How to get user password expiration date from Active Directory?

Serge Roussak · Jan 5, 2016 · Viewed 10.8k times

folks!

There is an Active Directory (Windows) and a Linux Samba client. At the Active Directory the policy has been adjusted in such a way that users need to change their passwords periodically (passwords have an expiration time).

My question is pretty simple: can I get this expiration time for a given user if I work on the Linux machine with Samba?

Answer

mondjunge · Jan 20, 2016

This depends on the configuration of the domain controller. You can try:

net ads user info [email protected] -S DC_SERVER_NAME -U USERNAME

where [email protected] is the account to gather info from, DC_SERVER_NAME is the hostname of your domain controller and USERNAME is your username.

You will be prompted for your domain password.

Now you either get information about your account, including the expiry date of your password, or you get

ads_pull_uint32 failed

In this case, your domain controller is not configured to provide account information to UNIX-like systems.

You may contact your domain administrator to convince him to install and configure Microsoft Windows Services for UNIX so that this command gives you the needed information.

This answer might be frustrating. It is for me as I am in the same situation and researched the topic a lot.

My workaround: I set a calendar reminder 80 days in the future, when I set my domain password (smbpasswd -U USERNAME -r DC_SERVER_NAME), since it expires every 90 days. Not perfect, but workable.

[UPDATE] I found a way to determine the expiration date of your domain password with rpcclient, here is my script:

#!/bin/bash
# author: Tim Wahrendorff 2016
# licence: Public Domain - https://wiki.creativecommons.org/wiki/Public_domain
#
# To use this script you need at least:
# sudo apt-get install libnotify-bin smbclient   (the smbclient package ships rpcclient)
#
# Please set your account, password and domain controller to use this script.
# The password is stored in clear text, so keep this file readable only by
# your own account (chmod 600).

USER="username"   # Domain account name
PASS='Pa$$W0rd'   # Domain password; single quotes, because inside double quotes "$$" expands to the shell PID
DC="vmdc01"       # Domain controller
ERRFILE=./rpc_errFile
: > "$ERRFILE"

### START RPCCLIENT query
# Resolve the account name to its RID (the trailing number of the user's SID)
if [ -z "$USERDCID" ]; then
    RPCLOOKUPID=$(rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC" 2>> "$ERRFILE")
    USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
fi

# Query the account; the reply contains a "Password must change Time" line
QUERYUSER=$(rpcclient -U "$USER%$PASS" -c "queryuser $USERDCID" "$DC" 2>> "$ERRFILE")

# Pick out the "Thu, 03 Mar 2016 10:15" part of that line
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | grep -e '[A-Za-z]\{2\}, [0-9]\{2\} [A-Za-z]\{3\} [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}' -o)

## Load rpc error message
RPCERR=$(<"$ERRFILE")
rm -f "$ERRFILE"

## send notifications to Unity Desktop
if [ -n "$RPCERR" ]; then
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-error.png "Error while fetching expiration date of your domain password" "$RPCERR"
else
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-information.png "your domain password expires at " "$EXPDATE h"
fi

### END RPCCLIENT query

I configured this script to run on autostart; it shows me when my domain password will expire in a Unity notification. Feel free to extend, improve and republish this script, it is public domain.

[/UPDATE]
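As an added example (not part of the answer above or of mondjunge's script), the following turns the "Password must change Time" line of rpcclient's queryuser output into a usable state: a day count, "never" for non-expiring accounts, "expired", or "unknown" when the line is missing, as it is after an RPC error. It assumes GNU date and the "Thu, 03 Mar 2016 10:15:22 GMT" timestamp form the answer's regex expects; all sample output is constructed.

```shell
#!/bin/bash
# Added example: classify a domain password's expiry from rpcclient "queryuser"
# output. All three samples below are constructed, not captured from a real DC.
SAMPLE_OK='        User Name   :   jdoe
        Password last set Time   :      Thu, 03 Dec 2015 10:15:22 GMT
        Password can change Time :      Fri, 04 Dec 2015 10:15:22 GMT
        Password must change Time:      Thu, 03 Mar 2016 10:15:22 GMT'
SAMPLE_NEVER='        User Name   :   svc-backup
        Password must change Time:      never'
SAMPLE_ERR='result was NT_STATUS_ACCESS_DENIED'

# Echo the raw "Password must change Time" value; empty when the line is
# missing, which is what an RPC failure or a truncated reply looks like.
expiry_field() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Password must change Time[[:space:]]*:[[:space:]]*//p'
}

# Print one of: never | unknown | expired | <whole days left>.
# $1 = queryuser output, $2 = reference time in epoch seconds (passed in
# rather than read from the clock so results are reproducible).
days_left() {
    local raw epoch
    raw=$(expiry_field "$1")
    case "$raw" in
        '')    echo unknown; return 1 ;;
        never) echo never;   return 0 ;;
    esac
    # GNU date parses the "Thu, 03 Mar 2016 10:15:22 GMT" form rpcclient prints
    epoch=$(date -u -d "$raw" +%s 2>/dev/null) || { echo unknown; return 1; }
    if [ "$epoch" -le "$2" ]; then echo expired; return 0; fi
    echo $(( (epoch - $2) / 86400 ))
}

# Exit 0 when the state deserves a notification: expired or unknown always,
# a day count only inside the threshold ($2, default 14 days), never for "never".
should_warn() {
    local state=$1 threshold=${2:-14}
    case "$state" in
        never)           return 1 ;;
        expired|unknown) return 0 ;;
        *)               [ "$state" -le "$threshold" ] ;;
    esac
}

main() {
    local state
    state=$(days_left "$SAMPLE_OK" "$(date +%s)") || true
    if should_warn "$state"; then echo "WARN: domain password: $state"
    else echo "OK: $state days left"; fi
}
main
```

In the answer's script, feeding `$QUERYUSER` to `days_left` and gating `notify-send` on `should_warn` replaces the fixed "80 days" calendar reminder with a warning that tracks the real expiry.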