
Re: [Samba] Users list and the date the password will expire




Quick addendum: I just stumbled upon abandoned accounts receiving "password expired" notifications forever, even if they get disabled subsequently (by me). It might be helpful to include this in the script:

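uAC_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=${user}))" userAccountControl | grep userAccountControl: | sed "s|userAccountControl: ||")

# 512 = NORMAL_ACCOUNT with no other flag set (a disabled account is 514)
# String comparison, so an empty result (user not found) does not raise a test error
if [ "${uAC_string}" = "512" ]; then
    # do expiration parsing here
    :
fi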


Here is a list of possible values for the userAccountControl field:
http://www.netvision.com/ad_useraccountcontrol.php

Ole
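
An exact comparison with 512 also skips enabled accounts that carry one extra flag, for example 544 (512 + 32, PASSWD_NOTREQD). The following is an added example, not part of the original post or of the script discussed in the thread, that tests the individual userAccountControl bits instead; the function names and the sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from userAccountControl (uAC) whether an account
# should be considered for password-expiry notifications.

# Well-known uAC bit flags (decimal)
UAC_ACCOUNTDISABLE=2            # 0x00002
UAC_NORMAL_ACCOUNT=512          # 0x00200
UAC_DONT_EXPIRE_PASSWORD=65536  # 0x10000

# Extract the uAC value from ldbsearch-style output on stdin.
uac_from_ldif() {
    sed -n 's/^userAccountControl: \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Return 0 if expiry parsing makes sense for this account, 1 otherwise.
uac_wants_expiry_check() {
    uac=$1
    # Empty or non-numeric value (e.g. user not found): skip the account
    case $uac in ''|*[!0-9]*) return 1 ;; esac
    [ $(( $uac & $UAC_NORMAL_ACCOUNT )) -ne 0 ] || return 1        # not a user account
    [ $(( $uac & $UAC_ACCOUNTDISABLE )) -eq 0 ] || return 1        # disabled
    [ $(( $uac & $UAC_DONT_EXPIRE_PASSWORD )) -eq 0 ] || return 1  # never expires
    return 0
}

# Constructed sample record (not real output from the thread)
sample_record() {
    printf '# record 1\ndn: CN=%s,CN=Users,DC=example,DC=com\n' "$1"
    printf 'userAccountControl: %s\n\n# returned 1 records\n' "$2"
}

# Print "check" or "skip" for a given uAC value.
classify() {
    if uac_wants_expiry_check "$(sample_record user "$1" | uac_from_ldif)"; then
        echo check
    else
        echo skip
    fi
}

# 512 normal, 514 disabled, 544 normal + PASSWD_NOTREQD,
# 66048 normal + DONT_EXPIRE_PASSWORD, 66050 the same but disabled
for v in 512 514 544 66048 66050; do
    printf '%s -> %s\n' "$v" "$(classify "$v")"
done
```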



On 09.02.2017 15:52, Ole Traupe via samba wrote:
For what it's worth, here is the output of "testparm" on the DC:


Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = DOMAIN
        realm = domain.university.tld
        interfaces = lo eth0 eth0:0
        bind interfaces only = Yes
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder = forwarder_IP
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.university.tld/scripts
        read only = No


[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


On 09.02.2017 15:16, Rowland Penny via samba wrote:
On Thu, 9 Feb 2017 14:56:47 +0100
Ole Traupe via samba <samba@xxxxxxxxxxxxxxx> wrote:

I only get the usernames:
Same on member servers, btw. Initially I thought this comes from
"winbind: use default domain", but this is neither present on my DCs
nor would it have any effect (afaik).
This is what is confusing me, I know of no way to get the username
without the domain on a DC and then yours goes and does it without
trying LOL

Anyways, no problem for me to accommodate your script to my
environment. Thank you for your valuable extensions!

No problem, glad to help.

Rowland




