[Samba] Get PasswordMustChangeNow parameter from command line

Rowland Penny rpenny at samba.org
Wed Jan 23 19:19:08 UTC 2019

On Wed, 23 Jan 2019 10:44:01 -0800
Luke Barone via samba <samba at lists.samba.org> wrote:

> I am adapting a script that needs to know whether a user needs to
> change their password on the next login from NT to AD with Samba.
> I have tried "samba-tool user getpassword <user> --attributes
> PwdMustChangeNow", but that's not giving me anything useful - just a
> DN, and "Got password OK" (even on users that do need the password to
> change).

It wouldn't, mainly because 'PwdMustChangeNow' isn't one of the listed
attributes and I don't know where you got it from.

> Is there another line I can use that will show when a user's password
> must change? The OS is Debian 9, running samba 4.5.12-Debian (yes, I
> know it's EOL, but it's what the Debian repo has)

No, and it has nothing to do with your version of Samba ;-)

There is an attribute 'msDS-UserPasswordExpiryTimeComputed' which would
give you what you want, but this doesn't seem to exist in AD yet.

You need to obtain two attributes from AD, the domain's 'maxPwdAge' and
the user's 'pwdLastSet', then with a bit of maths (okay, a lot), you can
calculate when the password will expire.
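
The calculation described in the message above, as an added example that is not part of the original message or of Samba's own code. It assumes both attributes have already been read from the directory as integers; the function names, the `pwdLastSet` = 0 check ("must change at next logon"), the `userAccountControl` flag check and the treatment of a `maxPwdAge` of 0 as "no expiry" go beyond what the message states, fine-grained password policies are not considered, and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores times as 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_MAX_AGE = -0x8000000000000000   # maxPwdAge value meaning "no maximum age"
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl: password never expires


def filetime_to_datetime(ticks):
    """Convert 100-ns intervals since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_state(pwd_last_set, max_pwd_age, now, user_account_control=0):
    """Return (state, expiry). expiry is None when no expiry date applies.

    pwd_last_set         -- the user's pwdLastSet
    max_pwd_age          -- the domain's maxPwdAge (a negative interval)
    now                  -- aware datetime to compare against
    user_account_control -- the user's userAccountControl (optional)
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return ("never_expires", None)
    if pwd_last_set == 0:
        # pwdLastSet = 0 marks "user must change password at next logon".
        return ("must_change_now", None)
    if max_pwd_age in (0, NO_MAX_AGE):
        # Assumption: a maxPwdAge of 0 is treated like NO_MAX_AGE here.
        return ("never_expires", None)
    # maxPwdAge is stored negative, so add its magnitude to pwdLastSet.
    expiry = filetime_to_datetime(pwd_last_set + abs(max_pwd_age))
    return ("expired" if now >= expiry else "valid", expiry)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    pwd_last_set = 131907744000000000   # 2019-01-01 00:00:00 UTC
    max_pwd_age = -36288000000000       # 42 days
    now = datetime(2019, 1, 23, 19, 19, 8, tzinfo=timezone.utc)
    for pls in (pwd_last_set, 0):
        state, expiry = password_state(pls, max_pwd_age, now)
        print(pls, state, expiry.isoformat() if expiry else "-")
```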

