[Samba] Where is password expiration notice period

Mark Foley mfoley at ohprs.org
Sat Dec 1 03:22:41 UTC 2018

On Tue, 27 Nov 2018 17:26:57 Marco Gaiarin wrote:
> Mandi! Mark Foley via samba
>   In chel di` si favelave...
> > I don't recall that Linux/KDE notifies at all. 
> If you use kerberos, users get notified at every logon on password
> expire.
> > Is this an AD setting or is this strictly up to the individual OS/workstation to set?
> I think is an client OS settings.

To follow up on this, yes, it appears that the password expiration notification is a
client-side setting. To do this on Mac:

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 14

where the '14' is the number of days to give notice prior to expiration. It appears that the
default is 20 (or 30, I don't recall which) days prior. Reading that setting prior to doing the
'write' gives the message:

The domain/default pair of (/Library/Preferences/com.apple.loginwindow, PasswordExpirationDays) does not exist

so, it uses a default of 20 or 30 days.

After doing the 'write', the set value (e.g. 14) is returned.

I believe this is working as I have not received any further notices after logging in. We'll
see if it does, in fact, start to notice me at the 14 day point.

On Linux/KDE domain members I have the following script in ~/.kde/Autostart/checkPWexpire set
to show a notice with 8 days to go (credit to Rowland Penny for the ldbsearch):

# Check for and permit changing of Expiring Password



expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes \
  -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS -UserPasswordExpiryTimeComputed | \
  grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`

today=`date +%s`

if [ -n "$1" ]
    echo "[$expireTime]" Days to go: $togo
    exit 0

if [ $togo -gt $warnDays ]; then exit 0; fi


TITLE="Change Expiring Password"

if [ "$togo" = 0 ]
    MSG="Your password expires today.\nConsider changing your password."
    MSG="Your password expires in $togo days.\nConsider changing your password."

The script then goes on to ask for the password change using a yad script, if desired.


More information about the samba mailing list