Hi every one:

I'm using samba4 as domain controller and I want to check every 1 hour in my mail server the password expiration for every user in the domain. I need to know what is the attribute used in samba4.

Using ldbsearch I see badPasswordTime and accountExpires, but the Microsoft documentation says that accountExpires is used to represent the date when the account expires. Can I use this and send the email to the users telling them that they need to change their password? About badPasswordTime it says that it represents the last time and date that an attempt to log on to this account was made with a password that is not valid.

I'm confused. Could you help me to know which of these attributes I need to advise the users about their password expiration?

Thanks in advance.
Amaury.

ldbsearch --url=/var/lib/samba/private/sam.ldb samaccountname=pp
# record 1
dn: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pp
instanceType: 4
whenCreated: 20151124051519.0Z
whenChanged: 20151124051519.0Z
uSNCreated: 3847
name: pp
objectGUID: 95e62723-1bfb-4847-825a-8749705e4ef9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2370192828-1696309146-286596188-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pp
sAMAccountType: 805306368
userPrincipalName: pp@eomarit.com.cu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=eomarit,DC=com,DC=cu
pwdLastSet: 130928157190000000
userAccountControl: 512
uSNChanged: 3849
distinguishedName: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
Hi,

Use pwdLastSet + your AD password policy to know when the password will expire.

Expiration will happen at pwdLastSet + how long this password is valid.

Cheers,

mathias

2015-11-26 6:40 GMT+01:00 Amaury Viera Hernández <avhernandez at uci.cu>:
> Hi every one:
> I'm using samba4 as domain controller and I want to check every 1 hour
> in my mail server the password expiration for every user in the domain. I
> need to know what is the attribute used in samba4.
> Using ldbsearch I see badPasswordTime and accountExpires, but the
> Microsoft documentation says that accountExpires is used to represent the
> date when the account expires. Can I use this and send the email to the
> users telling them that they need to change their password?
> [...]
> I'm confused. Could you help me to know which of these attributes I need to
> advise the users about their password expiration?
> Thanks in advance. Amaury.
> [...]
On Thu, 2015-11-26 at 00:40 -0500, Amaury Viera Hernández wrote:
> Hi every one:
> I'm using samba4 as domain controller and I want to check every 1
> hour in my mail server the password expiration for every user in the
> domain. I need to know what is the attribute used in samba4.
> Using ldbsearch I see badPasswordTime and accountExpires, but the
> Microsoft documentation says that accountExpires is used to
> represent the date when the account expires. Can I use this and send
> the email to the users telling them that they need to change their
> password?
> About badPasswordTime it says that it represents the last time and date that
> an attempt to log on to this account was made with a password that is
> not valid.
>
> I'm confused. Could you help me to know which of these attributes I
> need to advise the users about their password expiration?
> Thanks in advance. Amaury.

Try asking for the operational (so generated, and only given if requested) attribute "msDS-UserPasswordExpiryTimeComputed" in current versions.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On 26/11/15 03:21, mathias dufresne wrote:
> Hi,
>
> Use pwdLastSet + your AD password policy to know when the password will expire.
>
> Expiration will happen at pwdLastSet + how long this password is valid.
>
> Cheers,
>
> mathias

Thanks. It was very useful for me. This is the first version of the script.

Regards,
Amaury.

#!/bin/bash
#=============== Parameters that can be modified =================================================
# Days until the password expires in AD, default: 90 days.
RESTRICCION_EXPIRACION=90
# Days before expiry at which the e-mail is sent, default: 7 days
DIAS_PARA_NOTIFICAR=7
# Active Directory server
H="192.168.56.10"
# Active Directory port
P="389"
# Active Directory bind user
DN="cn=mailadmin,ou=services,dc=diveppr,dc=co,dc=cu"
# Active Directory bind password (visible in the process list with -w; ldapsearch -y <file> avoids that)
PW="p@ssw0rd"
# Active Directory search base
B="ou=services,dc=diveppr,dc=co,dc=cu"
# Pause between users, in seconds
TIEMPO_POR_USUARIOS=0
# Site where the users change their password
SITIO="https://cambiarcontrasena.diveppr.co.cu"
# Log file for the daily report
FILE_LOGS="/var/log/reporte-comprobacion-expiracion-de-cuentas.log"
# Timestamp for the report
TIME="$(date '+%Y-%m-%d %H:%M')"
# Sender address
FROM="root"
# Recipient address of the report
TO="root"
# Report subject
ASUNTO="Reporte de expiración de contraseña de los usuarios"
#======================================== Script execution ===========================================
echo > "$FILE_LOGS"
# The report lists every account and its expiry date; it must not be world-writable
chmod 640 "$FILE_LOGS"

# enviarCorreo <days left> <user principal name> <expiry date> <from>
enviarCorreo(){
    dias="$1"
    to="$2"
    fecha="$3"
    from="$4"
    subject="Su cuenta expira en $dias días"
    body="Su cuenta expira en $dias días o sea el $fecha
usted puede cambiar la contraseña en la siguiente dirección: $SITIO

Administrador de servicios telemáticos."
    mail -s "$subject" -r "$from" "$to" <<< "$body"
}

# Base command, kept as an array so the quoted arguments survive word splitting
CMD=(ldapsearch -x -D "$DN" -w "$PW" -p "$P" -h "$H" -b "$B")
# Base filter
FP="(objectclass=person)"
# Anchoring the grep skips the "# requesting: ..." comment that ldapsearch prints
USERS=$("${CMD[@]}" -s sub "$FP" userPrincipalName | grep '^userPrincipalName:' | cut -d' ' -f2)
ACTUALUNIX=$(date "+%s")

{
    echo "Comprobación de expiración de las cuentas"
    echo ""
    echo "Inicio de la comprobación: $TIME"
    echo ""
} >> "$FILE_LOGS"

for USER in $USERS ; do
    PWDLASTSET=$("${CMD[@]}" -s sub "(&$FP(userPrincipalName=$USER))" pwdLastSet | grep '^pwdLastSet:' | cut -d' ' -f2)
    if [ -n "$PWDLASTSET" ] && [ "$PWDLASTSET" != "0" ] ; then
        # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); convert it to Unix seconds
        LASTSETUNIX=$((PWDLASTSET / 10000000 - 11644473600))
    else
        # pwdLastSet is 0 (password must be changed at next logon): fall back to the creation date
        WHENCREATED=$("${CMD[@]}" -s sub "(&$FP(userPrincipalName=$USER))" whenCreated | grep '^whenCreated:' | cut -d' ' -f2)
        DATECREATED=${WHENCREATED:0:8}
        LASTSETUNIX=$(date -d "$DATECREATED" "+%s")
    fi
    REST=$((RESTRICCION_EXPIRACION * 86400))
    EXP=$((LASTSETUNIX + REST))
    DIAS=$(( (EXP - ACTUALUNIX) / 86400 ))
    FECHAEXP=$(date --date="@$EXP")
    {
        echo "Comprobación del usuario: $USER"
        echo " Fecha que vence: $FECHAEXP"
        echo " Días que faltan: $DIAS"
    } >> "$FILE_LOGS"
    if [ "$DIAS" -le "$DIAS_PARA_NOTIFICAR" ] ; then
        echo "El usuario ha sido notificado" >> "$FILE_LOGS"
        enviarCorreo "$DIAS" "$USER" "$FECHAEXP" "$FROM"
    fi
    echo "" >> "$FILE_LOGS"
    # Pause between users so the mail server is not flooded
    sleep "$TIEMPO_POR_USUARIOS"
done

mail -s "$ASUNTO" -r "$FROM" "$TO" < "$FILE_LOGS"

> 2015-11-26 6:40 GMT+01:00 Amaury Viera Hernández <avhernandez at uci.cu>:
>> Hi every one:
>> I'm using samba4 as domain controller and I want to check every 1 hour
>> in my mail server the password expiration for every user in the domain. I
>> need to know what is the attribute used in samba4.
>> [...]
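To make the arithmetic from the two answers concrete, here is an added example (my code, not from the thread or from Samba) that converts pwdLastSet from Windows FILETIME to Unix time, prefers msDS-UserPasswordExpiryTimeComputed when the server returns it, and covers the cases the script above does not: the "password never expires" bit in userAccountControl, the 0x7FFFFFFFFFFFFFFF "never" sentinel, and pwdLastSet = 0. The function names, the record parser and the sample record (built from the ldbsearch output in the first message) are my own.

```python
FILETIME_EPOCH_OFFSET = 11644473600      # seconds from 1601-01-01 to 1970-01-01 (UTC)
FILETIME_NEVER = 9223372036854775807     # 0x7FFFFFFFFFFFFFFF, the "never" sentinel
UAC_DONT_EXPIRE_PASSWORD = 0x10000       # userAccountControl bit: password never expires

def parse_ldif(text):
    """One ldbsearch/ldapsearch record -> {attribute: last value}; '#' comment lines are skipped."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and not line.startswith("#"):
            entry[attr] = value
    return entry

def filetime_to_unix(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix seconds."""
    return filetime // 10_000_000 - FILETIME_EPOCH_OFFSET

def password_expiry(entry, max_age_days, now):
    """Return (status, days_left) for one user entry holding string attribute values.
    status is "never", "must_change", "ok" or "expired"; days_left is None for the
    first two.  msDS-UserPasswordExpiryTimeComputed is used when present, because
    the DC has already applied the domain and fine-grained password policies;
    otherwise expiry = pwdLastSet + max_age_days, as the script above does."""
    if int(entry.get("userAccountControl", 0)) & UAC_DONT_EXPIRE_PASSWORD:
        return "never", None
    computed = entry.get("msDS-UserPasswordExpiryTimeComputed")
    if computed is not None and int(computed) == FILETIME_NEVER:
        return "never", None
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        return "must_change", None      # password must be changed at next logon
    if computed is not None:
        expires_at = filetime_to_unix(int(computed))
    else:
        expires_at = filetime_to_unix(pwd_last_set) + max_age_days * 86400
    days_left = (expires_at - now) // 86400   # floor division: negative once expired
    return ("expired" if expires_at <= now else "ok"), days_left

def needs_notice(entry, max_age_days, now, notify_days=7):
    """True when a reminder is due: expiring within notify_days, or already expired."""
    status, days_left = password_expiry(entry, max_age_days, now)
    return status in ("ok", "expired") and days_left <= notify_days

# Constructed sample: the relevant attributes of the "pp" record shown in the thread.
SAMPLE_RECORD = """# record 1
dn: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
pwdLastSet: 130928157190000000
userAccountControl: 512
"""
```

For the sample record, pwdLastSet converts to 1448342119 (2015-11-24 05:15:19 UTC, matching its whenCreated), so with a 90-day policy the password expires on 2016-02-22.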
That's very interesting information. Is there, somewhere, a list of these computed attributes and their meaning?

Best regards,

mathias

2015-11-26 9:34 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> On Thu, 2015-11-26 at 00:40 -0500, Amaury Viera Hernández wrote:
> > Hi every one:
> > I'm using samba4 as domain controller and I want to check every 1
> > hour in my mail server the password expiration for every user in the
> > domain. I need to know what is the attribute used in samba4.
> > [...]
>
> Try asking for the operational (so generated, and only given if
> requested) attribute "msDS-UserPasswordExpiryTimeComputed" in current
> versions.
>
> Andrew Bartlett