrg=`echo "$pw" | cut "-d~" -f1`
> >     pw1=`echo "$pw" | cut "-d~" -f2`
> >     pw2=`echo "$pw" | cut "-d~" -f3`
> >
> >     if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi
> > # user canceled
> >
> >     if [ "$pw1" != "$pw2" ]
> >     then
> >         MSG="Sorry, passwords do no match. Try again."
> >         continue
> >     fi
> >
> >     if [ -z "$pwOrg" ]
> >     then
> >         MSG="CURRENT PASSWORD REQUIRED!"
> >         continue
> >     fi
> >
> >     ntlm_auth --username=$USER --password="$pwOrg" > /dev/null 2>&1
> >     rc=$?
> >
> >     if [ "$rc" != 0 ]
> >     then
> >         badPW=$[ $badPW + 1 ]
> >         if [ $badPW -gt 2 ]; then exit -1; fi   # only permit 3 tries
> >         MSG="WRONG CURRENT PASSWORD. Try again."
> >         continue
> >     fi
> >
> >     if [ ${#pw1} -lt 8 ]
> >     then
> >         MSG="Password length must be at least 8 characters."
> >         continue
> >     fi
> >
> >     # Verify Complexity: at least 1 of: upper case, lower case, number,
> > punctuation. No spaces.
> >
> >     cnt=0
> >     x=$(echo "$pw1" | grep '[A-Z]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     x=$(echo "$pw1" | grep '[a-z]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     x=$(echo "$pw1" | grep '[0-9]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     x=$(echo "$pw1" | tr -d '[:alnum:]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     if [ $cnt -lt 3 ]
> >     then
> >         MSG="Password must have 3 of the following: upper case, lower
> > case, number, punctuation."
> >         continue
> >     fi
> >
> >     if [ "$pw1" = "$pwOrg" ]
> >     then
> >         MSG="You cannot use your previous password. Think of something
> > new."
> >         continue
> >     fi
> >
> >     break
> > done
> >
> > # CHANGE PASSWORD
> >
> > samba-tool user password --oldpassword="${pwOrg}" --newpassword="${pw1}"
> > >/dev/null 2>&1
> > status="$?"
> >
> > if [ "$status" == "0" ]; then
> >     yad --title "$TITLE" \
> >     --center \
> >     --button="gtk-ok:0" \
> >     --text="Successfully changed password for $USER in AD."
> > else
> >     yad --title "$TITLE" \
> >     --center \
> >     --button="gtk-ok:0" \
> >     --text="Error changing password for $USER in AD."
> > fi
> >
> > exit $status
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >

More information about the samba mailing list