I am running this on a CentOS 6.7 DC with Samba version 4.2.5.

Ole

On 09.02.2017 13:40, Ole Traupe via samba wrote:
> Actually, there were 2 problems. These lines work for me:
>
> #user=$(echo "${user}" | awk -F '\\' '{print $2}')
> user_expire_date=$(ldbsearch --url="${LDBDB}" -b "${domainDN}" -s
> sub
> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
> msDS-UserPasswordExpiryTimeComputed | grep
> "msDS-UserPasswordExpiryTimeComputed: " | sed
> "s|msDS-UserPasswordExpiryTimeComputed: ||")
> UNIXTimeStamp=$(((${user_expire_date}/10000000)-11644473600))
> date_now=$(date +%s)
> exp_days=$(((${UNIXTimeStamp} - ${date_now}) / 3600 / 24))
>
> With the 'awk' the user is empty. Querying $user before the awk shows
> the correct user name without "DOMAIN\". This line seems not to be
> necessary for me.
>
> I also had to remove the quotes in the 3rd and last of these lines:
>
> e.g.
> ./mailtest_rowland.sh: line 29:
> ("131479598790000000"/10000000)-11644473600: syntax error: operand
> expected (error token is ""131479598790000000"/10000000)-11644473600")
>
> Ole
>
>
> On 09.02.2017 13:14, Rowland Penny wrote:
>> On Thu, 9 Feb 2017 12:49:12 +0100
>> Ole Traupe via samba <samba at lists.samba.org> wrote:
>>
>>> Never mind. However, with your update I get the following error right
>>> on the first found "user":
>>>
>>> ./mailtest_rowland.sh: line 27: (""/10000000)-11644473600: syntax
>>> error: operand expected (error token is """/10000000)-11644473600")
>>>
>> I initially got that, so I added:
>> user=$(echo "${user}" | awk -F '\\' '{print $2}')
>>
>> because, 'wbinfo -u' gives you 'DOMAIN\username'
>>
>> It looks like for some reason this is failing, are you using 'dash'
>> instead of 'bash' ?
>>
>> You could try adding 'echo "User: ${user}" ' above and below line 25
>>
>> i.e.
>> Change:
>>
>> for user in $user_list; do
>>     user=$(echo "${user}" | awk -F '\\' '{print $2}')
>>
>> To:
>>
>> for user in $user_list; do
>>     echo "User: ${user}"
>>     user=$(echo "${user}" | awk -F '\\' '{print $2}')
>>     echo "User: ${user}"
>>     break
>>
>> This should print the username before and after the removal of the
>> domain name and then break out of the loop.
>>
>> Rowland
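
Added example, not part of any message in this thread: the steps discussed above (strip "DOMAIN\", read msDS-UserPasswordExpiryTimeComputed, convert it to days) written so that the two reported failures, an empty user name and a non-numeric value, are handled instead of reaching the arithmetic. The function names, the allow-list, the sample ldbsearch output and the fixed "now" value are constructed; the 0 and 9223372036854775807 cases follow Active Directory's definition of the attribute and go beyond what the thread covers.

```bash
#!/bin/sh
# Added example (not from the thread); names and sample data are constructed.

# Drop an optional "DOMAIN\" prefix. Printing $NF instead of $2 keeps a bare
# name intact, where '{print $2}' returns an empty string for it.
strip_domain() {
    printf '%s\n' "$1" | awk -F '\\' '{ print $NF }'
}

# Conservative allow-list (an assumption, stricter than AD requires) so the
# name cannot change the LDAP filter it is interpolated into.
valid_account() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Read ldbsearch output on stdin and print the raw attribute value.
extract_expiry() {
    awk -F': ' '$1 == "msDS-UserPasswordExpiryTimeComputed" { print $2; exit }'
}

# $1 = FILETIME (100 ns ticks since 1601-01-01), $2 = "now" in Unix seconds.
days_until_expiry() {
    ft=$1
    now=${2:-$(date +%s)}
    case "$ft" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;        # empty or quoted value
        0) echo "must-change"; return 0 ;;               # pwdLastSet unset or 0
        9223372036854775807) echo "never"; return 0 ;;   # password never expires
    esac
    echo $(( ($ft / 10000000 - 11644473600 - $now) / 86400 ))
}

# Constructed stand-in for the output of the ldbsearch command in the thread.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131479598790000000

# returned 1 records
EOF
}

user=$(strip_domain 'HPRS\mark')
if valid_account "$user"; then
    echo "${user}: $(days_until_expiry "$(sample_ldif | extract_expiry)" 1486644000)"
fi
```

A negative result means the password has already expired; shell division truncates toward zero, so less than one day either side of expiry reports 0.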
On Sat, 25 Mar 2017 18:28:37 +0000 Rowland Penny wrote:
>
> On Sat, 25 Mar 2017 14:11:00 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > For a given Samba4 AD user, how do I determine the number of days until
> > the password expires?
> >
> > --Mark
> >
>
> This was raised some time ago, try searching the list archives, but it
> basically revolves around the 'msDS-UserPasswordExpiryTimeComputed'
> attribute.
>
> Rowland

Yes, and thank you for that tip to search for msDS-UserPasswordExpiryTimeComputed. I've changed my subject line to be the same as the other in that thread.

I found and tried the scripts discussed. It works perfectly ... on the AD/DC host. I need it to work on a domain member. The command: `samba -b` run on the domain members does indeed return PRIVATE_DIR, in my case /var/lib/samba/private. But,

ldbsearch --url="/var/lib/samba/private/sam.ldb" -b "DC=hprs,DC=local" -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=mark))" msDS-UserPasswordExpiryTimeComputed

returns 0 records. Certainly because the --url refers to the PRIVATE_DIR on the domain server, not the domain member. Using mail:/var/lib/... or mail.hprs.local:/var/lib/... and a few other variations I could think of did not work.

So, how do I get msDS-UserPasswordExpiryTimeComputed from a domain member?

Thanks --Mark
Rowland Penny
2017-Mar-26 08:20 UTC
[Samba] Users list and the date the password will expire
On Sun, 26 Mar 2017 00:16:13 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> ldbsearch --url="/var/lib/samba/private/sam.ldb" -b
> "DC=hprs,DC=local" -s sub
> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=mark))"
> msDS-UserPasswordExpiryTimeComputed
>
> returns 0 records. Certainly because the --url refers to the
> PRIVATE_DIR on the domain server, not the domain member. using
> mail:/var/lib/... or mail.hprs.local:/var/lib/... and a few other
> variations I could think of did not work.
>
> So, how do I get msDS-UserPasswordExpiryTimeComputed from a domain
> member?
>

Try this:

ldbsearch --url=ldap://A_DC_HOSTNAME -b "DC=hprs,DC=local" -s sub "(&(sAMAccountType=805306368)(sAMAccountName=mark))" msDS-UserPasswordExpiryTimeComputed

Replace 'A_DC_HOSTNAME' with your DC's short hostname.

Rowland