samba - Mar 2017 - Users list and the date the password will expire

On Tue, 28 Mar 2017 16:48:24 +0100 Rowland Penny wrote:
>
> On Tue, 28 Mar 2017 11:23:23 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > It seems like there is no endpoint to this problem! After changing
> > user 'mark's password, the ldbsearch no longer works with the
-k yes
> > parameter:
> > 
> > $ /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local"
-k yes
> > -s sub
"(&(sAMAccountType=805306368)(sAMAccountName=$USER))"
> > msDS-UserPasswordExpiryTimeComputed Password for [HPRS\mark]:
> > 
> > I am now prompted for a password. How do I fix this?
> > 
> > Thanks --Mark
> > 
>
> Didn't you get my offlist message ?
Yes, I did get it, but due to labyrinthine .procmailrc settings, it did not go
to the mailbox
in which I normally read the sambalist messages!

Checking my offline mailbox ... in that email, you suggest (expanded):

$ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
Enter 's password:

So, it *still* asks for a password, and the user's ID in the prompt is empty
(from the empty
-U?). If I leave off the -U it asks for mark's password.

Am I doing something wrong?

Once I enter the password, the rest of your script ultimately does get me the
"Password must
change Time". BUT ... I need to enter the user's password! (neither -k
nor -N work)


Back to the original method, why would

/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes ...

work until I changed the user's domain password. Is there some way to get
kerberos to "refresh"
the user's info so the -k works again? This might also help with your
rpcclient suggestion.

I'm posting this both to the regular sambalist and back to you, so if you
want to continue
responding offlist, I'll check that list hereafter. 

THX --Mark

On Wed, 29 Mar 2017 12:41:46 -0400
Mark Foley <mfoley at ohprs.org> wrote:

> Yes, I did get it, but due to labyrinthine .procmailrc settings, it
> did not go to the mailbox in which I normally read the sambalist
> messages!
> 
> Checking my offline mailbox ... in that email, you suggest (expanded):
> 
> $ /usr/bin/rpcclient -U "" -c "lookupnames $USER" mail
> Enter 's password:
> 
> So, it *still* asks for a password, and the user's ID in the prompt
> is empty (from the empty -U?). If I leave off the -U it asks for
> mark's password.
> 
> Am I doing something wrong?
Yes, you are running the script on the command line ;-)
> 
> Once I enter the password, the rest of your script ultimately does
> get me the "Password must change Time". BUT ... I need to enter
the
> user's password! (neither -k nor -N work)
If you use the script as I suggested, it works without entering the
password. OK, that isn't really true, when you login, you enter the
password and this gets passed (along with the username) to the script.

It works on the Mate desktop and I think that KDE uses a similar
setup, but it does rely on PAM.

Rowland

On Wed, 29 Mar 2017 18:59:40 +0100 Rowland Penny wrote:
>
> On Wed, 29 Mar 2017 12:41:46 -0400
> Mark Foley <mfoley at ohprs.org> wrote:
>
> > Yes, I did get it, but due to labyrinthine .procmailrc settings, it
> > did not go to the mailbox in which I normally read the sambalist
> > messages!
> > 
> > Checking my offline mailbox ... in that email, you suggest (expanded):
> > 
> > $ /usr/bin/rpcclient -U "" -c "lookupnames $USER"
mail
>
> > Enter 's password:
> > 
> > So, it *still* asks for a password, and the user's ID in the
prompt
> > is empty (from the empty -U?). If I leave off the -U it asks for
> > mark's password.
> > 
> > Am I doing something wrong?
>
> Yes, you are running the script on the command line ;-)
>
> > 
> > Once I enter the password, the rest of your script ultimately does
> > get me the "Password must change Time". BUT ... I need to
enter the
> > user's password! (neither -k nor -N work)
>
> If you use the script as I suggested, it works without entering the
> password. OK, that isn't really true, when you login, you enter the
> password and this gets passed (along with the username) to the script.
>
> It works on the Mate desktop and I think that KDE uses a similar
> setup, but it does rely on PAM.
>
> Rowland
Yes, that script worked when run from the .desktop. Also interesting to note
that running:

ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes ...

and

rpcclient -k -c "queryuser 1111" mail

are now working again with the -k option. So, in the interest of "teaching
a man to fish", I
have a few follow-up questions:

1. I ran the successful `ldbsearch -k` *after* logging with the
expiry-date.desktop
configured.  Did my running that notify-pass-expiry script *cause* the kerberos
option on the
ldbsearch/rpcclient to start working? In other words did running the
notify-pass-expiry script
cause kerberos to somehow refresh tickets (or whatever) for this user?

2. If not, why did -k start working today? Is there some refresh/cache/lease
interval at work?

3. You say, "when you login, you enter the password and this gets passed
(along with the
username) to the script".  Is this a feature of .desktop? Why would
password get passed to the
script via this mechanism and not via command line? Is there a man page on this
somewhere or is
this "legend around the digital campfire" stuff?

THX, your solutions are invaluable. I can't imagine anyone getting a decent
domain member
workstation up without them.

--Mark