thr3ads.net - samba - [Samba] How to get password expiration? [Feb 2017]

If this information is useful, please help other people find it:
Share via:

Jeff Sadowski

2017-Feb-03 14:44 UTC

[Samba] How to get password expiration?

This seems to work for maxPwdAge

ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld
maxPwdAge

now I just need to query a users pwdLastSetq
I tried the commands above but am not getting anything. I tried looking at
the ungrepped output but I don't see how to link the pwdLastSet with any
user. I get a long list.
I think I'm looking for dn: and a matching pwdLastSet? So I tried the
command bellow but I don't see anything that looks like users.


ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
'*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:" -e
"^dn:"|less
gives me as follows

dn: DC=ad,DC=mydomain,DC=tld
dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 129912036833708410
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131292041205350825
dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 131300093694348218
dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
pwdLastSet: 129908837104473721
dn: CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Users,DC=ad,DC=mydomain,DC=tld
dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=AppCategories,CN=Default Domain
Policy,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
...

mathias dufresne

2017-Feb-03 15:38 UTC

head link

[Samba] How to get password expiration?

Jeff,

you can ask ldapsearch to filter for you rather than using grep.

Just add "PwdLastSet" (no matter the case) after your ldapsearch :

ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
'*@ad.mydomain.tld' -U myusername PwdLastSet

This will retrieve only DN + asked attributes.

Not all user have a password set so they should have a PwdLastSet. Anyway
you don't care they are not real user touching keyboards and making
mistakes. And you only want to display that information to real user making
real mistakes : )

2017-02-03 15:44 GMT+01:00 Jeff Sadowski via samba <samba at
lists.samba.org>:
> This seems to work for maxPwdAge
>
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld
> maxPwdAge
>
> now I just need to query a users pwdLastSetq
> I tried the commands above but am not getting anything. I tried looking at
> the ungrepped output but I don't see how to link the pwdLastSet with
any
> user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command bellow but I don't see anything that looks like users.
>
>
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:"
-e "^dn:"|less
> gives me as follows
>
> dn: DC=ad,DC=mydomain,DC=tld
> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129912036833708410
> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131292041205350825
> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131300093694348218
> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129908837104473721
> dn: CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=AppCategories,CN=Default Domain
> Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> ...
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Rowland Penny

2017-Feb-03 15:51 UTC

head link

[Samba] How to get password expiration?

On Fri, 3 Feb 2017 07:44:39 -0700
Jeff Sadowski via samba <samba at lists.samba.org> wrote:
> This seems to work for maxPwdAge
> 
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> dc=ad,dc=mydomain,dc=tld maxPwdAge
> 
> now I just need to query a users pwdLastSetq
> I tried the commands above but am not getting anything. I tried
> looking at the ungrepped output but I don't see how to link the
> pwdLastSet with any user. I get a long list.
> I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> command bellow but I don't see anything that looks like users.
> 
> 
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:"
-e
> "^dn:"|less gives me as follows
> 
> dn: DC=ad,DC=mydomain,DC=tld
> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129912036833708410
> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131292041205350825
> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 131300093694348218
> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> pwdLastSet: 129908837104473721
> dn: CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=AppCategories,CN=Default Domain
> Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> ...
AS I said, you can use rpcclient to do this:

RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time'
| cut -d
":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')

If I feed my name into this, I get:

Thu, 14 Sep 30828 03:48:05 BST

Which is understandable, because my password is set to never expire.
So, unless microsoft doesn't know what they are talking about, the
world will end in 30828 LOL

Rowland

Jeff Sadowski

2017-Feb-03 17:21 UTC

head link

[Samba] How to get password expiration?

Almost there

Is there a way to query by username?

On Fri, Feb 3, 2017 at 8:38 AM, mathias dufresne <infractory at gmail.com>
wrote:
> Jeff,
>
> you can ask ldapsearch to filter for you rather than using grep.
>
> Just add "PwdLastSet" (no matter the case) after your ldapsearch
:
>
> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> '*@ad.mydomain.tld' -U myusername PwdLastSet
>
> This will retrieve only DN + asked attributes.
>
> Not all user have a password set so they should have a PwdLastSet. Anyway
> you don't care they are not real user touching keyboards and making
> mistakes. And you only want to display that information to real user making
> real mistakes : )
>
> 2017-02-03 15:44 GMT+01:00 Jeff Sadowski via samba <samba at
lists.samba.org>
> :
>
>> This seems to work for maxPwdAge
>>
>> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
dc=ad,dc=mydomain,dc=tld
>> maxPwdAge
>>
>> now I just need to query a users pwdLastSetq
>> I tried the commands above but am not getting anything. I tried looking
at
>> the ungrepped output but I don't see how to link the pwdLastSet
with any
>> user. I get a long list.
>> I think I'm looking for dn: and a matching pwdLastSet? So I tried
the
>> command bellow but I don't see anything that looks like users.
>>
>>
>> ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
>> '*@ad.mydomain.tld' -U myusername|grep -e
"^pwdLastSet:" -e "^dn:"|less
>> gives me as follows
>>
>> dn: DC=ad,DC=mydomain,DC=tld
>> dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
>> dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> pwdLastSet: 129912036833708410
>> dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> pwdLastSet: 131292041205350825
>> dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> pwdLastSet: 131300093694348218
>> dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
>> pwdLastSet: 129908837104473721
>> dn: CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Users,DC=ad,DC=mydomain,DC=tld
>> dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
>> dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
>> dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
>> dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=AppCategories,CN=Default Domain
>> Policy,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
>> dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
>> ...
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

Jeff Sadowski

2017-Feb-03 17:22 UTC

head link

[Samba] How to get password expiration?

I'll give rpcclient a try

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 07:44:39 -0700
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
> > This seems to work for maxPwdAge
> >
> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> > dc=ad,dc=mydomain,dc=tld maxPwdAge
> >
> > now I just need to query a users pwdLastSetq
> > I tried the commands above but am not getting anything. I tried
> > looking at the ungrepped output but I don't see how to link the
> > pwdLastSet with any user. I get a long list.
> > I think I'm looking for dn: and a matching pwdLastSet? So I tried
the
> > command bellow but I don't see anything that looks like users.
> >
> >
> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> > '*@ad.mydomain.tld' -U myusername|grep -e
"^pwdLastSet:" -e
> > "^dn:"|less gives me as follows
> >
> > dn: DC=ad,DC=mydomain,DC=tld
> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129912036833708410
> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131292041205350825
> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131300093694348218
> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129908837104473721
> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AppCategories,CN=Default Domain
> > Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> > ...
>
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} '
-o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change
Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Jeff Sadowski

2017-Feb-03 17:25 UTC

head link

[Samba] How to get password expiration?

Winner this worked wonderfully

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 07:44:39 -0700
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
> > This seems to work for maxPwdAge
> >
> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> > dc=ad,dc=mydomain,dc=tld maxPwdAge
> >
> > now I just need to query a users pwdLastSetq
> > I tried the commands above but am not getting anything. I tried
> > looking at the ungrepped output but I don't see how to link the
> > pwdLastSet with any user. I get a long list.
> > I think I'm looking for dn: and a matching pwdLastSet? So I tried
the
> > command bellow but I don't see anything that looks like users.
> >
> >
> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> > '*@ad.mydomain.tld' -U myusername|grep -e
"^pwdLastSet:" -e
> > "^dn:"|less gives me as follows
> >
> > dn: DC=ad,DC=mydomain,DC=tld
> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129912036833708410
> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131292041205350825
> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131300093694348218
> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129908837104473721
> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AppCategories,CN=Default Domain
> > Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> > ...
>
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} '
-o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change
Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Andrew Bartlett

2017-Feb-03 18:02 UTC

head link

[Samba] How to get password expiration?

On Fri, 2017-02-03 at 07:44 -0700, Jeff Sadowski via samba
wrote:> This seems to work for maxPwdAge
> 
> ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> dc=ad,dc=mydomain,dc=tld
> maxPwdAge
> 
> now I just need to query a users pwdLastSetq
Don't bother.  Let Samba do it for you, just query this operational
attribute: 

msDS-UserPasswordExpiryTimeComputed

 on the user.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Jeff Sadowski

2017-Feb-03 18:15 UTC

head link

[Samba] How to get password expiration?

Actually is there a way to show it more like a timestamp. It is hard to
compute days left with a date format like that. I guess I could use date to
do the conversion but I was wondering if there is a cleaner way

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 07:44:39 -0700
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
> > This seems to work for maxPwdAge
> >
> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b
> > dc=ad,dc=mydomain,dc=tld maxPwdAge
> >
> > now I just need to query a users pwdLastSetq
> > I tried the commands above but am not getting anything. I tried
> > looking at the ungrepped output but I don't see how to link the
> > pwdLastSet with any user. I get a long list.
> > I think I'm looking for dn: and a matching pwdLastSet? So I tried
the
> > command bellow but I don't see anything that looks like users.
> >
> >
> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D
> > '*@ad.mydomain.tld' -U myusername|grep -e
"^pwdLastSet:" -e
> > "^dn:"|less gives me as follows
> >
> > dn: DC=ad,DC=mydomain,DC=tld
> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129912036833708410
> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131292041205350825
> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131300093694348218
> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129908837104473721
> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AppCategories,CN=Default Domain
> > Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> > ...
>
> AS I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} '
-o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change
Time' | cut -d
> ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Reasonably Related Threads

Search for more possibly parallel threads

samba - Feb 2017 - How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

[Samba] How to get password expiration?

Reasonably Related Threads