search for: accountexpires

...alculated was when an account expires. ldapsearch -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld "(sAMAccountName=$user)" gives all the good information about a user. here is how I used it to tell me all accounts expiring this next month. h=ad.mydomain.tld b=dc=ad,dc=mydomain,dc=tld q=accountExpires for user in $(wbinfo -u);do accountExpires=$(ldapsearch -h $h -b $b "(sAMAccountName=$user)" $q 2>/dev/null | grep "^$q" | awk '{print $2}') if [ "$(echo ${accountExpires}|wc -c)" -gt 7 ];then #microsoft uses 100 nanosecond increments so I remove the last 7...

...> Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Hi Team, >> >> Is it possible to make a LDAP-query that returns whether an account >> is expired or not? >> >> I am aware that it is possible to do the maths against the >> "accountExpires" attribute, but that requires some scripting around >> the query. >> >> - Kees. >> >> > Would that it was so simple. > > There is a flag 'ADS_UF_PASSWORD_EXPIRED' in the userAccountControl > attribute, but you would have to obtain the value fro...

...at lists.samba.org> wrote: > > > >> Hi Team, > >> > >> Is it possible to make a LDAP-query that returns whether an account > >> is expired or not? > >> > >> I am aware that it is possible to do the maths against the > >> "accountExpires" attribute, but that requires some scripting around > >> the query. > >> > >> - Kees. > >> > >> > > Would that it was so simple. > > > > There is a flag 'ADS_UF_PASSWORD_EXPIRED' in the userAccountControl > > attribut...

I have been running experiments and I found an interesting multiple representations of never expiring accounts. I see when I create an account using the ADUC in windows 10 pro on samba-dc-4.7.5-2.fc27 when I use ldapsearch to get accountExpires I get 9223372036854775807 if I set the account to expire I get the expected value for that date. Here is the strange part when I set the account back to never expires the value is then 0 So both 9223372036854775807 and 0 represent an account that never expires. If I set the value using ldapmodify i...

...n Fri, 27 Oct 2023 23:48:22 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > Hi Team, > > Is it possible to make a LDAP-query that returns whether an account > is expired or not? > > I am aware that it is possible to do the maths against the > "accountExpires" attribute, but that requires some scripting around > the query. > > - Kees. > > Would that it was so simple. There is a flag 'ADS_UF_PASSWORD_EXPIRED' in the userAccountControl attribute, but you would have to obtain the value from that attribute and check if '...

Hi every one: I'm using samba4 as domain controller and a I want to check every 1 hour in my mail server the password expiration for every user in the domain. I need to kow what is the attribute used in samba4. Using ldbsearch i see badPasswordTime and accountExpires, but in the microsoft documentation said that accountExpires is used for represent the date when the account expires. Can i use this and send the email to the users telling that they need to change their password? About badPasswordTime said that represent The last time and date that an attempt to l...

...wrote: >>> >>>> Hi Team, >>>> >>>> Is it possible to make a LDAP-query that returns whether an account >>>> is expired or not? >>>> >>>> I am aware that it is possible to do the maths against the >>>> "accountExpires" attribute, but that requires some scripting around >>>> the query. >>>> >>>> - Kees. >>>> >>>> >>> Would that it was so simple. >>> >>> There is a flag 'ADS_UF_PASSWORD_EXPIRED' in the userAccountCo...

...er)" >> > >> > gives all the good information about a user. >> > >> > here is how I used it to tell me all accounts expiring this next >> > month. >> > >> > h=ad.mydomain.tld >> > b=dc=ad,dc=mydomain,dc=tld >> > q=accountExpires >> > for user in $(wbinfo -u);do >> > accountExpires=$(ldapsearch -h $h -b $b "(sAMAccountName=$user)" $q >> > 2>/dev/null | grep "^$q" | awk '{print $2}') >> > if [ "$(echo ${accountExpires}|wc -c)" -gt 7 ];then >>...

...dify, even if I prefer to avoid modifying > directly ldb files. > > What do you think samba-tool does ? Using samba-tool to set expiry, ultimately does this: setexp = """ dn: %s changetype: modify replace: userAccountControl userAccountControl: %u replace: accountExpires accountExpires: %u """ % (user_dn, userAccountControl, accountExpires) self.modify_ldif(setexp) Rowland

...="@$(( ($(ldbsearch > -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' > '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) - > 11676009600 ))" Thu Oct 20 16:52:13 CEST 2016 > > If i try to do the same with 'accountExpires': > > root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch > -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' > '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000) > - 11676009600 ))" Wed Sep 15 04:48...

...,OU=OU,DC=exampledn,DC=com' [ldap://windowsdc.exampledn.com] 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com' [ldap://samba4dc.exampledn.com] Attributes found only in ldap://windowsdc.exampledn.com: instanceType whenCreated pwdLastSet accountExpires userAccountControl FAILED * Result for [DOMAIN]: FAILURE SUMMARY --------- Attributes found only in ldap://windowsdc.exampledn.com: pwdLastSet whenCreated instanceType userAccountControl accountExpires ERROR: Compare failed: -1 However, using `ldapsearch` to que...

In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v

...et to 66048, which disable expiry for password as well (in MS console, "password never expires" is now checked). This means that the password expiry (let say, every 6 month) will never popup again to the user, which is in my sense a wrong behaviour. Is there a way to change ONLY "accountExpires" attribute without changing "userAccountControl" ? Otherwise : is there another value for "userAccountControl" that does not disable the password expiry in the same time ? Thanks, --OB Le 2023-05-24 12:30, Rowland Penny via samba a ?crit : > On 24/05/2023 10:56, O...

...t; Hi every one: > > I'm using samba4 as domain controller and a I want to check every 1 > > hour in my mail server the password expiration for every user in the > > domain. I need to kow what is the attribute used in samba4. > > Using ldbsearch i see badPasswordTime and accountExpires, but in the > > microsoft documentation said that accountExpires is used for > > represent the date when the account expires. Can i use this and send > > the email to the users telling that they need to change their > > password? > > About badPasswordTime said that rep...

...pe: 4 whenCreated: 20140530142421.0Z displayName: testswi uSNCreated: 12359 name: testswi objectGUID: d6ebbae7-8ec0-4a89-828d-58c10a7c9f99 userAccountControl: 66048 codePage: 0 countryCode: 0 pwdLastSet: 130459334610000000 primaryGroupID: 513 objectSid: S-1-5-21-1143642306-2581635645-836595807-1605 accountExpires: 9223372036854775807 sAMAccountName: testswi sAMAccountType: 805306368 userPrincipalName: testswi at swi.local objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=swi,DC=local loginShell: /bin/bash whenChanged: 20140605153458.0Z uSNChanged: 13969 distinguishedName: CN=testswi,OU=Benutzer,OU=SWI...

...v1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))" Thu Oct 20 16:52:13 CEST 2016 If i try to do the same with 'accountExpires': root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))" Wed Sep 15 04:48:05 CEST 30827 but goog...

...z at uci.cu>: > Hi every one: > I'm using samba4 as domain controller and a I want to check every 1 hour > in my mail server the password expiration for every user in the domain. I > need to kow what is the attribute used in samba4. > Using ldbsearch i see badPasswordTime and accountExpires, but in the > microsoft documentation said that accountExpires is used for represent the > date when the account expires. Can i use this and send the email to the > users telling that they need to change their password? > About badPasswordTime said that represent The last time and date...

...t; password as well (in MS console, "password never expires" is now > checked). > > This means that the password expiry (let say, every 6 month) > will never popup again to the user, which is in my sense a wrong > behaviour. > > Is there a way to change ONLY "accountExpires" attribute > without changing "userAccountControl" ? > > Otherwise : is there another > value for "userAccountControl" that does not disable the password expiry > in the same time ? > > Thanks, > > --OB > > Le 2023-05-24 12:30, Rowland...

On my ubuntu machines I added auth required pam_exec.so /scripts/password_expire.sh to the beginning of /etc/pam.d/common-auth it looks pretty similar to what I did below. In the /etc/bash.bashrc I added a check to wait for the file to be less than 1 second old before looking at it. break out after 5 seconds in case something failed or is taking longer then it should. now people get

...QWNlbnR1YcOnw6NvIGRhIFNpbHZh uSNCreated: 114017 name:: QWNlbnR1YcOnw6NvIGRhIFNpbHZh objectGUID: b4e527e8-229a-46f5-8c6e-33fe7a6b034d badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid: S-1-5-21-2137976744-3574706186-1594704298-5551 accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: usuario777 sAMAccountType: 805306368 userPrincipalName: usuario777 at campus.sertao.ifrs.edu.br objectCategory: CN=Person,CN=Schema,CN=Configuration, DC=teste,DC=intra pwdLastSet: 131653581863461020 userAccountControl: 512 uSNChanged: 114020 distin...