figured out how to use ldapsearch also to get what I want.
Also found how to convert AD time to unix time
Another thing I wanted calculated was when an account expires.

ldapsearch -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld "(sAMAccountName=$user)"

gives all the good information about a user.

here is how I used it to tell me all accounts expiring this next month.

h=ad.mydomain.tld
b=dc=ad,dc=mydomain,dc=tld
q=accountExpires
for user in $(wbinfo -u);do
  accountExpires=$(ldapsearch -h $h -b $b "(sAMAccountName=$user)" $q 2>/dev/null | grep "^$q" | awk '{print $2}')
  if [ "$(echo ${accountExpires}|wc -c)" -gt 7 ];then
    #microsoft uses 100 nanosecond increments so I remove the last 7 digits to get seconds
    #microsoft's epoch is jan 1 1601 so I subtract 11644430400 seconds to make it unix time
    act_exp=$(expr ${accountExpires::-7} - 11644430400)
    days=$(expr $(expr $act_exp - `date "+%s"`) / 86400)
    if [ "$days" -lt 30 ] && [ "$days" -gt 0 ];then
      echo $user expires in $days days
    fi
  fi
done

On Fri, Feb 3, 2017 at 12:53 PM, Rowland Penny <rpenny at samba.org> wrote:
> On Fri, 3 Feb 2017 12:39:20 -0700
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
> > On my ubuntu machines I added
> >
> > auth required pam_exec.so /scripts/password_expire.sh
> >
> > to the beginning of /etc/pam.d/common-auth
> >
>
> That's where I was going wrong, I added it to common-session, but this
> being Unix, I have found another way ;-)
>
> On Mate (so should work on gnome as well), create a .desktop file
> in /etc/xdg/autostart to run a script in /usr/local/bin and you get the
> attached screenshot.
>
> Rowland

On Tue, 7 Feb 2017 11:30:52 -0700 Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> figured out how to use ldapsearch also to get what I want.
> Also found how to convert AD time to unix time
> Another thing I wanted calculated was when an account expires.
>
> ldapsearch -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld "(sAMAccountName=$user)"
>
> gives all the good information about a user.
>
> here is how I used it to tell me all accounts expiring this next
> month.
>
> h=ad.mydomain.tld
> b=dc=ad,dc=mydomain,dc=tld
> q=accountExpires
> for user in $(wbinfo -u);do
>   accountExpires=$(ldapsearch -h $h -b $b "(sAMAccountName=$user)" $q 2>/dev/null | grep "^$q" | awk '{print $2}')
>   if [ "$(echo ${accountExpires}|wc -c)" -gt 7 ];then
>     #microsoft uses 100 nanosecond increments so I remove the last 7 digits to get seconds
>     #microsoft's epoch is jan 1 1601 so I subtract 11644430400 seconds to make it unix time
>     act_exp=$(expr ${accountExpires::-7} - 11644430400)
>     days=$(expr $(expr $act_exp - `date "+%s"`) / 86400)
>     if [ "$days" -lt 30 ] && [ "$days" -gt 0 ];then
>       echo $user expires in $days days
>     fi
>   fi
> done

Hmm, accountExpires != msDS-UserPasswordExpiryTimeComputed

And from my internet investigations:

unixtimestamp=$((($WindowsTimeStamp/10000000)-11676009600))

and to turn that into number of days:

DAYS=$((($unixtimestamp - $DATE) / 3600 / 24))

Rowland

On Tue, Feb 7, 2017 at 3:22 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>
> On Tue, Feb 7, 2017 at 11:44 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Tue, 7 Feb 2017 11:30:52 -0700
>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>
>> > figured out how to use ldapsearch also to get what I want.
>> > Also found how to convert AD time to unix time
>> > Another thing I wanted calculated was when an account expires.
>> >
>> > ldapsearch -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld "(sAMAccountName=$user)"
>> >
>> > gives all the good information about a user.
>> >
>> > here is how I used it to tell me all accounts expiring this next
>> > month.
>> >
>> > h=ad.mydomain.tld
>> > b=dc=ad,dc=mydomain,dc=tld
>> > q=accountExpires
>> > for user in $(wbinfo -u);do
>> >   accountExpires=$(ldapsearch -h $h -b $b "(sAMAccountName=$user)" $q 2>/dev/null | grep "^$q" | awk '{print $2}')
>> >   if [ "$(echo ${accountExpires}|wc -c)" -gt 7 ];then
>> >     #microsoft uses 100 nanosecond increments so I remove the last 7 digits to get seconds
>> >     #microsoft's epoch is jan 1 1601 so I subtract 11644430400 seconds to make it unix time
>> >     act_exp=$(expr ${accountExpires::-7} - 11644430400)
>> >     days=$(expr $(expr $act_exp - `date "+%s"`) / 86400)
>> >     if [ "$days" -lt 30 ] && [ "$days" -gt 0 ];then
>> >       echo $user expires in $days days
>> >     fi
>> >   fi
>> > done
>>
>> Hmm, accountExpires != msDS-UserPasswordExpiryTimeComputed
>>
>> And from my internet investigations:
>>
>> unixtimestamp=$((($WindowsTimeStamp/10000000)-11676009600))
>>
>> $WindowsTimeStamp/10000000
> is equal to
> ${WindowsTimeStamp::-7}
> I don't know what is a more expensive operation catting a string or
> division(I guessed division was a more expensive operation).
>
> 11676009600 doesn't work right. It gives me different times than what net
> use gives me that is how I got
> 11644430400 to match what net use gives me
>
> I plugged the unixtimestamp into "date -d @${unixtimestamp}" and
compared it with "net user %username% /domain" until they were showing
the same times for accountExpire.

date
>
>
>> and to turn that into number of days:
>>
>> DAYS=$((($unixtimestamp - $DATE) / 3600 / 24))
>>
> x/3600/24 = x/86400
>
>
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>

correction on time offset
11644473600 is what shows the same times for me.

On Tue, Feb 7, 2017 at 4:11 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>
> On Tue, Feb 7, 2017 at 3:22 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
> wrote:
>
>>
>>
>> On Tue, Feb 7, 2017 at 11:44 AM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Tue, 7 Feb 2017 11:30:52 -0700
>>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>
>>> > figured out how to use ldapsearch also to get what I want.
>>> > Also found how to convert AD time to unix time
>>> > Another thing I wanted calculated was when an account expires.
>>> >
>>> > ldapsearch -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld "(sAMAccountName=$user)"
>>> >
>>> > gives all the good information about a user.
>>> >
>>> > here is how I used it to tell me all accounts expiring this next
>>> > month.
>>> >
>>> > h=ad.mydomain.tld
>>> > b=dc=ad,dc=mydomain,dc=tld
>>> > q=accountExpires
>>> > for user in $(wbinfo -u);do
>>> >   accountExpires=$(ldapsearch -h $h -b $b "(sAMAccountName=$user)" $q 2>/dev/null | grep "^$q" | awk '{print $2}')
>>> >   if [ "$(echo ${accountExpires}|wc -c)" -gt 7 ];then
>>> >     #microsoft uses 100 nanosecond increments so I remove the last 7 digits to get seconds
>>> >     #microsoft's epoch is jan 1 1601 so I subtract 11644430400 seconds to make it unix time
>>> >     act_exp=$(expr ${accountExpires::-7} - 11644430400)
>>> >     days=$(expr $(expr $act_exp - `date "+%s"`) / 86400)
>>> >     if [ "$days" -lt 30 ] && [ "$days" -gt 0 ];then
>>> >       echo $user expires in $days days
>>> >     fi
>>> >   fi
>>> > done
>>>
>>> Hmm, accountExpires != msDS-UserPasswordExpiryTimeComputed
>>>
>>> And from my internet investigations:
>>>
>>> unixtimestamp=$((($WindowsTimeStamp/10000000)-11676009600))
>>>
>>> $WindowsTimeStamp/10000000
>> is equal to
>> ${WindowsTimeStamp::-7}
>> I don't know what is a more expensive operation catting a string or
>> division(I guessed division was a more expensive operation).
>>
>> 11676009600 doesn't work right. It gives me different times than what net
>> use gives me that is how I got
>> 11644430400 to match what net use gives me
>>
>> I plugged the unixtimestamp into "date -d @${unixtimestamp}" and
> compared it with "net user %username% /domain" until they were showing
> the same times for accountExpire.
>
> date
>
>>
>>
>>> and to turn that into number of days:
>>>
>>> DAYS=$((($unixtimestamp - $DATE) / 3600 / 24))
>>>
>> x/3600/24 = x/86400
>>
>>
>>>
>>> Rowland
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
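
Added example, not part of the thread or of Samba: the conversion the messages above work out, using the corrected 11644473600 offset and treating the accountExpires values 0 and 9223372036854775807 as "never expires". The function names, user names and timestamps are constructed for illustration.

```bash
# Added example. Sample records below are constructed, not real directory data.
# 1601-01-01 to 1970-01-01 is 134774 days = 11644473600 s, the corrected offset
# from the thread. 11644430400 is 12 hours short; 11676009600 is 365 days over.
EPOCH_DIFF=11644473600
NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: account never expires

# filetime_to_unix FILETIME: print Unix seconds, or "never" for 0 / NEVER.
filetime_to_unix() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric ldapsearch output
    esac
    if [ "$1" = 0 ] || [ "$1" = "$NEVER" ]; then
        echo never
    else
        echo $(( $1 / 10000000 - EPOCH_DIFF ))
    fi
}

# days_left FILETIME NOW: whole days from NOW (Unix seconds) to expiry.
days_left() {
    ts=$(filetime_to_unix "$1") || return 1
    if [ "$ts" = never ]; then
        echo never
    else
        echo $(( (ts - $2) / 86400 ))
    fi
}

# expiring_within DAYS NOW: read "user filetime" lines on stdin and report
# accounts expiring more than 0 and fewer than DAYS days from NOW.
expiring_within() {
    while read -r user ft; do
        d=$(days_left "$ft" "$2") || continue
        [ "$d" = never ] && continue
        if [ "$d" -gt 0 ] && [ "$d" -lt "$1" ]; then
            echo "$user expires in $d days"
        fi
    done
}

# Constructed input; NOW is fixed at 2017-02-07 00:00:00 UTC for repeatability.
sample_input() {
    printf '%s\n' 'alice 131317632000000000' 'bob 9223372036854775807' \
        'carol 0' 'dave 131347872000000000' 'eve 131304672000000000' 'mallory'
}

sample_input | expiring_within 30 1486425600
```

The same conversion applies to msDS-UserPasswordExpiryTimeComputed, which uses the same 100-nanosecond units but describes password expiry rather than account expiry.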