Rowland Penny
2017-Feb-09 14:16 UTC
[Samba] Users list and the date the password will expire
On Thu, 9 Feb 2017 14:56:47 +0100 Ole Traupe via samba <samba at lists.samba.org> wrote:

> I only get the usernames:
>
> Same on member servers, btw. Initially I thought this comes from
> "winbind: use default domain", but this is neither present on my DCs
> nor would it have any effect (afaik).

This is what is confusing me, I know of no way to get the username without the domain on a DC and then yours goes and does it without trying LOL

> Anyways, no problem for me to accommodate your script to my
> environment. Thank you for your valuable extensions!

No problem, glad to help.

Rowland
For what it's worth, here is the output of "testparm" on the DC:

    Load smb config files from /usr/local/samba/etc/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[netlogon]"
    Processing section "[sysvol]"
    Loaded services file OK.
    Server role: ROLE_ACTIVE_DIRECTORY_DC

    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
        workgroup = DOMAIN
        realm = domain.university.tld
        interfaces = lo eth0 eth0:0
        bind interfaces only = Yes
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder = forwarder_IP
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.university.tld/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Quick addendum: I just stumbled upon abandoned accounts receiving "password expired" notifications forever, even if they get disabled subsequently (by me). It might be helpful to include this in the script:

    # Fetch the account's userAccountControl value from the directory
    uAC_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub \
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" \
        userAccountControl | grep userAccountControl: | sed "s|userAccountControl: ||")
    # 512 = NORMAL_ACCOUNT with no other flag set (an enabled account)
    if [ "${uAC_string}" -eq "512" ]; then
        # do expiration parsing here
        :
    fi

Here is a list of possible values for the userAccountControl field:
http://www.netvision.com/ad_useraccountcontrol.php

Ole
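Added example (not part of the original thread or of the script under discussion): userAccountControl is a bit field, so this sketch goes beyond the exact match on 512 and tests the individual flags, skipping disabled accounts and accounts whose password never expires. The function names and the sample LDIF are constructed for illustration; in the script the LDIF would come from the ldbsearch call shown above.

```shell
#!/bin/sh
# userAccountControl bit flags used below (Active Directory values).
UAC_ACCOUNTDISABLE=2            # 0x00002
UAC_NORMAL_ACCOUNT=512          # 0x00200
UAC_DONT_EXPIRE_PASSWORD=65536  # 0x10000

# Read LDIF (as printed by ldbsearch) on stdin, print the first
# userAccountControl value found, or nothing if the attribute is absent.
uac_from_ldif() {
    sed -n 's/^userAccountControl: \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Print "notify" or a "skip: ..." reason for one userAccountControl value.
classify_uac() {
    case $1 in
        ''|*[!0-9]*) echo "skip: no numeric userAccountControl"; return 0 ;;
    esac
    if [ $(( $1 & $UAC_NORMAL_ACCOUNT )) -eq 0 ]; then
        echo "skip: not a normal user account"
    elif [ $(( $1 & $UAC_ACCOUNTDISABLE )) -ne 0 ]; then
        echo "skip: account disabled"
    elif [ $(( $1 & $UAC_DONT_EXPIRE_PASSWORD )) -ne 0 ]; then
        echo "skip: password never expires"
    else
        echo "notify"
    fi
}

# Constructed sample of ldbsearch output for a disabled user.
sample_ldif='# record 1
dn: CN=alice,CN=Users,DC=example,DC=test
userAccountControl: 514

# returned 1 records'

uac=$(printf '%s\n' "$sample_ldif" | uac_from_ldif)
echo "alice (uAC=$uac): $(classify_uac "$uac")"

# Constructed values: enabled, disabled, never-expires, enabled + PASSWD_NOTREQD.
for v in 512 514 66048 544; do
    echo "$v: $(classify_uac "$v")"
done
```

An enabled account that carries an extra flag, such as 544 (512 plus PASSWD_NOTREQD), is still classified as "notify" here, whereas the exact comparison with 512 would leave it out.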