Quick addendum: I just stumbled upon abandoned accounts receiving "password expired" notifications forever, even if they get disabled subsequently (by me). It might be helpful to include this in the script:

uAC_string=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))" userAccountControl | grep userAccountControl: | sed "s|userAccountControl: ||")

if [ "${uAC_string}" -eq "512" ]; then

    [do expiration parsing]
fi

Here is a list of possible values for the userAccountControl field: http://www.netvision.com/ad_useraccountcontrol.php

Ole

On 09.02.2017 15:52, Ole Traupe via samba wrote:
> For what it's worth, here is the output of "testparm" on the DC:
>
>
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = domain.university.tld
>         interfaces = lo eth0 eth0:0
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         passdb backend = samba_dsdb
>         dns forwarder = forwarder_IP
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.university.tld/scripts
>         read only = No
>
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
> On 09.02.2017 15:16, Rowland Penny via samba wrote:
>> On Thu, 9 Feb 2017 14:56:47 +0100
>> Ole Traupe via samba <samba at lists.samba.org> wrote:
>>
>>> I only get the usernames:
>>> Same on member servers, btw. Initially I thought this comes from
>>> "winbind: use default domain", but this is neither present on my DCs
>>> nor would it have any effect (afaik).
>> This is what is confusing me, I know of no way to get the username
>> without the domain on a DC and then yours goes and does it without
>> trying LOL
>>
>>> Anyways, no problem for me to accommodate your script to my
>>> environment. Thank you for your valuable extensions!
>>>
>> No problem, glad to help.
>>
>> Rowland
Rowland Penny
2017-Feb-13 16:19 UTC
[Samba] Users list and the date the password will expire
On Mon, 13 Feb 2017 16:46:12 +0100
Ole Traupe via samba <samba at lists.samba.org> wrote:

You could always replace:

> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
> userAccountControl | grep userAccountControl: | sed
> "s|userAccountControl: ||")
>
> if [ "${uAC_string}" -eq "512" ]; then
>
> [do expiration parsing]
> fi

With:

"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

This will do the same ;-)

Rowland
"userAccountControl:1.2.840.113556.1.4.803:=2"

Sorry, I cannot read the Matrix. ;)

Ole

On 13.02.2017 17:19, Rowland Penny via samba wrote:
> On Mon, 13 Feb 2017 16:46:12 +0100
> Ole Traupe via samba <samba at lists.samba.org> wrote:
>
> You could always replace:
>
>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
>> userAccountControl | grep userAccountControl: | sed
>> "s|userAccountControl: ||")
>>
>> if [ "${uAC_string}" -eq "512" ]; then
>>
>> [do expiration parsing]
>> fi
> With:
>
> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
>
> This will do the same ;-)
>
> Rowland
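Editor's added example, not code from either poster: the OID in Rowland's filter, 1.2.840.113556.1.4.803, is Active Directory's LDAP_MATCHING_RULE_BIT_AND, so `(userAccountControl:1.2.840.113556.1.4.803:=2)` matches any object whose userAccountControl value has bit 0x2 (ACCOUNTDISABLE) set, and the surrounding `(!(...))` excludes those. The script below replays both checks from the thread against a constructed ldbsearch dump so the difference is visible without a DC. The user names, the DN suffix and the four values are made up; the flag constants (2 = ACCOUNTDISABLE, 512 = NORMAL_ACCOUNT, 65536 = DONT_EXPIRE_PASSWORD) are the documented userAccountControl bits that the netvision list linked above also shows. Note that the `-eq 512` test only passes accounts with exactly that value, so an enabled account that also has any other flag set (for instance 66048 = 512 + 65536) is skipped by it but kept by the bit-AND filter; the expiry parsing then still has to look at bit 65536 itself, because such accounts have no password expiry date.

```shell
#!/bin/sh
# Added example, not code from the thread: replays the two checks discussed
# above against a constructed ldbsearch dump. Names and values are made up.

# Constructed sample of what `ldbsearch ... userAccountControl` prints.
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=alice,CN=Users,DC=domain,DC=university,DC=tld
userAccountControl: 512

# record 2
dn: CN=bob,CN=Users,DC=domain,DC=university,DC=tld
userAccountControl: 514

# record 3
dn: CN=carol,CN=Users,DC=domain,DC=university,DC=tld
userAccountControl: 66048

# record 4
dn: CN=dave,CN=Users,DC=domain,DC=university,DC=tld
userAccountControl: 66050
'

# userAccountControl bit flags (MS-ADTS; the thread's netvision link lists the same).
UAC_ACCOUNTDISABLE=2            # 0x0002
UAC_NORMAL_ACCOUNT=512          # 0x0200
UAC_DONT_EXPIRE_PASSWORD=65536  # 0x10000

# uac_for_user CN: pull one user's userAccountControl integer out of the sample dump.
uac_for_user() {
    printf '%s\n' "$SAMPLE_LDB_OUTPUT" | awk -v cn="$1" '
        $1 == "dn:" { hit = ($2 ~ ("^CN=" cn ",")) }
        hit && $1 == "userAccountControl:" { print $2; exit }'
}

# naive_is_active UAC: Ole's check; true only when the value is exactly 512.
naive_is_active() {
    [ "$1" -eq "$UAC_NORMAL_ACCOUNT" ]
}

# is_disabled UAC: what the server evaluates for
# (userAccountControl:1.2.840.113556.1.4.803:=2). The OID is
# LDAP_MATCHING_RULE_BIT_AND, so the clause matches when (value & 2) != 0.
is_disabled() {
    [ $(( $1 & UAC_ACCOUNTDISABLE )) -ne 0 ]
}

# never_expires UAC: bit 0x10000. Such accounts pass the bit-AND filter but
# have no password expiry to report, so the parsing step must check this too.
never_expires() {
    [ $(( $1 & UAC_DONT_EXPIRE_PASSWORD )) -ne 0 ]
}

# bitand_filter SAMACCOUNTNAME: the filter Rowland suggested, for one user.
bitand_filter() {
    printf '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' "$1"
}

# classify CN: one line per user showing what each check decides.
classify() {
    uac=$(uac_for_user "$1")
    if naive_is_active "$uac"; then eq512=yes; else eq512=no; fi
    if is_disabled "$uac"; then bitand=no; else bitand=yes; fi
    if never_expires "$uac"; then noexp=yes; else noexp=no; fi
    printf '%s uAC=%s eq512=%s bitand=%s noexpiry=%s\n' \
        "$1" "$uac" "$eq512" "$bitand" "$noexp"
}

for u in alice bob carol dave; do
    classify "$u"
done
```

Running it prints one line per sample user; carol (66048) is the case the two checks disagree on: `eq512=no` but `bitand=yes`, with `noexpiry=yes` flagging that there is still nothing to parse for her. To use the filter against a real DC, pass the output of `bitand_filter "$user"` as the search expression to ldbsearch in place of the original one.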