[Samba] Get PasswordMustChangeNow parameter from command line

Luke Barone lukebarone at gmail.com
Wed Jan 23 20:44:44 UTC 2019

Perfect, I got the parameter I needed! I just checked for
`msDS-UserPasswordExpiryTimeComputed`, and if it's 0, then I know the
password needs to change on the next login!

Thanks! I honestly had no idea what the attributes were, but now I see
they're the attributes that are in Active Directory.

On Wed, Jan 23, 2019 at 11:19 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 23 Jan 2019 10:44:01 -0800
> Luke Barone via samba <samba at lists.samba.org> wrote:
> > I am adapting a script that needs to know whether a user needs to
> > change their password on the next login from NT to AD with Samba.
> >
> > I have tried "samba-tool user getpassword <user> --attributes
> > PwdMustChangeNow", but that's not giving me anything useful - just a
> > DN, and "Got password OK" (even on users that do need the password to
> > change).
> It wouldn't, mainly because 'PwdMustChangeNow' isn't one of the listed
> attributes and I don't know where you got it from.
> >
> > Is there another line I can use that will show when a user's password
> > must change? The OS is Debian 9, running samba 4.5.12-Debian (yes, I
> > know it's EOL, but it's what the Debian repo has)
> No and it has nothing to do with your version of Samba ;-)
> There is an attribute 'msDS-UserPasswordExpiryTimeComputed' which would
> give you what you want, but this doesn't seem to exist in AD yet.
> You need to obtain two attributes from AD, the domains 'maxPwdAge' and
> the users 'pwdLastSet', then with a bit of maths (okay, a lot), you can
> calculate when the password will expire.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list