Re: [Samba] How to get password expiration?
- Date: Thu, 2 Feb 2017 16:17:52 +0100
- From: mathias dufresne via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] How to get password expiration?
@Jeff: ok you just want to calculate and display.
You would need several tools to achieve that on each machine, as ldapsearch
if you don't find a way to retrieve information from DB magically. Perhaps
configuring nsswitch to get info for "shadow" line could help you. I mean
/etc/shadow is supposed (in my own foggy world) to store information about
password, expiration, etc.. I never tried that and never dug neither into
SSSD nslcd nor winbind to check is some is able to generate a shadow map.
So, back to ldapsearch -Y GSSAPI (if your users generate kerberos ticket at
connection time) to retrieve LDAP attribute PwdLastSet. It's not an UNIX
timestamp, it should be called LDAP time stamp or 18-digit LDAP
Then you will have to compare this PwDLastSet to current and password max
age. Current date is quite easy to retrieve. For Password max age the AD
LDAP attribute is "maxPwdAge".
You should be able to retrieve it using dirty "ldbsearch -H $sam
maxPwdAge=* dn maxPwdAge" then you'll be able to get a nice and clean
The idea of Andrew would be nice if it works...
2017-02-02 13:47 GMT+01:00 Brian Candler via samba <samba@xxxxxxxxxxxxxxx>:
> On 01/02/2017 19:12, Jeff Sadowski wrote:
>> Or maybe better like so on login
>> Last login: Wed Feb 1 10:47:53
>> Password Expires in 28 days
>> [myaduser@machine ~]$
> Something like this?
> Defines number of days before pam_winbind starts to warn about
> passwords that are going to expire. Defaults to 14 days.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the