How to get user password expiration date from Active Directory?
Folks!
There is an Active Directory (Windows) and a Linux Samba client. In Active Directory the policy has been adjusted in such a way that users need to change their passwords periodically (passwords have an expiration time).
My question is pretty simple: can I get this expiration time for a given user if I work on the Linux machine with Samba?
This depends on the configuration of the domain controller. You can try:
net ads user info USERNAME@DOMAIN.COM -S DC_SERVER_NAME -U USERNAME
where USERNAME@DOMAIN.COM is the account to gather info from, DC_SERVER_NAME is the hostname of your domain controller and USERNAME is your username.
You will be prompted for your domain password.
Now you either get information about your account, including the expiry date of your password, or you get
ads_pull_uint32 failed
In this case, your domain controller is not configured to provide account information to UNIX-like systems.
You may contact your domain administrator to convince him to install and configure Microsoft Windows Services for UNIX so that this command gives you the needed information.
This answer might be frustrating. It is for me, as I am in the same situation and researched the topic a lot.
My workaround: I set a calendar reminder 80 days in the future when I set my domain password (smbpasswd -U USERNAME -r DC_SERVER_NAME), since it expires every 90 days. Not perfect, but workable.
[UPDATE] I found a way to determine the expiration date of your domain password with rpcclient; here is my script:
#!/bin/bash
# author: Tim Wahrendorff 2016
# licence: Public Domain - https://wiki.creativecommons.org/wiki/Public_domain
#
# To use this script you need at least (rpcclient ships in the smbclient package):
# sudo apt-get install libnotify-bin smbclient
#
# Please set your account, password and domaincontroller to use this script.
# The password is stored here in clear text, so keep this file readable by
# your own user only.
USER="username" # Domain accountname
PASS='Pa$$W0rd' # Domain password (single quotes, so the shell does not expand $$)
DC="vmdc01" # Domaincontroller

### START RPCCLIENT query
# Look up the account's RID unless USERDCID is already set in the environment
if [ "x$USERDCID" == "x" ]; then
    RPCLOOKUPID=$(rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC" 2> ./rpc_errFile)
    USERDCID=$(echo "$RPCLOOKUPID" | grep -e '[0-9]\{4,9\} ' -o)
fi
# Query the account and cut the timestamp out of the "Password must change Time" line
QUERYUSER=$(rpcclient -U "$USER%$PASS" -c "queryuser $USERDCID" "$DC" 2> ./rpc_errFile)
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | grep -e '[A-Za-z]\{2\}, [0-9]\{2\} [A-Za-z]\{3\} [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}' -o)

## Load rpc error Message
RPCERR=$(<./rpc_errFile)

## send notifications to Unity Desktop
if [ "x$RPCERR" != "x" ]; then
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-error.png "Error while fetching expiration date of your domain password" "$RPCERR"
else
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-information.png "your domain password expires at " "$EXPDATE h"
fi
### END RPCCLIENT query
I configured this script to run on autostart; it shows me when my domain password will expire in a Unity notification. Feel free to extend, improve and republish this script, it is public domain.
[/UPDATE]
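As an added example (not part of the original answer or its script), the function below turns the "Password must change Time" line of rpcclient's queryuser output into a number of days remaining, and handles accounts whose password never expires. It assumes GNU date and English month names; the function name pw_days_left and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example: days until a domain password must change, parsed from the
# output of `rpcclient ... -c "queryuser RID"`.

# Constructed sample of queryuser output (not captured from a real server).
SAMPLE_QUERYUSER=$(printf '\tUser Name   :\tjdoe\n\tPassword last set Time   :\tMon, 04 Jan 2016 09:12:33 UTC\n\tPassword must change Time:\tSun, 03 Apr 2016 09:12:33 UTC\n')

# Reads queryuser output on stdin; $1 = "now" in epoch seconds (default: current time).
# Prints a whole number of days, "expired", or "never".
# Returns 1 if the field is missing or the timestamp cannot be parsed.
pw_days_left() {
    local now line stamp exp
    now=${1:-$(date +%s)}
    line=$(grep -m1 'Password must change Time') || return 1
    stamp=${line#*:}                      # keep the text after the field name
    stamp=$(printf '%s' "$stamp" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # Assumption: "no expiry" is printed as the maximum NT time (year 30828)
    # or as the word "never"; a five-digit year is treated as no expiry.
    case $stamp in
        *never*|*[0-9][0-9][0-9][0-9][0-9]" "*) echo never; return 0 ;;
    esac
    stamp=${stamp#*, }                    # drop the weekday, date -d does not need it
    exp=$(LC_ALL=C date -d "$stamp" +%s 2>/dev/null) || return 1
    if [ "$exp" -le "$now" ]; then
        echo expired
    else
        echo $(( (exp - now) / 86400 ))
    fi
}

# Demo with the constructed sample and a fixed "now" ten days before expiry.
printf '%s\n' "$SAMPLE_QUERYUSER" | pw_days_left 1458810753
```

In the script above, the same function could be fed with `echo "$QUERYUSER" | pw_days_left` to show the days remaining in the notification.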
If you are using Kerberos tickets, ADpassword is a simple Python app to check password expiration and ask users to change it.
On Linux you can use pdbedit:
pdbedit -L -v -u <username>
And look for the line: Password must change