similar to: query account expired state

Op 28-10-2023 om 09:37 schreef Rowland Penny via samba: > On Fri, 27 Oct 2023 23:48:22 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Hi Team, >> >> Is it possible to make a LDAP-query that returns whether an account >> is expired or not? >> >> I am aware that it is possible to do the maths against the >>

On Fri, 27 Oct 2023 23:48:22 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > Hi Team, > > Is it possible to make a LDAP-query that returns whether an account > is expired or not? > > I am aware that it is possible to do the maths against the > "accountExpires" attribute, but that requires some scripting around > the query. > >

On Sat, 28 Oct 2023 11:54:34 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > > Op 28-10-2023 om 09:37 schreef Rowland Penny via samba: > > On Fri, 27 Oct 2023 23:48:22 +0200 > > Kees van Vloten via samba <samba at lists.samba.org> wrote: > > > >> Hi Team, > >> > >> Is it possible to make a LDAP-query that returns

Op 28-10-2023 om 13:22 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 11:54:34 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 28-10-2023 om 09:37 schreef Rowland Penny via samba: >>> On Fri, 27 Oct 2023 23:48:22 +0200 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>> >>>> Hi

On Mon, 23 Oct 2017 16:52:05 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Sorry, i came back on this, but: > > > In another, more generic, way: how password policies are enforced? > > still i need an answer on this question. > > > I've done some tests, using my account, that pdbedit say: > > root at vdcsv1:~# LANG=C

Hi every one: I'm using samba4 as domain controller and a I want to check every 1 hour in my mail server the password expiration for every user in the domain. I need to kow what is the attribute used in samba4. Using ldbsearch i see badPasswordTime and accountExpires, but in the microsoft documentation said that accountExpires is used for represent the date when the account expires. Can i use

Mandi! Andrew Bartlett via samba In chel di` si favelave... > It is an operational attribute. simply add  > msDS-UserPasswordExpiryTimeComputed > to the list of attributes requested when searching for the user. root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base "" maxPwdAge # record 1 dn:

On Fri, 27 Oct 2017 07:17:56 +1300 Andrew Bartlett <abartlet at samba.org> wrote: > On Thu, 2017-10-26 at 09:26 +0100, Rowland Penny via samba wrote: > > On Thu, 26 Oct 2017 13:25:00 +1300 > > Andrew Bartlett <abartlet at samba.org> wrote: > > > > > On Tue, 2017-10-24 at 18:13 +0100, Rowland Penny via samba wrote: > > > > > > > >

figured out how to use ldapsearch also to get what I want. Also found how to convert AD time to unix time Another thing I wanted calculated was when an account expires. ldapsearch -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld "(sAMAccountName=$user)" gives all the good information about a user. here is how I used it to tell me all accounts expiring this next month. h=ad.mydomain.tld

On Sat, 28 Oct 2023 13:50:31 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> I consider this a big security omission: if? Samba is the source of > >> information but not the the authenticator of the user, that > >> application cannot block expired users ! > > But, Samba when running as an AD DC is the source of information AND >

In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v

On Tue, 24 Oct 2017 18:37:09 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > The main problem here is that you are still looking at the problem > > from the NT perpective, > > Seems obvious to me. I came from 10+ years of experience on Samba3 NT > domains, that indeed had

I am adapting a script that needs to know whether a user needs to change their password on the next login from NT to AD with Samba. I have tried "samba-tool user getpassword <user> --attributes PwdMustChangeNow", but that's not giving me anything useful - just a DN, and "Got password OK" (even on users that do need the password to change). Is there another line I

This seems to work for maxPwdAge ldapsearch -LLL -Q -s base -h ad.mydomain.tld -b dc=ad,dc=mydomain,dc=tld maxPwdAge now I just need to query a users pwdLastSetq I tried the commands above but am not getting anything. I tried looking at the ungrepped output but I don't see how to link the pwdLastSet with any user. I get a long list. I think I'm looking for dn: and a matching pwdLastSet?

Op 28-10-2023 om 14:21 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 13:50:31 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >>>> I consider this a big security omission: if? Samba is the source of >>>> information but not the the authenticator of the user, that >>>> application cannot block expired users !

That's a very interesting information. Is there, somewhere, a list of these computed attributes and their meaning? Best regards, mathias 2015-11-26 9:34 GMT+01:00 Andrew Bartlett <abartlet at samba.org>: > On Thu, 2015-11-26 at 00:40 -0500, Amaury Viera Hernández wrote: > > Hi every one: > > I'm using samba4 as domain controller and a I want to check every 1 >

Now it becomes really interesting: I just tested what happens when I set "the user must change the password on the next login". Then, on my Samba domain controller, I used kinit <the user name> and entered the current password. Surprisinlgy, I got the message from Kerberos "Password for the user is expired. You must change it now." And I can change the password!

Hi, I have a domain with a single Windows 2003 DC running. Today I created a Samba4 DC (using 4.0.0 release) and asked it to join the existing domain as an additional controller. Replication of both the objects and dns entries appears to be working well, and the usual tests of adding a user to one and confirming it is available in the other is similarly working. However, the `ldapcmp` tool

Hi, how can i get work Samba 4 Sernet 4.1.7 correctly with NIS. Ist provisioned with rfc2307. When i query a User withi get the following. getent passwd testswi SWI\testswi:*:10000:100:testswi:/home/SWI/testswi:/bin/false I want to change /bin/false to a other value /bin/bash I tried many things to change the value. 1. ldbedit -e vim -H /var/lib/samba/private/sam.ldb samaccountname=testswi

Op 28-10-2023 om 17:19 schreef Rowland Penny via samba: > On Sat, 28 Oct 2023 16:22:23 +0200 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba: >>> On Sat, 28 Oct 2023 13:50:31 +0200 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>>