[Samba] Where is password expiration notice period

Mark Foley mfoley at ohprs.org
Sat Dec 1 03:22:41 UTC 2018 

On Tue, 27 Nov 2018 17:26:57 Marco Gaiarin wrote:
>
> Mandi! Mark Foley via samba
>   In chel di` si favelave...
>
> > I don't recall that Linux/KDE notifies at all. 
>
> If you use kerberos, users get notified at every logon on password
> expire.
>
>
> > Is this an AD setting or is this strictly up to the individual OS/workstation to set?
>
> I think is an client OS settings.

To follow up on this, yes, it appears that the password expiration notification is a
client-side setting. To do this on Mac:

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 14

where the '14' is the number of days to give notice prior to expiration. It appears that the
default is 20 (or 30, I don't recall which) days prior. Reading that setting prior to doing the
'write' gives the message:

The domain/default pair of (/Library/Preferences/com.apple.loginwindow, PasswordExpirationDays) does not exist

so, it uses a default of 20 or 30 days.

After doing the 'write', the set value (e.g. 14) is returned.

I believe this is working as I have not received any further notices after logging in. We'll
see if it does, in fact, start to notice me at the 14 day point.

On Linux/KDE domain members I have the following script in ~/.kde/Autostart/checkPWexpire set
to show a notice with 8 days to go (credit to Rowland Penny for the ldbsearch):

#!/bin/bash
#
# Check for and permit changing of Expiring Password
#

warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE

expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes \
  -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS -UserPasswordExpiryTimeComputed | \
  grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`

expireDate=$((($expireTime/10000000)-11644473600))
today=`date +%s`
togo=$((($expireDate-$today)/86400))

if [ -n "$1" ]
then
    echo "[$expireTime]" Days to go: $togo
    exit 0
fi

if [ $togo -gt $warnDays ]; then exit 0; fi

IMAGE=/user/util/bin/pw1.png

TITLE="Change Expiring Password"

if [ "$togo" = 0 ]
then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi

The script then goes on to ask for the password change using a yad script, if desired.

--Mark

More information about the samba mailing list