Luke Barone
2019-Jan-23 18:44 UTC
[Samba] Get PasswordMustChangeNow parameter from command line
I am adapting a script that needs to know whether a user needs to change their password on the next login from NT to AD with Samba.

I have tried "samba-tool user getpassword <user> --attributes PwdMustChangeNow", but that's not giving me anything useful - just a DN, and "Got password OK" (even on users that do need the password to change).

Is there another line I can use that will show when a user's password must change? The OS is Debian 9, running samba 4.5.12-Debian (yes, I know it's EOL, but it's what the Debian repo has)
Rowland Penny
2019-Jan-23 19:19 UTC
[Samba] Get PasswordMustChangeNow parameter from command line
On Wed, 23 Jan 2019 10:44:01 -0800 Luke Barone via samba <samba at lists.samba.org> wrote:

> I am adapting a script that needs to know whether a user needs to
> change their password on the next login from NT to AD with Samba.
>
> I have tried "samba-tool user getpassword <user> --attributes
> PwdMustChangeNow", but that's not giving me anything useful - just a
> DN, and "Got password OK" (even on users that do need the password to
> change).

It wouldn't, mainly because 'PwdMustChangeNow' isn't one of the listed attributes and I don't know where you got it from.

> Is there another line I can use that will show when a user's password
> must change? The OS is Debian 9, running samba 4.5.12-Debian (yes, I
> know it's EOL, but it's what the Debian repo has)

No and it has nothing to do with your version of Samba ;-)

There is an attribute 'msDS-UserPasswordExpiryTimeComputed' which would give you what you want, but this doesn't seem to exist in AD yet.

You need to obtain two attributes from AD, the domain's 'maxPwdAge' and the user's 'pwdLastSet', then with a bit of maths (okay, a lot), you can calculate when the password will expire.

Rowland
Luke Barone
2019-Jan-23 20:44 UTC
[Samba] Get PasswordMustChangeNow parameter from command line
Perfect, I got the parameter I needed! I just checked for `msDS-UserPasswordExpiryTimeComputed`, and if it's 0, then I know the password needs to change on the next login! Thanks! I honestly had no idea what the attributes were, but now I see they're the attributes that are in Active Directory.

On Wed, Jan 23, 2019 at 11:19 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 23 Jan 2019 10:44:01 -0800
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > I am adapting a script that needs to know whether a user needs to
> > change their password on the next login from NT to AD with Samba.
> >
> > I have tried "samba-tool user getpassword <user> --attributes
> > PwdMustChangeNow", but that's not giving me anything useful - just a
> > DN, and "Got password OK" (even on users that do need the password to
> > change).
>
> It wouldn't, mainly because 'PwdMustChangeNow' isn't one of the listed
> attributes and I don't know where you got it from.
>
> > Is there another line I can use that will show when a user's password
> > must change? The OS is Debian 9, running samba 4.5.12-Debian (yes, I
> > know it's EOL, but it's what the Debian repo has)
>
> No and it has nothing to do with your version of Samba ;-)
>
> There is an attribute 'msDS-UserPasswordExpiryTimeComputed' which would
> give you what you want, but this doesn't seem to exist in AD yet.
>
> You need to obtain two attributes from AD, the domain's 'maxPwdAge' and
> the user's 'pwdLastSet', then with a bit of maths (okay, a lot), you can
> calculate when the password will expire.
>
> Rowland
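
The calculation described in this thread (the domain's 'maxPwdAge' plus the user's 'pwdLastSet', with 0 meaning "must change at next login"), as an added example that is not part of any poster's message or of Samba itself. It assumes the attributes have already been fetched as LDIF-style `name: value` text, uses constructed sample values, goes slightly beyond the thread by also honouring the `userAccountControl` "password never expires" bit, and ignores fine-grained password policies.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_MAX_AGE = -0x8000000000000000   # maxPwdAge value meaning "never expires"
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl bit

# Constructed sample search output (not from a real directory).
SAMPLE_DOMAIN = "dn: DC=example,DC=com\nmaxPwdAge: -36288000000000\n"  # 42 days
SAMPLE_USERS = {
    "alice": "dn: CN=alice,CN=Users,DC=example,DC=com\n"
             "userAccountControl: 512\npwdLastSet: 131907744000000000\n",
    "bob": "dn: CN=bob,CN=Users,DC=example,DC=com\n"
           "userAccountControl: 512\npwdLastSet: 0\n",
}

def parse_attrs(ldif_text):
    """Collect 'name: value' lines from LDIF-style output into a dict."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and not line.startswith(("#", " ")):
            attrs[name] = value.strip()
    return attrs

def filetime_to_dt(ticks):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def password_status(user, domain, now):
    """Return (state, expiry); state is must_change, never, expired or valid."""
    pwd_last_set = int(user["pwdLastSet"])
    max_pwd_age = int(domain["maxPwdAge"])   # stored as a negative interval
    uac = int(user.get("userAccountControl", "0"))
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:                    # flagged for change at next login
        return ("must_change", None)
    if max_pwd_age in (0, NO_MAX_AGE):       # domain sets no maximum age
        return ("never", None)
    expiry = filetime_to_dt(pwd_last_set - max_pwd_age)
    return ("expired" if expiry <= now else "valid", expiry)

if __name__ == "__main__":
    now = datetime(2019, 1, 23, 18, 44, tzinfo=timezone.utc)
    domain = parse_attrs(SAMPLE_DOMAIN)
    for name, ldif in SAMPLE_USERS.items():
        print(name, password_status(parse_attrs(ldif), domain, now))
```
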