Hi list,

long time no see! :)

I was looking for an email reminder script for users whose password will expire. Some of our users are on long travels and will never see the Domain's default notification. I haven't found any complete (and simple) solution online. So I wrote one. In case it helps anyone, you find it below.

You should only have to fill in the blanks for the "basedn" search parameter. Time conversion methods are taken from here:
http://meinit.nl/convert-active-directory-lastlogon-time-to-unix-readable-time

Ole

--

#!/bin/bash
# bash is needed for the [ x == y ] tests and ${mail_string:6} below

# Maximum password age in days, from the domain password settings
max_pwAge=`samba-tool domain passwordsettings show | grep "Maximum password age" | tr -dc '0-9'`
user_list=`wbinfo -u`

basedn="OU=*,DC=*,DC=*,DC=*"

for user in $user_list; do

    # pwdLastSet is stored in 100 ns intervals since 1601-01-01
    set_date=`ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b "$basedn" "cn=$user" | grep pwdLastSet | tr -dc '0-9'`

    if [ "$set_date" ] && [ "$set_date" -gt 1 ]; then

        # Convert to Unix time, then to days since the password was set
        UNIXTimeStamp=$((($set_date/10000000)-11644473600))
        then_sec=`date -d "1970-01-01 $UNIXTimeStamp sec GMT" +%s`
        now_sec=`date +%s`
        diff_days=$(( ( $now_sec - $then_sec )/60/60/24 ))
        exp_days=$(( $max_pwAge - $diff_days ))

        if [ "$exp_days" == 90 ] || [ "$exp_days" == 60 ] || [ "$exp_days" == 30 ]; then

            # ${mail_string:6} strips the leading "mail: " from the LDIF line
            mail_string=`ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b "$basedn" "cn=$user" | grep mail`
            echo "Gotcha: $user" | mail -s "WARNING: Your domain account password will expire in $exp_days days!" ${mail_string:6}

        fi
    fi
done
That was weird: didn't see (expect) there to be a discussion right on the same topic going on at this very moment.

Ole

On 08.02.2017 17:37, Ole Traupe via samba wrote:
> Hi list,
>
> long time no see! :)
>
> I was looking for an email reminder script for users whose password
> will expire. Some of our users are on long travels and will never see
> the Domain's default notification. I haven't found any complete (and
> simple) solution online. So I wrote one. In case it helps anyone, you
> find it below.
>
> You should only have to fill in the blanks for the "basedn" search
> parameter. Time conversion methods are taken from here:
> http://meinit.nl/convert-active-directory-lastlogon-time-to-unix-readable-time
>
> Ole
>
> --
>
> #!/bin/sh
>
> max_pwAge=`samba-tool domain passwordsettings show | grep "Maximum
> password age" | tr -dc '0-9'`
> user_list=`wbinfo -u`
>
> basedn="OU=*,DC=*,DC=*,DC=*"
>
> for user in $user_list; do
>
>     set_date=`ldbsearch -H /usr/local/samba/private/sam.ldb -s sub
> -b $basedn cn=$user | grep pwdLastSet | tr -dc '0-9'`
>
>     if [ $set_date ] && [ $set_date -gt 1 ]; then
>
>         UNIXTimeStamp=$((($set_date/10000000)-11644473600))
>         then_sec=`date -d "1970-01-01 $UNIXTimeStamp sec GMT"
> +%s`
>         now_sec=`date +%s`
>         diff_days=$(( ( $now_sec - $then_sec )/60/60/24 ))
>         exp_days=$(( $max_pwAge - $diff_days ))
>
>         if [ $exp_days == 90 ] || [ $exp_days == 60 ] || [
> $exp_days == 30 ]; then
>
>             mail_string=`ldbsearch -H
> /usr/local/samba/private/sam.ldb -s sub -b $basedn cn=$user | grep mail`
>             echo "Gotcha: $user" | mail -s "WARNING: Your
> domain account password will expire in $exp_days days!" ${mail_string:6}
>
>         fi
>     fi
> done
>
Rowland Penny
2017-Feb-08 17:46 UTC
[Samba] Users list and the date the password will expire
On Wed, 8 Feb 2017 18:32:15 +0100
Ole Traupe via samba <samba at lists.samba.org> wrote:

> That was weird: didn't see (expect) there to be a discussion right on
> the same topic going on at this very moment.
>
> Ole
>
>
> On 08.02.2017 17:37, Ole Traupe via samba wrote:
> > Hi list,
> >
> > long time no see! :)
> >
> > I was looking for an email reminder script for users whose password
> > will expire. Some of our users are on long travels and will never
> > see the Domain's default notification. I haven't found any complete
> > (and simple) solution online. So I wrote one. In case it helps
> > anyone, you find it below.
> >
> > You should only have to fill in the blanks for the "basedn"
> > search parameter. Time conversion methods are taken from here:
> > http://meinit.nl/convert-active-directory-lastlogon-time-to-unix-readable-time
> >
> > Ole
> >
> > --
> >
> > #!/bin/sh
> >
> > max_pwAge=`samba-tool domain passwordsettings show | grep "Maximum
> > password age" | tr -dc '0-9'`
> > user_list=`wbinfo -u`
> >
> > basedn="OU=*,DC=*,DC=*,DC=*"
> >
> > for user in $user_list; do
> >
> >     set_date=`ldbsearch -H /usr/local/samba/private/sam.ldb -s
> > sub -b $basedn cn=$user | grep pwdLastSet | tr -dc '0-9'`
> >
> >     if [ $set_date ] && [ $set_date -gt 1 ]; then
> >
> >         UNIXTimeStamp=$((($set_date/10000000)-11644473600))
> >         then_sec=`date -d "1970-01-01 $UNIXTimeStamp sec
> > GMT" +%s`
> >         now_sec=`date +%s`
> >         diff_days=$(( ( $now_sec - $then_sec )/60/60/24 ))
> >         exp_days=$(( $max_pwAge - $diff_days ))
> >
> >         if [ $exp_days == 90 ] || [ $exp_days == 60 ] || [
> > $exp_days == 30 ]; then
> >
> >             mail_string=`ldbsearch -H
> > /usr/local/samba/private/sam.ldb -s sub -b $basedn cn=$user | grep
> > mail` echo "Gotcha: $user" | mail -s "WARNING: Your
> > domain account password will expire in $exp_days days!"
> > ${mail_string:6}
> >
> >         fi
> >     fi
> > done
> >

Yes and now you know that you are using the wrong attribute LOL

Rowland
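
Added example, not part of any post in this thread: the FILETIME conversion both scripts on this page perform (100 ns ticks since 1601, offset 11644473600), applied to msDS-UserPasswordExpiryTimeComputed, the attribute the updated script later in the thread reads, with the 90/60/30-day thresholds. The handling of the values 0 and 0x7FFFFFFFFFFFFFFF follows Microsoft's definition of that attribute and is not discussed in the thread; the user jdoe, the LDIF sample and the function names are constructed.

```shell
#!/bin/bash
# Added example, not code from the thread. The sample LDIF is constructed.

EPOCH_OFFSET=11644473600    # seconds from 1601-01-01 to 1970-01-01, as in the thread
NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: password never expires
WARN_DAYS="90 60 30"        # reminder thresholds used by the thread's scripts

# Print the first value of attribute $1 from ldbsearch LDIF read on stdin.
ldif_attr() {
    awk -v attr="$1" -F ': ' '$1 == attr { print $2; exit }'
}

# expiry_action FILETIME NOW_EPOCH
# Prints one of: skip | never | must-change | expired | warn:N | none
expiry_action() {
    local ft=$1 now=$2 secs days d
    case $ft in
        ''|*[!0-9]*) echo skip; return 0 ;;   # attribute missing or malformed
    esac
    if [ "$ft" = "$NEVER" ]; then echo never; return 0; fi
    if [ "$ft" = 0 ]; then echo must-change; return 0; fi
    # FILETIME counts 100 ns ticks since 1601; convert to seconds remaining.
    secs=$(( ft / 10000000 - EPOCH_OFFSET - now ))
    if [ "$secs" -le 0 ]; then echo expired; return 0; fi
    days=$(( secs / 86400 ))
    for d in $WARN_DAYS; do
        if [ "$days" -eq "$d" ]; then echo "warn:$d"; return 0; fi
    done
    echo none
}

# Constructed ldbsearch output for a hypothetical user "jdoe".
SAMPLE_LDIF='# record 1
dn: CN=jdoe,CN=Users,DC=samdom,DC=example,DC=com
mail: jdoe@samdom.example.com
msDS-UserPasswordExpiryTimeComputed: 131341824000000000

# returned 1 records'

# 131341824000000000 is 2017-03-17 00:00:00 UTC; "now" is pinned to
# 2017-02-15 00:00:00 UTC (1487116800), exactly 30 days earlier.
demo() {
    local ft
    ft=$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr msDS-UserPasswordExpiryTimeComputed)
    expiry_action "$ft" 1487116800
}

demo
```

Accounts that report "never" or "skip" would otherwise feed a huge or empty number into the shell arithmetic, so they are filtered out before any day count is computed.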
Rowland Penny
2017-Feb-09 11:02 UTC
[Samba] Users list and the date the password will expire
On Thu, 9 Feb 2017 11:26:55 +0100
Ole Traupe <ole.traupe at tu-berlin.de> wrote:

> But I got the timestamp subtraction constant right from the beginning!

Hope you don't mind but I updated your script ;-)

#!/bin/bash

### Set system defaults

# Get path to sam.ldb
LDBDIR=$(samba -b | grep 'PRIVATE_DIR' | awk -F ':' '{print $NF}' | sed 's/^ *//g')
if [ -z "${LDBDIR}" ]; then
    echo "This is supposed to be a DC, but cannot obtain the Private dir."
    echo "Cannot Continue...Exiting."
    exit 1
else
    LDBDB="${LDBDIR}/sam.ldb"
fi

# Get the default naming context of the domain # DC=samdom,DC=example,DC=com
domainDN=$(ldbsearch -H "${LDBDB}" -b "" -s base defaultNamingContext | grep 'defaultNamingContext' | sed 's|defaultNamingContext: ||')
if [ -z "${domainDN}" ]; then
    echo "Could not obtain AD rootDSE"
    exit 1
fi

user_list=$(wbinfo -u)

for user in $user_list; do
    # Strip the "DOMAIN\" prefix from the wbinfo output
    user=$(echo "${user}" | awk -F '\\' '{print $2}')
    user_expire_date=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" msDS-UserPasswordExpiryTimeComputed | grep "msDS-UserPasswordExpiryTimeComputed: " | sed "s|msDS-UserPasswordExpiryTimeComputed: ||")
    # Skip accounts for which no expiry time was returned
    [ -z "${user_expire_date}" ] && continue
    # Convert 100 ns intervals since 1601-01-01 to Unix time
    UNIXTimeStamp=$(((user_expire_date / 10000000) - 11644473600))
    date_now=$(date +%s)
    exp_days=$(((UNIXTimeStamp - date_now) / 3600 / 24))
    if [ "${exp_days}" -le "0" ]; then
        mail_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" mail | grep mail: | sed "s|mail: ||")
        if [ -n "${mail_string}" ]; then
            echo "Gotcha: ${user}" | mail -s "WARNING: Your domain account password has expired!!!" "${mail_string}"
        fi
    elif [ "${exp_days}" == "90" ] || [ "${exp_days}" == "60" ] || [ "${exp_days}" == "30" ]; then
        mail_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" mail | grep mail: | sed "s|mail: ||")
        if [ -n "${mail_string}" ]; then
            echo "Gotcha: ${user}" | mail -s "WARNING: Your domain account password will expire in ${exp_days} days!" "${mail_string}"
        fi
    fi
done

exit 0
NOBODY updates my scripts! Except whoever wants, of course. ;)

Would you mind going into details regarding your changes?

Ole

On 09.02.2017 12:02, Rowland Penny via samba wrote:
> On Thu, 9 Feb 2017 11:26:55 +0100
> Ole Traupe <ole.traupe at tu-berlin.de> wrote:
>
>> But I got the timestamp subtraction constant right from the beginning!
>
> Hope you don't mind but I updated your script ;-)
>
> #!/bin/bash
>
> ### Set system defaults
>
> # Get path to sam.ldb
> LDBDIR=$(samba -b | grep 'PRIVATE_DIR' | awk -F ':' '{print $NF}' | sed 's/^ *//g')
> if [ -z "${LDBDIR}" ]; then
>     echo "This is supposed to be a DC, but cannot obtain the Private dir."
>     echo "Cannot Continue...Exiting."
>     exit 1
> else
>     LDBDB="${LDBDIR}/sam.ldb"
> fi
>
> # Get the default naming context of the domain # DC=samdom,DC=example,DC=com
> domainDN=$(ldbsearch -H "${LDBDB}" -b "" -s base defaultNamingContext | grep 'defaultNamingContext' | sed 's|defaultNamingContext: ||')
> if [ -z "${domainDN}" ]; then
>     echo "Could not obtain AD rootDSE"
>     exit 1
> fi
>
> user_list=$(wbinfo -u)
>
> for user in $user_list; do
>     user=$(echo "${user}" | awk -F '\\' '{print $2}')
>     user_expire_date=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" msDS-UserPasswordExpiryTimeComputed | grep "msDS-UserPasswordExpiryTimeComputed: " | sed "s|msDS-UserPasswordExpiryTimeComputed: ||")
>     UNIXTimeStamp=$((("${user_expire_date}"/10000000)-11644473600))
>     date_now=$(date +%s)
>     exp_days=$((("${UNIXTimeStamp}" - "${date_now}") / 3600 / 24))
>     if [ "${exp_days}" -le "0" ]; then
>         mail_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" mail | grep mail: | sed "s|mail: ||")
>         if [ -n "${mail_string}" ]; then
>             echo "Gotcha: ${user}" | mail -s "WARNING: Your domain account password has expired!!!" "${mail_string}"
>         fi
>     elif [ "${exp_days}" == "90" ] || [ "${exp_days}" == "60" ] || [ "${exp_days}" == "30" ]; then
>         mail_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" mail | grep mail: | sed "s|mail: ||")
>         if [ -n "${mail_string}" ]; then
>             echo echo "Gotcha: ${user}" | mail -s "WARNING: Your domain account password will expire in ${exp_days} days!" "${mail_string}"
>         fi
>     fi
> done
>
> exit 0
>