I want something like so on login

Last login: Wed Feb 1 10:47:53
Password Expires: Wed March 1 00:00:00
[myaduser at machine ~]$

I just want them to know when their password expires.

On Wed, Feb 1, 2017 at 9:39 AM, mathias dufresne <infractory at gmail.com> wrote:
> Plop,
>
> You'd like to modify .bashrc to auto-disconnect user with expired
> password? I thought modern tools to use AD (SSSD, winbind, nslcd) would
> come with such a mechanism inside. I do believe to remember some Linux
> disconnecting me for "disabled user" or "expired password"...
>
> Anyway, don't put that into .bashrc, they can modify it. If you really go
> into that way, use /etc/profile which is owned by root (normally).
>
> In AD (MS and Samba) I believe expiration is calculated. You take current
> date, you take pwdLastSet, you take password expiration policy and you
> check if password wasn't set too far from now.
>
> But I still believe a well written tool should manage these expirations
> automagically when it comes to tools responsible to retrieve users from AD.
>
> 2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:
>
>> my smb.conf looks as follows.
>> [global]
>> security = ads
>> realm = AD.MYDOMAIN.TLD
>> workgroup = AD
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> restrict anonymous = 2
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>>
>> I'm connected to a Windows 2008 based Active Directory environment
>>
>> Is there a Linux command users can run to get their password expiration
>> that they could run from their .bashrc files?
>>
>> I searched the wiki and the mailing list but couldn't find what I am
>> looking for.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Or maybe better like so on login

Last login: Wed Feb 1 10:47:53
Password Expires in 28 days
[myaduser at machine ~]$

On Wed, Feb 1, 2017 at 12:10 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> I want something like so on login
>
> Last login: Wed Feb 1 10:47:53
> Password Expires: Wed March 1 00:00:00
> [myaduser at machine ~]$
>
> I just want them to know when their password expires.
>
> On Wed, Feb 1, 2017 at 9:39 AM, mathias dufresne <infractory at gmail.com> wrote:
>
>> Plop,
>>
>> You'd like to modify .bashrc to auto-disconnect user with expired
>> password? I thought modern tools to use AD (SSSD, winbind, nslcd) would
>> come with such a mechanism inside. I do believe to remember some Linux
>> disconnecting me for "disabled user" or "expired password"...
>>
>> Anyway, don't put that into .bashrc, they can modify it. If you really go
>> into that way, use /etc/profile which is owned by root (normally).
>>
>> In AD (MS and Samba) I believe expiration is calculated. You take current
>> date, you take pwdLastSet, you take password expiration policy and you
>> check if password wasn't set too far from now.
>>
>> But I still believe a well written tool should manage these expirations
>> automagically when it comes to tools responsible to retrieve users from AD.
>>
>> 2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:
>>
>>> my smb.conf looks as follows.
>>> [global]
>>> security = ads
>>> realm = AD.MYDOMAIN.TLD
>>> workgroup = AD
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-7999
>>> idmap config MIND:backend = ad
>>> idmap config MIND:schema_mode = rfc2307
>>> idmap config MIND:range = 8000-9999999
>>> winbind nss info = rfc2307
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> restrict anonymous = 2
>>> ldap server require strong auth = no
>>> client ldap sasl wrapping = plain
>>>
>>> I'm connected to a Windows 2008 based Active Directory environment
>>>
>>> Is there a Linux command users can run to get their password expiration
>>> that they could run from their .bashrc files?
>>>
>>> I searched the wiki and the mailing list but couldn't find what I am
>>> looking for.

I was thinking of maybe putting a request to update the password expire time on
login and have a system user go find the expire times, with ldap or something?
It could put a file in the user's home directory with a timestamp of when
the user's password expires.

Ex:
In the bashrc or tcshrc (the global ones) add a line like so

touch /tmp/requestpwexpupdate/${USER}

and have a cronjob that searches for password expire times in ldap and
removes the request file,
placing a timestamped file with the user's expiration in ~${USER}/.passwdexp

but I don't know how to write the ldapsearch to do this.

On Wed, Feb 1, 2017 at 12:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> Or maybe better like so on login
>
> Last login: Wed Feb 1 10:47:53
> Password Expires in 28 days
> [myaduser at machine ~]$
>
> On Wed, Feb 1, 2017 at 12:10 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> I want something like so on login
>>
>> Last login: Wed Feb 1 10:47:53
>> Password Expires: Wed March 1 00:00:00
>> [myaduser at machine ~]$
>>
>> I just want them to know when their password expires.
>>
>> On Wed, Feb 1, 2017 at 9:39 AM, mathias dufresne <infractory at gmail.com> wrote:
>>
>>> Plop,
>>>
>>> You'd like to modify .bashrc to auto-disconnect user with expired
>>> password? I thought modern tools to use AD (SSSD, winbind, nslcd) would
>>> come with such a mechanism inside. I do believe to remember some Linux
>>> disconnecting me for "disabled user" or "expired password"...
>>>
>>> Anyway, don't put that into .bashrc, they can modify it. If you really
>>> go into that way, use /etc/profile which is owned by root (normally).
>>>
>>> In AD (MS and Samba) I believe expiration is calculated. You take
>>> current date, you take pwdLastSet, you take password expiration policy and
>>> you check if password wasn't set too far from now.
>>>
>>> But I still believe a well written tool should manage these expirations
>>> automagically when it comes to tools responsible to retrieve users from AD.
>>>
>>> 2017-01-31 17:00 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>:
>>>
>>>> my smb.conf looks as follows.
>>>> [global]
>>>> security = ads
>>>> realm = AD.MYDOMAIN.TLD
>>>> workgroup = AD
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-7999
>>>> idmap config MIND:backend = ad
>>>> idmap config MIND:schema_mode = rfc2307
>>>> idmap config MIND:range = 8000-9999999
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> restrict anonymous = 2
>>>> ldap server require strong auth = no
>>>> client ldap sasl wrapping = plain
>>>>
>>>> I'm connected to a Windows 2008 based Active Directory environment
>>>>
>>>> Is there a Linux command users can run to get their password expiration
>>>> that they could run from their .bashrc files?
>>>>
>>>> I searched the wiki and the mailing list but couldn't find what I am
>>>> looking for.

On 01/02/2017 19:12, Jeff Sadowski wrote:
> Or maybe better like so on login
>
> Last login: Wed Feb 1 10:47:53
> Password Expires in 28 days
> [myaduser at machine ~]$

Something like this?

warn_pwd_expire
    Defines number of days before pam_winbind starts to warn about passwords that are going to expire. Defaults to 14 days.

https://www.samba.org/samba/docs/man/manpages/pam_winbind.8.html
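
The calculation described earlier in the thread (pwdLastSet plus the password-age policy, compared with the current date), written out as an added example that is not part of any message here. The ldapsearch invocations in the comments use a placeholder host and base DN, the sample values are constructed, and the functions are meant to be sourced from the root-owned /etc/profile rather than a user's .bashrc.

```shell
#!/bin/sh
# Added example (not from the thread): compute AD password expiry from
# pwdLastSet and maxPwdAge, both stored in 100-nanosecond ticks.
#
# Assumed way to fetch the inputs with the user's own Kerberos ticket
# (dc.example.test and the base DN are placeholders):
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.test -b "DC=ad,DC=example,DC=test" \
#     "(sAMAccountName=$USER)" pwdLastSet userAccountControl
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.test -b "DC=ad,DC=example,DC=test" \
#     -s base maxPwdAge

EPOCH_OFFSET=11644473600   # seconds between 1601-01-01 and 1970-01-01
DONT_EXPIRE=65536          # userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD)

# filetime_to_epoch TICKS -> Unix seconds
filetime_to_epoch() {
    echo $(( $1 / 10000000 - EPOCH_OFFSET ))
}

# pwd_expiry_epoch PWDLASTSET MAXPWDAGE UAC
# Prints the expiry as Unix seconds, "never", or "must-change".
pwd_expiry_epoch() {
    last=$1 max=$2 uac=$3
    # Compared as strings: the minimum 64-bit value cannot be parsed by $(( )).
    if [ "$max" = "0" ] || [ "$max" = "-9223372036854775808" ]; then
        echo never; return
    fi
    if [ $(( uac & DONT_EXPIRE )) -ne 0 ]; then echo never; return; fi
    if [ "$last" = "0" ]; then echo must-change; return; fi
    # maxPwdAge is stored as a negative tick count.
    echo $(( $(filetime_to_epoch "$last") + (-max) / 10000000 ))
}

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days, rounded up (0 or negative once expired)
days_left() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -le 0 ]; then echo $(( diff / 86400 )); return; fi
    echo $(( (diff + 86399) / 86400 ))
}

# Constructed sample: password set 2017-01-18 00:00:00 UTC, 42-day policy,
# normal account (UAC 512), login at 2017-02-01 10:47:53 UTC.
exp=$(pwd_expiry_epoch 131291712000000000 -36288000000000 512)
echo "Password expires in $(days_left "$exp" 1485946073) days"
```

Because the lookup runs in the user's own session, no privileged job has to act on request files under /tmp or write into home directories. Where fine-grained password policies are in use they override the domain maxPwdAge; the constructed attribute msDS-UserPasswordExpiryTimeComputed on the user object then gives the expiry as a tick value that can be passed to filetime_to_epoch directly.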