On Tue, 03 Apr 2018 23:34:13 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > On Sat, 31 Mar 2018 11:42:07 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
> > > <rpenny at samba.org> wrote:
> > > >
> > > > This will then prompt the user for their 'oldpassword' and then
> > > > the new password (twice). There is a gotcha though, as given it
> > > > will only work on a DC, to do the password change from a Unix
> > > > domain member, you need to add '--ipaddress=DCIPADDRESS'
> > >
> > > I'll try that after I've figured out what the user's expiration
> > > status is. With respect to this command, would the full syntax be:
> > >
> > > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> > >
> > > I've tried that with no syntax error, but haven't pulled the
> > > trigger yet to change the password. I've also tried
> > > --ipaddress=dchostname which also did not give a syntax error.
> >
> > Never tried it with the hostname, but I think the option name gives
> > a big hint ;-)
> >
> > > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > > ldbsearch below ? If so, is the result actually '89' are you
> > > > using some calculation to get '89' ? I ask this because I would
> > > > expect the attribute to contain something like
> > > > '9223372036854775807'
> > >
> > > Yes, the same ldbsearch. In fact, that and the calculation were
> > > given to me by you a couple of years ago. The rest of the
> > > calculation is:
> > >
> >
> > OK
> >
> > > >
> > > > If you are trying to find out if the users password has expired
> > > > or is near to, you can use rpcclient for this.
> >
> > >
> > > I did the following:
> > >
> > > # rpcclient -U "" -N 192.168.0.2
> > > rpcclient $> enumdomusers
> > > :
> > > user:[mark] rid:[0x457]
> > > :
> > > rpcclient $> queryuser 0x457
> > > User Name : mark
> > > Full Name : Mark Foley
> > > (empty lines removed)
> > > Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
> > > Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > > Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > > Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> > > Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
> > > Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
> >
> > > Not sure I see where the expiration is except that Kickoff Time is
> > > set to Dec 31st, 1969 which is likely a zero in that field. Is
> > > that the problem?
> >
> > When the users password expires it must be changed (hint, hint) ;-)
> > Or an even bigger hint, the user needs to change their password
> > before the 27th of June
> >
> > >
> > > Why would passwd and kpasswd not reset that?
> >
> > I have no real idea, but it might have something to do with neither
> > of having anything to do with AD.
> >
>
> I think you're right that although passwd and kpasswd do change the
> domain password for the user, "neither of them have anything to do
> with AD" and hence apparently do not reset the expiration day. So,
> I've now tried:
>
> samba-tool user password -U $USER --ipaddress=192.168.0.2

The relevant line in my yad script looks like this:

${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME} ${OLDPASS}

>
> and that works and does reset the expiration count so that my
> rpcclient query returns 90 days. I can also use the AD/DC host name
> instead of the IP address.
>
> I'm using this as a $HOME/.kde/Autostart script to check the password
> expiration days-to-go with the KDE desktop. If less than 8 days to
> go, it puts up a GUI dialog inviting the user to change the password.
> This mimics the functionality of Windows. Without something like
> this, the user does not know his password is about to expire and he
> finds himself locked out.

Do you have the checking of the password and the changing in one
script ?
I use two, one to check when the password expires and another to change
it.

Rowland
On Wed, 4 Apr 2018 08:37:26 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> [...]
> > This mimics the functionality of Windows. Without something like
> > this, the user does not know his password is about to expire and he
> > finds himself locked out.
>
> Do you have the checking of the password and the changing in one
> script ?
> I use two, one to check when the password expires and another to change
> it.

I'm using one script. It tests the expiration then exits if OK, otherwise, it continues to ask
the user for the new password. Here's the entire script:

#!/bin/bash
#
# Check for and permit changing of Expiring Password
#

warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE

expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`

expireDate=$((($expireTime/10000000)-11644473600))
today=`date +%s`
togo=$((($expireDate-$today)/86400))

if [ -n "$1" ] # any arg will be a debug mode to display Days to Go only
then
  echo "[$expireTime]" Days to go: $togo
  exit 0
fi

if [ $togo -gt $warnDays ]; then exit 0; fi

# Within $warnDays of expiration. Ask user to change PW

IMAGE=/user/util/bin/pw1.png
TITLE="Change Expiring Password"

if [ "$togo" = 0 ]
then
  MSG="Your password expires today.\nConsider changing your password."
else
  MSG="Your password expires in $togo days.\nConsider changing your password."
fi

badPW=0

while [ 1 = 1 ]
do
  pw=`yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
    --image "$IMAGE" --image-on-top --title "$TITLE" \
    --text="$MSG" \
    --align=right \
    --field="Enter current password:H" \
    --field="Enter new password:H" \
    --field="Confirm Password::H"`

  pwOrg=`echo "$pw" | cut "-d~" -f1`
  pw1=`echo "$pw" | cut "-d~" -f2`
  pw2=`echo "$pw" | cut "-d~" -f3`

  if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi # Cancel

  if [ "$pw1" != "$pw2" ]
  then
    MSG="Sorry, passwords do not match. Try again."
    continue
  fi

  if [ -z "$pwOrg" ]
  then
    MSG="CURRENT PASSWORD REQUIRED!"
    continue
  fi

  # Verify current password

  ntlm_auth --username=$USER --password="$pwOrg" > /dev/null 2>&1
  rc=$?

  if [ "$rc" != 0 ]
  then
    badPW=$[ $badPW + 1 ]
    if [ $badPW -gt 2 ]; then exit -1; fi # only permit 3 tries
    MSG="WRONG CURRENT PASSWORD. Try again."
    continue
  fi

  if [ ${#pw1} -lt 8 ]
  then
    MSG="Password length must be at least 8 characters."
    continue
  fi

  # Verify Complexity: at least 3 of: upper case, lower case, number, punctuation. No spaces.

  cnt=0
  x=$(echo "$pw1" | grep '[A-Z]')
  if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

  x=$(echo "$pw1" | grep '[a-z]')
  if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

  x=$(echo "$pw1" | grep '[0-9]')
  if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

  x=$(echo "$pw1" | tr -d '[:alnum:]')
  if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi

  if [ $cnt -lt 3 ]
  then
    MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
    continue
  fi

  if [ "$pw1" = "$pwOrg" ]
  then
    MSG="You cannot use your previous password. Think of something new."
    continue
  fi

  break
done

# CHANGE PASSWORD

samba-tool user password -U $USER --ipaddress=mail <<EOF
$pwOrg
$pw1
$pw1
EOF
status="$?"

if [ "$status" == "0" ]; then
  yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Successfully changed password for $USER in AD."
else
  yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Error changing password for $USER in AD."
fi

exit $status

--Mark
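The expiry arithmetic in the script above (`expireTime/10000000 - 11644473600`) is the conversion from a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) to a Unix timestamp, and the thread also mentions that the attribute can hold 9223372036854775807 instead of a real time. The snippet below is an added example, not code from this thread or from Samba: it isolates that conversion into functions and treats the special values separately, so a never-expires sentinel is reported as such rather than as a huge number of days, and a missing or non-numeric value is reported as unknown and fails closed instead of silently passing the `-gt $warnDays` test. The LDIF record, the expiry FILETIME (built from the 27 Jun 2018 00:00:11 EDT, i.e. 04:00:11 UTC, "Password must change Time" quoted from rpcclient) and the "now" timestamps are constructed sample values; that a value of 0 means "must change at next logon" is my assumption about AD semantics, marked in the code.

```shell
#!/bin/sh
# Added example, not code from the thread: convert msDS-UserPasswordExpiryTimeComputed
# (a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC) into a
# Unix timestamp and "days to go", treating the special values explicitly.

FILETIME_NEVER=9223372036854775807   # AD returns this when the password never expires
EPOCH_DIFF_SECONDS=11644473600       # seconds from 1601-01-01 to 1970-01-01

# Constructed sample record in the shape ldbsearch prints; the value is
# 2018-06-27 04:00:11 UTC, the "Password must change Time" quoted in the thread.
SAMPLE_LDIF='# record 1
dn: CN=mark,CN=Users,DC=example,DC=com
msDS-UserPasswordExpiryTimeComputed: 131745456110000000

# returned 1 records'

# expiry_from_ldif LDIF_TEXT -> prints the attribute value, or nothing if absent
expiry_from_ldif() {
    printf '%s\n' "$1" | awk '$1 == "msDS-UserPasswordExpiryTimeComputed:" { print $2; exit }'
}

# filetime_to_epoch FILETIME -> prints the equivalent Unix timestamp (seconds)
filetime_to_epoch() {
    echo $(( $1 / 10000000 - EPOCH_DIFF_SECONDS ))
}

# days_to_go FILETIME NOW_EPOCH -> prints one of
#   unknown  attribute missing or not a number (exit status 1: fail closed, never
#            treat an unreadable value as "fine")
#   never    the never-expires sentinel
#   expired  0 (assumed to mean "must change at next logon") or a time already passed
#   N        whole days remaining; 0 is "expires today", as in the script above
days_to_go() {
    ft=$1
    now=$2
    case "$ft" in
        '')                 echo unknown; return 1 ;;
        *[!0-9]*)           echo unknown; return 1 ;;
        "$FILETIME_NEVER")  echo never;   return 0 ;;
        0)                  echo expired; return 0 ;;
    esac
    exp=$(filetime_to_epoch "$ft")
    if [ "$exp" -le "$now" ]; then
        echo expired
    else
        echo $(( (exp - now) / 86400 ))
    fi
}

# Stand-alone run: evaluate the constructed record against the current clock.
printf 'sample record: %s\n' "$(days_to_go "$(expiry_from_ldif "$SAMPLE_LDIF")" "$(date +%s)")"
```

Against the logon time quoted by rpcclient (Thu, 29 Mar 2018 17:12:54 EDT, epoch 1522357974) the sample record yields 89 days, the same figure discussed earlier in the thread. A script built on this would branch on `never` and `unknown` before comparing against `warnDays`, rather than letting the sentinel's arithmetic result pass through as a very large day count.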
On 04/04/2018 at 23:40, Mark Foley via samba wrote:
> I'm using one script. It tests the expiration then exits if OK, otherwise, it continues to ask
> the user for the new password. Here's the entire script:
> [...]
> --Mark

Hi,

Thanks Mark for this useful script! Maybe it could be on the Samba wiki?

Regards,
Yvan