Rowland Penny
2017-Feb-08 17:46 UTC
[Samba] Users list and the date the password will expire
On Wed, 8 Feb 2017 18:32:15 +0100
Ole Traupe via samba <samba at lists.samba.org> wrote:

> That was weird: didn't see (expect) there to be a discussion right on
> the same topic going on at this very moment.
>
> Ole
>
>
> On 08.02.2017 17:37, Ole Traupe via samba wrote:
> > Hi list,
> >
> > long time no see! :)
> >
> > I was looking for an email reminder script for users whose password
> > will expire. Some of our users are on long travels and will never
> > see the Domain's default notification. I haven't found any complete
> > (and simple) solution online. So I wrote one. In case it helps
> > anyone, you find it below.
> >
> > You should only have to fill in the blanks for the "basedn"
> > search parameter. Time conversion methods are taken from here:
> > http://meinit.nl/convert-active-directory-lastlogon-time-to-unix-readable-time
> >
> >
> > Ole
> >
> >
> > --
> >
> > #!/bin/bash
> >
> > max_pwAge=`samba-tool domain passwordsettings show | grep "Maximum password age" | tr -dc '0-9'`
> > user_list=`wbinfo -u`
> >
> > basedn="OU=*,DC=*,DC=*,DC=*"
> >
> > for user in $user_list; do
> >
> >     set_date=`ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b $basedn cn=$user | grep pwdLastSet | tr -dc '0-9'`
> >
> >     if [ $set_date ] && [ $set_date -gt 1 ]; then
> >
> >         UNIXTimeStamp=$((($set_date/10000000)-11644473600))
> >         then_sec=`date -d "1970-01-01 $UNIXTimeStamp sec GMT" +%s`
> >         now_sec=`date +%s`
> >         diff_days=$(( ( $now_sec - $then_sec )/60/60/24 ))
> >         exp_days=$(( $max_pwAge - $diff_days ))
> >
> >         if [ $exp_days == 90 ] || [ $exp_days == 60 ] || [ $exp_days == 30 ]; then
> >
> >             mail_string=`ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b $basedn cn=$user | grep mail`
> >             echo "Gotcha: $user" | mail -s "WARNING: Your domain account password will expire in $exp_days days!" ${mail_string:6}
> >
> >         fi
> >     fi
> > done
> >
>

Yes and now you know that you are using the wrong attribute LOL

Rowland

Exactly, and got reminded that I don't have to grep anything but can ask for specific parameters. Been a while that I used ldbsearch. ;)

Ole

On 08.02.2017 18:46, Rowland Penny via samba wrote:
> Yes and now you know that you are using the wrong attribute LOL
>
> Rowland
>

On 02/09/2017 11:25 AM, Ole Traupe via samba wrote:
> Exactly, and got reminded that I don't have to grep anything but can ask
> for specific parameters. Been a while that I used ldbsearch. ;)
>

So there will be an updated version of your script? :-)

Your script is something we could use as well, appreciated!

MJ

Well, that was a little premature. Querying the attribute directly actually leads to a longer (and partly redundant) statement:

exp_date=`ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b $basedn cn=$user msDS-UserPasswordExpiryTimeComputed | grep msDS-UserPasswordExpiryTimeComputed | tr -dc '0-9'`

Ole

On 09.02.2017 11:25, Ole Traupe via samba wrote:
> Exactly, and got reminded that I don't have to grep anything but can
> ask for specific parameters. Been a while that I used ldbsearch. ;)
>
> Ole
>
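
Added example, not part of any message in this thread: a sketch of the approach the last reply arrives at, reading msDS-UserPasswordExpiryTimeComputed from ldbsearch output instead of deriving the date from pwdLastSet and the maximum password age. It handles the attribute's two special values (0 and 0x7FFFFFFFFFFFFFFF); the sample record, the user, the domain and the sAMAccountName filter shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread.
NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: password never expires

# ldif_attr NAME: print the value of the first "NAME: value" line read from stdin.
ldif_attr() {
    awk -v a="$1" 'BEGIN { p = tolower(a) ": " }
        tolower(substr($0, 1, length(p))) == p { print substr($0, length(p) + 1); exit }'
}

# days_left FILETIME NOW_EPOCH: whole days until expiry (negative once expired),
# or "never" / "must-change" for the two special values.
days_left() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;                   # missing or malformed: do not guess
        "$NEVER")    echo never; return 0 ;;
        0)           echo must-change; return 0 ;; # password must be changed at next logon
    esac
    # FILETIME counts 100 ns ticks since 1601-01-01; same conversion as in the thread.
    echo $(( ($1 / 10000000 - 11644473600 - $2) / 86400 ))
}

# reminder LDIF NOW_EPOCH: print "address days" when a reminder is due (90/60/30 days).
reminder() {
    exp=$(printf '%s\n' "$1" | ldif_attr msDS-UserPasswordExpiryTimeComputed)
    addr=$(printf '%s\n' "$1" | ldif_attr mail)
    days=$(days_left "$exp" "$2") || return 1
    case "$days" in
        90|60|30) [ -n "$addr" ] && echo "$addr $days" ;;
    esac
    return 0
}

# Constructed sample of ldbsearch output (hypothetical user and domain).
# A live query would look like this, with the sAMAccountName filter as an assumption:
#   ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b "$basedn" \
#       "(sAMAccountName=$user)" mail msDS-UserPasswordExpiryTimeComputed
SAMPLE='# record 1
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
mail: alice@example.com
msDS-UserPasswordExpiryTimeComputed: 131335776000000000

# returned 1 records'

reminder "$SAMPLE" 1486512000   # "now" fixed at 2017-02-08 00:00:00 UTC
```

Accounts whose value is "never" or "must-change" get no reminder here; a day count computed from pwdLastSet and the domain-wide maximum age would not distinguish them.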