On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
>
> > On Sun, 26 Mar 2017 14:32:53 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > as root:
> > >
> > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> > > "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > msDS-UserPasswordExpiryTimeComputed
> > >
> > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > > Operation unavailable without authentication> <>
> > >
> > > When I added `-U user%pass` it worked. I don't suppose there is a way
> > > to NOT specify the password? I'd rather not have to propagate the
> > > domain administrator's password among all the domain members (-N did
> > > not work).
> > >
> > > Thanks --Mark
> >
> > Sorry, forgot about the required authentication, try it with '-P'
> > without '-U administrator'
> >
> > Rowland
>
> Great! That did it. Final command:
>
> ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed

Not quite where I need to be. The above with the -P option works on the domain member when
logged in as root. I had planned on intercepting the lightDM login program to incorporate
this, but in fact I have no idea what that is or where to find it.

So, next idea is to run a script when the user logs in to inform him/her of a pending
expiration. The -P option does not work for a non-root user. I can get the info I need using
-U id%pw, but again, I'd need to have each user's password for this.

Is there a way a user can run ldbsearch ... without specifying a password?

Is ldbsearch the only way to get a user's expiryTime?

Thanks, --Mark
On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
> Not quite where I need to be. The above with the -P option works on the domain member when
> logged in as root. I had planned on intercepting the lightDM login program to incorporate
> this, but in fact I have no idea what that is or where to find it.
>
> So, next idea is to run a script when the user logs in to inform him/her of a pending
> expiration. The -P option does not work for a non-root user. I can get the info I need using
> -U id%pw, but again, I'd need to have each user's password for this.
>
> Is there a way a user can run ldbsearch ... without specifying a password?
>
> Is ldbsearch the only way to get a user's expiryTime?
>
> Thanks, --Mark

I figured out a way to have a normal user authenticate with ldbsearch.
Instead of -P use: -k yes

I've gone ahead and listed my resulting script below. This script is run when the user logs in,
which is defined in KDE: System Settings > Startup and Shutdown > Autostart. Hopefully, this
script can be of some use to people who want a Windows-like notification of an expiring AD user
password and the opportunity to change the password.

--Mark

#!/bin/bash
#
# Check for and permit changing of Expiring Password
#
# Run at login (KDE Autostart). The DC query uses the user's own Kerberos
# ticket from the login session (-k yes), so no password is stored anywhere.

warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE

expireTime=$(/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub \
    "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
    grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}')

# If the lookup failed (no ticket, DC unreachable) expireTime is empty and the
# arithmetic below would abort with an error; just skip the warning instead.
if [ -z "$expireTime" ]; then exit 0; fi

# The attribute is a Windows FILETIME (100-ns intervals since 1601-01-01);
# convert it to Unix epoch seconds before comparing with date +%s.
expireDate=$(( expireTime / 10000000 - 11644473600 ))
today=$(date +%s)
togo=$(( (expireDate - today) / 86400 ))

if [ "$togo" -gt "$warnDays" ]; then exit 0; fi   # no warning yet

IMAGE=/user/util/bin/pw1.png   # this is just a generic silhouette of a user

TITLE="Change Expiring Password"

if [ "$togo" -lt 0 ]
then
    MSG="Your password has expired.\nYou must change your password."
elif [ "$togo" -eq 0 ]
then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi

badPW=0

while true
do
    pw=$(yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
        --image "$IMAGE" --image-on-top --title "$TITLE" \
        --text="$MSG" \
        --align=right \
        --field="Enter current password:H" \
        --field="Enter new password:H" \
        --field="Confirm Password:H")

    # yad joins the fields with '~'; printf rather than echo so a value that
    # starts with '-n' or '-e' is not eaten by echo. (A '~' inside a password
    # would still be split, so pick a separator your policy never allows.)
    pwOrg=$(printf '%s\n' "$pw" | cut -d~ -f1)
    pw1=$(printf '%s\n' "$pw" | cut -d~ -f2)
    pw2=$(printf '%s\n' "$pw" | cut -d~ -f3)

    # user canceled, or the dialog timed out (yad prints nothing)
    if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi

    if [ "$pw1" != "$pw2" ]
    then
        MSG="Sorry, passwords do not match. Try again."
        continue
    fi

    if [ -z "$pwOrg" ]
    then
        MSG="CURRENT PASSWORD REQUIRED!"
        continue
    fi

    # Verify the current password with winbind. Note that --password puts it
    # on the command line, where it is briefly visible in ps on this host.
    ntlm_auth --username="$USER" --password="$pwOrg" > /dev/null 2>&1
    rc=$?

    if [ "$rc" -ne 0 ]
    then
        badPW=$(( badPW + 1 ))
        if [ "$badPW" -gt 2 ]; then exit 1; fi   # only permit 3 tries
        MSG="WRONG CURRENT PASSWORD. Try again."
        continue
    fi

    if [ ${#pw1} -lt 8 ]
    then
        MSG="Password length must be at least 8 characters."
        continue
    fi

    # Verify Complexity: at least 3 of: upper case, lower case, number, punctuation. No spaces.
    # (The DC enforces its own policy as well; the password change fails if that is stricter.)

    case "$pw1" in
        *" "*) MSG="Password must not contain spaces."; continue ;;
    esac

    cnt=0
    printf '%s\n' "$pw1" | grep -q '[A-Z]' && cnt=$(( cnt + 1 ))
    printf '%s\n' "$pw1" | grep -q '[a-z]' && cnt=$(( cnt + 1 ))
    printf '%s\n' "$pw1" | grep -q '[0-9]' && cnt=$(( cnt + 1 ))
    [ -n "$(printf '%s' "$pw1" | tr -d '[:alnum:]')" ] && cnt=$(( cnt + 1 ))   # any non-alphanumeric

    if [ "$cnt" -lt 3 ]
    then
        MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
        continue
    fi

    if [ "$pw1" = "$pwOrg" ]
    then
        MSG="You cannot use your previous password. Think of something new."
        continue
    fi

    break
done

# CHANGE PASSWORD
# Runs with the logged-in user's own credentials, like the lookup above. Both
# passwords are passed as arguments and so are briefly visible in ps.

samba-tool user password --oldpassword="${pwOrg}" --newpassword="${pw1}" >/dev/null 2>&1
status=$?

if [ "$status" -eq 0 ]; then
    yad --title "$TITLE" \
        --center \
        --button="gtk-ok:0" \
        --text="Successfully changed password for $USER in AD."
else
    yad --title "$TITLE" \
        --center \
        --button="gtk-ok:0" \
        --text="Error changing password for $USER in AD."
fi

exit "$status"
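The expiry arithmetic in the script above is the part most likely to misbehave on accounts that are not the common case, so here is an added example (not Mark's script and not Samba code) that isolates it: it parses the LDIF that ldbsearch prints for msDS-UserPasswordExpiryTimeComputed, converts the Windows FILETIME to days remaining, and handles the values the attribute can carry besides an ordinary timestamp. It goes beyond the script in treating 9223372036854775807 (0x7FFFFFFFFFFFFFFF, which AD returns when the password never expires) and 0 (returned when pwdLastSet is 0, i.e. the password must be changed) as sentinels, and an empty value (the lookup failed, e.g. no Kerberos ticket) as "unknown". The LDIF record, the dn CN=mark,CN=Users,DC=hprs,DC=local and the fixed "now" timestamp are constructed for the example, not taken from the thread.

```shell
#!/bin/bash
# Added example (not the login script above and not Samba code): parse the
# LDIF that ldbsearch prints for msDS-UserPasswordExpiryTimeComputed and turn
# the Windows FILETIME into "days until expiry", handling the special values
# the attribute can carry. The sample LDIF and the fixed "now" are constructed
# so the script runs offline and reproducibly.

NEVER_EXPIRES=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: password never expires
EPOCH_DIFF=11644473600              # seconds from 1601-01-01 to 1970-01-01

# Read LDIF on stdin, print the attribute value (nothing if it is absent).
expiry_from_ldif() {
    awk -F': ' '$1 == "msDS-UserPasswordExpiryTimeComputed" { print $2 }'
}

# FILETIME (100 ns ticks since 1601) -> Unix epoch seconds, truncated.
filetime_to_unix() {
    echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# days_to_expiry FILETIME NOW_EPOCH
# prints "unknown" (exit 1) when the attribute was missing, e.g. because
#        ldbsearch failed for lack of a Kerberos ticket;
#        "never"   for the 0x7FFFFFFFFFFFFFFF sentinel;
#        "expired" for 0 (pwdLastSet is 0) or a time already in the past;
#        N         whole days left otherwise.
days_to_expiry() {
    local ft=$1 now=$2 exp
    if [ -z "$ft" ]; then echo "unknown"; return 1; fi
    if [ "$ft" -eq "$NEVER_EXPIRES" ]; then echo "never"; return 0; fi
    if [ "$ft" -eq 0 ]; then echo "expired"; return 0; fi
    exp=$(filetime_to_unix "$ft")
    if [ "$exp" -le "$now" ]; then echo "expired"; return 0; fi
    echo $(( (exp - now) / 86400 ))
}

# Constructed sample (not real output from the thread): a record for a user
# whose password expires on 2017-04-01 00:00:00 UTC (FILETIME 131354784000000000).
SAMPLE_LDIF='# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131354784000000000

# returned 1 records'
NOW=1490572800   # 2017-03-27 00:00:00 UTC, fixed so the result is reproducible

# Wire the pieces together the way a login script would on real ldbsearch output.
check_sample() {
    local ft
    ft=$(printf '%s\n' "$SAMPLE_LDIF" | expiry_from_ldif)
    days_to_expiry "$ft" "$NOW"
}

check_sample   # -> 5
```

In the login script the pipeline would be `ft=$(ldbsearch ... -k yes ... | expiry_from_ldif)` followed by `days_to_expiry "$ft" "$(date +%s)"`, and the caller branches on "unknown", "never" and "expired" before doing any arithmetic; "unknown" is the case to log rather than silently skip, since it usually means the user's ticket is gone.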
Matt - thanks for the tip on passwdqc. That is not installed by default on Slackware, but it is in the SlackBuilds repository. I'll install it and check it out.

On Mon, 27 Mar 2017 13:32:53 -0400 Matt Savin wrote:
> Hello Mark,
>
> Thank you for sharing! I would probably replace password length and
> complexity check with:
>
> if [[ $(echo -e "$pw1\n$pwOrg\n$USER"| \
>     pwqcheck min=disabled,disabled,disabled,8,8 max=20 match=4) \
>     == OK && $? -eq 0 ]]; then echo yes; fi
>
> Cons: depends on passwdqc package, which is part of most distributions.
> Pros: does substring matching.
>
> Regards,
> Matt
On Mon, 27 Mar 2017 11:54:56 -0400 Mark Foley wrote:
> On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
>
> > On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> >
> > > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > >
> > > > Sorry, forgot about the required authentication, try it with '-P'
> > > > without '-U administrator'
> > > >
> > > > Rowland
> > >
> > > Great! That did it. Final command:
> > >
> > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
> >
> > Not quite where I need to be. The above with the -P option works on the domain member when
> > logged in as root. I had planned on intercepting the lightDM login program to incorporate
> > this, but in fact I have no idea what that is or where to find it.
> >
> > Is there a way a user can run ldbsearch ... without specifying a password?
> >
> > Is ldbsearch the only way to get a user's expiryTime?
>
> I figured out a way to have a normal user authenticate with ldbsearch. Instead of -P use: -k yes

It seems like there is no endpoint to this problem! After changing user 'mark's password, the ldbsearch no longer works with the -k yes parameter:

$ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
Password for [HPRS\mark]:

I am now prompted for a password. How do I fix this?

Thanks --Mark