
[Samba] About password expiry


Amaury Viera Hernández
Nov 26, 2015, 12:50:03 AM

Hi everyone:
I'm using samba4 as domain controller and I want to check every hour, from my mail server, the password expiration for every user in the domain. I need to know which attribute is used in samba4.
Using ldbsearch I see badPasswordTime and accountExpires, but the Microsoft documentation says that accountExpires is used to represent the date when the account expires. Can I use this and send the email to the users telling them that they need to change their password?
About badPasswordTime, it says that it represents the last time and date that an attempt to log on to this account was made with a password that is not valid.

I'm confused. Could you help me to know which of these attributes I need to advise the users about their password expiration?
Thanks in advance. Amaury.

ldbsearch --url=/var/lib/samba/private/sam.ldb samaccountname=pp
# record 1
dn: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pp
instanceType: 4
whenCreated: 20151124051519.0Z
whenChanged: 20151124051519.0Z
uSNCreated: 3847
name: pp
objectGUID: 95e62723-1bfb-4847-825a-8749705e4ef9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2370192828-1696309146-286596188-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pp
sAMAccountType: 805306368
userPrincipalName: p...@eomarit.com.cu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=eomarit,DC=com,DC=cu
pwdLastSet: 130928157190000000
userAccountControl: 512
uSNChanged: 3849
distinguishedName: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne
Nov 26, 2015, 3:30:04 AM

Hi,

Use pwdLastSet + your AD password policy to know when the password will expire.

Expiration will happen at pwdLastSet + how long this password is valid.

Cheers,

mathias

Andrew Bartlett
Nov 26, 2015, 3:40:03 AM

On Thu, 2015-11-26 at 00:40 -0500, Amaury Viera Hernández wrote:
> Hi everyone:
> I'm using samba4 as domain controller and I want to check every hour,
> from my mail server, the password expiration for every user in the
> domain. I need to know which attribute is used in samba4.
> Using ldbsearch I see badPasswordTime and accountExpires, but the
> Microsoft documentation says that accountExpires is used to
> represent the date when the account expires. Can I use this and send
> the email to the users telling them that they need to change their
> password?
> About badPasswordTime, it says that it represents the last time and date that
> an attempt to log on to this account was made with a password that is
> not valid.
>
> I'm confused. Could you help me to know which of these attributes I
> need to advise the users about their password expiration?
> Thanks in advance. Amaury.

Try asking for the operational (so generated, and only given if
requested) attribute "msDS-UserPasswordExpiryTimeComputed" in current
versions.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
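The two answers above describe the same computation from two directions: derive the expiry yourself from pwdLastSet plus the domain's maxPwdAge, or ask the DC for the operational attribute msDS-UserPasswordExpiryTimeComputed, which the DC derives the same way. The example below is added here and is not code from this thread, from Samba, or from Microsoft; it implements both readings and the special cases a notifier has to handle (pwdLastSet = 0 meaning "must change at next logon", the UF_DONT_EXPIRE_PASSWD bit in userAccountControl, and the 0x7FFFFFFFFFFFFFFF "never" sentinel). The sample record is a constructed copy of the ldbsearch output posted at the top of the thread; the 90-day maxPwdAge is an assumption taken from the OP's script rather than read from the domain object, and the interpretation of 0 / 0x7FFFFFFFFFFFFFFF in the computed attribute follows my reading of MS-ADTS.

```python
# Added example (not the thread's or Samba's code): password expiry from
# pwdLastSet + maxPwdAge, and from msDS-UserPasswordExpiryTimeComputed.
from datetime import datetime, timedelta, timezone

SECONDS_1601_TO_1970 = 11_644_473_600       # offset between the FILETIME epoch and the Unix epoch
HUNDRED_NS_PER_SECOND = 10_000_000          # FILETIME counts 100-nanosecond intervals
NEVER = 0x7FFF_FFFF_FFFF_FFFF               # 9223372036854775807: "never" in accountExpires and the computed attribute
MAX_PWD_AGE_NEVER = -0x8000_0000_0000_0000  # maxPwdAge value meaning passwords do not expire (assumed sentinel)
UF_ACCOUNTDISABLE = 0x0002                  # userAccountControl bits
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample input: a trimmed copy of the record posted in the thread.
SAMPLE_RECORD = """\
dn: CN=pp,CN=Users,DC=eomarit,DC=com,DC=cu
objectClass: user
cn: pp
whenCreated: 20151124051519.0Z
badPasswordTime: 0
accountExpires: 9223372036854775807
sAMAccountName: pp
pwdLastSet: 130928157190000000
userAccountControl: 512
"""


def parse_ldif(text):
    """Minimal reader for single-line 'attr: value' LDIF; repeated attributes become lists."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(key, []).append(value)
    return attrs


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to an aware UTC datetime.

    Integer math on purpose: values like 130928157190000000 exceed 2**53,
    so dividing as a float (as a quick script might) loses precision.
    """
    seconds, rem = divmod(ft, HUNDRED_NS_PER_SECOND)
    base = datetime.fromtimestamp(seconds - SECONDS_1601_TO_1970, tz=timezone.utc)
    return base + timedelta(microseconds=rem // 10)


def classify_expiry(pwd_last_set, max_pwd_age, uac):
    """Mathias's method. Returns ('never' | 'must_change' | 'expires', datetime or None).

    max_pwd_age is passed the way AD stores it: a negative count of 100 ns intervals.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == MAX_PWD_AGE_NEVER:
        return "never", None
    if pwd_last_set == 0:
        return "must_change", None      # password flagged "change at next logon"
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)


def classify_computed(value):
    """Andrew's method: interpret msDS-UserPasswordExpiryTimeComputed returned by the DC."""
    if value == NEVER:
        return "never", None
    if value == 0:
        return "must_change", None
    return "expires", filetime_to_datetime(value)


def expiry_report(attrs, max_pwd_age, now_unix):
    """Build the per-user summary a notifier would log or mail, given a parsed record."""
    uac = int(attrs["userAccountControl"][0])
    status, expiry = classify_expiry(int(attrs["pwdLastSet"][0]), max_pwd_age, uac)
    report = {
        "user": attrs["sAMAccountName"][0],
        "status": status,
        "disabled": bool(uac & UF_ACCOUNTDISABLE),  # no point mailing a disabled account
        "expires_utc": None,
        "days_left": None,
    }
    if expiry is not None:
        now = datetime.fromtimestamp(now_unix, tz=timezone.utc)
        report["expires_utc"] = expiry.isoformat()
        report["days_left"] = (expiry - now).days
    return report


if __name__ == "__main__":
    ninety_days = -90 * 86400 * HUNDRED_NS_PER_SECOND   # assumed maxPwdAge, AD encoding
    # "now" chosen as 85 days after the sample pwdLastSet so the account is inside a 7-day warning window
    print(expiry_report(parse_ldif(SAMPLE_RECORD), ninety_days, 1448342119 + 85 * 86400))
```

In a real notifier the maxPwdAge value comes from the domain root object (or from a fine-grained password policy applied to the user), and `classify_computed` is the cheaper path because the DC applies that policy for you; the local computation is still useful as a cross-check when the two disagree.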

Amaury Viera Hernández
Nov 26, 2015, 12:00:05 PM

On 26/11/15 03:21, mathias dufresne wrote:
> Hi,
>
> Use pwdLastSet + your AD password policy to know when password will expire.
>
> Expiration will happen at pwdLastSet + how long this password is valid.
>
> Cheers,
>
> mathias

Thanks. It was very useful for me. This is the first version of the script.

Regards, Amaury.

#!/bin/bash

#=============== Parameters that can be modified ==================================================

# Days until the password expires in the AD, default: 90 days.
RESTRICCION_EXPIRACION=90

# Days before expiry at which to send the mail, default: 7 days
DIAS_PARA_NOTIFICAR=7

# Active Directory server
H="192.168.56.10"

# Active Directory port
P="389"

# Active Directory bind user
DN="cn=mailadmin,ou=services,dc=diveppr,dc=co,dc=cu"

# Active Directory bind password
PW="p@ssw0rd"

# Active Directory search base
B="ou=services,dc=diveppr,dc=co,dc=cu"

# Delay between user queries (seconds)
TIEMPO_POR_USUARIOS=0

# Site where users change their password
SITIO="https://cambiarcontrasena.diveppr.co.cu"

# Log file for the daily report
FILE_LOGS="/var/log/reporte-comprobacion-expiracion-de-cuentas.log"

# Date for the report
TIME="$(date '+%Y-%m-%d %H:%M')"

# Sender address
FROM="root"

# Destination address
TO="root"

# Subject of the report
ASUNTO="Reporte de expiración de contraseña de los usuarios"


#======================================== Script execution ============================================

# Start a fresh log; it lists every account, so do not leave it world-writable
echo > "$FILE_LOGS"
chmod 640 "$FILE_LOGS"

enviarCorreo(){
    DIAS_QUE_FALTAN=$1
    USUARIO=$2
    FECHA_EXPIRACION=$3
    from="$4"
    to=$2
    subject="Su cuenta espira en $1 días"
    body=" Su cuenta espira en $1 días o sea el $3 usted puede cambiar la
contraseña en la siguiente dirección:

$SITIO

Administrador de servicios telemáticos.
"
    mail -s "$subject" -r "$from" "$to" <<< "$body"
}

# Base command, kept as an array so each argument stays correctly quoted
CMD=(ldapsearch -D "$DN" -w "$PW" -p "$P" -h "$H" -b "$B")

# Base filter
FP="(objectclass=person)"

USERS=$("${CMD[@]}" -s sub "$FP" userPrincipalName | grep '^userPrincipalName:' | cut -d ' ' -f2)
ACTUALUNIX=$(date "+%s")

echo "Comprobación de expiración de las cuentas" >> "$FILE_LOGS"
echo "" >> "$FILE_LOGS"
echo "Inicio de la comprobación: $TIME" >> "$FILE_LOGS"
echo "" >> "$FILE_LOGS"

for USER in $USERS ; do
    # ldapsearch also prints a "# requesting: userPrincipalName" comment line; skip it
    if [ "$USER" != "requesting:" ] ; then
        PWDLASTSET=$("${CMD[@]}" -s sub "(&$FP(userPrincipalName=$USER))" pwdLastSet | grep '^pwdLastSet:' | cut -d' ' -f2)
        if [ -n "$PWDLASTSET" ] && [ "$PWDLASTSET" != "0" ] ; then
            # pwdLastSet is a Windows FILETIME (100 ns intervals since 1601-01-01); convert to Unix seconds
            LASTSETUNIX=$(( PWDLASTSET / 10000000 - 11644473600 ))
        else
            # pwdLastSet is 0 (or missing): fall back to the account creation date
            WHENCREATED=$("${CMD[@]}" -s sub "(&$FP(userPrincipalName=$USER))" whenCreated | grep '^whenCreated:' | cut -d' ' -f2)
            DATECREATED=${WHENCREATED:0:8}
            LASTSETUNIX=$(date -d "$DATECREATED" "+%s")
        fi

        # Password lifetime in seconds
        REST=$(( RESTRICCION_EXPIRACION * 86400 ))

        EXP=$(( LASTSETUNIX + REST ))
        TEMP=$(( EXP - ACTUALUNIX ))
        DIAS=$(( TEMP / 86400 ))
        FECHAEXP=$(date --date="@$EXP")

        echo "Comprobación del usuario: $USER" >> "$FILE_LOGS"
        echo " Fecha que vence: $FECHAEXP" >> "$FILE_LOGS"
        echo " Días que faltan: $DIAS" >> "$FILE_LOGS"

        if [ "$DIAS" -le "$DIAS_PARA_NOTIFICAR" ] ; then
            echo "El usuario a sido notificado" >> "$FILE_LOGS"
            enviarCorreo "$DIAS" "$USER" "$FECHAEXP" "$FROM"
        fi

        echo "" >> "$FILE_LOGS"
    fi

    # This matters so the mail server is not flooded, e.g. check one user every 2 seconds.
    sleep "$TIEMPO_POR_USUARIOS"
done

mail -s "$ASUNTO" -r "$FROM" "$TO" << EOF
$(cat "$FILE_LOGS")
EOF

mathias dufresne
Nov 27, 2015, 4:50:04 AM

That's very interesting information. Is there, somewhere, a list of these
computed attributes and their meaning?

Best regards,

mathias

Lee Brown
Nov 27, 2015, 11:50:04 AM

This was the first thing I found on Google:

https://msdn.microsoft.com/en-us/library/cc223384.aspx

Hope it helps -- lee

On Fri, Nov 27, 2015 at 1:40 AM, mathias dufresne <infra...@gmail.com>
wrote: