folks!
There is an Active Directory (Windows) and a Linux Samba client. In Active Directory, the policy has been adjusted in such a way that users need to change their passwords periodically (passwords have an expiration time).
My question is pretty simple: can I get this expiration time for a given user if I work on the Linux machine with Samba?
Check password expiry from the command prompt
Alternatively, you can open the command prompt by right-clicking on the Windows logo in the bottom left corner and then clicking "Run". Then type cmd. In the command prompt, type the command net user [loginname] /domain.
How is Password Expiration Handled in Active Directory?
In Active Directory, the account will not be locked if a user's password expires. Instead, the user will be prompted to change the password, and the new one must follow the password rules established by the organization based on its security policies.
Navigate to Reports> User Reports > Account expired users.
This depends on the configuration of the domain controller. You can try:
net ads user info [email protected] -S DC_SERVER_NAME -U USERNAME
where [email protected] is the account to gather info from, DC_SERVER_NAME is the hostname of your domain controller and USERNAME is your username.
You will be prompted for your domain password.
Now you either get information about your account, including the expiry date of your password, or you get
ads_pull_uint32 failed
In this case, your domain controller is not configured to provide account information to UNIX-like systems.
You may contact your domain administrator to convince him to install and configure Microsoft Windows Services for UNIX so that this command gives you the needed information.
This answer might be frustrating. It is for me as I am in the same situation and researched the topic a lot.
My workaround: I set a calendar reminder 80 days in the future, when I set my domain password (smbpasswd -U USERNAME -r DC_SERVER_NAME), since it expires every 90 days. Not perfect, but workable.
[UPDATE] I found a way to determine the expiration date of your domain password with rpcclient, here is my script:
#!/bin/bash
# author: Tim Wahrendorff 2016
# licence: Public Domain - https://wiki.creativecommons.org/wiki/Public_domain
#
# To use this script you need at least:
# sudo apt-get install libnotify-bin rpcclient
#
# Please set your account, password and domaincontroller to use this script
# The password is stored here in clear text and passed on the command line;
# keep this script readable only by you.
USER="username" # Domain accountname
PASS='Pa$$W0rd' # Domain password (single quotes so $$ is not expanded to the shell PID)
DC="vmdc01" # Domaincontroller
### START RPCCLIENT query
: > ./rpc_errFile # start with an empty error file
if [ "x$USERDCID" == "x" ]; then
    ## look up the RID of the account
    RPCLOOKUPID=$(rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC" 2>> ./rpc_errFile)
    USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
fi
## append, so errors from the lookup above are not overwritten
QUERYUSER=$(rpcclient -U "$USER%$PASS" -c "queryuser $USERDCID" "$DC" 2>> ./rpc_errFile)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | grep -e '[A-Za-z]\{2\}, [0-9]\{2\} [A-Za-z]\{3\} [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}' -o)
## Load rpc error Message
RPCERR=$(<./rpc_errFile)
## send notifications to Unity Desktop
if [ "x$RPCERR" != "x" ]; then
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-error.png "Error while fetching expiration date of your domain password" "$RPCERR"
else
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-information.png "your domain password expires at " "$EXPDATE h"
fi
### END RPCCLIENT query
I configured this script to run on autostart; it shows me when my domain password will expire in a Unity notification. Feel free to extend, improve and republish this script, it is public domain.
[/UPDATE]
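An added example, not part of the answer above or its author's script: it turns the "Password must change Time" line of rpcclient queryuser output into a number of days remaining, so a reminder can fire only when expiry is close. The sample output is constructed to match the grep pattern in the script above, the function names and the credentials file path are hypothetical, and GNU date is assumed.

```shell
#!/bin/bash
# Added example: days until the domain password must be changed,
# computed from rpcclient "queryuser" output read on stdin.

# Constructed sample output (not captured from a real domain controller).
SAMPLE_QUERYUSER='	User Name   :	jdoe
	Password last set Time   :	Mon, 04 Jan 2016 09:12:33 UTC
	Password can change Time :	Tue, 05 Jan 2016 09:12:33 UTC
	Password must change Time:	Sun, 03 Apr 2016 09:12:33 UTC'

# Print the "DD Mon YYYY HH:MM" part of the must-change line read from stdin.
# LC_ALL=C keeps the character ranges and month names locale-independent.
must_change_date() {
    LC_ALL=C grep 'Password must change Time' |
        LC_ALL=C grep -Eo '[0-9]{2} [A-Za-z]{3} [0-9]{4} [0-9]{2}:[0-9]{2}' |
        head -n 1
}

# days_left NOW_EPOCH < queryuser-output
# Prints whole days until expiry (truncated toward zero, negative after expiry).
# Returns 1 if the field is missing or is not a parseable date.
# The timestamp is interpreted as UTC, so the result can be off by the
# local UTC offset; that is close enough for a reminder.
days_left() {
    local now="$1" stamp expiry
    stamp=$(must_change_date)
    [ -n "$stamp" ] || return 1
    expiry=$(LC_ALL=C date -u -d "$stamp" +%s 2>/dev/null) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# Live use, assuming a hypothetical credentials file (chmod 600) in the
# username=/password=/domain= format read by rpcclient -A, which keeps the
# password out of the command line:
#   rpcclient -A "$HOME/.smb_auth" -c "queryuser $USERDCID" "$DC" | days_left "$(date +%s)"
```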
On Linux you can use pdbedit
pdbedit -L -v -u <username>
And look for the line: Password must change