similar to: How to get password expiration?

I want something like so on login Last login: Wed Feb 1 10:47:53 Password Expires: Wed March 1 00:00:00 [myaduser at machine ~]$ I just want them to know when their password expires. On Wed, Feb 1, 2017 at 9:39 AM, mathias dufresne <infractory at gmail.com> wrote: > Plop, > > You'd like to modify .bashrc to auto-disconnect user with expired > password? I thought modern

I was thinking of maybe putting a request update password expire time on login and have a system user go find the expire times. with ldap or something? It could put a file in the users home directory with a timestamp of when the user's password expires. Ex: In the bashrc or tcshrc (the global ones) add a line like so touch /tmp/requestpwexpupdate/${USER} and have a cronjob the searches

On 01/02/2017 19:12, Jeff Sadowski wrote: > Or maybe better like so on login > > Last login: Wed Feb 1 10:47:53 > Password Expires in 28 days > [myaduser at machine ~]$ Something like this? warn_pwd_expire Defines number of days before pam_winbind starts to warn about passwords that are going to expire. Defaults to 14 days.

Or maybe better like so on login Last login: Wed Feb 1 10:47:53 Password Expires in 28 days [myaduser at machine ~]$ On Wed, Feb 1, 2017 at 12:10 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote: > I want something like so on login > > Last login: Wed Feb 1 10:47:53 > Password Expires: Wed March 1 00:00:00 > [myaduser at machine ~]$ > > I just want them to know

Plop, You'd like to modify .bashrc to auto-disconnect user with expired password? I thought modern tools to use AD (SSSD, winbind, nslcd) would come with such a mechanism inside. I do believe to remember some Linux disconnecting me for "disabled user" or "expired password"... Anyway, don't put that into .bashrc, they can modify it. If you really go into that way, uses

Actually is there a way to show it more like a timestamp. It is hard to compute days left with a date format like that. I guess I could use date to do the conversion but I was wondering if there is a cleaner way On Fri, Feb 3, 2017 at 8:51 AM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Fri, 3 Feb 2017 07:44:39 -0700 > Jeff Sadowski via samba <samba at

I found what I needed to do DOMAIN=MIND.UNM.EDU SHORT=MIND authconfig --enablekrb5 --krb5kdc=${DOMAIN} --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} --smbservers=${DOMAIN} --smbworkgroup=${SHORT} --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash --enablemkhomedir --enablewinbindusedefaultdomain

My smb.conf file now looks like so [global] #--authconfig--start-line-- # Generated by authconfig on 2017/10/30 10:47:34 # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--) # Any modification may be deleted or altered by authconfig in future workgroup = MIND password server = MIND.UNM.EDU realm = MIND.UNM.EDU security = ads idmap config * : range = 2000-7999

So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-) So many things work better * I can now sudo without having to newgrp first * I can now run id and get a list of all groups I am in * I can now run getent group and get a list of the domain groups but I now have two unexpected groups running the following I get id | sed 's/,/\n/g' | sort > id_without.txt id $USER

"id" alone does not show my user in the it group "id username" does why would id alone give different results? which is odd because as my username I can get into a folder that has 0760 permissions with user as root and it as the group as for %it ALL=(ALL) ALL instead of: %it ALL=(ALL:ALL) ALL seems to work the same On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <

My smb.conf looks like so. [global] security = ads realm = MIND.UNM.EDU workgroup = MIND idmap config * : backend = tdb idmap config * : range = 2000-7999 idmap config MIND:backend = ad idmap config MIND:schema_mode = rfc2307 idmap config MIND:range = 8000-9999999 idmap config MIND:unix_nss_info = yes winbind use default domain = yes restrict anonymous = 2 I have

On 30/07/2019 15:39, Jeff Sadowski via samba wrote: > winbindd -V > Failed to create /var/log/samba/cores for user 11490 with mode 0700 > Unable to setup corepath for winbindd: Permission denied > Version 4.10.5 > > cat /etc/samba/smb.conf > [global] > log level = 3 winbind:5 > winbind cache time = 10 > security = ads > realm = SUB.DOMAIN >

One of my colleagues at work brought to my attention that they could continuously attempt different passwords on a linux machine connected via AD via winbind. I did a test or too and it appears not to lock the account after numerous attempts. Is there a way to get the behavior like windows where too many invalid passwords puts a temporary lock on the account?

# id username|sed "s/,/\n/g"|wc -l 155 # id|sed "s/,/\n/g"|wc -l 28 On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote: > wbinfo -r username > shows the gid of it > and a bunch of -1's id guess for groups without gid's > my user belongs to 155 groups is there a problem with that many groups? > > On Tue, Dec 8,

On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba <samba at lists.samba.org> wrote: > On Tue, 13 Mar 2018 15:57:35 -0600 > Jeff Sadowski <jeff.sadowski at gmail.com> wrote: > >> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba >> <samba at lists.samba.org> wrote: >> > On Tue, 13 Mar 2018 12:13:32 -0600 >> > Jeff Sadowski via

On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba <samba at lists.samba.org> wrote: > On Tue, 13 Mar 2018 16:05:53 -0600 > Jeff Sadowski <jeff.sadowski at gmail.com> wrote: > >> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba >> <samba at lists.samba.org> wrote: >> > On Tue, 13 Mar 2018 15:57:35 -0600 >> > Jeff Sadowski

# cat /proc/sys/kernel/ngroups_max 65536 # sysctl kernel.ngroups_max kernel.ngroups_max = 65536 Is there a way to change/look at AUTH_SYS? Seems I have 28 groups now as my user I tried created a test user with much less groups but it turns out it is on all those other groups. As such I tried winbind nested groups=no but this doesn't seem to change anything. On Tue, Dec 8, 2015 at 5:05

On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba <samba at lists.samba.org> wrote: > On Tue, 13 Mar 2018 12:13:32 -0600 > Jeff Sadowski via samba <samba at lists.samba.org> wrote: > >> My smb.conf file looks like so >> >> [global] >> security = ads >> realm = MIND.UNM.EDU >> workgroup = MIND >> idmap config * :

OS:fedora-26 SAMBA:4.6.8 [root at squints ~]# cat /etc/samba/smb.conf [global] security = ads realm = MIND.UNM.EDU workgroup = MIND idmap config * : backend = tdb idmap config * : range = 2000-7999 idmap config MIND:backend = ad idmap config MIND:schema_mode = rfc2307 idmap config MIND:range = 8000-9999999 winbind nss info = rfc2307 winbind use default domain = yes

This seems to work for maxPwdAge ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge now I just need to query a users pwdLastSetq I tried the commands above but am not getting anything. I tried looking at the ungrepped output but I don't see how to link the pwdLastSet with any user. I get a long list. I think I'm looking for dn: and a matching pwdLastSet?