[Samba] Users list and the date the password will expire

Mark Foley mfoley at ohprs.org
Thu Mar 30 12:50:15 UTC 2017 

On Wed, 29 Mar 2017 18:59:40 +0100 Rowland Penny wrote:
>
> On Wed, 29 Mar 2017 12:41:46 -0400
> Mark Foley <mfoley at ohprs.org> wrote:
>
> > Yes, I did get it, but due to labyrinthine .procmailrc settings, it
> > did not go to the mailbox in which I normally read the sambalist
> > messages!
> > 
> > Checking my offline mailbox ... in that email, you suggest (expanded):
> > 
> > $ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
>
> > Enter 's password:
> > 
> > So, it *still* asks for a password, and the user's ID in the prompt
> > is empty (from the empty -U?). If I leave off the -U it asks for
> > mark's password.
> > 
> > Am I doing something wrong?
>
> Yes, you are running the script on the command line ;-)
>
> > 
> > Once I enter the password, the rest of your script ultimately does
> > get me the "Password must change Time". BUT ... I need to enter the
> > user's password! (neither -k nor -N work)
>
> If you use the script as I suggested, it works without entering the
> password. OK, that isn't really true, when you login, you enter the
> password and this gets passed (along with the username) to the script.
>
> It works on the Mate desktop and I think that KDE uses a similar
> setup, but it does rely on PAM.
>
> Rowland

Yes, that script worked when run from the .desktop. Also interesting to note that running:

ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes ...

and

rpcclient -k -c "queryuser 1111" mail

are now working again with the -k option. So, in the interest of "teaching a man to fish", I
have a few follow-up questions:

1. I ran the successful `ldbsearch -k` *after* logging with the expiry-date.desktop
configured.  Did my running that notify-pass-expiry script *cause* the kerberos option on the
ldbsearch/rpcclient to start working? In other words did running the notify-pass-expiry script
cause kerberos to somehow refresh tickets (or whatever) for this user?

2. If not, why did -k start working today? Is there some refresh/cache/lease interval at work?

3. You say, "when you login, you enter the password and this gets passed (along with the
username) to the script".  Is this a feature of .desktop? Why would password get passed to the
script via this mechanism and not via command line? Is there a man page on this somewhere or is
this "legend around the digital campfire" stuff?

THX, your solutions are invaluable. I can't imagine anyone getting a decent domain member
workstation up without them.

--Mark

More information about the samba mailing list