my smb.conf looks as follows.

[global]
security = ads
realm = AD.MYDOMAIN.TLD
workgroup = AD
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
restrict anonymous = 2
ldap server require strong auth = no
client ldap sasl wrapping = plain

I'm connected to a Windows 2008 based Active Directory environment.

Is there a Linux command users can run to get their password expiration that they could run from their .bashrc files?

I searched the wiki and the mailing list but couldn't find what I am looking for.
Plop,

You'd like to modify .bashrc to auto-disconnect users with expired passwords? I thought modern tools to use AD (SSSD, winbind, nslcd) would come with such a mechanism inside. I do believe I remember some Linux disconnecting me for "disabled user" or "expired password"...

Anyway, don't put that into .bashrc, they can modify it. If you really go that way, use /etc/profile, which is owned by root (normally).

In AD (MS and Samba) I believe expiration is calculated. You take the current date, you take pwdLastSet, you take the password expiration policy and you check if the password wasn't set too far from now.

But I still believe a well-written tool should manage these expirations automagically when it comes to tools responsible for retrieving users from AD.

2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:

> my smb.conf looks as follows.
> [global]
> security = ads
> realm = AD.MYDOMAIN.TLD
> workgroup = AD
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> restrict anonymous = 2
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
>
> I'm connected to a Windows 2008 based Active Directory environment.
>
> Is there a Linux command users can run to get their password expiration
> that they could run from their .bashrc files?
>
> I searched the wiki and the mailing list but couldn't find what I am
> looking for.
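The calculation described in the message above (pwdLastSet plus the domain's maximum password age, compared with the current time), written out as an added shell example; it is not code from the thread or from Samba. It assumes the raw pwdLastSet, maxPwdAge and userAccountControl values have already been read from the directory, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: AD password expiry from raw attribute values.
# AD stores times as 100-ns ticks since 1601-01-01 UTC; maxPwdAge is a
# negative tick interval held on the domain object.

EPOCH_DIFF=11644473600    # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SEC=10000000
UAC_DONT_EXPIRE=65536     # userAccountControl bit 0x10000

# pw_expiry_epoch PWDLASTSET MAXPWDAGE USERACCOUNTCONTROL
# Prints the expiry as Unix time, or "never" / "must-change".
pw_expiry_epoch() {
    pwd_last_set=$1; max_pwd_age=$2; uac=$3
    if [ $(( uac & UAC_DONT_EXPIRE )) -ne 0 ]; then
        echo never; return 0
    fi
    # pwdLastSet = 0 means "user must change password at next logon".
    if [ "$pwd_last_set" = 0 ]; then
        echo must-change; return 0
    fi
    # The minimum 64-bit value means no maximum age; 0 is treated the
    # same way here. Compared as strings to avoid overflow on parsing.
    case $max_pwd_age in
        0|-9223372036854775808) echo never; return 0 ;;
    esac
    # maxPwdAge is negative, so subtracting it adds the allowed age.
    echo $(( (pwd_last_set - max_pwd_age) / TICKS_PER_SEC - EPOCH_DIFF ))
}

# pw_expiry_line EXPIRY NOW  -> the text to show at login
pw_expiry_line() {
    case $1 in
        never)       echo "Password Expires: never" ;;
        must-change) echo "Password Expires: change required now" ;;
        *)  if [ "$1" -le "$2" ]; then
                echo "Password Expired"
            else
                echo "Password Expires: in $(( ($1 - $2) / 86400 )) days"
            fi ;;
    esac
}

# Constructed sample: password set 2017-01-18 00:00 UTC, 42-day policy,
# normal account (UAC 512); "now" is 2017-02-01 00:00 UTC.
exp=$(pw_expiry_epoch 131291712000000000 -36288000000000 512)
pw_expiry_line "$exp" 1485907200
```

In real use the second argument to pw_expiry_line would be `$(date +%s)`. Fine-grained password policies, where a domain uses them, override the domain-wide maxPwdAge and are not handled here.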
I want something like so on login

Last login: Wed Feb 1 10:47:53
Password Expires: Wed March 1 00:00:00
[myaduser@machine ~]$

I just want them to know when their password expires.

On Wed, Feb 1, 2017 at 9:39 AM, mathias dufresne <infractory at gmail.com> wrote:

> Plop,
>
> You'd like to modify .bashrc to auto-disconnect users with expired
> passwords? I thought modern tools to use AD (SSSD, winbind, nslcd) would
> come with such a mechanism inside. I do believe I remember some Linux
> disconnecting me for "disabled user" or "expired password"...
>
> Anyway, don't put that into .bashrc, they can modify it. If you really go
> that way, use /etc/profile, which is owned by root (normally).
>
> In AD (MS and Samba) I believe expiration is calculated. You take the
> current date, you take pwdLastSet, you take the password expiration policy
> and you check if the password wasn't set too far from now.
>
> But I still believe a well-written tool should manage these expirations
> automagically when it comes to tools responsible for retrieving users
> from AD.
>
> 2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:
>
>> my smb.conf looks as follows.
>> [global]
>> security = ads
>> realm = AD.MYDOMAIN.TLD
>> workgroup = AD
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> restrict anonymous = 2
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>>
>> I'm connected to a Windows 2008 based Active Directory environment.
>>
>> Is there a Linux command users can run to get their password expiration
>> that they could run from their .bashrc files?
>>
>> I searched the wiki and the mailing list but couldn't find what I am
>> looking for.
On Tue, 2017-01-31 at 09:00 -0700, Jeff Sadowski via samba wrote:

> my smb.conf looks as follows.
> [global]
> security = ads
> realm = AD.MYDOMAIN.TLD
> workgroup = AD
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> restrict anonymous = 2
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
>
> I'm connected to a Windows 2008 based Active Directory environment.
>
> Is there a Linux command users can run to get their password expiration
> that they could run from their .bashrc files?
>
> I searched the wiki and the mailing list but couldn't find what I am
> looking for.

When I kinit, I get this info. You might be able to get it from pam_krb5?

Thanks,

Andrew Bartlett