samba - Mar 2017 - Users list and the date the password will expire

On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> >
> > On Sun, 26 Mar 2017 14:32:53 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> >
> > > as root:
> > > 
> > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s
sub
> > >
"(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > msDS-UserPasswordExpiryTimeComputed
> > > 
> > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020:
> > > Operation unavailable without authentication> <>
> > > 
> > > When I added `-U user%pass` it worked. I don't suppose there
is a way
> > > to NOT specify the password? I'd rather not have to propigate
the
> > > domain administrator's password among all the domain members
(-N did
> > > not work).
> > > 
> > > Thanks --Mark
> > > 
> >
> > Sorry, forgot about the required authentication, try it with
'-P'
> > without '-U administrator'
> >
> > Rowland
>
> Great! That did it. Final command:
>
> ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub
"(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-UserPasswordExpiryTimeComputed
>
Not quite where I need to be.  The above with the -P option works on the domain
member when
logged in as root.  I had planned on interecepting the lightDM login program to
incorporate
this, but in fact I have no idea what that is or where to find it. 

So, next idea is to run a script when the user logs in to inform him/her of a
pending
expiration.  The -P option does not work for a non-root user.  I can get the
info I need using
-U id%pw, but again, I'd need to have each user's password for this. 

Is there a way a user can run ldbsearch ... without specifying a password?

Is ldbsearch the only way to get a user's expiryTime?

Thanks, --Mark

On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> >
> > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > >
> > > On Sun, 26 Mar 2017 14:32:53 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > >
> > > > as root:
> > > > 
> > > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local"
-s sub
> > > >
"(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > > msDS-UserPasswordExpiryTimeComputed
> > > > 
> > > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020:
> > > > Operation unavailable without authentication> <>
> > > > 
> > > > When I added `-U user%pass` it worked. I don't suppose
there is a way
> > > > to NOT specify the password? I'd rather not have to
propigate the
> > > > domain administrator's password among all the domain
members (-N did
> > > > not work).
> > > > 
> > > > Thanks --Mark
> > > > 
> > >
> > > Sorry, forgot about the required authentication, try it with
'-P'
> > > without '-U administrator'
> > >
> > > Rowland
> >
> > Great! That did it. Final command:
> >
> > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub
"(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-UserPasswordExpiryTimeComputed
> >
>
> Not quite where I need to be.  The above with the -P option works on the
domain member when
> logged in as root.  I had planned on interecepting the lightDM login
program to incorporate
> this, but in fact I have no idea what that is or where to find it. 
>
> So, next idea is to run a script when the user logs in to inform him/her of
a pending
> expiration.  The -P option does not work for a non-root user.  I can get
the info I need using
> -U id%pw, but again, I'd need to have each user's password for
this.
>
> Is there a way a user can run ldbsearch ... without specifying a password?
>
> Is ldbsearch the only way to get a user's expiryTime?
>
> Thanks, --Mark
>
I figured out a way to have a normal user authenticate with ldbsearch. Instead
of -P use: -k yes

I've gone ahead and listed my resulting script below.  This script is run
when the user logs in
which is defined in KDE: System Settings > Startup and Shutdown >
Autostart.  Hopefully, this
script can be of some use to people who want a Windows-like notification of a
expiring AD user
password and the opportunity to change the password. 

--Mark

#!/bin/bash
#
# Check for and permit changing of Expiring Password
#

warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE

expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local"
-k yes -s sub
"(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-UserPasswordExpiryTimeComputed | \
  grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`

expireDate=$((($expireTime/10000000)-11644473600))
today=`date +%s`
togo=$((($expireDate-$today)/86400))

if [ $togo -gt $warnDays ]; then exit 0; fi	# no warning yet

IMAGE=/user/util/bin/pw1.png  # this is just a generic silhouette of a user

TITLE="Change Expiring Password"

if [ "$togo" = 0 ]
then
    MSG="Your password expires today.\nConsider changing your
password."
else
    MSG="Your password expires in $togo days.\nConsider changing your
password."
fi

badPW=0

while [ 1 = 1 ]
do
    pw=`yad --form --on-top --center --timeout=300 --timeout-indicator=top
--separator="~" \
        --image "$IMAGE" --image-on-top --title "$TITLE" \
        --text="$MSG" \
        --align=right \
        --field="Enter current password:H" \
        --field="Enter new password:H" \
        --field="Confirm Password:H"`

    pwOrg=`echo "$pw" | cut "-d~" -f1`
    pw1=`echo "$pw" | cut "-d~" -f2`
    pw2=`echo "$pw" | cut "-d~" -f3`

    if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [
-z "$pw2" ]; then exit 0; fi  # user canceled

    if [ "$pw1" != "$pw2" ]
    then
        MSG="Sorry, passwords do no match. Try again."
        continue
    fi

    if [ -z "$pwOrg" ]
    then
        MSG="CURRENT PASSWORD REQUIRED!"
        continue
    fi

    ntlm_auth --username=$USER --password="$pwOrg" > /dev/null
2>&1
    rc=$?

    if [ "$rc" != 0 ]
    then
        badPW=$[ $badPW + 1 ]
        if [ $badPW -gt 2 ]; then exit -1; fi   # only permit 3 tries
        MSG="WRONG CURRENT PASSWORD. Try again."
        continue
    fi

    if [ ${#pw1} -lt 8 ]
    then
        MSG="Password length must be at least 8 characters."
        continue
    fi

    # Verify Complexity: at least 1 of: upper case, lower case, number,
punctuation. No spaces.

    cnt=0
    x=$(echo "$pw1" | grep '[A-Z]')
    if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

    x=$(echo "$pw1" | grep '[a-z]')
    if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

    x=$(echo "$pw1" | grep '[0-9]')
    if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

    x=$(echo "$pw1" | tr -d '[:alnum:]')
    if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

    if [ $cnt -lt 3 ]
    then
        MSG="Password must have 3 of the following: upper case, lower case,
number, punctuation."
        continue
    fi

    if [ "$pw1" = "$pwOrg" ]
    then
        MSG="You cannot use your previous password. Think of something
new."
        continue
    fi

    break
done

# CHANGE PASSWORD

samba-tool user password --oldpassword="${pwOrg}"
--newpassword="${pw1}" >/dev/null 2>&1
status="$?"

if [ "$status" == "0" ]; then
    yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Successfully changed password for $USER in AD."
else
    yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Error changing password for $USER in AD."
fi

exit $status

Matt - thanks for the tip on passwdqc. That is not installed by default on
Slackware, but it is
in the SlackBuilds repository. I'll install it and check it out.

On Mon, 27 Mar 2017 13:32:53 -0400 Matt Savin wrote:
>
> Hello Mark,
>
> Thank you for sharing! I would probably replace password length and
> complexity check with:
>
> if [[ $(echo -e "$pw1\n$pwOrg\n$USER"| \
>     pwqcheck min=disabled,disabled,disabled,8,8 max=20 match=4) \
>     == OK && $? -eq 0 ]]; then echo yes; fi
>
> Cons: depends on passwdqc package, which is part of most distributions.
> Pros: does substring matching.
>
> Regards,
> Matt
>
> On Mon, Mar 27, 2017 at 11:54 AM, Mark Foley via samba <
> samba at lists.samba.org> wrote:
>
> > On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
> > >
> > > On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> > > >
> > > > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > > > >
> > > > > On Sun, 26 Mar 2017 14:32:53 -0400
> > > > > Mark Foley via samba <samba at lists.samba.org>
wrote:
> > > > >
> > > > >
> > > > > > as root:
> > > > > >
> > > > > > ldbsearch --url=ldap://mail -b
"DC=hprs,DC=local" -s sub
> > > > > >
"(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > > > > msDS-UserPasswordExpiryTimeComputed
> > > > > >
> > > > > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR
-  <00002020:
> > > > > > Operation unavailable without authentication>
<>
> > > > > >
> > > > > > When I added `-U user%pass` it worked. I don't
suppose there is a
> > way
> > > > > > to NOT specify the password? I'd rather not
have to propigate the
> > > > > > domain administrator's password among all the
domain members (-N
> > did
> > > > > > not work).
> > > > > >
> > > > > > Thanks --Mark
> > > > > >
> > > > >
> > > > > Sorry, forgot about the required authentication, try it
with '-P'
> > > > > without '-U administrator'
> > > > >
> > > > > Rowland
> > > >
> > > > Great! That did it. Final command:
> > > >
> > > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local"
-P -s sub
> > "(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-
> > UserPasswordExpiryTimeComputed
> > > >
> > >
> > > Not quite where I need to be.  The above with the -P option works
on the
> > domain member when
> > > logged in as root.  I had planned on interecepting the lightDM
login
> > program to incorporate
> > > this, but in fact I have no idea what that is or where to find
it.
> > >
> > > So, next idea is to run a script when the user logs in to inform
him/her
> > of a pending
> > > expiration.  The -P option does not work for a non-root user.  I
can get
> > the info I need using
> > > -U id%pw, but again, I'd need to have each user's
password for this.
> > >
> > > Is there a way a user can run ldbsearch ... without specifying a
> > password?
> > >
> > > Is ldbsearch the only way to get a user's expiryTime?
> > >
> > > Thanks, --Mark
> > >
> >
> > I figured out a way to have a normal user authenticate with ldbsearch.
> > Instead of -P use: -k yes
> >
> > I've gone ahead and listed my resulting script below.  This script
is run
> > when the user logs in
> > which is defined in KDE: System Settings > Startup and Shutdown
>
> > Autostart.  Hopefully, this
> > script can be of some use to people who want a Windows-like
notification
> > of a expiring AD user
> > password and the opportunity to change the password.
> >
> > --Mark
> >
> > #!/bin/bash
> > #
> > # Check for and permit changing of Expiring Password
> > #
> >
> > warnDays=8
> >
> > # CHECK FOR PASSWORD ABOUT TO EXPIRE
> >
> > expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b
"DC=hprs,DC=local" -k
> > yes -s sub
"(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-UserPasswordExpiryTimeComputed
> > | \
> >   grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`
> >
> > expireDate=$((($expireTime/10000000)-11644473600))
> > today=`date +%s`
> > togo=$((($expireDate-$today)/86400))
> >
> > if [ $togo -gt $warnDays ]; then exit 0; fi     # no warning yet
> >
> > IMAGE=/user/util/bin/pw1.png  # this is just a generic silhouette of a
user
> >
> > TITLE="Change Expiring Password"
> >
> > if [ "$togo" = 0 ]
> > then
> >     MSG="Your password expires today.\nConsider changing your
password."
> > else
> >     MSG="Your password expires in $togo days.\nConsider changing
your
> > password."
> > fi
> >
> > badPW=0
> >
> > while [ 1 = 1 ]
> > do
> >     pw=`yad --form --on-top --center --timeout=300
--timeout-indicator=top
> > --separator="~" \
> >         --image "$IMAGE" --image-on-top --title
"$TITLE" \
> >         --text="$MSG" \
> >         --align=right \
> >         --field="Enter current password:H" \
> >         --field="Enter new password:H" \
> >         --field="Confirm Password:H"`
> >
> >     pwOrg=`echo "$pw" | cut "-d~" -f1`
> >     pw1=`echo "$pw" | cut "-d~" -f2`
> >     pw2=`echo "$pw" | cut "-d~" -f3`
> >
> >     if [ -z "$pwOrg" ] && [ -z "$pw1" ]
&& [ -z "$pw2" ]; then exit 0; fi
> > # user canceled
> >
> >     if [ "$pw1" != "$pw2" ]
> >     then
> >         MSG="Sorry, passwords do no match. Try again."
> >         continue
> >     fi
> >
> >     if [ -z "$pwOrg" ]
> >     then
> >         MSG="CURRENT PASSWORD REQUIRED!"
> >         continue
> >     fi
> >
> >     ntlm_auth --username=$USER --password="$pwOrg" >
/dev/null 2>&1
> >     rc=$?
> >
> >     if [ "$rc" != 0 ]
> >     then
> >         badPW=$[ $badPW + 1 ]
> >         if [ $badPW -gt 2 ]; then exit -1; fi   # only permit 3 tries
> >         MSG="WRONG CURRENT PASSWORD. Try again."
> >         continue
> >     fi
> >
> >     if [ ${#pw1} -lt 8 ]
> >     then
> >         MSG="Password length must be at least 8 characters."
> >         continue
> >     fi
> >
> >     # Verify Complexity: at least 1 of: upper case, lower case,
number,
> > punctuation. No spaces.
> >
> >     cnt=0
> >     x=$(echo "$pw1" | grep '[A-Z]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     x=$(echo "$pw1" | grep '[a-z]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     x=$(echo "$pw1" | grep '[0-9]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     x=$(echo "$pw1" | tr -d '[:alnum:]')
> >     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> >
> >     if [ $cnt -lt 3 ]
> >     then
> >         MSG="Password must have 3 of the following: upper case,
lower
> > case, number, punctuation."
> >         continue
> >     fi
> >
> >     if [ "$pw1" = "$pwOrg" ]
> >     then
> >         MSG="You cannot use your previous password. Think of
something
> > new."
> >         continue
> >     fi
> >
> >     break
> > done
> >
> > # CHANGE PASSWORD
> >
> > samba-tool user password --oldpassword="${pwOrg}"
--newpassword="${pw1}"
> > >/dev/null 2>&1
> > status="$?"
> >
> > if [ "$status" == "0" ]; then
> >     yad --title "$TITLE" \
> >     --center \
> >     --button="gtk-ok:0" \
> >     --text="Successfully changed password for $USER in AD."
> > else
> >     yad --title "$TITLE" \
> >     --center \
> >     --button="gtk-ok:0" \
> >     --text="Error changing password for $USER in AD."
> > fi
> >
> > exit $status
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >

On Mon, 27 Mar 2017 11:54:56 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
> >
> > On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> > >
> > > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > > >
> > > > Sorry, forgot about the required authentication, try it with
'-P'
> > > > without '-U administrator'
> > > >
> > > > Rowland
> > >
> > > Great! That did it. Final command:
> > >
> > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s
sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-UserPasswordExpiryTimeComputed
> >
> > Not quite where I need to be.  The above with the -P option works on
the domain member when
> > logged in as root.  I had planned on interecepting the lightDM login
program to incorporate
> > this, but in fact I have no idea what that is or where to find it. 
> >
> > Is there a way a user can run ldbsearch ... without specifying a
password?
> >
> > Is ldbsearch the only way to get a user's expiryTime?
> >
>
> I figured out a way to have a normal user authenticate with ldbsearch.
Instead of -P use: -k yes
>
It seems like there is no endpoint to this problem! After changing user
'mark's password, the
ldbsearch no longer works with the -k yes parameter:

$ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s
sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
msDS-UserPasswordExpiryTimeComputed
Password for [HPRS\mark]:

I am now prompted for a password. How do I fix this?

Thanks --Mark