Actually, is there a way to show it more like a timestamp? It is hard to compute days left with a date format like that. I guess I could use date to do the conversion but I was wondering if there is a cleaner way.

On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 3 Feb 2017 07:44:39 -0700
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
> > This seems to work for maxPwdAge
> >
> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge
> >
> > now I just need to query a user's pwdLastSet
> > I tried the commands above but am not getting anything. I tried
> > looking at the ungrepped output but I don't see how to link the
> > pwdLastSet with any user. I get a long list.
> > I think I'm looking for dn: and a matching pwdLastSet? So I tried the
> > command below but I don't see anything that looks like users.
> >
> > ldapsearch -h ad.mydomain.tld -b 'dc=ad,dc=mydomain,dc=tld' -D '*@ad.mydomain.tld' -U myusername|grep -e "^pwdLastSet:" -e "^dn:"|less
> >
> > gives me as follows
> >
> > dn: DC=ad,DC=mydomain,DC=tld
> > dn: CN=Computers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AD2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129912036833708410
> > dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131292041205350825
> > dn: OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 131300093694348218
> > dn: CN=OMEGA,OU=Domain Controllers,DC=ad,DC=mydomain,DC=tld
> > pwdLastSet: 129908837104473721
> > dn: CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RID Manager$,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Users,DC=ad,DC=mydomain,DC=tld
> > dn: CN=LostAndFound,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Infrastructure,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ForeignSecurityPrincipals,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Microsoft,CN=Program Data,DC=ad,DC=mydomain,DC=tld
> > dn: CN=NTDS Quotas,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Managed Service Accounts,DC=ad,DC=mydomain,DC=tld
> > dn: CN=WinsockServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=RpcServices,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Meetings,CN=System,DC=ad,DC=mydomain,DC=tld
> > dn: CN=Policies,CN=System,DC=ad,DC=mydomain,DC=tld
> > ...
>
> As I said, you can use rpcclient to do this:
>
> RPCLOOKUPID=$(rpcclient -P -c "lookupnames $USER" dc1)
> USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
> QUERYUSER=$(rpcclient -P -c "queryuser $USERDCID" dc1)
> EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | cut -d ":" -f 2,3,4,5 | sed -e 's/^[[:space:]]*//')
>
> If I feed my name into this, I get:
>
> Thu, 14 Sep 30828 03:48:05 BST
>
> Which is understandable, because my password is set to never expire.
> So, unless Microsoft doesn't know what they are talking about, the
> world will end in 30828 LOL
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Sorry, that was easy enough:

let seconds=`date -d "${EXPDATE}" "+%s"`-`date "+%s"`
let days=$seconds/86400
echo $days > /na/homes/$1/.pwd_exp

On Fri, Feb 3, 2017 at 11:15 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> Actually, is there a way to show it more like a timestamp? It is hard to
> compute days left with a date format like that. I guess I could use date to
> do the conversion but I was wondering if there is a cleaner way.

On my Ubuntu machines I added

auth required pam_exec.so /scripts/password_expire.sh

to the beginning of /etc/pam.d/common-auth. It looks pretty similar to what I did below. In /etc/bash.bashrc I added a check to wait for the file to be less than 1 second old before looking at it. Break out after 5 seconds in case something failed or is taking longer than it should. Now people get how many days till their password expires.

Thank you all so much :-)

On Fri, Feb 3, 2017 at 11:22 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> Sorry, that was easy enough:
> let seconds=`date -d "${EXPDATE}" "+%s"`-`date "+%s"`
> let days=$seconds/86400
> echo $days > /na/homes/$1/.pwd_exp
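
Added example (not part of any message in this thread, and not Samba project code): the same days-left figure computed directly from the raw pwdLastSet and maxPwdAge integers that ldapsearch returns, including the never-expires and must-change cases, so no date string has to be parsed. The function names, the 42-day maxPwdAge and the "now" timestamp are assumptions made for the example; the pwdLastSet value is one of those shown in the ldapsearch output above.

```shell
#!/bin/sh
# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
# maxPwdAge is a negative duration in the same ticks.
EPOCH_DIFF=11644473600    # seconds from 1601-01-01 to 1970-01-01 (UTC)
TICKS_PER_SEC=10000000    # 100 ns ticks per second
UF_DONT_EXPIRE=65536      # userAccountControl bit 0x10000

# is_uint STRING: succeeds only for a non-empty string of digits
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# filetime_to_unix TICKS: prints Unix seconds.
# The largest 64-bit FILETIME lands in the year 30828, the date quoted above.
filetime_to_unix() {
    echo $(( $1 / TICKS_PER_SEC - EPOCH_DIFF ))
}

# pwd_days_left PWDLASTSET MAXPWDAGE NOW_UNIX [USERACCOUNTCONTROL]
# Prints whole days left (truncated toward zero, negative once more than a
# day overdue), "never", "must-change", or "invalid" with exit status 1.
pwd_days_left() {
    pdl_set=$1 pdl_max=$2 pdl_now=$3 pdl_uac=${4:-0}
    # Reject anything that is not a plain integer before doing arithmetic.
    is_uint "$pdl_set" && is_uint "$pdl_now" && is_uint "$pdl_uac" &&
        is_uint "${pdl_max#-}" || { echo invalid; return 1; }
    # Never expires: per-user flag, or a domain policy of 0 / minimum int64.
    if [ $(( pdl_uac & UF_DONT_EXPIRE )) -ne 0 ] || [ "$pdl_max" = 0 ] ||
       [ "$pdl_max" = -9223372036854775808 ]; then
        echo never; return 0
    fi
    # pwdLastSet of 0 means the password must be changed at next logon.
    if [ "$pdl_set" = 0 ]; then echo must-change; return 0; fi
    # Expiry = time set + policy age; the sign of maxPwdAge is dropped.
    pdl_exp=$(( $(filetime_to_unix "$pdl_set") + ${pdl_max#-} / TICKS_PER_SEC ))
    echo $(( (pdl_exp - pdl_now) / 86400 ))
}

# Constructed sample: pwdLastSet from the thread's output, an assumed
# 42-day maxPwdAge, and an assumed "now" of 2017-02-03 00:00:00 UTC.
pwd_days_left 131300093694348218 -36288000000000 1486080000
```

In a login script NOW_UNIX would be `$(date +%s)`, and a single account's attributes can be selected by adding an LDAP filter such as `'(sAMAccountName=myusername)' pwdLastSet userAccountControl` to the ldapsearch command.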