On Mon, 27 Mar 2017 11:54:56 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 20:51:26 -0400 Mark Foley wrote:
> >
> > On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
> > >
> > > On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> > > >
> > > > Sorry, forgot about the required authentication, try it with '-P'
> > > > without '-U administrator'
> > > >
> > > > Rowland
> > >
> > > Great! That did it. Final command:
> > >
> > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
> >
> > Not quite where I need to be. The above with the -P option works on the domain member when
> > logged in as root. I had planned on intercepting the lightDM login program to incorporate
> > this, but in fact I have no idea what that is or where to find it.
> >
> > Is there a way a user can run ldbsearch ... without specifying a password?
> >
> > Is ldbsearch the only way to get a user's expiryTime?
> >
>
> I figured out a way to have a normal user authenticate with ldbsearch. Instead of -P use: -k yes
>

It seems like there is no endpoint to this problem! After changing user 'mark's password, the ldbsearch no longer works with the -k yes parameter:

$ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
Password for [HPRS\mark]:

I am now prompted for a password. How do I fix this?

Thanks --Mark

Rowland Penny
2017-Mar-28 15:48 UTC
[Samba] Users list and the date the password will expire
On Tue, 28 Mar 2017 11:23:23 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> It seems like there is no endpoint to this problem! After changing
> user 'mark's password, the ldbsearch no longer works with the -k yes
> parameter:
>
> $ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes
> -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
> msDS-UserPasswordExpiryTimeComputed Password for [HPRS\mark]:
>
> I am now prompted for a password. How do I fix this?
>
> Thanks --Mark
>

Didn't you get my offlist message ?

Rowland

On Tue, 28 Mar 2017 16:48:24 +0100 Rowland Penny wrote:
>
> On Tue, 28 Mar 2017 11:23:23 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > It seems like there is no endpoint to this problem! After changing
> > user 'mark's password, the ldbsearch no longer works with the -k yes
> > parameter:
> >
> > $ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes
> > -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
> > msDS-UserPasswordExpiryTimeComputed Password for [HPRS\mark]:
> >
> > I am now prompted for a password. How do I fix this?
> >
> > Thanks --Mark
> >
>
> Didn't you get my offlist message ?

Yes, I did get it, but due to labyrinthine .procmailrc settings, it did not go to the mailbox in which I normally read the sambalist messages!

Checking my offline mailbox ... in that email, you suggest (expanded):

$ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
Enter 's password:

So, it *still* asks for a password, and the user's ID in the prompt is empty (from the empty -U?). If I leave off the -U it asks for mark's password. Am I doing something wrong?

Once I enter the password, the rest of your script ultimately does get me the "Password must change Time". BUT ... I need to enter the user's password! (neither -k nor -N work)

Back to the original method, why would

/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes ...

work until I changed the user's domain password? Is there some way to get kerberos to "refresh" the user's info so the -k works again? This might also help with your rpcclient suggestion.

I'm posting this both to the regular sambalist and back to you, so if you want to continue responding offlist, I'll check that list hereafter.

THX --Mark
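
Added example, not part of any message in this thread: a shell sketch that turns the msDS-UserPasswordExpiryTimeComputed value returned by the ldbsearch command above into a readable expiry status. The function names, the sample LDIF (including its DN and value) and the pinned "now" are constructed for illustration; it does not address how the search authenticates.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes msDS-UserPasswordExpiryTimeComputed,
# a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.

# Constructed sample of the LDIF that ldbsearch prints; the DN and value are made up.
SAMPLE_LDIF='# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131365152000000000

# returned 1 records'

# Read LDIF on stdin, print the first expiry value found (prints nothing if absent).
expiry_filetime() {
    awk -F': ' '$1 == "msDS-UserPasswordExpiryTimeComputed" { print $2; exit }'
}

# FILETIME -> Unix epoch seconds (11644473600 s separate 1601-01-01 from 1970-01-01).
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# $1 = FILETIME, $2 = "now" in epoch seconds (defaults to the current time).
# 0 means pwdLastSet is unset/0; 0x7FFFFFFFFFFFFFFF means no expiry applies.
describe_expiry() {
    de_ft=$1
    de_now=${2:-$(date +%s)}
    case "$de_ft" in
        ''|*[!0-9]*) echo "no expiry value returned"; return 1 ;;
        0) echo "password change required at next logon"; return 0 ;;
        9223372036854775807) echo "password never expires"; return 0 ;;
    esac
    de_exp=$(filetime_to_epoch "$de_ft")
    if [ "$de_exp" -le "$de_now" ]; then
        echo "password expired"
    else
        echo "password expires in $(( (de_exp - de_now) / 86400 )) day(s)"
    fi
}

# Demo on the constructed sample, with "now" pinned to 2017-03-28 00:00:00 UTC.
# In real use, pipe the thread's ldbsearch command into expiry_filetime instead.
describe_expiry "$(printf '%s\n' "$SAMPLE_LDIF" | expiry_filetime)" 1490659200
```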