On Tue, 27 Nov 2018 17:26:57 Marco Gaiarin wrote:
> Hello! Mark Foley via samba
> On that day it was said...
>
> > I don't recall that Linux/KDE notifies at all.
>
> If you use Kerberos, users get notified at every logon on password
> expire.
>
>
> > Is this an AD setting or is this strictly up to the individual
> > OS/workstation to set?
>
> I think it is a client OS setting.

To follow up on this, yes, it appears that the password expiration notification is a
client-side setting. To do this on Mac:

sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 14

where the '14' is the number of days to give notice prior to expiration. It appears that the
default is 20 (or 30, I don't recall which) days prior. Reading that setting prior to doing the
'write' gives the message:

The domain/default pair of (/Library/Preferences/com.apple.loginwindow, PasswordExpirationDays) does not exist

so, it uses a default of 20 or 30 days. After doing the 'write', the set value (e.g. 14) is returned.

I believe this is working as I have not received any further notices after logging in. We'll
see if it does, in fact, start to notify me at the 14 day point.

On Linux/KDE domain members I have the following script in ~/.kde/Autostart/checkPWexpire set
to show a notice with 8 days to go (credit to Rowland Penny for the ldbsearch):

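#!/bin/bash
#
# Check for and permit changing of Expiring Password
#
warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE
# Kerberos-authenticated (-k yes) lookup of the computed expiry time for the
# logged-in user; the value is a Windows FILETIME (100 ns ticks since 1601-01-01).
expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes \
    -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" \
    msDS-UserPasswordExpiryTimeComputed | \
    grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`

# Stop if the lookup returned nothing usable (no ticket, DC unreachable)
case "$expireTime" in ''|*[!0-9]*) exit 1 ;; esac

# Convert FILETIME to Unix epoch seconds, then to whole days remaining
expireDate=$((($expireTime/10000000)-11644473600))
today=`date +%s`
togo=$((($expireDate-$today)/86400))

# Any argument: just print the raw value and the days remaining
if [ -n "$1" ]
then
    echo "[$expireTime] Days to go: $togo"
    exit 0
fi

if [ "$togo" -gt "$warnDays" ]; then exit 0; fi

IMAGE=/user/util/bin/pw1.png
TITLE="Change Expiring Password"

if [ "$togo" = 0 ]
then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi
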
The script then goes on to ask for the password change using a yad script, if desired.

--Mark
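
Added example, not part of the message above or of Samba: the same FILETIME-to-days conversion, extended to the values of msDS-UserPasswordExpiryTimeComputed that the day arithmetic alone does not distinguish (never expires, must change at next logon, already expired, failed lookup). The function names and the sample LDIF are hypothetical and constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). Sample LDIF is constructed.
NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: AD reports "never expires"
EPOCH_DIFF=11644473600      # seconds from 1601-01-01 to 1970-01-01

# Constructed sample of what ldbsearch prints for the requested attribute.
sample_ldif() {
    printf '%s\n' \
        '# record 1' \
        'dn: CN=Example User,CN=Users,DC=example,DC=test' \
        'msDS-UserPasswordExpiryTimeComputed: 131881860000000000'
}

# Read LDIF on stdin, print the attribute value (exact name match, first hit).
expiry_from_ldif() {
    awk -F': ' '$1 == "msDS-UserPasswordExpiryTimeComputed" {print $2; exit}'
}

# pw_status FILETIME NOW_EPOCH WARN_DAYS
# Prints: unknown | never | must-change | expired | warn:N | ok:N
pw_status() (
    ft=$1 now=$2 warn=$3
    case $ft in
        ''|*[!0-9]*) echo unknown; exit ;;      # lookup failed or junk
        "$NEVER")    echo never; exit ;;
        0)           echo must-change; exit ;;  # pwdLastSet is 0
    esac
    secs=$(( $ft / 10000000 - $EPOCH_DIFF - $now ))
    if [ "$secs" -lt 0 ]; then
        echo expired   # integer division would otherwise round this to 0 days
    elif [ $(( secs / 86400 )) -le "$warn" ]; then
        echo "warn:$(( secs / 86400 ))"
    else
        echo "ok:$(( secs / 86400 ))"
    fi
)

# Run with the argument "demo" to classify the constructed sample against now.
if [ "${1:-}" = demo ]; then
    pw_status "$(sample_ldif | expiry_from_ldif)" "$(date +%s)" 8
fi
```

A password that expired less than a day ago yields 0 whole days under plain integer division, which reads as "expires today"; checking the sign of the remaining seconds first keeps that case separate.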