folks!
There is an Active Directory (Windows) and a Linux Samba client. In Active Directory, the policy has been adjusted in such a way that users need to change their passwords periodically (passwords have an expiration time).
My question is pretty simple: can I get this expiration time for a given user if I work on the Linux machine with Samba?
This depends on the configuration of the domain controller. You can try:

    net ads user info [email protected] -S DC_SERVER_NAME -U USERNAME

where [email protected] is the account to gather info from, DC_SERVER_NAME is the hostname of your domain controller and USERNAME is your username.
You will be prompted for your domain password.
Now you either get information about your account, including the expiry date of your password, or you get

    ads_pull_uint32 failed

In this case, your domain controller is not configured to provide account information to UNIX-like systems.
You may contact your domain administrator to convince him to install and configure Microsoft Windows Services for UNIX so that this command gives you the needed information.
This answer might be frustrating. It is for me as I am in the same situation and researched the topic a lot.
My workaround: I set a calendar reminder 80 days in the future, when I set my domain password (smbpasswd -U USERNAME -r DC_SERVER_NAME), since it expires every 90 days. Not perfect, but workable.
[UPDATE] I found a way to determine the expiration date of your domain password with rpcclient. Here is my script:

    #!/bin/bash
    # author: Tim Wahrendorff 2016
    # licence: Public Domain - https://wiki.creativecommons.org/wiki/Public_domain
    #
    # To use this script you need at least:
    # sudo apt-get install libnotify-bin rpcclient
    #
    # Please set your account, password and domaincontroller to use this script
    # (single quotes keep bash from expanding "$$" in the password to its PID)
    USER="username" # Domain accountname
    PASS='Pa$$W0rd' # Domain password
    DC="vmdc01" # Domaincontroller

    ### START RPCCLIENT query
    # Look up the account's RID unless USERDCID is already set
    if [ "x$USERDCID" == "x" ]; then
        RPCLOOKUPID=$(rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC" 2> ./rpc_errFile)
        USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
    fi
    # Append to the error file so an error from the lookup above is not lost
    QUERYUSER=$(rpcclient -U "$USER%$PASS" -c "queryuser $USERDCID" "$DC" 2>> ./rpc_errFile)
    # The weekday abbreviation has 2 or 3 letters depending on the locale
    EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | grep -e '[[:alpha:]]\{2,3\}, [0-9]\{2\} [[:alpha:]]\{3\} [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}' -o)

    ## Load rpc error Message
    RPCERR=$(<./rpc_errFile)

    ## send notifications to Unity Desktop
    if [ "x$RPCERR" != "x" ]; then
        notify-send -i /usr/share/icons/gnome/48x48/status/dialog-error.png "Error while fetching expiration date of your domain password" "$RPCERR"
    else
        notify-send -i /usr/share/icons/gnome/48x48/status/dialog-information.png "your domain password expires at " "$EXPDATE h"
    fi
    ### END RPCCLIENT query

I configured this script to run on autostart. It shows me when my domain password will expire in a Unity notification. Feel free to extend, improve and republish this script; it is public domain.
[/UPDATE]
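
The script in the answer above displays the raw date string, and its pattern expects a four-digit year. As an added example (not part of the original answer), the following parses the same "Password must change Time" line into whole days remaining and reports non-expiring accounts separately. The function names, the sample output and the year-30828 / "never" markers for non-expiring accounts are assumptions of this example.

```bash
#!/bin/bash
# Added example (not the answer's script). Assumes English month abbreviations
# in rpcclient's output; function and variable names are illustrative.

# Days since 1970-01-01 for a Gregorian date given as: year month day.
days_from_civil() {
    local y=$1 m=$2 d=$3 era yoe doy
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y % 400))
    doy=$(( (153 * m + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Map "Jan".."Dec" to 1..12; fails on anything else.
month_number() {
    local names=JanFebMarAprMayJunJulAugSepOctNovDec prefix
    prefix=${names%%"$1"*}
    [ "$prefix" != "$names" ] || return 1
    echo $(( ${#prefix} / 3 + 1 ))
}

# $1 = queryuser output, $2 = current time in epoch seconds.
# Prints whole days left (negative once expired) or "never"; returns 2 when the
# field is missing or unparsable. Time zones are ignored: allow +/- one day.
password_days_left() {
    local line stamp mon expiry now=$2
    line=$(printf '%s\n' "$1" | grep 'Password must change Time' | head -n 1)
    [ -n "$line" ] || return 2
    # Non-expiring accounts carry the maximum timestamp (year 30828) or "never".
    case $line in *never*|*" 30828 "*) echo never; return 0 ;; esac
    stamp=$(printf '%s\n' "$line" | sed -n \
        's/.*\([0-9]\{2\}\) \([A-Z][a-z]\{2\}\) \([0-9]\{4\}\) [0-9:]\{5\}.*/\1 \2 \3/p')
    [ -n "$stamp" ] || return 2
    set -- $stamp                     # $1 = day, $2 = month name, $3 = year
    mon=$(month_number "$2") || return 2
    expiry=$(days_from_civil "$3" "$mon" "${1#0}")   # "08" -> 8, avoids octal
    echo $(( expiry - now / 86400 ))
}

# Constructed sample output and a constructed "now" (2016-03-20 00:00 UTC).
SAMPLE_EXPIRING='    User Name   :   jdoe
    Password last set Time   :   Mon, 04 Jan 2016 09:15:00 CET
    Password must change Time:   Sun, 03 Apr 2016 10:15:00 CEST'
SAMPLE_NEVER='    Password must change Time:   Thu, 14 Sep 30828 04:48:05 CEST'
NOW=1458432000

echo "user account:    $(password_days_left "$SAMPLE_EXPIRING" "$NOW") day(s) left"
echo "service account: $(password_days_left "$SAMPLE_NEVER" "$NOW")"
```

On live data, pass the output of the answer's queryuser call as the first argument and `$(date +%s)` as the second.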