search for: maxpwdag

...rAccountControl' to 514, disables the account, it doesn't do anything to the password. There are a few attributes in play here, one of which you haven't mentioned: 'ms-DS-User-Account-Control-Computed'. The one you need to look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate when the password expires. The easiest way to find info on this subject is to remember that you are now using Active Directory and use this in an internet search, along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the search. Rowland

This seems to work for maxPwdAge ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge now I just need to query a users pwdLastSetq I tried the commands above but am not getting anything. I tried looking at the ungrepped output but I don't see how to link the pwdLastSet with any user. I get a l...

...l' to 514, disables the account, it doesn't > do anything to the password. Again i know that. I was asking effectively if 'pdbedit' is still an affordable tool to write account control in AD. > The one you need to > look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate > when the password expires. Ok, i've found that attribute, on the 'root' of the LDAP tree; but i think, measurement unit apart, it is the same of: root at vdcsv1:~# samba-tool domain passwordsettings show | grep ^Maximum Maximum password age (days): 90 right?...

...avelave... > It is an operational attribute. simply add  > msDS-UserPasswordExpiryTimeComputed > to the list of attributes requested when searching for the user. root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base "" maxPwdAge # record 1 dn: DC=ad,DC=fvg,DC=lnf,DC=it maxPwdAge: -77760000000000 # returned 1 records # 1 entries # 0 referrals root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "ou=Users,ou=FVG,dc=ad,dc=fvg,dc=lnf,dc=it" "(cn=gaio)" pwdlastSet msDS-UserPasswordExpir...

...oft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro I believe pdbedit will do what you are asking, but as I don't use it, I don't know how to. > > > The one you need to > > look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate > > when the password expires. > > Ok, i've found that attribute, on the 'root' of the LDAP tree; but i > think, measurement unit apart, it is the same of: > > root at vdcsv1:~# samba-tool domain passwordsettings show | grep > ^Maximum Maxim...

...ve LDAP attribute PwdLastSet. It's not an UNIX timestamp, it should be called LDAP time stamp or 18-digit LDAP timestamp...) Then you will have to compare this PwDLastSet to current and password max age. Current date is quite easy to retrieve. For Password max age the AD LDAP attribute is "maxPwdAge". You should be able to retrieve it using dirty "ldbsearch -H $sam maxPwdAge=* dn maxPwdAge" then you'll be able to get a nice and clean ldapsearch... Then calculation... The idea of Andrew would be nice if it works... 2017-02-02 13:47 GMT+01:00 Brian Candler via samba <sam...

On 01/02/2017 19:12, Jeff Sadowski wrote: > Or maybe better like so on login > > Last login: Wed Feb 1 10:47:53 > Password Expires in 28 days > [myaduser at machine ~]$ Something like this? warn_pwd_expire Defines number of days before pam_winbind starts to warn about passwords that are going to expire. Defaults to 14 days.

...nversion but I was wondering if there is a cleaner way On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Fri, 3 Feb 2017 07:44:39 -0700 > Jeff Sadowski via samba <samba at lists.samba.org> wrote: > > > This seems to work for maxPwdAge > > > > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b > > dc=ad,dc=mydomain,dc=tld maxPwdAge > > > > now I just need to query a users pwdLastSetq > > I tried the commands above but am not getting anything. I tried > > looking at the ungrepped output but...

...veryday :-) A quick search in 'man smb.conf' on 'kdc', turns this up: gpo update command (G) This option sets the command that is called to apply GPO policies. The samba?gpupdate script applies System Access and Kerberos Policies to the KDC. System Access policies set minPwdAge, maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf. Apart from the wiki page (which dates back to 2014), that is it. Let me look into this further. Rowland

On Fri, 27 Oct 2017 07:17:56 +1300 Andrew Bartlett <abartlet at samba.org> wrote: > On Thu, 2017-10-26 at 09:26 +0100, Rowland Penny via samba wrote: > > On Thu, 26 Oct 2017 13:25:00 +1300 > > Andrew Bartlett <abartlet at samba.org> wrote: > > > > > On Tue, 2017-10-24 at 18:13 +0100, Rowland Penny via samba wrote: > > > > > > > >

I am adapting a script that needs to know whether a user needs to change their password on the next login from NT to AD with Samba. I have tried "samba-tool user getpassword <user> --attributes PwdMustChangeNow", but that's not giving me anything useful - just a DN, and "Got password OK" (even on users that do need the password to change). Is there another line I

On Fri, 3 Feb 2017 07:44:39 -0700 Jeff Sadowski via samba <samba at lists.samba.org> wrote: > This seems to work for maxPwdAge > > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b > dc=ad,dc=mydomain,dc=tld maxPwdAge > > now I just need to query a users pwdLastSetq > I tried the commands above but am not getting anything. I tried > looking at the ungrepped output but I don't see how to link the...

...PwdLastSet. Anyway you don't care they are not real user touching keyboards and making mistakes. And you only want to display that information to real user making real mistakes : ) 2017-02-03 15:44 GMT+01:00 Jeff Sadowski via samba <samba at lists.samba.org>: > This seems to work for maxPwdAge > > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld > maxPwdAge > > now I just need to query a users pwdLastSetq > I tried the commands above but am not getting anything. I tried looking at > the ungrepped output but I don't see how to link the pw...

...e which, as far as I can tell, Samba knows nothing about. So, you are left with a couple of options: Check if the 'computed' attribute 'msDS-UserPasswordExpiryTimeComputed' exists and if it does, turn that into a Unix date. Or calculate the expiry time from the contents of the 'maxPwdAge' and the accounts 'pwdLastSet' attributes. Rowland

Winner this worked wonderfully On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Fri, 3 Feb 2017 07:44:39 -0700 > Jeff Sadowski via samba <samba at lists.samba.org> wrote: > > > This seems to work for maxPwdAge > > > > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b > > dc=ad,dc=mydomain,dc=tld maxPwdAge > > > > now I just need to query a users pwdLastSetq > > I tried the commands above but am not getting anything. I tried > > looking at the ungrepped output but...

...ere is a cleaner way > > On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba < > samba at lists.samba.org> wrote: > >> On Fri, 3 Feb 2017 07:44:39 -0700 >> Jeff Sadowski via samba <samba at lists.samba.org> wrote: >> >> > This seems to work for maxPwdAge >> > >> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b >> > dc=ad,dc=mydomain,dc=tld maxPwdAge >> > >> > now I just need to query a users pwdLastSetq >> > I tried the commands above but am not getting anything. I tried >> > looking...

On 02/02/2017 15:17, mathias dufresne wrote: > So, back to ldapsearch -Y GSSAPI (if your users generate kerberos > ticket at connection time) to retrieve LDAP attribute PwdLastSet. It's > not an UNIX timestamp, it should be called LDAP time stamp or 18-digit > LDAP timestamp... Aside: it's a Microsoft Win32 FILETIME. (The LDAP standard uses ISO times) pwdLastSet

...t;> On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba < >> samba at lists.samba.org> wrote: >> >>> On Fri, 3 Feb 2017 07:44:39 -0700 >>> Jeff Sadowski via samba <samba at lists.samba.org> wrote: >>> >>> > This seems to work for maxPwdAge >>> > >>> > ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b >>> > dc=ad,dc=mydomain,dc=tld maxPwdAge >>> > >>> > now I just need to query a users pwdLastSetq >>> > I tried the commands above but am not getting anything. I tri...

...do not show a clue about the expiry! > So, you are left with a couple of options: > Check if the 'computed' attribute 'msDS-UserPasswordExpiryTimeComputed' > exists and if it does, turn that into a Unix date. > Or calculate the expiry time from the contents of the 'maxPwdAge' and > the accounts 'pwdLastSet' attributes. This is not an option in applications that just allow a ldap filter (which is basically all applications with the exception of scripts). I consider this a big security omission: if? Samba is the source of information but not the the a...

...y! > > > So, you are left with a couple of options: > > Check if the 'computed' attribute > > 'msDS-UserPasswordExpiryTimeComputed' exists and if it does, turn > > that into a Unix date. Or calculate the expiry time from the > > contents of the 'maxPwdAge' and the accounts 'pwdLastSet' > > attributes. > > This is not an option in applications that just allow a ldap filter > (which is basically all applications with the exception of scripts). > > I consider this a big security omission: if? Samba is the source of...