
Re: [Samba] How to get password expiration?




I was thinking of maybe putting a request to update the password expire time on
login and having a system user go find the expire times,
with ldap or something?

It could put a file in the user's home directory with a timestamp of when
the user's password expires.

Ex:

In the bashrc or tcshrc (the global ones) add a line like so

touch /tmp/requestpwexpupdate/${USER}

and have a cronjob that searches for password expire times in ldap and
removes the request file,
placing a timestamped file with the user's expiration in ~${USER}/.passwdexp

but I don't know how to write the ldapsearch to do this.



On Wed, Feb 1, 2017 at 12:12 PM, Jeff Sadowski <jeff.sadowski@xxxxxxxxx>
wrote:

> Or maybe better like so on login
>
> Last login: Wed Feb 1 10:47:53
> Password Expires in 28 days
> [myaduser@machine ~]$
>
>
>
> On Wed, Feb 1, 2017 at 12:10 PM, Jeff Sadowski <jeff.sadowski@xxxxxxxxx>
> wrote:
>
>> I want something like so on login
>>
>> Last login: Wed Feb 1 10:47:53
>> Password Expires: Wed March 1 00:00:00
>> [myaduser@machine ~]$
>>
>> I just want them to know when their password expires.
>>
>>
>>
>> On Wed, Feb 1, 2017 at 9:39 AM, mathias dufresne <infractory@xxxxxxxxx>
>> wrote:
>>
>>> Plop,
>>>
>>> You'd like to modify .bashrc to auto-disconnect user with expired
>>> password? I thought modern tools to use AD (SSSD, winbind, nslcd) would
>>> come with such a mechanism inside. I do believe I remember some Linux
>>> disconnecting me for "disabled user" or "expired password"...
>>>
>>> Anyway, don't put that into .bashrc, they can modify it. If you really
>>> go that way, use /etc/profile which is owned by root (normally).
>>>
>>> In AD (MS and Samba) I believe expiration is calculated. You take
>>> current date, you take pwdLastSet, you take password expiration policy and
>>> you check if password wasn't set too far from now.
>>>
>>> But I still believe a well written tool should manage these expirations
>>> automagically when it comes to tools responsible to retrieve users from AD.
>>>
>>> 2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <
>>> samba@xxxxxxxxxxxxxxx>:
>>>
>>>> my smb.conf looks as follows.
>>>> [global]
>>>>    security = ads
>>>>    realm = AD.MYDOMAIN.TLD
>>>>    workgroup = AD
>>>>    idmap config * : backend = tdb
>>>>    idmap config * : range = 2000-7999
>>>>    idmap config MIND:backend = ad
>>>>    idmap config MIND:schema_mode = rfc2307
>>>>    idmap config MIND:range = 8000-9999999
>>>>    winbind nss info = rfc2307
>>>>    winbind use default domain = yes
>>>>    winbind enum users = yes
>>>>    winbind enum groups = yes
>>>>    restrict anonymous = 2
>>>>    ldap server require strong auth = no
>>>>    client ldap sasl wrapping = plain
>>>>
>>>> I'm connected to a Windows 2008 based Active Directory environment
>>>>
>>>> Is there a linux command users can run to get their password expiration
>>>> that they could run from their .bashrc files?
>>>>
>>>> I searched the wiki and the mailing list but couldn't find what I am
>>>> looking for.
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>>
>>
>
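
The calculation described in the quoted reply (pwdLastSet plus the domain's password age policy), as an added shell example that is not part of the original thread. The host name, base DN and sample LDIF values are constructed placeholders, and the ldapsearch invocations in the comments assume the user holds a Kerberos ticket for GSSAPI.

```shell
# Added example: AD password expiry from pwdLastSet and maxPwdAge.
# Inputs would come from two lookups (host and base DN are placeholders):
#   ldapsearch -LLL -Y GSSAPI -H ldap://DC.EXAMPLE -b "DC=ad,DC=example" \
#       "(sAMAccountName=$USER)" pwdLastSet userAccountControl
#   ldapsearch -LLL -Y GSSAPI -H ldap://DC.EXAMPLE -b "DC=ad,DC=example" \
#       -s base maxPwdAge

# Print the value of one attribute from LDIF read on stdin.
ldif_attr() {
    awk -v want="$1" -F': ' 'tolower($1) == tolower(want) { print $2; exit }'
}

# pw_expiry_epoch PWDLASTSET MAXPWDAGE [USERACCOUNTCONTROL]
# Prints the Unix time of expiry, "never", or "must-change".
pw_expiry_epoch() {
    pls=$1 max=$2 uac=${3:-0}
    # pwdLastSet 0 means the password must be changed at next logon.
    [ "$pls" = 0 ] && { echo must-change; return; }
    # 65536 (0x10000) is the DONT_EXPIRE_PASSWD account flag.
    [ $(( uac & 65536 )) -ne 0 ] && { echo never; return; }
    # maxPwdAge of 0 or INT64_MIN means the domain sets no age limit.
    case $max in 0|-9223372036854775808) echo never; return ;; esac
    # pwdLastSet counts 100 ns ticks since 1601-01-01; maxPwdAge is a negative
    # tick count. 11644473600 s lie between 1601-01-01 and the Unix epoch.
    echo $(( (pls - max) / 10000000 - 11644473600 ))
}

# days_left EXPIRY_EPOCH NOW_EPOCH
days_left() { echo $(( ($1 - $2) / 86400 )); }

# Constructed sample data: password set 2017-02-01 00:00 UTC, 28-day policy.
SAMPLE_USER_LDIF='dn: CN=myaduser,CN=Users,DC=ad,DC=example
pwdLastSet: 131303808000000000
userAccountControl: 512'
SAMPLE_DOMAIN_LDIF='dn: DC=ad,DC=example
maxPwdAge: -24192000000000'
SAMPLE_NOW=1485907200   # use $(date +%s) in real use

demo() {
    set_at=$(printf '%s\n' "$SAMPLE_USER_LDIF" | ldif_attr pwdLastSet)
    flags=$(printf '%s\n' "$SAMPLE_USER_LDIF" | ldif_attr userAccountControl)
    age=$(printf '%s\n' "$SAMPLE_DOMAIN_LDIF" | ldif_attr maxPwdAge)
    exp=$(pw_expiry_epoch "$set_at" "$age" "$flags")
    case $exp in
        never|must-change) echo "Password Expires: $exp" ;;
        *) echo "Password Expires in $(days_left "$exp" "$SAMPLE_NOW") days" ;;
    esac
}
demo
```

Run as the logged-in user from a root-owned profile script, this needs no request file under /tmp and no privileged job writing into home directories.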