On Tue, 28 Mar 2017 16:48:24 +0100 Rowland Penny wrote:
>
> On Tue, 28 Mar 2017 11:23:23 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > It seems like there is no endpoint to this problem! After changing
> > user 'mark's password, the ldbsearch no longer works with the -k yes
> > parameter:
> >
> > $ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes
> > -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
> > msDS-UserPasswordExpiryTimeComputed
> > Password for [HPRS\mark]:
> >
> > I am now prompted for a password. How do I fix this?
> >
> > Thanks --Mark
> >
>
> Didn't you get my offlist message?

Yes, I did get it, but due to labyrinthine .procmailrc settings, it did not go to the mailbox in which I normally read the sambalist messages!

Checking my offline mailbox ... in that email, you suggest (expanded):

$ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
Enter 's password:

So, it *still* asks for a password, and the user's ID in the prompt is empty (from the empty -U?). If I leave off the -U it asks for mark's password.

Am I doing something wrong?

Once I enter the password, the rest of your script ultimately does get me the "Password must change Time". BUT ... I need to enter the user's password! (neither -k nor -N work)

Back to the original method, why would

/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes ...

work until I changed the user's domain password? Is there some way to get kerberos to "refresh" the user's info so the -k works again? This might also help with your rpcclient suggestion.

I'm posting this both to the regular sambalist and back to you, so if you want to continue responding offlist, I'll check that list hereafter.

THX --Mark
Rowland Penny
2017-Mar-29 17:59 UTC
[Samba] Users list and the date the password will expire
On Wed, 29 Mar 2017 12:41:46 -0400
Mark Foley <mfoley at ohprs.org> wrote:

> Yes, I did get it, but due to labyrinthine .procmailrc settings, it
> did not go to the mailbox in which I normally read the sambalist
> messages!
>
> Checking my offline mailbox ... in that email, you suggest (expanded):
>
> $ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
> Enter 's password:
>
> So, it *still* asks for a password, and the user's ID in the prompt
> is empty (from the empty -U?). If I leave off the -U it asks for
> mark's password.
>
> Am I doing something wrong?

Yes, you are running the script on the command line ;-)

> Once I enter the password, the rest of your script ultimately does
> get me the "Password must change Time". BUT ... I need to enter the
> user's password! (neither -k nor -N work)

If you use the script as I suggested, it works without entering the password. OK, that isn't really true: when you log in, you enter the password and this gets passed (along with the username) to the script.

It works on the Mate desktop and I think that KDE uses a similar setup, but it does rely on PAM.

Rowland
On Wed, 29 Mar 2017 18:59:40 +0100 Rowland Penny wrote:
>
> On Wed, 29 Mar 2017 12:41:46 -0400
> Mark Foley <mfoley at ohprs.org> wrote:
>
> > Yes, I did get it, but due to labyrinthine .procmailrc settings, it
> > did not go to the mailbox in which I normally read the sambalist
> > messages!
> >
> > Checking my offline mailbox ... in that email, you suggest (expanded):
> >
> > $ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
> > Enter 's password:
> >
> > So, it *still* asks for a password, and the user's ID in the prompt
> > is empty (from the empty -U?). If I leave off the -U it asks for
> > mark's password.
> >
> > Am I doing something wrong?
>
> Yes, you are running the script on the command line ;-)
>
> > Once I enter the password, the rest of your script ultimately does
> > get me the "Password must change Time". BUT ... I need to enter the
> > user's password! (neither -k nor -N work)
>
> If you use the script as I suggested, it works without entering the
> password. OK, that isn't really true, when you login, you enter the
> password and this gets passed (along with the username) to the script.
>
> It works on the Mate desktop and I think that KDE uses a similar
> setup, but it does rely on PAM.
>
> Rowland

Yes, that script worked when run from the .desktop. Also interesting to note that running:

ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes ...

and

rpcclient -k -c "queryuser 1111" mail

are now working again with the -k option.

So, in the interest of "teaching a man to fish", I have a few follow-up questions:

1. I ran the successful `ldbsearch -k` *after* logging in with the expiry-date.desktop configured. Did my running that notify-pass-expiry script *cause* the kerberos option on the ldbsearch/rpcclient to start working? In other words, did running the notify-pass-expiry script cause kerberos to somehow refresh tickets (or whatever) for this user?

2. If not, why did -k start working today? Is there some refresh/cache/lease interval at work?

3. You say, "when you login, you enter the password and this gets passed (along with the username) to the script". Is this a feature of .desktop? Why would the password get passed to the script via this mechanism and not via the command line? Is there a man page on this somewhere or is this "legend around the digital campfire" stuff?

THX, your solutions are invaluable. I can't imagine anyone getting a decent domain member workstation up without them.

--Mark
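The thread turns on two things: `ldbsearch -k yes` only avoids the password prompt while the user's Kerberos credential cache holds a usable ticket, and the value the query returns, msDS-UserPasswordExpiryTimeComputed, is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), not a Unix time. The script below is an added example written for this page, not Rowland's notify-pass-expiry script and not code from the Samba project. It checks the ticket cache first (MIT `klist -s`, which exits non-zero when the cache is missing or expired; Heimdal uses `klist -t` instead), runs the same ldbsearch query as the thread only when `LIVE=1`, and otherwise parses a constructed sample of ldbsearch's LDIF output so it runs offline. The DC URL, base DN and the special FILETIME values (0 for "must change now", 0x7FFFFFFFFFFFFFFF for "never expires") are assumptions taken from the thread and from how AD reports this attribute; the warning threshold is arbitrary.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumes MIT klist(1), GNU date(1)
# for pretty-printing, and the DC/base DN from the thread.

DC_URL="ldap://mail"                       # as used in the thread
BASE_DN="DC=hprs,DC=local"
ATTR="msDS-UserPasswordExpiryTimeComputed"
WARN_DAYS=14                               # arbitrary warning threshold

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_DIFF=11644473600
FILETIME_NEVER=9223372036854775807         # 0x7FFFFFFFFFFFFFFF: never expires

# Convert a FILETIME (100-ns ticks since 1601) to Unix seconds.
# Prints "never" or "expired" for the two special values AD uses.
filetime_to_epoch() {
    case "$1" in
        "$FILETIME_NEVER") echo never ;;
        0)                 echo expired ;;               # must change at next logon
        ''|*[!0-9]*)       echo "bad filetime: $1" >&2; return 1 ;;
        *)                 echo $(( $1 / 10000000 - FILETIME_EPOCH_DIFF )) ;;
    esac
}

# Whole days from $2 (default: now) until Unix time $1; negative if already past.
days_until() {
    now=${2:-$(date +%s)}
    echo $(( ($1 - now) / 86400 ))
}

# Pull the attribute value out of ldbsearch's LDIF output on stdin.
expiry_from_ldif() {
    awk -v a="$ATTR:" '$1 == a { print $2; exit }'
}

# Succeeds when the credential cache holds a valid ticket (MIT klist -s).
# This is what "-k yes" needs; without it ldbsearch falls back to a prompt.
have_tgt() {
    klist -s 2>/dev/null
}

# Live query, same filter as the thread; $1 = sAMAccountName.
query_expiry() {
    /usr/bin/ldbsearch --url="$DC_URL" -b "$BASE_DN" -k yes -s sub \
        "(&(sAMAccountType=805306368)(sAMAccountName=$1))" "$ATTR" \
        | expiry_from_ldif
}

# $1 = FILETIME value, $2 = optional "now" (Unix seconds) for reproducible output.
report() {
    epoch=$(filetime_to_epoch "$1") || return 1
    case "$epoch" in
        never)   echo "password never expires" ;;
        expired) echo "password has expired; change it now" ;;
        *)  left=$(days_until "$epoch" "${2:-}")
            when=$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null \
                   || echo "epoch $epoch")
            if [ "$left" -le "$WARN_DAYS" ]; then
                echo "WARNING: password expires in $left day(s), on $when"
            else
                echo "password expires in $left day(s), on $when"
            fi ;;
    esac
}

if [ "${LIVE:-0}" = 1 ]; then
    if ! have_tgt; then
        echo "no valid Kerberos ticket for $USER; kinit or log in again" >&2
        exit 1
    fi
    report "$(query_expiry "$USER")"
else
    # Constructed sample of ldbsearch output (FILETIME for 2017-04-28 00:00 UTC),
    # so the script runs offline.
    SAMPLE_LDIF='# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131378112000000000

# returned 1 records
# 1 entries
# 0 referrals'
    report "$(printf '%s\n' "$SAMPLE_LDIF" | expiry_from_ldif)"
fi
```

Run it as `LIVE=1 ./pw-expiry.sh` from a session that already has a ticket (after a PAM login that obtained one, or after `kinit`), and it never asks for a password; run it from a shell with an empty or stale cache and `have_tgt` fails before ldbsearch gets a chance to prompt, which is the condition the thread was hitting after the password change.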